CA ControlMinder comes with predefined groups. Except for the _interactive and _network groups, you add users to these groups in the same way as you do for any other group.
If a user is in the _abspath group when logging in, that user must use absolute path names to invoke programs.
A user is a member of the _interactive group only for the purposes of an access attempt. Users are members of the _interactive group if they are logged into the same host as the resource they are trying to access. CA ControlMinder dynamically and automatically manages the membership of the _interactive group—you cannot change the membership.
The users in the interactive_restricted group need strong authentication before they can modify files. Users in the Interactive_restricted group can read files and execute commands. They cannot modify any files except for a predefined list of non-files that they are authorized to modify. A message reminds users to run the sepromote utility to authenticate when they need to remove the restriction.
The _network group is the complementary group to _interactive. A user is a member of the _network group for the purposes of an access attempt only. Users are members of the _network group if they are trying to access a resource from a host other than the one the resource belongs to. CA ControlMinder dynamically and automatically manages the membership of the _network group—you cannot change the membership.
For users in the _restricted group, all files (and, on Windows, registry keys too) are protected by CA ControlMinder. If a file or a Windows registry key does not have an access rule explicitly defined, access permissions are covered by the _default record for that class (FILE or REGKEY).
Note: Users in the _restricted group may not have sufficient authorization to do their work. If you plan to add users to the _restricted group, consider using Warning mode initially.
When a user uses a member of the _surrogate group as a surrogate, CA ControlMinder writes a full trace in the audit trail of the surrogate's actions, tagged with the original user's name.
Example: Adding a User to the _restricted Group Using selang
The following selang command adds the enterprise user john_smith to the _restricted group:
joinx john_smith group(_restricted)
Copyright © 2013 CA Technologies.
All rights reserved.