When CA ControlMinder is stopped, access rights to the database files are determined by native Windows permissions. Permissions are inherited from the parent directory in which CA ControlMinder is installed. Because of this inheritance, when CA ControlMinder is stopped the default access to the database files is read.
To protect CA ControlMinder when it is stopped, you can change the Windows permissions for the database files to suit your enterprise requirements. Before you change the permissions, consider the following:
The CA ControlMinder authorization engine inherits privileges from the NT AUTHORITY\System user. If this user cannot access the database, the engine does not have sufficient native privileges to update the database.
Users who need read and write access include users who back up, restore, or upgrade CA ControlMinder.
For example, to use the config environment to change CA ControlMinder registry entries when CA ControlMinder is stopped, you must have sufficient Windows privileges to change the registry.
Only CA ControlMinder administrators (users with the ADMIN attribute or with sub administration privileges) can use selang to maintain the database when CA ControlMinder is stopped. If the CA ControlMinder administrators cannot access the database when CA ControlMinder is stopped, no user can perform offline database maintenance and a deadlock may occur.
Copyright © 2013 CA Technologies.
All rights reserved.
|
|