Each record in the SURROGATE class defines restrictions that protect a user from impersonation attempts. CA ControlMinder treats an impersonation request as an abstract object that can only be accessed by authorized users. A record in the SURROGATE class represents each user or group who has surrogate (impersonation) protection.
When a user or group makes a request to impersonate another user or group, CA ControlMinder does the following:
CA ControlMinder uses the access authority of the SURROGATE record to permit or deny the impersonation request.
The process goes to Step 2.
Note: The default access authority of the USER._default, GROUP._default, and _default SURROGATE records is read. This means that CA ControlMinder permits any request to impersonate a user or group, unless a SURROGATE record for the user or group prohibits the impersonation request. To change this behavior, change the access authority of the USER._default and GROUP._default records. You can also set the same default for users and groups by changing the access authority of the _default SURROGATE record.
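The effect of the default records described in the note can be seen in a small model. This is an added example, not CA ControlMinder code: the record layout, the `none` access value, the sample names, and the lookup order (specific record, then USER._default or GROUP._default, then _default) are assumptions made for illustration.

```python
# Simplified model of SURROGATE default handling (illustrative, not CA code).
# Assumed lookup order: specific record -> USER._default / GROUP._default -> _default.
from dataclasses import dataclass, field

@dataclass
class SurrogateRecord:
    defaccess: str = "read"                   # "read" permits; "none" (assumed value) denies
    acl: dict = field(default_factory=dict)   # accessor -> access, overrides defaccess

def resolve(records, kind, target):
    """Return (record_name, record) governing impersonation of kind.target."""
    for name in (f"{kind}.{target}", f"{kind}._default", "_default"):
        if name in records:
            return name, records[name]
    raise KeyError("no SURROGATE record found, not even _default")

def may_impersonate(records, accessor, kind, target):
    """True if accessor's request to impersonate kind.target is permitted."""
    _, rec = resolve(records, kind, target)
    return rec.acl.get(accessor, rec.defaccess) == "read"

def exposed_targets(records, targets):
    """Targets with no record of their own that a permissive default leaves open."""
    exposed = []
    for kind, name in targets:
        rec_name, rec = resolve(records, kind, name)
        if rec_name != f"{kind}.{name}" and rec.defaccess == "read":
            exposed.append((kind, name))
    return exposed

# Constructed sample policy: default records at "read" plus one explicit record.
SHIPPED = {
    "USER._default": SurrogateRecord("read"),
    "GROUP._default": SurrogateRecord("read"),
    "_default": SurrogateRecord("read"),
    "USER.root": SurrogateRecord("none", {"admin1": "read"}),
}
# The same policy after changing the USER and GROUP defaults to deny.
HARDENED = {**SHIPPED,
            "USER._default": SurrogateRecord("none"),
            "GROUP._default": SurrogateRecord("none")}
TARGETS = [("USER", "root"), ("USER", "oracle"), ("GROUP", "dba")]

if __name__ == "__main__":
    print("exposed with read defaults:", exposed_targets(SHIPPED, TARGETS))
    print("exposed after hardening:   ", exposed_targets(HARDENED, TARGETS))
```

Run against an export of the real SURROGATE records, a check like `exposed_targets` lists the accounts that rely only on the permissive default and therefore need either their own record or a stricter default.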
Copyright © 2013 CA Technologies.
All rights reserved.