Managing Serviceguard Fifteenth Edition, reprinted May 2008

Building an HA Cluster Configuration
Configuring the Cluster
Chapter 5 243
Setting up Access-Control Policies
The HP-UX root user on each cluster node is automatically granted the
Serviceguard root access role on all nodes. (See “Configuring Root-Level
Access” on page 200 for more information.) Access-control policies define
non-root roles for other cluster users.
NOTE For more information and advice, see the white paper Securing
Serviceguard at http://docs.hp.com -> High Availability ->
Serviceguard -> White Papers.
Define access-control policies for a cluster in the cluster configuration file
(see “Cluster Configuration Parameters” on page 156), and for a specific
package in the package configuration file (see page 308). You can define
up to 200 access policies for each cluster. A root user can create or modify
access control policies while the cluster is running.
NOTE Once nodes are configured into a cluster, the access-control policies you
set in the cluster and package configuration files govern cluster-wide
security; changes to the “bootstrap” cmclnodelist file are ignored (see
“Allowing Root Access to an Unconfigured Node” on page 200).
Access control policies are defined by three parameters in the
configuration file:
• Each USER_NAME can consist either of the literal ANY_USER, or a
maximum of 8 login names from the /etc/passwd file on USER_HOST.
The names must be separated by spaces or tabs, for example:
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
• USER_HOST is the node where USER_NAME will issue Serviceguard
commands.
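Added example (not from the Serviceguard manual or from HP): a small Python audit of the access-control entries in a cluster configuration file against the limits stated above, that is, ANY_USER or at most 8 login names per USER_NAME and at most 200 policies per cluster. It assumes each policy starts with USER_NAME and that # begins a comment, as in the example above; flagging a lone ANY_USER for review is this example's own least-privilege check, not a rule from the manual.

```python
MAX_NAMES = 8       # page: at most 8 login names per USER_NAME
MAX_POLICIES = 200  # page: at most 200 access policies per cluster
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")
# Constructed sample: policy 1 is the page's example, 2 and 3 are made up.
SAMPLE = """\
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2: nine login names, one over the limit
USER_NAME u1 u2 u3 u4 u5 u6 u7 u8 u9
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 3: ANY_USER mixed with a login name, USER_ROLE missing
USER_NAME ANY_USER john
USER_HOST bit
"""

def parse_policies(text):
    """Group USER_NAME / USER_HOST / USER_ROLE lines into one dict per policy."""
    policies = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments; split on spaces/tabs
        if fields[:1] == ["USER_NAME"]:        # assumption: USER_NAME opens a policy
            policies.append({})
        if policies and fields and fields[0] in KEYS:
            policies[-1][fields[0]] = fields[1:]
    return policies

def audit(text):
    """Return (policy_number, message) findings; number 0 means cluster-wide."""
    policies, findings = parse_policies(text), []
    if len(policies) > MAX_POLICIES:
        findings.append((0, f"{len(policies)} policies, limit is {MAX_POLICIES}"))
    for n, p in enumerate(policies, 1):
        names = p.get("USER_NAME", [])
        if "ANY_USER" in names and names != ["ANY_USER"]:
            findings.append((n, "ANY_USER mixed with login names"))
        elif names == ["ANY_USER"]:
            findings.append((n, "review: role granted to ANY_USER"))
        elif not 1 <= len(names) <= MAX_NAMES:
            findings.append((n, f"{len(names)} login names, limit is {MAX_NAMES}"))
        for key in KEYS[1:]:
            if len(p.get(key, [])) != 1:
                findings.append((n, f"{key} missing or not a single value"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"policy {n}: {msg}")
```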