Managing Serviceguard A.11.20, March 2013

IMPORTANT: Users on systems outside the cluster can gain Serviceguard root access
privileges to configure the cluster only via a secure connection (rsh or ssh).
Non-root access: Other users can be assigned one of four roles:

Full Admin: Allowed to perform cluster administration, package administration, and cluster
and package view operations.
These users can administer the cluster, but cannot configure or create a cluster. Full Admin
includes the privileges of the Package Admin role.

(all-packages) Package Admin: Allowed to perform package administration, and use
cluster and package view commands.
These users can run and halt any package in the cluster, and change its switching
behavior, but cannot configure or create packages. Unlike single-package Package
Admin, this role is defined in the cluster configuration file. Package Admin includes the
cluster-wide privileges of the Monitor role.

(single-package) Package Admin: Allowed to perform package administration for a
specified package, and use cluster and package view commands.
These users can run and halt a specified package, and change its switching behavior,
but cannot configure or create packages. This is the only access role defined in the
package configuration file; the others are defined in the cluster configuration file.
Single-package Package Admin also includes the cluster-wide privileges of the Monitor
role.

Monitor: Allowed to perform cluster and package view operations.
These users have read-only access to the cluster and its packages.

IMPORTANT: A remote user (one who is not logged in to a node in the cluster, and is not
connecting via rsh or ssh) can have only Monitor access to the cluster.
(Full Admin and Package Admin can be configured for such a user, but this usage is deprecated
and in a future release may cause cmapplyconf and cmcheckconf to fail. As of
Serviceguard A.11.18 configuring Full Admin or Package Admin for remote users gives them
Monitor capabilities. See “Setting up Access-Control Policies” (page 199) for more information.)

Setting up Access-Control Policies

The HP-UX root user on each cluster node is automatically granted the Serviceguard root access
role on all nodes. (See “Configuring Root-Level Access” (page 171) for more information.)
Access-control policies define non-root roles for other cluster users.
NOTE: For more information and advice, see the white paper Securing Serviceguard at
http://www.hp.com/go/hpux-serviceguard-docs.
Define access-control policies for a cluster in the cluster configuration file; see “Cluster Configuration
Parameters” (page 114). You can define up to 200 access policies for each cluster. A root user
can create or modify access control policies while the cluster is running.
Define policies for a specific package in the package configuration file; see the entries for
user_name and related package-configuration parameters (page 257).
NOTE: Once nodes are configured into a cluster, the access-control policies you set in the cluster
and package configuration files govern cluster-wide security; changes to the “bootstrap”
cmclnodelist file are ignored (see “Allowing Root Access to an Unconfigured Node” (page 171)).
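
The following Python script is an added example, not part of the HP manual: it audits the access-control policies in a cluster configuration file against the two rules stated above (at most 200 policies per cluster; Full Admin or Package Admin granted to a remote user is deprecated and yields only Monitor access). It assumes the USER_NAME / USER_HOST / USER_ROLE triplet layout and NODE_NAME entries of the cluster configuration file, and it treats any USER_HOST other than CLUSTER_MEMBER_NODE or a listed NODE_NAME as remote; a static check cannot see whether such a user actually connects via rsh or ssh.

```python
MAX_POLICIES = 200                       # limit stated in this section
ADMIN_ROLES = {"FULL_ADMIN", "PACKAGE_ADMIN"}

# Constructed sample input, not taken from a real cluster.
SAMPLE = """\
CLUSTER_NAME  demo_cluster
NODE_NAME     node1
NODE_NAME     node2
USER_NAME     ops
USER_HOST     CLUSTER_MEMBER_NODE
USER_ROLE     FULL_ADMIN
USER_NAME     webadm
USER_HOST     mgmt-station
USER_ROLE     PACKAGE_ADMIN
USER_NAME     ANY_USER
USER_HOST     ANY_SERVICEGUARD_NODE
USER_ROLE     MONITOR
"""

def parse(text):
    """Return (set of cluster node names, list of policy dicts)."""
    nodes, policies, cur = set(), [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments
        if len(parts) < 2:
            continue
        key, value = parts[0].upper(), " ".join(parts[1:])
        if key == "NODE_NAME":
            nodes.add(value)
        elif key in ("USER_NAME", "USER_HOST", "USER_ROLE"):
            cur[key] = value
            if key == "USER_ROLE":                # role closes the triplet
                policies.append(cur)
                cur = {}
    return nodes, policies

def audit(text):
    nodes, policies = parse(text)
    findings = []
    if len(policies) > MAX_POLICIES:
        findings.append(f"{len(policies)} policies exceeds the limit of {MAX_POLICIES}")
    for p in policies:
        host = p.get("USER_HOST", "")
        # Assumption: only cluster members count as local hosts.
        local = host == "CLUSTER_MEMBER_NODE" or host in nodes
        if p["USER_ROLE"].upper() in ADMIN_ROLES and not local:
            findings.append(f"{p.get('USER_NAME')}@{host}: {p['USER_ROLE']} for a host "
                            "outside the cluster is deprecated; Monitor access only")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Run it against a copy of the cluster configuration file before cmcheckconf and cmapplyconf so that policies which would silently fall back to Monitor are caught during review.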