

SEOS Class

The SEOS class controls the behavior of the CA ControlMinder authorization system.

The class contains only one record, called SEOS, which specifies general security and authorization options. To view or change the status of SEOS class properties, use the setoptions command.

The following definitions describe the properties contained in this class record. Most properties are modifiable and can be manipulated using selang or the administration interfaces. Non-modifiable properties are marked informational.

ACCPACL

Indicates the order in which the UACC (defaccess) and PACL lists are scanned during authorization.

When ACCPACL is active and explicit access is provided for a user through an ACL, then that access is the allowed access. If there is no explicit access through an ACL but explicit access is defined through a PACL, then the PACL access is the allowed access. If neither ACL nor PACL contains explicit access, defaccess is checked for access definitions.

If ACCPACL is not activated, the ACL is still checked first for explicit access. If the ACL contains no explicit access definitions for the resource being checked, defaccess definitions are checked next. If no explicit access is defined in defaccess, then the PACL access definitions are checked.

When CA ControlMinder is installed, the value of this property is set to yes.

Use the accpacl or accpacl‑ parameter with the setoptions command to modify this property.
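
The scan order described above, as an added Python model that is not CA ControlMinder code. The Resource layout, the PACL key of (accessor, program), and the sample names and paths are assumptions made for illustration. It reports which requests would get a different result if ACCPACL were toggled.

```python
# Simplified model of the ACCPACL scan order; added illustration, not product code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Resource:
    """Constructed stand-in for a resource record (not the product's schema)."""
    acl: dict = field(default_factory=dict)    # accessor -> access
    pacl: dict = field(default_factory=dict)   # (accessor, program) -> access
    defaccess: Optional[str] = None            # None = no explicit definition

def resolve(res, accessor, program, accpacl):
    """Return (access, source) following the documented scan order."""
    found = {
        "ACL": res.acl.get(accessor),
        "PACL": res.pacl.get((accessor, program)),
        "defaccess": res.defaccess,
    }
    # The ACL is always scanned first; ACCPACL only swaps the last two lists.
    order = ["ACL", "PACL", "defaccess"] if accpacl else ["ACL", "defaccess", "PACL"]
    for source in order:
        if found[source] is not None:
            return found[source], source
    return None, "no explicit definition"      # outcome is outside this model

def toggle_impact(res, requests):
    """List requests whose result differs between accpacl and accpacl-."""
    changed = []
    for accessor, program in requests:
        on = resolve(res, accessor, program, True)
        off = resolve(res, accessor, program, False)
        if on != off:
            changed.append((accessor, program, on, off))
    return changed

# Constructed sample data.
PAYROLL = Resource(
    acl={"alice": "read"},
    pacl={("alice", "/opt/payroll/bin/report"): "write",
          ("bob", "/opt/payroll/bin/report"): "read"},
    defaccess="none",
)
REQUESTS = [("alice", "/opt/payroll/bin/report"),
            ("bob", "/opt/payroll/bin/report"),
            ("bob", "/bin/cat")]

if __name__ == "__main__":
    for row in toggle_impact(PAYROLL, REQUESTS):
        print(row)
```
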

ADMIN

Indicates whether the ADMIN class is active. Normally the ADMIN class is active and controls permission to perform security administration tasks. If the ADMIN class were inactive, all users could work as CA ControlMinder administrators.

APPL

Indicates whether the APPL class is active.

AUTHHOST

Indicates whether the AUTHHOST class is active.

CALENDAR

Indicates whether the CALENDAR class is active.

CATEGORY

Indicates whether the CATEGORY class is active.

CNG_ADMIN_PWD

Indicates whether a user with the PWMANAGER attribute can change an ADMIN user password using selang. The default is yes.

Use the class+ or class- parameter and the cng_adminpwd option with the setoptions command to activate or inactivate this property.

CNG_OWN_PWD

Indicates whether users can change their own passwords using selang.

Use the class+ or class- parameter and the cng_ownpwd option with the setoptions command to activate or inactivate this property.

COMMENT

Defines additional information that you want to include in the record. CA ControlMinder does not use this information for authorization.

Limit: 255 characters.

CONNECT

Indicates whether the CONNECT class is active. When the CONNECT class is active, records in the class protect the outgoing connections.

If the HOST class is active, the CONNECT class is not used as an active class, even when activated.

If the TCP class is active, the CONNECT class is not used as an active class.

CREATE_TIME

(Informational) Displays the date and time when the record was created.

DAYTIMERES

(UNIX only) Indicates whether CA ControlMinder checks the daytime restrictions on resources.

DMS

List of DMS servers this database should send notifications to.

DOMAIN

(Windows only) Indicates whether the DOMAIN class is active.

ENDTIME

(Informational) The date and time the database files were last closed in an orderly manner.

FILE

Indicates whether the FILE class is active. When the FILE class is active, records in the class protect files and directories.

ACCGRR

The accumulative group rights option (ACCGRR) affects how CA ControlMinder checks a resource's ACL. If ACCGRR is enabled, CA ControlMinder checks the ACL for the authorities granted from all the groups to which the user belongs. If ACCGRR is disabled, CA ControlMinder checks the ACL to see if any of the applicable entries contain the value none. If so, access is denied. Otherwise CA ControlMinder ignores all group entries except the first applicable one in the access control list.

Use the setoptions ACCGRR command to enable or disable this property.
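
The two ACCGRR modes, as an added Python model that is not CA ControlMinder code. The ACL layout, group names and rights are constructed, and the handling of a none entry while ACCGRR is enabled is an assumption, because the text above does not state it. The order_sensitive helper lists users whose result with ACCGRR disabled depends on the order of entries in the ACL.

```python
# Simplified model of the ACCGRR rules above; added illustration, not product code.
NONE = frozenset()   # models an ACL entry whose value is "none"

def group_rights(acl, user_groups, accgrr):
    """acl is an ordered list of (group, rights). Returns the rights that the
    group entries yield, or None when no group entry applies to the user."""
    applicable = [rights for group, rights in acl if group in user_groups]
    if not applicable:
        return None
    if accgrr:
        # Enabled: accumulate authorities from all of the user's groups.
        # Assumption (not stated on the page): "none" adds nothing to the union.
        return frozenset().union(*applicable)
    # Disabled: any applicable "none" entry denies access ...
    if NONE in applicable:
        return NONE
    # ... otherwise only the first applicable entry in ACL order is used.
    return applicable[0]

def order_sensitive(acl, memberships):
    """Users whose rights with ACCGRR disabled change if the ACL is reversed."""
    flagged = []
    for user, groups in memberships.items():
        forward = group_rights(acl, groups, accgrr=False)
        backward = group_rights(list(reversed(acl)), groups, accgrr=False)
        if forward != backward:
            flagged.append(user)
    return flagged

# Constructed sample ACL and group memberships.
ACL = [("dev", frozenset({"read"})),
       ("ops", frozenset({"read", "write"})),
       ("contractors", NONE)]
MEMBERS = {"carol": {"dev", "ops"},
           "dave": {"ops", "contractors"},
           "erin": {"dev"}}

if __name__ == "__main__":
    for user, groups in MEMBERS.items():
        print(user, sorted(group_rights(ACL, groups, True)),
              sorted(group_rights(ACL, groups, False)))
    print("order-sensitive:", order_sensitive(ACL, MEMBERS))
```
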

HOLIDAY

Indicates whether the HOLIDAY class is active. When the HOLIDAY class is active, users need extra permission to log in during defined Holiday periods.

HOST

Indicates whether the HOST class is active. When the HOST class is active, CA ControlMinder protects incoming TCP/IP service requests from remote hosts.

If the HOST class is active, the TCP and CONNECT classes are not used as active classes, even when activated.

The default for the HOST class is active.

INACT

Indicates the number of inactive days after which user login is suspended. An inactive day is a day in which the user does not log in.

A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record.

Use the inactive or inactive‑ parameter with the setoptions command to update this property.

ISDMS

True if the PMDB serves as a DMS.

LOGINAPPL

(UNIX only) Indicates whether the LOGINAPPL class is active.

MAXLOGINS

The maximum number of concurrent logins (terminal sessions) a user is allowed, after which the user is denied access. A zero value indicates no maximum and the user can log in to any number of terminal sessions concurrently. The value must be either zero or greater than 1 if the user wants to log in and run selang or otherwise administer the database, because CA ControlMinder considers each task (login, selang, GUI, and so forth) to be a terminal session.

A value for the MAXLOGINS property in a USER record overrides a value in a GROUP record. Both override the MAXLOGINS property in the SEOS class record. The value in the SEOS record is the default value used when there is no explicit value in the accessor record.

Use the maxlogins parameter with the chres, editres, and newres commands to modify this property for the SEOS class.

MFTERMINAL

Indicates whether the MFTERMINAL class is active.

PASSWDRULES

Indicates the password rules. This property contains a number of fields that determine how CA ControlMinder handles password protection. For a complete list of the rules, see the modifiable property PROFILE of the USER class.

Use the password parameter and the rules or rules‑ option with the setoptions command to modify this property.

PASSWORD

Indicates whether password checking is active.

Use the class+ or class- parameter and the PASSWORD option with the setoptions command to activate or inactivate this property.

PROCESS

Indicates whether the PROCESS class is active. When the PROCESS class is active, records in the class protect defined processes from kill attempts.

The file must also be defined in the FILE class.

PROGRAM

Indicates whether the PROGRAM class is active. When the PROGRAM class is active, records in the class protect defined programs that were marked as Trusted.

PWPOLICY

Indicates whether the PWPOLICY class is active.

REGKEY

(Windows only) Indicates whether the REGKEY class is active.

REGVAL

(Windows only) Indicates whether the REGVAL class is active.

RESOURCE_DESC

Indicates whether the RESOURCE_DESC class is active.

RESPONSE_TAB

Indicates whether the RESPONSE_TAB class is active.

SECLABEL

Indicates whether the SECLABEL class is active.

SECLEVEL

Indicates whether the SECLEVEL class is active.

STARTTIME

(Informational) The date and time the database files were last opened.

SUDO

Indicates whether the SUDO class, used by sesudo, is active.

SYSTEM_AAUDIT_MODE

Specifies the default audit mode (systemwide audit mode) for users and enterprise users.

Default: Failure LoginSuccess LoginFailure

SURROGATE

Indicates whether the SURROGATE class is active. When the SURROGATE class is active, CA ControlMinder protects surrogate requests.

TCP

Indicates whether the TCP class is active. When the TCP class is active, CA ControlMinder protects incoming and outgoing TCP services such as mail, ftp, and http.

If the HOST class is active, the TCP class is not used as an active class, even when activated.

If the TCP class is active, the CONNECT class is not used as an active class.

TERMINAL

Indicates whether the TERMINAL class is active. When the TERMINAL class is active, CA ControlMinder performs a terminal access check during sign‑on and protects X‑window sessions.

USER_ATTR

Indicates whether the USER_ATTR class is active.

USER_DIR

Indicates whether the USER_DIR class is active.

UPDATE_TIME

(Informational) Displays the date and time when the record was last modified.

UPDATE_WHO

(Informational) Displays the administrator who performed the update.
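
A settings review based on the ADMIN, HOST, TCP, CONNECT and MAXLOGINS entries above, as an added Python example that is not CA ControlMinder code. The snapshot layout, the administers flag and the user names are constructed for illustration and are not an export format of the product. It flags activated network classes that are not used, an inactive ADMIN class, and administrators whose effective MAXLOGINS is 1.

```python
# Added illustration: the snapshot layout below is constructed, not an export format.
NETWORK_PRECEDENCE = ["HOST", "TCP", "CONNECT"]   # earlier classes shadow later ones

def network_classes(active):
    """Return (class actually used, activated classes that are not used)."""
    on = [c for c in NETWORK_PRECEDENCE if active.get(c)]
    return (on[0], on[1:]) if on else (None, [])

def effective(user_value, group_value, seos_value):
    """USER record overrides GROUP record; both override the SEOS record."""
    for value in (user_value, group_value, seos_value):
        if value is not None:        # 0 is a real value (no maximum), not "unset"
            return value
    return None

def review(snapshot):
    """Return a list of findings for one constructed settings snapshot."""
    findings = []
    used, unused = network_classes(snapshot["classes"])
    for name in unused:
        findings.append(f"{name} activated but not used: {used} is active")
    if not snapshot["classes"].get("ADMIN"):
        findings.append("ADMIN inactive: all users could work as administrators")
    for user in snapshot["users"]:
        limit = effective(user.get("MAXLOGINS"), user.get("group_MAXLOGINS"),
                          snapshot["MAXLOGINS"])
        # Each task (login, selang, GUI) counts as a terminal session.
        if user.get("administers") and limit == 1:
            findings.append(f"{user['name']}: MAXLOGINS=1 blocks login plus selang")
    return findings

SNAPSHOT = {   # constructed sample values
    "classes": {"HOST": True, "TCP": True, "CONNECT": False, "ADMIN": True},
    "MAXLOGINS": 0,
    "users": [
        {"name": "secadmin", "group_MAXLOGINS": 1, "administers": True},
        {"name": "auditor", "MAXLOGINS": 3, "group_MAXLOGINS": 1,
         "administers": True},
    ],
}

if __name__ == "__main__":
    for finding in review(SNAPSHOT):
        print(finding)
```
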