Previous Topic: Predefined UsersNext Topic: Profile Groups

Endpoint Administration Guide for UNIXManaging Users and GroupsDatabase AccessorsPredefined Groups

Predefined Groups

CA ControlMinder comes with predefined groups. Except for the _interactive and _network groups, you add users to these groups in the same way as you do for any other group.

_abspath

If a user is in the _abspath group when logging in, that user must use absolute path names to invoke programs.

_interactive

A user is a member of the _interactive group only for the purposes of an access attempt. Users are members of the _interactive group if they are logged into the same host as the resource they are trying to access. CA ControlMinder dynamically and automatically manages the membership of the _interactive group—you cannot change the membership.

interactive_restricted

The users in the interactive_restricted group need strong authentication before they can modify files. Users in the Interactive_restricted group can read files and execute commands. They cannot modify any files except for a predefined list of non-files that they are authorized to modify. A message reminds users to run the sepromote utility to authenticate when they need to remove the restriction.

_network

This is the complementary group to _interactive. A user is a member of the _network group for the purposes of access only. Users are members of the _network group if they are trying to access a resource from a different host than the resource belongs to. CA ControlMinder dynamically and automatically manages the membership of the _network group—you cannot change the membership.

_restricted

For users in the _restricted group, all files, and on Windows registry keys too, are protected by CA ControlMinder. If a file or a Windows registry key does not have an access rule explicitly defined, access permissions are covered by the _default record for that class (FILE or REGKEY).

Note: Users in the _restricted group may not have sufficient authorization to do their work. If you plan to add users to the _restricted group, consider using Warning mode initially.

_surrogate

When a user uses a member of the _surrogate group as a surrogate, CA ControlMinder writes a full trace in the audit trail of the surrogate's actions, tagged with the original user's name.

Example: Adding a User to the _restricted Group Using selang

The following selang command adds the enterprise user john_smith to the _restricted group:

joinx john_smith group(_restricted)