

Restricting Terminals for Root Users

Another issue to consider is the default rule of the TERMINAL class. In the initial implementation stages, the default is set to permit access to any resource that is not defined in the database. For the TERMINAL class, this can be a shortcoming.

Consider the following situation: A site has a few hundred terminals, and you want most users to be able to log in from any terminal, but you want root to be able to log in only from two predefined terminals.

Consider first that setting the default of the TERMINAL class to READ enables anyone, including root, to log in from any terminal that does not have a specific TERMINAL record in the database; you do not want the superuser to be able to log in from any terminal. On the other hand, setting the default of the TERMINAL class to NONE forces you to define each terminal in the database, which may be impractical.

To solve this problem, CA ControlMinder supports the definition of an access control list within the _default record of the TERMINAL class. The following commands show you how to restrict root to two terminals with minimum effort:

newres TERMINAL term1 defaccess(N) owner(root)
newres TERMINAL term2 defaccess(N) owner(root)
newres TERMINAL _default defaccess(R)
authorize TERMINAL _default uid(root) access(N)

The first two commands define term1 and term2 as terminals owned by root with a default access of NONE, so they are eligible for superuser login. The newres TERMINAL _default command (or chres, if the _default record already exists) sets the default access to READ, so that any terminal not defined in the database is accessible to anyone. The authorize command adds an access control list entry to the _default record that explicitly denies the superuser access to undefined terminals.
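As an added illustration, not part of CA's documentation or the product's code, the following Python model applies the four rules above to a constructed copy of the database so you can verify the effective access matrix before deploying it. It assumes a simplified evaluation order (a resource's owner is always permitted, an explicit ACL entry overrides the record's defaccess, and a terminal with no record of its own falls back to the _default record); the user alice and the terminal term3 are constructed stand-ins.

```python
# Simplified model of TERMINAL access resolution (added example, not
# ControlMinder code). Assumed evaluation order: owner, then explicit ACL
# entry, then the record's defaccess; undefined terminals use _default.

# Access levels used on this page: R (READ, login permitted) and N (NONE).
DENY, READ = "N", "R"

# Constructed database mirroring the four selang commands on this page.
TERMINAL_DB = {
    "term1":    {"defaccess": DENY, "owner": "root", "acl": {}},
    "term2":    {"defaccess": DENY, "owner": "root", "acl": {}},
    "_default": {"defaccess": READ, "owner": None,   "acl": {"root": DENY}},
}


def terminal_access(user, terminal, db=TERMINAL_DB):
    """Return 'R' if user may log in from terminal, otherwise 'N'."""
    rec = db.get(terminal)
    if rec is None:
        # No specific record: the _default record's ACL and defaccess apply.
        rec = db["_default"]
    if rec["owner"] == user:
        return READ                  # the owner is always permitted
    if user in rec["acl"]:
        return rec["acl"][user]      # an explicit ACL entry wins over defaccess
    return rec["defaccess"]


def access_matrix(users, terminals, db=TERMINAL_DB):
    """Effective access for every (user, terminal) pair, for review."""
    return {(u, t): terminal_access(u, t, db) for u in users for t in terminals}


if __name__ == "__main__":
    # term3 stands for any of the site's hundreds of undefined terminals.
    matrix = access_matrix(["root", "alice"], ["term1", "term2", "term3"])
    for (u, t), a in matrix.items():
        print(f"{u:6} {t:6} {a}")
```

The printed matrix should show root permitted only on term1 and term2, and alice permitted only on the undefined terminal; any other result means the rules were entered differently than intended.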

Note: The UACC class still exists; you can use it to specify the default access of a resource. However, using _default records to specify the default access of a resource is much easier.