HP NonStop SSH 544701-014 Reference Manual page 138

To resolve this problem, release 89 introduced a new parameter, CLIENTMODEOWNERPOLICY, which defines
how the owner of an entry is set. The defined values are LOGINNAME, GUARDIANNAME and
BOTH. The differences are explained in the following sections.
Client Mode Owner Policy LOGINNAME
The default owner is the login name, which can be a Guardian user identifier or an alias. An alias user cannot
add, read or manipulate entries for the Guardian user the alias is configured with. A Guardian user can add and
manipulate entries for that Guardian user.
The value LOGINNAME is recommended if different people are using the various aliases configured with the same
Guardian user identifier.
Client Mode Owner Policy GUARDIANNAME
The default owner is the Guardian user identifier, regardless of whether the login name is an alias or a Guardian
user. Entries are read using the Guardian user only.
The assumption is that the same person uses the aliases of a Guardian user identifier and the Guardian user identifier
itself. This was the default before this enhancement was introduced (in release 89), so the value
GUARDIANNAME must be used if the client mode policy of previous releases is to be kept.
Client Mode Owner Policy BOTH
The default owner is the login name, but a Guardian user can add or manipulate entries stored under an alias or a
Guardian user identifier. Entries are read for both the login name and the Guardian user if these are different
(entries of the alias are read first, then entries of the Guardian ID). The value BOTH is only recommended if a
Guardian user and all aliases configured for this Guardian user are used solely by one person and client mode
records are to be stored under the Guardian user identifier as well as alias names.
Note: The default value for CLIENTMODEOWNERPOLICY is BOTH. Be aware that the default client mode
policy changed from GUARDIANNAME to BOTH with release 89. This change of the policy should not cause
problems with existing records, because previous releases read records only if they were stored under the Guardian
user identifier (entries stored under an alias were ignored).
The following changes when the new default value BOTH or the value LOGINNAME is used:
If a user is logged on as an alias and new client mode records are added (PASSWORD, KNOWNHOST,
PUBLICKEY), the new records are stored under the alias name. An alias user is not allowed to add records for
the underlying Guardian user when CLIENTMODEOWNERPOLICY is set to LOGINNAME.
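The owner and read-order rules of the three policies can be modelled in a few lines to check which stored record a given login would resolve to before the parameter is changed. This is an added example, not HP NonStop SSH code: the record layout, the function names, the user names OPS.ADMIN and opsalias and the record values are constructed for illustration.

```python
# Simplified model of the owner rules described above; not HP NonStop SSH code.
# Record layout, user names and record values are constructed for illustration.
POLICIES = ("LOGINNAME", "GUARDIANNAME", "BOTH")

def default_owner(policy, login, guardian):
    """Owner under which a new client mode record is stored."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    return guardian if policy == "GUARDIANNAME" else login

def read_order(policy, login, guardian):
    """Owners whose records are consulted, in lookup order."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if policy == "GUARDIANNAME":
        return [guardian]                 # alias entries are never read
    if policy == "BOTH" and login != guardian:
        return [login, guardian]          # alias entries first, then Guardian ID
    return [login]                        # LOGINNAME, or login is the Guardian ID

def lookup(records, policy, login, guardian, rtype, name):
    """First record of this type and name found in read order, or None."""
    for owner in read_order(policy, login, guardian):
        for rec in records:
            if (rec["owner"], rec["type"], rec["name"]) == (owner, rtype, name):
                return rec
    return None

def policy_diff(records, login, guardian, old="GUARDIANNAME", new="BOTH"):
    """(key, old owner, new owner) for lookups that resolve differently."""
    changed = []
    for key in sorted({(r["type"], r["name"]) for r in records}):
        before = lookup(records, old, login, guardian, *key)
        after = lookup(records, new, login, guardian, *key)
        if before is not after:
            changed.append((key, before and before["owner"], after and after["owner"]))
    return changed

RECORDS = [  # constructed sample store: one alias of Guardian user OPS.ADMIN
    {"owner": "OPS.ADMIN", "type": "KNOWNHOST", "name": "backup01", "value": "fp-A"},
    {"owner": "opsalias", "type": "KNOWNHOST", "name": "backup01", "value": "fp-B"},
    {"owner": "OPS.ADMIN", "type": "PUBLICKEY", "name": "deploy", "value": "key-1"},
]

if __name__ == "__main__":
    print(policy_diff(RECORDS, "opsalias", "OPS.ADMIN"))
```

In the sample store, the KNOWNHOST record kept under the alias is ignored with GUARDIANNAME and read first with BOTH, while the PUBLICKEY record stored only under the Guardian user identifier is not visible to the alias with LOGINNAME.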
Client Mode Owner Policy and Processing of SSHCOM Commands
The processing of the client mode SSHCOM commands has been enhanced in release 89 to support the new
CLIENTMODEOWNERPOLICY values LOGINNAME and BOTH. If the value is set to either LOGINNAME or
BOTH, the following applies:
Entries can be added with alias user names. A user logged on using an alias can only display, add, and manipulate entries for that alias.
A Guardian user can display, add, and manipulate entries for the Guardian user.
Depending on the rules explained in the section about OBJECTTYPE USER records, a group manager can add, change or delete client mode records stored under an alias or Guardian name.
A user with full access can add and manipulate all entries unless an OBJECTTYPE USER record says otherwise.
If parameter CLIENTMODEOWNERPOLICY is set to value GUARDIANNAME, the following applies:
Any attempt to add entries under an alias name will be rejected. Entries will be added under the Guardian name.