Unsolved
This post is more than 5 years old
2 Intern
•
20.4K Posts
0
998
Symacl and access type
I would like to implement symacl in my environment but would like to get clarification on a few items.
Let's say i have a system that will need to be able to issue timefinder/clone commands. So first i create a group that consists of that system, then i create a pool that consists of devices that will be cloned and lastly i create an ACL with Rights=BCV. Let's say i have a knucklehead system admin who decides to play around with symclone command and issues "symclone restore" instead of establish. Symacl will not be able to stop him because "Rights=BCV" applies to all timefinder/clone commands ? Any way to get more granular control on timefinder operations ? ( i want to stay away from using symauth to restrict who runs the command)
Thanks
Let's say i have a system that will need to be able to issue timefinder/clone commands. So first i create a group that consists of that system, then i create a pool that consists of devices that will be cloned and lastly i create an ACL with Rights=BCV. Let's say i have a knucklehead system admin who decides to play around with symclone command and issues "symclone restore" instead of establish. Symacl will not be able to stop him because "Rights=BCV" applies to all timefinder/clone commands ? Any way to get more granular control on timefinder operations ? ( i want to stay away from using symauth to restrict who runs the command)
Thanks
xe2sdc
2 Intern
2 Intern
•
2.8K Posts
0
November 13th, 2007 01:00
xe2sdc
2 Intern
2 Intern
•
2.8K Posts
0
November 13th, 2007 01:00
-s-
dynamox
2 Intern
2 Intern
•
20.4K Posts
0
November 13th, 2007 05:00
xe2sdc
2 Intern
2 Intern
•
2.8K Posts
0
November 13th, 2007 06:00
rawstorage
419 Posts
1
November 13th, 2007 06:00
With the audit commands you can get very granular information about what command was run.
you can check to see if a restore was done recently
symaudit list -sid XXX -v -activity_id BeginRestore -start_date 11/1 -end_date 11/2
A list of the activity ID's is in the help for the symaudit command and also the command reference
also you can restrict a range of devices too; This functionality is available in se 6.4
xe2sdc
2 Intern
2 Intern
•
2.8K Posts
0
November 13th, 2007 08:00
dynamox
2 Intern
2 Intern
•
20.4K Posts
0
November 13th, 2007 08:00
i would like to stop the knucklehead system admin before he destroys production data. Auditing will be good for root-cause analysis ..but at that point business has suffered.
RRR
2 Intern
2 Intern
•
5.7K Posts
0
November 14th, 2007 01:00
xe2sdc
2 Intern
2 Intern
•
2.8K Posts
0
November 14th, 2007 01:00
RRR
2 Intern
2 Intern
•
5.7K Posts
0
November 14th, 2007 01:00
The RFE is sent.
RRR
2 Intern
2 Intern
•
5.7K Posts
0
November 14th, 2007 01:00
symmir est or split are fine, but no cancel or something....