Previous Topic: WINSERVICE ClassNext Topic: XUSER Class


XGROUP Class

Each record in the XGROUP class defines a group of users in the database.

The key of each XGROUP class record is the name of the group.

Note: The properties of profile groups apply to each user associated with the profile group. However, if the same property is specified in a user (USER or XUSER) record, the user record overrides those in the profile group record.

You can change most of these properties from the CA ControlMinder Endpoint Management, or by using the selang command chxgrp.

Note: In most cases, and unless otherwise indicated, to change a property using chxgrp, you use the property name as the command parameter.

You can view all properties from the CA ControlMinder Endpoint Management, or by using the selang command showxgrp.

APPLS

(Informational) Displays the list of applications that the accessor is authorized to access. Used by eTrust SSO.

AUDIT_MODE

Defines the activities that CA ControlMinder records in the audit log. You can specify any combination of the following activities:

Note: This property corresponds to the audit parameter of the ch[x]usr and ch[x]grp commands. You can use AUDIT_MODE for a GROUP or XGROUP to set the audit mode for all members of the group. However, you cannot use AUDIT_MODE to set the audit mode for group members if a user's audit mode is defined in a USER record, XUSER record, or profile group.

AUTHNMTHD

(Informational) Displays the authentication method or methods to be used with the group record; from method 1 to method 32, or none. Used by eTrust SSO.

CALENDAR

Represents a Unicenter TNG calendar object for user, group, and resource restrictions in CA ControlMinder. CA ControlMinder fetches Unicenter TNG active calendars at specified time intervals.

COMMENT

Defines additional information that you want to include in the record. CA ControlMinder does not use this information for authorization.

Limit: 255 characters.

CREATE_TIME

(Informational) Displays the date and time when the record was created.

DAYTIME

Defines the day and time restrictions that govern when an accessor can access a resource.

Use the restrictions parameter with the chres, ch[x]usr, or ch[x]grp commands to modify this property.

The resolution of daytime restrictions is one minute.

EXPIRE_DATE

Defines the date on which an accessor becomes invalid. A value for the EXPIRE_DATE property in a user record overrides a value in a group record.

Note: This property corresponds to the expire[-] parameter of the ch[x]usr and ch[x]grp commands.

FULLNAME

Defines the full name associated with an accessor. CA ControlMinder uses the full name to identify the accessor in audit log messages, but not for authorization.

FULLNAME is an alphanumeric string. For groups the maximum length is 255 characters. For users the maximum length is 47 characters.

GAPPLS

Defines the list of application groups that the group is authorized to access. Used by eTrust SSO.

GROUP_MEMBER

Defines the groups that are members of this group.

GROUP_TYPE

Specifies the group authority attributes. Each of these attributes corresponds to the parameter of the same name in the ch[x]grp command. A group can have one or more of the following authority attributes:

ADMIN

Specifies whether a user who belongs to the group can perform administrative functions, similar to root in the UNIX environment.

AUDITOR

Specifies whether a user who belongs to the group can monitor the system, list information in the database, and set the audit mode for existing records.

OPERATOR

Specifies whether a user who belongs to the group can list everything in the database and use the secons utility.

PWMANAGER

Specifies whether a user who belongs to the group can modify the password settings of other users and can enable a user account that has been disabled by the serevu utility.

SERVER

Specifies whether a process can ask users who belong to the group for authorization and can issue the SEOSROUTE_VerifyCreate API call.

MEMBER_OF

Defines the groups that this group is a member of.

OWNER

Defines the user or group that owns the record.

PROFUSR

Displays a list of the users associated with this profile group.

PWD_AUTOGEN

Indicates whether the group password is automatically generated. The default is no. Used by eTrust SSO.

PWD_SYNC

Indicates whether the group password is automatically kept identical for all group applications. The default is no. Used by eTrust SSO.

PWPOLICY

Defines the record name of the password policy for the group. A password policy is a set of rules for checking the validity of a new password and for defining when a password expires. The default is no validity check. Used by eTrust SSO.

REVACL

Displays the accessor's access control lists.

SHELL

(UNIX only) The shell program assigned to a new UNIX user when the user is a member of this group.

Use the shellprog parameter with the chxgrp command to modify this property.

SUBGROUP

Displays the list of groups that have this group as a parent.

SUPGROUP

Defines the name of the parent group (“superior” group).

Use the parent[-] parameter with the ch[x]grp command to modify this property.

SUSPEND_DATE

Defines the date on which a user account is suspended and so becomes invalid.

If the suspend date for a record precedes its resume date, the user can work before the suspend date and after the resume date.

The timeline shows what happens when a resume date follows the suspend date

If a user has a resume date that is earlier than the suspend date, the record is also invalid before the resume date. The user can work only between the resume and suspend dates.

The timeline shows what happens when a resume date precedes the suspend date

A value for the SUSPEND_DATE property in a user record overrides the value in a group record.

Note: This property corresponds to the suspend[-] parameter of the ch[x]usr and ch[x]grp commands.

SUSPEND_WHO

Displays the administrator who activated the suspend date.

UPDATE_TIME

(Informational) Displays the date and time when the record was last modified.

UPDATE_WHO

(Informational) Displays the administrator who performed the update.

USERLIST

Displays the users that belong to the group.

The user list contained in this property may be different from the one in the native environment USERS property.