

Conditional Access Control Lists

Conditional access control lists (CACLs) extend ACLs. When an accessor attempts to access a resource and the resource's ACL and NACL do not define an access authority for that accessor, CA ControlMinder examines the resource's conditional access control lists.

A conditional access control list specifies access to a resource that is granted only when the access is made by a particular method, for example, through a specified program.

For example, you can use a conditional access control list to define a program pathing rule.

CA ControlMinder allows the following conditional access control lists:

To define an entry in a conditional access control list, use the via option of the selang authorize command.

In common with other access control lists, each entry in a conditional access control list specifies the accessors that are granted access to the resource, together with the type of access that they are granted. In addition, an entry in a conditional access control list specifies the condition under which the authority applies. For a PACL, the condition is the name of a program that the accessor must be running for the access to be granted.

Example: Using a PACL

To allow the enterprise user sysadm1 to become superuser only by running the program secured_su, specify the corresponding conditional access rule with the following selang command. Because CA ControlMinder consults the PACL only when the ACL and NACL define no authority for sysadm1 on user.root, the program condition is enforced only if no ACL entry grants sysadm1 unconditional access to that resource.

authorize SURROGATE user.root xuid(sysadm1) via(pgm(secured_su))
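As an added illustration (not CA ControlMinder code), the following Python model walks through the lookup order described above: the NACL and ACL are checked first, the PACL is consulted only when those define no authority for the accessor, and a default access set is the final fallback. The resource user.root, the accessor sysadm1 and the program secured_su are taken from the selang example; the access type read, the denial-first ordering between NACL and ACL, and the default-access fallback are assumptions of the model, not documented CA ControlMinder behaviour.

```python
# Added illustration of the lookup order described on this page; it is a
# simplified model, not CA ControlMinder code.  Constructed sample data:
# resource user.root (class SURROGATE), accessor sysadm1, program secured_su.
# The access type "read", the NACL-before-ACL ordering and the fallback to a
# default access set are assumptions.

from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    acl: dict = field(default_factory=dict)   # accessor -> set of granted accesses
    nacl: dict = field(default_factory=dict)  # accessor -> set of denied accesses
    # Conditional (PACL) entries: (accessor, program) -> set of accesses
    # granted only while the accessor is running that program.
    pacl: dict = field(default_factory=dict)
    defaccess: set = field(default_factory=set)  # assumed fallback


def check_access(res: Resource, accessor: str, requested: str, program: str) -> bool:
    """Decide whether `accessor`, running `program`, gets `requested` on `res`."""
    # 1. NACL: an explicit denial applies regardless of program.
    if requested in res.nacl.get(accessor, set()):
        return False
    # 2. ACL: an explicit entry is unconditional, so a grant here makes any
    #    PACL condition for the same accessor irrelevant.
    if accessor in res.acl:
        return requested in res.acl[accessor]
    # 3. Neither list defines an authority: consult the conditional list.
    #    The entry applies only when the request comes through the named program.
    via = res.pacl.get((accessor, program))
    if via is not None:
        return requested in via
    # 4. No entry matched: fall back to the resource's default access (assumed).
    return requested in res.defaccess


def pacl_only() -> Resource:
    """user.root with a single PACL entry, as in the selang example above."""
    return Resource(
        name="user.root",
        pacl={("sysadm1", "secured_su"): {"read"}},
    )


def acl_also_grants() -> Resource:
    """Same resource, but an ACL entry also grants sysadm1 unconditionally."""
    res = pacl_only()
    res.acl["sysadm1"] = {"read"}
    return res


def nacl_denies() -> Resource:
    """Same resource, but a NACL entry denies sysadm1."""
    res = pacl_only()
    res.nacl["sysadm1"] = {"read"}
    return res


if __name__ == "__main__":
    for label, res in (("PACL only", pacl_only()),
                       ("ACL also grants", acl_also_grants()),
                       ("NACL denies", nacl_denies())):
        for prog in ("secured_su", "su"):
            print(f"{label:16s} sysadm1 via {prog:10s} -> "
                  f"{check_access(res, 'sysadm1', 'read', prog)}")
```

The middle case is the one to check in a real policy: once an ACL entry grants sysadm1 access, the via(pgm(...)) condition no longer restricts the path to superuser, so the "only by running secured_su" intent holds only while the ACL stays silent for that accessor.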