

Logic Flow for CA-PanAPT Security
The process that CA‑PanAPT follows to grant authority is described below. It assumes that you know the authority of the user ID and, if there is an Owner, the Owner's authority. It also assumes that you know the activity or activities being processed. For additional information, refer to the CA‑PanAPT Activity List exhibit in the Control File chapter.
1. The user ID is checked for CA‑PanAPT sign-on.
2. Users that are defined in a denied class are rejected. The three classes of users that can be denied are Operations, Owners, and Anyone.
3. If this is an approved activity (MOVEREQ/APM-level or MOVEREQ/APB-level, where level is the 1- to 4-character short name for a level), the user's approval categories are checked. If the user has authorization for the category, processing continues with Step 4. (One more test must be approved.) Otherwise, the authorization is rejected.
4. If the Owner field is blank, all Group Administrators are given authority. Otherwise, Group Administrators sharing a group with the Owner are authorized.
5. If the user is in the class Operations and the activity allows Operations, the user is approved.
6. If the user is the Owner and the activity allows Owners, the user is approved.
7. If anyone (everyone) can do this activity, authorization is granted.
8. If there is an Owner, check for users sharing a group. (All users that are in a group with the Owner are considered to be sharing a group, except the Owner, who is not considered to be part of the group.)
9. If the user is listed (the following user IDs), authorization is granted.
10. If the user is in a listed group (the following Groups), authorization is granted.
If the user has not been authorized at this point, the user is rejected.
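The flow above written as a first-match decision table, added here as an illustration and not CA‑PanAPT code. The `User` and `Activity` fields, the `"Sharing"` flag used for step 8, and the sample IDs are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    uid: str
    sign_on: bool = True                           # step 1: may sign on
    classes: set = field(default_factory=set)      # e.g. {"Operations"}
    groups: set = field(default_factory=set)
    group_admin: bool = False
    categories: set = field(default_factory=set)   # approval categories held

@dataclass
class Activity:
    name: str
    denied: set = field(default_factory=set)       # Operations / Owners / Anyone
    allowed: set = field(default_factory=set)      # same names, plus "Sharing"
    category: Optional[str] = None                 # set only for approval activities
    users: set = field(default_factory=set)        # "the following user IDs"
    groups: set = field(default_factory=set)       # "the following Groups"

def authorize(user, act, owner=None):
    """Return (granted, deciding_step); owner is a User, or None if blank."""
    is_owner = owner is not None and user.uid == owner.uid
    classes = user.classes | ({"Owners"} if is_owner else set())
    # Step 8 definition: in a group with the Owner, but not the Owner itself.
    shares = owner is not None and not is_owner and bool(user.groups & owner.groups)
    checks = [  # (step, grants?, condition); the first matching row decides
        (1, False, not user.sign_on),
        (2, False, bool(classes & act.denied)),
        (3, False, act.category is not None and act.category not in user.categories),
        (4, True, user.group_admin and (owner is None or shares)),
        (5, True, "Operations" in classes and "Operations" in act.allowed),
        (6, True, is_owner and "Owners" in act.allowed),
        (7, True, "Anyone" in act.allowed),
        (8, True, shares and "Sharing" in act.allowed),  # flag is an assumption
        (9, True, user.uid in act.users),
        (10, True, bool(user.groups & act.groups)),
    ]
    for step, grants, hit in checks:
        if hit:
            return grants, step
    return False, None                             # nothing matched: rejected

# Constructed sample data; the IDs, group and level name TEST are invented.
OWNER = User("OWN1", groups={"PAYROLL"}, categories={"QA"})
OPS = User("OPR1", classes={"Operations"}, categories={"QA"})
PEER = User("DEV2", groups={"PAYROLL"}, categories={"QA"})
MOVE = Activity("MOVEREQ/APM-TEST", denied={"Operations"},
                allowed={"Owners", "Sharing"}, category="QA")
```

Because the rejections in steps 1 to 3 are evaluated before any grant, a user in a denied class is refused even when a later step would have allowed the same user.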
Copyright © 2004 CA.
All rights reserved.
 