How to grant required users access to file resources when native file ownership and local file permission settings do not allow it.

Document ID : KB000010959
Last Modified Date : 14/02/2018
Introduction:

Some file resources are protected by native OS ownership and permissions, but you need to grant regular users access to them. In PIM you can write selang rules that grant this access through the sesudo utility, using the SUDO and PROGRAM classes.

Environment:
PIM 12.8x on UNIX
Instructions:

Example:

In this example, the user tester1 is Admin, Auditor and Server, but is blocked from accessing the seos.audit file that was copied to /tmp/calogs/seos.audit.

Without the rules in place, you would see this denial from the OS:

-sh-4.2$ /opt/CA/AccessControl/bin/seaudit -a -fn /tmp/calogs/seos.audit
CA ControlMinder seaudit  v12.81.0.2919 - Audit log lister
Copyright (c) 2013 CA. All rights reserved.

Cannot access /tmp/calogs/seos.audit

File permissions on /tmp/calogs/seos.audit are:

-rw-------.  1 root root 15305 Jan 30 17:13 seos.audit

Use the following rules to grant tester1 access using the sesudo utility:

# /opt/CA/AccessControl/bin/selang


AC> er program /opt/CA/AccessControl/bin/sesudo defacc(x) audit(all)

AC> auth program /opt/CA/AccessControl/bin/sesudo uid(tester1)

AC> er SUDO seaudit comment('/opt/CA/AccessControl/bin/seaudit;;') owner(nobody) audit(all) defacc(n)

AC> auth SUDO seaudit uid(tester1)

Running the following command will give you access to seos.audit:

-sh-4.2$ /opt/CA/AccessControl/bin/sesudo seaudit -a -fn /tmp/calogs/seos.audit
CA ControlMinder seaudit  v12.81.0.2919 - Audit log lister
Copyright (c) 2013 CA. All rights reserved.
30 Jan 2018 08:01:01 O LOGOUT       root                  49  2 _CRONJOB_

.
.
.

Total records displayed 183
Command 'seaudit', (/opt/CA/AccessControl/bin/seaudit),  performed by tester1.

Additional Information:

Link to the sesudo utility documentation for reference:

https://docops.ca.com/ca-privileged-identity-manager/12-9/EN/reference/reference-guide/sesudo-utility