SECURITY Configuration Overview

SUBSYS SECURITY

REVOKE (SUBSYS, NODE, USER[, OBJECT-TYPE[, OBJECT[, FUNCTION[, ALIAS]]]])
GRANT (SUBSYS, NODE, USER[, OBJECT-TYPE[, OBJECT[, FUNCTION[, ALIAS]]]])

The SECURITY Configuration is controlled by adding GRANT rules to allow access or REVOKE rules to deny access. The order of the rules is not significant as access is checked by first looking at all the GRANT rules and then looking at all the REVOKE rules. Therefore, access is allowed only if it matches a GRANT rule and does not match any REVOKE rule.

The SECURITY Configuration can be summarized as follows:

  • When a SECURITY Configuration has NOT been created, then access is allowed to all users.

  • When a SECURITY Configuration has been created and no GRANT or REVOKE rules have been added, then access will NOT be allowed to any users.

  • When a SECURITY Configuration has been created with a GRANT rule added which has not been revoked anywhere else in the configuration, then access is allowed.

Access to starting the SECURITY Configuration is implicitly granted to the user who started the last one, so that the administrator maintaining the configuration cannot lock themselves out.

A SECURITY Configuration on a particular server only affects access to that server. Therefore, a SECURITY Configuration should be started on each server containing the Prognosis functions to be secured.

There are three mandatory parameters to the GRANT and REVOKE rules: SUBSYS, NODE and USER, in that order. SUBSYS is the function being secured; USER and NODE specify the user name and node name for which access is being allowed or denied. An * (asterisk) can be used in any parameter to indicate all values of that parameter. Omitted parameters default to *.

The SECURITY Configuration syntax (SUBSYS) provides the facility to allow or deny access to the following functions or objects for individual users:

  Function                       Subsystem Name
  Automated Analysts             ANALYST
  Command execution              COMMAND
  Databases                      DATABASE
  Prognosis shutdown             PROGNOSIS
  Password control               PASSWORD
  Static Configurations          CONFIGURATION
  Thresholds                     THRESHOLD
  File Transfer and Execution    TRANSFER

Please refer to SECURITY Configuration Parameters for a full list of the options that are available and the Security FUNCTION Parameter for details of what each option controls.

Beware that adding a GRANT line for a specific user and/or function implicitly revokes access for all other users and functions, for example:

GRANT (DATABASE,*,\fred)

This implicitly revokes access for all other users to all functionality and revokes access for \fred to all functions except Databases. To allow access for other users, additional GRANT lines are required.
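The evaluation model described above (all GRANT rules are consulted first, then all REVOKE rules; * matches any value; omitted parameters default to *) and the implicit-revoke effect of the single GRANT (DATABASE,*,\fred) line can be checked with a small rule evaluator. The following Python is an added example, not Prognosis code. The rule syntax, the subsystem names and the sample rules are taken from this page; the comma-separated parsing, exact (case-sensitive) string comparison, the SecurityConfiguration and check_access names, and the object_type-style keyword qualifiers are assumptions made for the example.

```python
import re

# Parameter positions of a GRANT/REVOKE rule, in the order the page gives them.
PARAMS = ("SUBSYS", "NODE", "USER", "OBJECT-TYPE", "OBJECT", "FUNCTION", "ALIAS")
RULE_RE = re.compile(r"^\s*(GRANT|REVOKE)\s*\((.*)\)\s*$", re.IGNORECASE)


def parse_rule(line):
    """Parse one rule line into (verb, {parameter: value}).

    Assumptions for this example: values are comma-separated, surrounding
    whitespace is insignificant, and omitted trailing parameters default to '*'
    (the page states the default; the tokenising rules are assumed).
    """
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a GRANT/REVOKE rule: {line!r}")
    values = [v.strip() for v in m.group(2).split(",")]
    if not 3 <= len(values) <= len(PARAMS):
        raise ValueError(f"expected 3..{len(PARAMS)} parameters: {line!r}")
    values += ["*"] * (len(PARAMS) - len(values))
    return m.group(1).upper(), dict(zip(PARAMS, values))


def rule_matches(rule, request):
    """A rule matches when every parameter is '*' or equals the request value.

    Comparison is exact and case-sensitive (an assumption of this example).
    Request qualifiers that are not supplied are treated as '*', so a rule that
    names a specific OBJECT-TYPE only matches a request that carries it.
    """
    return all(rule[p] == "*" or rule[p] == request.get(p, "*") for p in PARAMS)


class SecurityConfiguration:
    """A started SECURITY Configuration: its GRANT and REVOKE rules.

    Rule order is not significant: every GRANT is consulted before any REVOKE.
    An instance with no rules models a created-but-empty configuration.
    """

    def __init__(self, lines=()):
        self.grants, self.revokes = [], []
        for line in lines:
            self.add(line)

    def add(self, line):
        verb, params = parse_rule(line)
        (self.grants if verb == "GRANT" else self.revokes).append(params)


def check_access(config, subsys, node, user, **qualifiers):
    """Decide whether `user` on `node` may use `subsys`.

    `config` is None when no SECURITY Configuration has been started.
    Extra qualifiers use the remaining parameter names with '_' for '-',
    e.g. object_type="TABLE" (a naming convention chosen for this example).
    """
    if config is None:
        return True  # no configuration created: access allowed to all users
    request = {"SUBSYS": subsys, "NODE": node, "USER": user}
    request.update({k.upper().replace("_", "-"): v for k, v in qualifiers.items()})
    if not any(rule_matches(g, request) for g in config.grants):
        return False  # no GRANT matched; an empty configuration denies everyone
    if any(rule_matches(r, request) for r in config.revokes):
        return False  # a matching REVOKE overrides any matching GRANT
    return True


if __name__ == "__main__":
    # The page's own example: a single GRANT for \fred on Databases.
    cfg = SecurityConfiguration([r"GRANT (DATABASE,*,\fred)"])
    print(check_access(cfg, "DATABASE", "NODE1", r"\fred"))   # True
    print(check_access(cfg, "THRESHOLD", "NODE1", r"\fred"))  # False: implicitly revoked
    print(check_access(cfg, "DATABASE", "NODE1", r"\alice"))  # False: needs her own GRANT

    # GRANT everything to \fred but REVOKE Prognosis shutdown; line order is irrelevant.
    for lines in ([r"GRANT (*,*,\fred)", r"REVOKE (PROGNOSIS,*,\fred)"],
                  [r"REVOKE (PROGNOSIS,*,\fred)", r"GRANT (*,*,\fred)"]):
        c = SecurityConfiguration(lines)
        print(check_access(c, "COMMAND", "NODE1", r"\fred"),    # True
              check_access(c, "PROGNOSIS", "NODE1", r"\fred"))  # False
```

Running the script prints the outcomes for the page's scenarios: with only GRANT (DATABASE,*,\fred) started, \fred is allowed Databases and nothing else, and every other user is denied; a REVOKE wins over a GRANT regardless of which line comes first. Passing None as the configuration models the "not created" case, where everyone is allowed, while SecurityConfiguration() with no rules models the "created but empty" case, where nobody is.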

On a Windows machine, if a SECURITY Configuration is set up with anything other than GRANT (*,*,*), an additional GRANT line must also be included to allow the Prognosis User to operate. The Prognosis User is a default entry that allows commands to be executed by Prognosis using the local system account via the PASSWORDS Configuration alias.

The following entry should be included in the SECURITY Configuration: GRANT (*, #LocalNode, \NT Authority.System) plus the PASSWORDS Configuration must contain a COMMAND:PROGNOSIS entry. For details see the COMMAND:PROGNOSIS Password Entry.