Managing Serviceguard 13th Edition, February 2007

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5
If this policy is defined in the cluster configuration file, it grants user
john the PACKAGE_ADMIN role for any package on node bit. User john
also has the MONITOR role for the entire cluster, because PACKAGE_ADMIN
includes MONITOR.
If the policy is defined in the package configuration file for PackageA,
then user john on node bit has the PACKAGE_ADMIN role only for
PackageA.
You will not be allowed to configure roles that conflict; Serviceguard will
fail with an error when applying the configuration if you enter
conflicting roles. (“Wildcards” are an exception: it is acceptable for
ANY_USER and john to be given different roles.)
For example, consider what would happen if these entries were in the
cluster configuration file:
# Policy 1:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
# Policy 3:
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
In the above example, the configuration would fail because user john is
assigned two roles. (In any case, Policy 2 is unnecessary, because
PACKAGE_ADMIN includes the role of MONITOR.)
Policy 3 does not conflict with any other policies, even though the
wildcard ANY_USER includes the individual user john.
NOTE Be careful when granting access to ANY_SERVICEGUARD_NODE. This
allows access from any node on the subnet.
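
The conflict rule and the NOTE above can be checked before a configuration is applied. The following Python sketch is an added example, not part of the Serviceguard manual or product; the names parse_policies and lint are hypothetical. It assumes one value per parameter line, that USER_ROLE closes each policy as in the example above, and that only entries with identical USER_NAME and USER_HOST strings are compared, so a wildcard entry never conflicts with a named user.

```python
from collections import defaultdict

# Constructed sample: the three policies from the example above.
SAMPLE = """\
# Policy 1:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
# Policy 3:
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
"""
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Collect (user, host, role) triplets; assumes USER_ROLE ends each policy."""
    policies, cur = [], {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 2 or fields[0] not in KEYS:
            continue  # comments, blanks and unrelated parameters
        cur[fields[0]] = fields[1]
        if fields[0] == "USER_ROLE":
            if set(cur) != set(KEYS):
                raise ValueError(f"incomplete policy: {cur}")
            policies.append(tuple(cur[k] for k in KEYS))
            cur = {}
    return policies

def lint(policies):
    """Return (conflicts, warnings) for a list of policy triplets."""
    roles, warnings = defaultdict(set), []
    for user, host, role in policies:
        roles[(user, host)].add(role)  # literal match only: wildcards stay separate
        if host == "ANY_SERVICEGUARD_NODE":
            warnings.append(f"{user}/{role}: access allowed from any node on the subnet")
    conflicts = {k: sorted(v) for k, v in roles.items() if len(v) > 1}
    return conflicts, warnings

if __name__ == "__main__":
    conflicts, warnings = lint(parse_policies(SAMPLE))
    for (user, host), found in conflicts.items():
        print(f"CONFLICT: {user}@{host} has roles {', '.join(found)}")
    for w in warnings:
        print("WARNING:", w)
```

Run against the sample, it reports the john/bit conflict between Policy 1 and Policy 2 and one warning for the ANY_SERVICEGUARD_NODE grant in Policy 3.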