

Predefined Classes

The predefined classes can be categorized into the following types:

| Class Type | Purpose |
|---|---|
| Accessor | Defines objects that access resources, such as users and groups |
| Definition | Defines objects that define security entities, such as security labels and categories |
| Installation | Defines objects that control the behavior of CA ControlMinder |
| Resource | Defines objects that are protected by access rules |

The following table contains a list of all predefined classes.

| Class | Class Type | Description |
|---|---|---|
| ADMIN | Definition | Lets you delegate administrative responsibilities to users who do not have the ADMIN attribute. You give these users global authorization attributes and limit their administration authority scope. |
| AGENT | Resource | Not applicable to CA ControlMinder |
| AGENT_TYPE | Resource | Not applicable to CA ControlMinder |
| APPL | Resource | Not applicable to CA ControlMinder |
| AUTHHOST | Accessor | Not applicable to CA ControlMinder |
| CALENDAR | Resource | Lets you define a Unicenter TNG calendar object for user, group, and resource enforced time restrictions. |
| CATEGORY | Definition | Lets you define a security category. |
| CONNECT | Resource | Lets you protect outgoing connections. The records in this class define which users can access which Internet hosts. Before you activate the CONNECT class, be sure that the streams module is active. |
| CONTAINER | Resource | Lets you define a group of objects from other resource classes, thus simplifying the job of defining access rules when a rule applies to several different classes of objects. |
| FILE | Resource | Lets you protect a file, a directory, or a file name mask. |
| GAPPL | Resource | Not applicable to CA ControlMinder |
| GAUTHHOST | Definition | Not applicable to CA ControlMinder |
| GFILE | Resource | Each record in this class defines a group of files or directories. Grouping is accomplished by explicitly connecting files or directories (resources of the FILE class) to the GFILE resource in the same way users are connected to groups. |
| GHOST | Resource | Each record in this class defines a group of hosts. Grouping is accomplished by explicitly connecting hosts (resources of the HOST class) to the GHOST resource in the same way users are connected to groups. |
| GROUP | Accessor | Each record in this class defines an internal group. |
| GSUDO | Resource | Each record in this class defines a group of commands that one user can execute as if another user were executing it. The sesudo command uses this class. |
| GTERMINAL | Resource | Each record in this class defines a group of terminals. |
| HNODE | Definition | The HNODE class contains information about the organization's CA ControlMinder hosts. Each record in the class represents a node in the enterprise. |
| HOLIDAY | Definition | Each record in this class defines one or more periods when users need extra permission to log in. |
| HOST | Resource | Each record in this class defines a host. The host is identified by either its name or its IP address. The object contains access rules that determine whether the local host can receive services from this host. Before you activate the HOST class, be sure that the streams module is active. |
| HOSTNET | Resource | Each record in this class is identified by an IP address mask and contains access rules. |
| HOSTNP | Resource | Each record in this class defines a group of hosts, where the hosts belonging to the group all have the same name pattern. Each HOSTNP object's name contains a wildcard. |
| LOGINAPPL | Definition | Each record in the LOGINAPPL class defines a login application, identifies who can use the program to log in, and controls the way the login program is used. |
| MFTERMINAL | Definition | Each record in the MFTERMINAL class defines a Mainframe CA ControlMinder administration computer. |
| POLICY | Resource | Each record in the POLICY class defines the information required to deploy and remove a policy. It includes a link to the RULESET objects that contain a list of the selang commands for deploying and removing the policy. |
| PROCESS | Resource | Each record in this class defines an executable file. |
| PROGRAM | Resource | Each record in this class defines a trusted program that can be used with conditional access rules. Trusted programs are setuid/setgid programs that are monitored by the Watchdog to ensure they are not tampered with. |
| PWPOLICY | Definition | Each record in the PWPOLICY class defines a password policy. |
| RESOURCE_DESC | Definition | Not applicable to CA ControlMinder |
| RESPONSE_TAB | Definition | Not applicable to CA ControlMinder |
| RULESET | Resource | Each record in the RULESET class represents a set of rules which define a policy. |
| SECFILE | Definition | Each record in this class defines a file that must not be altered. |
| SECLABEL | Definition | Each record in this class defines a security label. |
| SEOS | Installation | The one record in this class specifies your active classes and password rules. |
| SPECIALPGM | Installation | Each record in the SPECIALPGM class registers backup, DCM, PBF and PBN functions in Windows or xdm, backup, mail, DCM, PBF, and PBN programs in UNIX or associates an application that needs special authorization protection with a logical user ID. This allows you to set access permissions according to what is being done rather than who is doing it. |
| SUDO | Resource | This class, used by the sesudo command, defines commands that one user (such as a regular user) can execute as if another user (such as root) were executing them. |
| SURROGATE | Resource | Each record in this class contains access rules for an accessor that define who can use that accessor as a surrogate. |
| TCP | Resource | Each record in this class defines a TCP/IP service, for example, mail or http or ftp. |
| TERMINAL | Resource | Each record in this class defines a terminal, a device from which a user can log in. |
| UACC | Resource | Defines default access rules for each resource class. |
| USER | Accessor | Each record in this class defines an internal user. |
| USER_ATTR | Definition | Not applicable to CA ControlMinder |
| USER_DIR | Resource | Not applicable to CA ControlMinder |
| XGROUP | Resource | Each record in this class defines an enterprise group to CA ControlMinder. |
| XUSER | Resource | Each record in this class defines an enterprise user to CA ControlMinder. |

Note: CA ControlMinder database classes TCP and SURROGATE are not active by default.

If you upgrade from an earlier release where the TCP class is active but you do not have any TCP records and have not changed the _default TCP resource, CA ControlMinder deactivates the class during upgrade. The same is true for the SURROGATE class.

If you upgrade from an earlier release where the SURROGATE class is active and you have defined SURROGATE records or have changed the value of any SURROGATE record from its default, CA ControlMinder retains the SURROGATE class configuration after the upgrade. The class remains active and kernel mode interception remains enabled.

Note: For more information about CA ControlMinder classes, see the selang Reference Guide.