
SECURITY Configuration Examples

1)   The following configuration WILL NOT allow database access to anyone including \USER1.

SUBSYS SECURITY

GRANT (*,*,*)
REVOKE (DATABASE,*,*)
GRANT (DATABASE,*,\USER1)

2)   The following configuration WILL allow database access to \USER1 only.

SUBSYS SECURITY

GRANT (CONFIGURATION,*,*)
GRANT (DATABASE,*,\USER1)
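
The pitfall in example 1, a GRANT cancelled by a broader REVOKE, can be checked for mechanically before a SECURITY configuration is started. The Python lint below is an added example, not part of Prognosis or its documentation, and its function names are hypothetical. It assumes that omitted trailing fields mean `*`, and that a REVOKE overrides any GRANT it fully covers regardless of statement order, as example 1 implies.

```python
import re

# Assumption: statements look like "GRANT (f1,f2,...)" / "REVOKE (...)";
# "!" lines are comments. At most six fields appear in this page's examples.
STMT = re.compile(r"^\s*(GRANT|REVOKE)\s*\((.*)\)\s*$", re.IGNORECASE)
WIDTH = 6

def parse(config):
    """Return [(verb, fields)] with omitted trailing fields set to '*'."""
    rules = []
    for line in config.splitlines():
        m = STMT.match(line)
        if not m:
            continue  # SUBSYS header, blank line or "!" comment
        fields = [f.strip().upper() for f in m.group(2).split(",")]
        fields += ["*"] * (WIDTH - len(fields))
        rules.append((m.group(1).upper(), tuple(fields)))
    return rules

def covers(broad, narrow):
    """True if pattern `broad` matches everything `narrow` matches."""
    if broad == "*":
        return True
    b, n = broad.split("."), narrow.split(".")  # GROUP.USER style patterns
    return len(b) == len(n) and all(x in ("*", y) for x, y in zip(b, n))

def shadowed_grants(config):
    """GRANTs whose every field is covered by some REVOKE in the config."""
    rules = parse(config)
    revokes = [f for verb, f in rules if verb == "REVOKE"]
    return [g for verb, g in rules if verb == "GRANT"
            and any(all(covers(r, x) for r, x in zip(rv, g)) for rv in revokes)]

# Examples 1 and 2 from this page, embedded as sample input.
EXAMPLE_1 = """SUBSYS SECURITY
GRANT (*,*,*)
REVOKE (DATABASE,*,*)
GRANT (DATABASE,*,\\USER1)
"""
EXAMPLE_2 = """SUBSYS SECURITY
GRANT (CONFIGURATION,*,*)
GRANT (DATABASE,*,\\USER1)
"""

if __name__ == "__main__":
    for name, cfg in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2)):
        print(name, "shadowed grants:", shadowed_grants(cfg))
```

A grant that is only narrowed by a more specific REVOKE is not reported, because that is an intended exception and not a cancelled grant.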

3)   The following configuration allows the System Manager to modify the security configuration:

SUBSYS SECURITY

GRANT (CONFIGURATION,\PrgnMgrNode,PrgnMgrUser,CONFTYPE,SECURITY)

4)   This configuration will allow \USER1 to execute commands on anything except Dispatch Manager.

SUBSYS SECURITY

REVOKE (COMMAND,*,\USER1,CMDDEST,Dispatch Manager)
GRANT (COMMAND,*,\USER1)

5)   This configuration will allow \USER2 to read the CPU database on all nodes, but not to write to it.

SUBSYS SECURITY

GRANT (DATABASE,*,\USER2,CPU,READ)

6)   The following HPE NonStop example will allow most users access and will selectively disallow other users.

SUBSYS SECURITY

! Start by granting access to all objects in all subsystems by all users
! from all nodes
GRANT (*,*,*)
! Disallow access to all subsystems by the GUEST user in any group or any
! user in the GUEST group
REVOKE (*,*,*.GUEST)
REVOKE (*,*,GUEST.*)
! Disallow access to the Analysts, Thresholds and Commands by members of the
! APPL group.
REVOKE (ANALYST,*,APPL.*)
REVOKE (THRESHOLD,*,APPL.*)
REVOKE (COMMAND,*,APPL.*)
! Disallow access to the EXTRACTOR and SECURITY Configurations by members of
! the APPL group.
REVOKE (CONFIGURATION,*,APPL.*,*,EXTRACTOR)
REVOKE (CONFIGURATION,*,APPL.*,*,SECURITY)
! Disallow access to Analysts and Commands by users who are logged on to the
! \TEST node
REVOKE (ANALYST,\TEST,*)
REVOKE (COMMAND,\TEST,*)
! Also disallow them access to the SECURITY Configuration
! (otherwise they could just change it to allow what we just revoked)
REVOKE (CONFIGURATION,\TEST,*,*,SECURITY)
! Prevent anyone from stopping the PROGNOSIS Configuration
REVOKE (CONFIGURATION,*,*,*,PROGNOSIS,STOP)

7)   The following HPE NonStop example allows only explicitly granted accesses.

SUBSYS SECURITY

! Security config on an HPE NonStop node
! Allow any user in the SUPER group to execute TACL commands on the node they
! are logged onto
GRANT (COMMAND,#LocalNode,SUPER.*,CMDDEST,SHELL,EXECUTE)
! Allow the SUPPORT group full access to Databases, Thresholds and Analysts
GRANT (DATABASE,*,SUPPORT.*)
GRANT (THRESHOLD,*,SUPPORT.*)
GRANT (ANALYST,*,SUPPORT.*)
! Allow the SUPPORT group to list Configurations
GRANT (CONFIGURATION,*,SUPPORT.*,*,*,INFO)
! Allow SUPPORT.MGR access to start and stop Configurations
GRANT (CONFIGURATION,*,SUPPORT.MGR,*,*,START)
GRANT (CONFIGURATION,*,SUPPORT.MGR,*,*,STOP)
! Allow SUPPORT.MGR and SUPER.SUPER to shut down Prognosis
GRANT (PROGNOSIS,*,SUPPORT.MGR)
GRANT (PROGNOSIS,*,SUPER.SUPER)
! Allow members of the AUDIT group read-only access to Databases and the
! SECURITY Configuration
GRANT (DATABASE,*,AUDIT.*,*,*,READ)
GRANT (DATABASE,*,AUDIT.*,*,*,INFO)
GRANT (CONFIGURATION,*,AUDIT.*,*,SECURITY,INFO)

8)   The following HPE NonStop example allows only user SUPER.PRGN to execute TACL commands and to start analysts and the extractor configuration. SUPER.PRGN is also the user who controls the SECURITY Configuration. It allows anyone full access to the Database, Threshold and Prognosis subsystems.

SUBSYS SECURITY

GRANT (DATABASE,*,*)
GRANT (THRESHOLD,*,*)
GRANT (PROGNOSIS,*,*)
! Allow anyone full access to all static configurations except EXTRACTOR,
! which they cannot start and SECURITY which they can only list.
GRANT (CONFIGURATION,*,*,*,AVAILABILITY)
GRANT (CONFIGURATION,*,*,*,BASEMAN)
GRANT (CONFIGURATION,*,*,*,COMMS)
GRANT (CONFIGURATION,*,*,*,DISC)
GRANT (CONFIGURATION,*,*,*,DISPMAN)
GRANT (CONFIGURATION,*,*,*,NETWORK)
GRANT (CONFIGURATION,*,*,*,PATHWAY)
GRANT (CONFIGURATION,*,*,*,PROGNOSIS)
GRANT (CONFIGURATION,*,*,*,TUNE)
GRANT (CONFIGURATION,*,*,*,UPDOWN)
GRANT (CONFIGURATION,*,*,*,SECURITY,INFO)
GRANT (CONFIGURATION,*,*,*,EXTRACTOR, STOP)
GRANT (CONFIGURATION,*,*,*,EXTRACTOR, INFO)
! Only SUPER.PRGN can start EXTRACTOR conf or start or stop SECURITY conf
GRANT (CONFIGURATION,*,SUPER.PRGN,*,SECURITY)
GRANT (CONFIGURATION,*,SUPER.PRGN,*,EXTRACTOR)
! Anyone can stop or list analyst rules but only SUPER.PRGN can start them
GRANT (ANALYST,*,*,*,*,INFO)
GRANT (ANALYST,*,*,*,*,STOP)
GRANT (ANALYST,*,SUPER.PRGN,*,*)
! Only SUPER.PRGN can execute TACL commands but any user can send commands to
! Tivoli or Dispatch Manager
GRANT (COMMAND,*,*,*,Tivoli Console)
GRANT (COMMAND,*,*,*,Dispatch Manager)
GRANT (COMMAND,*,SUPER.PRGN,*)