SEOS Class

The SEOS class controls the behavior of the PAM Server Control authorization system.
The class contains only one record, called SEOS, which specifies general security and authorization options. To view or change the status of SEOS class properties, use the setoptions command.
The following definitions describe the properties that are contained in this class record. Most properties are modifiable and can be manipulated using selang or the administration interfaces. Non-modifiable properties are marked informational.
  • ACCPACL
    Indicates the order in which the UACC (defaccess) and PACL lists are scanned during authorization.
    When ACCPACL is active and explicit access is provided for a user through an ACL, then that access is the allowed access. If there is no explicit access through an ACL but explicit access is defined through a PACL, then the PACL access is the allowed access. If neither the ACL nor the PACL contains explicit access, defaccess is checked for access definitions.
    If ACCPACL is not activated, the ACL is still checked first for explicit access. If the ACL contains no explicit access definitions for the resource being checked, defaccess definitions are checked next. If no explicit access is defined in defaccess, then the PACL access definitions are checked.
    When PAM Server Control is installed, the value of this property is set to yes.
    Use the accpacl or accpacl- parameter with the setoptions command to modify this property.
  • ADMIN
    Each record in the ADMIN class defines what authorization privileges non-admin users have to administer specific classes. Each PAM Server Control class that is to be administered by specific non-admin users is represented by an ADMIN record. The record contains a list of accessors with the access authority of each.
    Example: To allow user John to view FILE class rules, specify "authorize ADMIN FILE uid(John) access(read)".
    If the ADMIN class is off, then a non-admin user cannot get administrator privileges using this ADMIN class.
  • APPL
    Indicates whether the APPL class is active.
  • AUTHHOST
    Indicates whether the AUTHHOST class is active.
  • CALENDAR
    Indicates whether the CALENDAR class is active.
  • CATEGORY
    Indicates whether the CATEGORY class is active.
  • CNG_ADMIN_PWD
    Indicates whether a user with the PWMANAGER attribute can change an ADMIN user password using selang. The default is yes.
    Use the class+ or class- parameter and the cng_adminpwd option with the setoptions command to activate or inactivate this property.
  • CNG_OWN_PWD
    Indicates whether users can change their own passwords using selang.
    Use the class+ or class- parameter and the cng_ownpwd option with the setoptions command to activate or inactivate this property.
  • COMMENT
    Defines additional information that you want to include in the record. PAM Server Control does not use this information for authorization.
    Limit: 255 characters.
  • CONNECT
    Indicates whether the CONNECT class is active. When the CONNECT class is active, records in the class protect the outgoing connections.
    If the HOST class is active, the CONNECT class is not used as an active class, even when activated.
    If the TCP class is active, the CONNECT class is not used as an active class.
  • CREATE_TIME
    (Informational) Displays the date and time when the record was created.
  • DAYTIMERES
    (UNIX only) Indicates whether PAM Server Control checks the daytime restrictions on resources.
  • DMS
    List of DMS servers this database should send notifications to.
  • DOMAIN
    (Windows only) Indicates whether the DOMAIN class is active.
  • ENDTIME
    (Informational) The date and time the database files were last closed in an orderly manner.
  • FILE
    Indicates whether the FILE class is active. When the FILE class is active, records in the class protect files and directories.
  • ACCGRR
    The accumulative group rights option (ACCGRR) affects how PAM Server Control checks the ACL of a resource. If ACCGRR is enabled, PAM Server Control checks the ACL for the authorities that are granted from all the groups to which the user belongs. If ACCGRR is disabled, PAM Server Control checks the ACL to see if any of the applicable entries contain the value none. If so, access is denied. Otherwise, PAM Server Control ignores all group entries except the first applicable one in the access control list. Use the setoptions ACCGRR command to enable or disable this property.
  • HOLIDAY
    Indicates whether the HOLIDAY class is active. When the HOLIDAY class is active, users need extra permission to log in during defined Holiday periods.
  • HOST
    Indicates whether the HOST class is active. When the HOST class is active, PAM Server Control protects incoming TCP/IP service requests from remote hosts.
    If the HOST class is active, the TCP and CONNECT classes are not used as active classes, even when activated.
    The default for the HOST class is active.
  • INACT
    Indicates the number of inactive days after which user login is suspended. An inactive day is a day in which the user does not log in.
    A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record.
    Use the inactive or inactive- parameter with the setoptions command to update this property.
  • ISDMS
    True if the PMDB serves as a DMS.
  • LOGINAPPL
    (UNIX only) Indicates whether the LOGINAPPL class is active.
  • MAXLOGINS
    The maximum number of concurrent logins (terminal sessions) a user is allowed, after which the user is denied access. A zero value indicates no maximum and the user can log in to any number of terminal sessions concurrently. The value must be either zero or greater than 1 if the user wants to log in and run selang or otherwise administer the database, because PAM Server Control considers each task (login, selang, GUI, and so forth) to be a terminal session.
    A value for the MAXLOGINS property in a USER record overrides a value in a GROUP record. Both override the MAXLOGINS property in the SEOS class record. The value in the SEOS record is the default value used when there is no explicit value in the accessor record.
    Use the maxlogins parameter with the chres, editres, and newres commands to modify this property for the SEOS class.
  • MFTERMINAL
    Indicates whether the MFTERMINAL class is active.
  • PASSWDRULES
    Indicates the password rules. This property contains a number of fields that determine how PAM Server Control handles password protection. For a complete list of the rules, see the modifiable property PROFILE of the USER class.
    Use the password parameter and the rules or rules- option with the setoptions command to modify this property.
  • PASSWORD
    Indicates whether password checking is active.
    Use the class+ or class- parameter and the PASSWORD option with the setoptions command to activate or inactivate this property.
  • PROCESS
    Indicates whether the PROCESS class is active. When the PROCESS class is active, records in the class protect defined processes from kill attempts.
    The file must also be defined in the FILE class.
  • PROGRAM
    Indicates whether the PROGRAM class is active. When the PROGRAM class is active, records in the class protect defined programs that were marked as Trusted.
  • PWPOLICY
    Indicates whether the PWPOLICY class is active.
  • REGKEY
    (Windows only) Indicates whether the REGKEY class is active.
  • REGVAL
    (Windows only) Indicates whether the REGVAL class is active.
  • RESOURCE_DESC
    Indicates whether the RESOURCE_DESC class is active.
  • RESPONSE_TAB
    Indicates whether the RESPONSE_TAB class is active.
  • SECLABEL
    Indicates whether the SECLABEL class is active.
  • SECLEVEL
    Indicates whether the SECLEVEL class is active.
  • STARTTIME
    (Informational) The date and time the database files were last opened.
  • SUDO
    Indicates whether the SUDO class, used by sesudo, is active.
  • SYSTEM_AAUDIT_MODE
    Specifies the default audit mode (systemwide audit mode) for users and enterprise users.
    Default: Failure LoginSuccess LoginFailure
  • SURROGATE
    Indicates whether the SURROGATE class is active. When the SURROGATE class is active, PAM Server Control protects surrogate requests.
  • TCP
    Indicates whether the TCP class is active. When the TCP class is active, PAM Server Control protects incoming and outgoing TCP services such as mail, ftp, and http.
    If the HOST class is active, the TCP class is not used as an active class, even when activated.
    If the TCP class is active, the CONNECT class is not used as an active class.
  • TERMINAL
    Indicates whether the TERMINAL class is active. When the TERMINAL class is active, PAM Server Control performs a terminal access check during sign-on and protects X-window sessions.
  • USER_ATTR
    Indicates whether the USER_ATTR class is active.
  • USER_DIR
    Indicates whether the USER_DIR class is active.
  • UPDATE_TIME
    (Informational) Displays the date and time when the record was last modified.
  • UPDATE_WHO
    (Informational) Displays the administrator who performed the update.
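
The following Python sketch is an added illustration, not PAM Server Control code: it models the lookup order described under ACCPACL and the group-entry handling described under ACCGRR, so the effect of each setting on the outcome can be compared. The function names, the sample data, the use of None for "no explicit entry", and the treatment of a none entry under accumulation are assumptions of the model.

```python
# Added illustration, not product code: a simplified model of the lookup
# order described under ACCPACL and the group handling under ACCGRR.

def resolve_access(acl, pacl, defaccess, accpacl):
    """Return (source, access) from the first list with an explicit entry.

    Each argument is the explicit access found in that list for the accessor,
    or None when the list holds no explicit entry (modelling assumption).
    """
    if accpacl:
        order = [("ACL", acl), ("PACL", pacl), ("defaccess", defaccess)]
    else:
        order = [("ACL", acl), ("defaccess", defaccess), ("PACL", pacl)]
    for source, access in order:
        if access is not None:
            return source, access
    return None, None


def group_rights(acl_entries, user_groups, accgrr):
    """Evaluate the group entries of an ACL for a user.

    acl_entries: ordered (group, rights) pairs; rights is a set of strings,
    and the empty set stands for the value none (modelling assumption).
    Returns the granted rights, or None if no entry applies.
    """
    applicable = [rights for group, rights in acl_entries if group in user_groups]
    if not applicable:
        return None
    if accgrr:
        # Accumulate authorities from every group the user belongs to.
        # Assumption: a none entry contributes nothing to the union.
        return set().union(*applicable)
    if any(not rights for rights in applicable):
        return set()              # one applicable none entry denies access
    return set(applicable[0])     # only the first applicable entry counts


# Constructed sample: no explicit ACL entry, PACL grants read, defaccess none.
SAMPLE = dict(acl=None, pacl="read", defaccess="none")
# Constructed ACL group entries, in ACL order.
GROUP_ACL = [("staff", {"read"}), ("ops", {"read", "write"}), ("temp", set())]

if __name__ == "__main__":
    for flag in (True, False):
        print("accpacl" if flag else "accpacl-", resolve_access(accpacl=flag, **SAMPLE))
    for flag in (True, False):
        print("ACCGRR", flag, group_rights(GROUP_ACL, {"staff", "ops"}, flag))
```

With the constructed sample, the same rule set yields PACL read access when ACCPACL is active and defaccess none when it is not, which is the difference to check for when auditing a host whose SEOS options have been changed.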