If an enterprise account (user or group) with associated database rules is recycled (deleted and created with the same name), the old database rules appear to apply to the new account. However, as CA ControlMinder authorization is based on SID, these rules no longer apply, and you need to create new rules for the new group. Before you can create the new rules, you have to resolve recycled accounts.
Follow these steps:
secons -checkSID -users
secons -checkSID -groups
CA ControlMinder works through all the enterprise user accounts it has (XUSER records) and then all the group accounts (XGROUP records) and identifies accounts with an SID that differs from the SID of the enterprise account. It renames these accounts in CA ControlMinder using the following naming convention: SID (accountName)
Note: Recycled user accounts are resolved in this way when the user logs in or tries to access a resource. We recommend you run the secons -checkSID command as a scheduled task when you create an enterprise account.
Example: A Recycled Group Account
Company ABCD has a group called interns in its enterprise store. The group has nine members and they are working on productA. The administrator makes the group known to CA ControlMinder and assigns it access permissions to the files group members need to access, as follows:
nxg interns owner(msmith)
auth file c:\products\productA\materials\* xgid(interns) access(all)
auth file c:\HR\interns\* xgid(interns) access(read)
When the interns complete their tenure with ABCD, the enterprise store administrator deletes the group. Three months later, a new group of interns with six members is created in the enterprise store, with the same name. The old rules in the CA ControlMinder database still exist so it seems like the new interns group inherited the permissions of the old group. However, these rules apply to the old interns group and the CA ControlMinder administrator needs to create new rules for the new group.
To do this, the administrator has to identify and resolve the recycled interns account, as follows:
secons -checkSID -groups interns
This renames the XGROUP resource, and any access rule references to it, to "SID (domain\interns)". Now, the administrator can create new rules for the new interns group, which works on productB:
nxg interns owner(msmith)
auth file c:\products\productB\materials\* xgid(interns) access(all)
auth file c:\HR\interns\* xgid(interns) access(read)
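As an added illustration (not CA ControlMinder code), the following Python model replays the interns example: rules bind to the SID stored on the XGROUP record, so the recycled group never matches them even though the names agree, and a checkSID-style pass renames the stale record to "SID (domain\name)" before the new rules are written. The SIDs, the domain name ABCD and the record structures are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class XGroup:
    name: str  # record name in the ControlMinder database
    sid: str   # SID captured when the group was made known to ControlMinder

@dataclass
class FileRule:
    path: str
    xgid: str   # name of the XGROUP record the rule references
    access: str

def rule_applies(rule, groups, requester_sid):
    """Authorization is by SID: match only if the referenced XGROUP record's SID equals the requester's."""
    rec = groups.get(rule.xgid)
    return rec is not None and rec.sid == requester_sid

def check_sid(groups, rules, enterprise_sids, domain):
    """Model of 'secons -checkSID -groups': records whose stored SID differs from the
    current enterprise SID are renamed 'SID (domain\\name)'; rule references follow."""
    renamed = []
    for name in list(groups):
        rec = groups[name]
        current = enterprise_sids.get(name)
        if current is not None and current != rec.sid:
            new_name = f"SID ({domain}\\{name})"
            groups[new_name] = XGroup(new_name, rec.sid)
            del groups[name]
            for r in rules:
                if r.xgid == name:
                    r.xgid = new_name
            renamed.append((name, new_name))
    return renamed

def recycled_interns_scenario():
    """Replays the interns example; the SIDs are constructed placeholders."""
    old_sid, new_sid = "S-1-5-21-EXAMPLE-1105", "S-1-5-21-EXAMPLE-1342"
    groups = {"interns": XGroup("interns", old_sid)}
    rules = [FileRule(r"c:\products\productA\materials\*", "interns", "all"),
             FileRule(r"c:\HR\interns\*", "interns", "read")]
    # The recycled group has a new SID: the old rules look inherited but never match.
    before = [rule_applies(r, groups, new_sid) for r in rules]
    renamed = check_sid(groups, rules, {"interns": new_sid}, "ABCD")
    # The administrator re-registers the new group and writes its productB rules.
    groups["interns"] = XGroup("interns", new_sid)
    rules.append(FileRule(r"c:\products\productB\materials\*", "interns", "all"))
    after = [rule_applies(r, groups, new_sid) for r in rules]
    return before, renamed, after, groups, rules
```

The old rules stay attached to the renamed record and its original SID, which is why they must be re-created rather than reused.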
Note: For more information on the secons utility, see the Reference Guide.
Copyright © 2013 CA Technologies.
All rights reserved.