The SEOS class controls the behavior of the CA ControlMinder authorization system.
The class contains only one record, called SEOS, which specifies general security and authorization options. To view or change the status of SEOS class properties, use the setoptions command.
The following definitions describe the properties contained in this class record. Most properties are modifiable and can be manipulated using selang or the administration interfaces. Non-modifiable properties are marked informational.
Indicates the order in which the UACC (defaccess) and PACL lists are scanned during authorization.
When ACCPACL is active and explicit access is provided for a user through an ACL, then that access is the allowed access. If there is no explicit access through an ACL but explicit access is defined through a PACL, then the PACL access is the allowed access. If neither ACL nor PACL contains explicit access, defaccess is checked for access definitions.
If ACCPACL is not activated, the ACL is still checked first for explicit access. If the ACL contains no explicit access definitions for the resource being checked, defaccess definitions are checked next. If no explicit access is defined in defaccess, then the PACL access definitions are checked.
When CA ControlMinder is installed, the value of this property is set to yes.
Use the accpacl or accpacl‑ parameter with the setoptions command to modify this property.
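The following Python model is an added illustration of the scan order described above, not CA ControlMinder code. It shows how the same request resolves with ACCPACL on and off. The dictionary layout, the (user, program) keying of the PACL, and all names and sample values are assumptions made for the example.

```python
# Model of the scan order described for ACCPACL. Added illustration only:
# the dict layout and names are assumptions, not CA ControlMinder code.

def resolve_access(resource, user, program, accpacl=True):
    """Return (list_name, access) from the first list holding explicit access."""
    acl = resource.get("acl", {})      # user -> access
    pacl = resource.get("pacl", {})    # (user, program) -> access
    hits = {}
    if user in acl:
        hits["acl"] = acl[user]
    if (user, program) in pacl:
        hits["pacl"] = pacl[(user, program)]
    if resource.get("defaccess") is not None:
        hits["defaccess"] = resource["defaccess"]

    # The ACL is always first; ACCPACL decides whether PACL or defaccess is next.
    order = ("acl", "pacl", "defaccess") if accpacl else ("acl", "defaccess", "pacl")
    for name in order:
        if name in hits:
            return name, hits[name]
    return None, None  # nothing defined; the page does not cover this case


# Constructed sample: no ACL entry for alice, a PACL grant through one
# program, and a restrictive default access.
SAMPLE = {
    "acl": {"bob": "read,write"},
    "pacl": {("alice", "/opt/app/report"): "read"},
    "defaccess": "none",
}


def compare(resource, user, program):
    """Resolve the same request with ACCPACL on and off."""
    return {
        "accpacl_on": resolve_access(resource, user, program, accpacl=True),
        "accpacl_off": resolve_access(resource, user, program, accpacl=False),
    }


if __name__ == "__main__":
    for mode, result in compare(SAMPLE, "alice", "/opt/app/report").items():
        print(mode, result)
```

In this model, with ACCPACL off the PACL entry is reached only for resources that have no explicit defaccess definition, so the sample request resolves to the default access instead of the PACL grant.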
Indicates whether the ADMIN class is active. Normally the ADMIN class is active and controls permission to perform security administration tasks. If the ADMIN class were inactive, all users could work as CA ControlMinder administrators.
Indicates whether the APPL class is active.
Indicates whether the AUTHHOST class is active.
Indicates whether the CALENDAR class is active.
Indicates whether the CATEGORY class is active.
Indicates whether a user with the PWMANAGER attribute can change an ADMIN user password using selang. The default is yes.
Use the class+ or class- parameter and the cng_adminpwd option with the setoptions command to activate or inactivate this property.
Indicates whether users can change their own passwords using selang.
Use the class+ or class- parameter and the cng_ownpwd option with the setoptions command to activate or inactivate this property.
Defines additional information that you want to include in the record. CA ControlMinder does not use this information for authorization.
Limit: 255 characters.
Indicates whether the CONNECT class is active. When the CONNECT class is active, records in the class protect the outgoing connections.
If the HOST class is active, the CONNECT class is not used as an active class, even when activated.
If the TCP class is active, the CONNECT class is not used as an active class.
(Informational) Displays the date and time when the record was created.
(UNIX only) Indicates whether CA ControlMinder checks the daytime restrictions on resources.
List of DMS servers this database should send notifications to.
(Windows only) Indicates whether the DOMAIN class is active.
(Informational) The date and time the database files were last closed in an orderly manner.
Indicates whether the FILE class is active. When the FILE class is active, records in the class protect files and directories.
The accumulative group rights option (ACCGRR) affects how CA ControlMinder checks a resource's ACL. If ACCGRR is enabled, CA ControlMinder checks the ACL for the authorities granted from all the groups to which the user belongs. If ACCGRR is disabled, CA ControlMinder checks the ACL to see if any of the applicable entries contain the value none. If so, access is denied. Otherwise CA ControlMinder ignores all group entries except the first applicable one in the access control list.
Use the setoptions ACCGRR command to enable or disable this property.
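The following Python model is an added illustration of the ACCGRR behavior described above, not CA ControlMinder code. The ACL layout, group names, and rights are constructed for the example. How a "none" entry is treated when ACCGRR is enabled is not stated on this page, so the model's handling of that case is an assumption.

```python
# Model of ACL group-entry evaluation with ACCGRR on and off. Added
# illustration only: the ACL layout and names are assumptions.

NONE = frozenset()  # stands for an ACL entry whose access value is "none"


def group_rights(acl, user_groups, accgrr):
    """acl is an ordered list of (group, rights); returns the effective rights.

    Returns None when no entry applies to any of the user's groups.
    """
    applicable = [rights for group, rights in acl if group in user_groups]
    if not applicable:
        return None
    if accgrr:
        # Enabled: accumulate the authorities granted by every applicable group.
        # The page does not say how a "none" entry is treated in this mode;
        # in this model it simply adds no rights.
        return frozenset().union(*applicable)
    # Disabled: any applicable "none" entry denies access outright ...
    if NONE in applicable:
        return NONE
    # ... otherwise only the first applicable entry in the ACL counts.
    return frozenset(applicable[0])


# Constructed sample ACL, in list order.
ACL = [
    ("staff", frozenset({"read"})),
    ("dev", frozenset({"read", "write"})),
    ("contractors", NONE),
]

if __name__ == "__main__":
    for groups in ({"staff", "dev"}, {"dev", "contractors"}):
        for accgrr in (True, False):
            rights = group_rights(ACL, groups, accgrr)
            print(sorted(groups), "ACCGRR" if accgrr else "no ACCGRR", sorted(rights))
```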
Indicates whether the HOLIDAY class is active. When the HOLIDAY class is active, users need extra permission to log in during defined Holiday periods.
Indicates whether the HOST class is active. When the HOST class is active, CA ControlMinder protects incoming TCP/IP service requests from remote hosts.
If the HOST class is active, the TCP and CONNECT classes are not used as active classes, even when activated.
The default for the HOST class is active.
Indicates the number of inactive days after which user login is suspended. An inactive day is a day in which the user does not log in.
A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record.
Use the inactive or inactive‑ parameter with the setoptions command to update this property.
True if the PMDB serves as a DMS.
(UNIX only) Indicates whether the LOGINAPPL class is active.
The maximum number of concurrent logins (terminal sessions) a user is allowed, after which the user is denied access. A zero value indicates no maximum and the user can log in to any number of terminal sessions concurrently. The value must be either zero or greater than 1 if the user wants to log in and run selang or otherwise administer the database, because CA ControlMinder considers each task (login, selang, GUI, and so forth) to be a terminal session.
A value for the MAXLOGINS property in a USER record overrides a value in a GROUP record. Both override the MAXLOGINS property in the SEOS class record. The value in the SEOS record is the default value used when there is no explicit value in the accessor record.
Use the maxlogins parameter with the chres, editres, and newres commands to modify this property for the SEOS class.
Indicates whether the MFTERMINAL class is active.
Indicates the password rules. This property contains a number of fields that determine how CA ControlMinder handles password protection. For a complete list of the rules, see the modifiable property PROFILE of the USER class.
Use the password parameter and the rules or rules‑ option with the setoptions command to modify this property.
Indicates whether password checking is active.
Use the class+ or class- parameter and the PASSWORD option with the setoptions command to activate or inactivate this property.
Indicates whether the PROCESS class is active. When the PROCESS class is active, records in the class protect defined processes from kill attempts.
The file must also be defined in the FILE class.
Indicates whether the PROGRAM class is active. When the PROGRAM class is active, records in the class protect defined programs that were marked as Trusted.
Indicates whether the PWPOLICY class is active.
(Windows only) Indicates whether the REGKEY class is active.
(Windows only) Indicates whether the REGVAL class is active.
Indicates whether the RESOURCE_DESC class is active.
Indicates whether the RESPONSE_TAB class is active.
Indicates whether the SECLABEL class is active.
Indicates whether the SECLEVEL class is active.
(Informational) The date and time the database files were last opened.
Indicates whether the SUDO class, used by sesudo, is active.
Specifies the default audit mode (systemwide audit mode) for users and enterprise users.
Default: Failure LoginSuccess LoginFailure
Indicates whether the SURROGATE class is active. When the SURROGATE class is active, CA ControlMinder protects surrogate requests.
Indicates whether the TCP class is active. When the TCP class is active, CA ControlMinder protects incoming and outgoing TCP services such as mail, ftp, and http.
If the HOST class is active, the TCP class is not used as an active class, even when activated.
If the TCP class is active, the CONNECT class is not used as an active class.
Indicates whether the TERMINAL class is active. When the TERMINAL class is active, CA ControlMinder performs a terminal access check during sign‑on and protects X‑window sessions.
Indicates whether the USER_ATTR class is active.
Indicates whether the USER_DIR class is active.
(Informational) Displays the date and time when the record was last modified.
(Informational) Displays the administrator who performed the update.
Copyright © 2013 CA Technologies.
All rights reserved.