
I read the GT.M security docs and see that GT.M does not include a specific security solution; it depends on the OS user roles.

Now I want each user to have specific roles on databases. How can I do that?

Example:

  • user 'manager' can run the SET and KILL commands on globals "Account" and "Salary"

  • user 'employee' can only run the ZWRITE command on global "Salary"

Assume that the "Account" and "Salary" global variables are mapped into the same database file.

Thanks,

Ryo

2 Answers

GT.M does not implement a security layer itself, and instead relies on access control as implemented by the operating system (user/group/world permissions and layered security such as SELinux). I know that some applications have accomplished what you want using the traditional user/group/world controls, but it does require the application schema to be amenable. Other applications implement access controls at the application layer.

The quote above by @DAiMor is dated. The current quote from the manual is:

Ensure that database file ownership (user and group), UNIX user and group ids, and permissions at the UNIX level match the intended access. If finer grained access controls than those provided by user and group ids and permissions are needed, consider using, where appropriate and available, security products layered on top of the operating system.

In general, we no longer recommend Access Control Lists. I notice that there is a later mention of it in the manual, which we should remove. ACLs work for files, but not for resources like shared memory.

K.S. Bhaskar
  • Thanks Mr. Bhaskar, so I have no way to assign specific roles by user on each specific global variable with GT.M? If I want to implement a security layer to accomplish my work, could you suggest some way (adding a module or plugin to the GT.M source code)? I am really interested in this feature – Ryo Sep 10 '15 at 08:50

Here I see that you are talking about read and write access, so you have to change access to the DB file; you can add the users who should have write access to a UNIX group with such access.
Quote from GT.M Security Philosophy:

Ensure that database file ownership (user and group), UNIX user and group ids, and permissions at the UNIX level match the intended access. If finer grained access controls than those provided by user and group ids and permissions are needed, consider using Access Control Lists (ACLs) where they are available.

DAiMor
  • Thanks, I edited my question. Please check it again. In the case of multiple globals in a database file, I need to set a specific role on each global variable – Ryo Sep 08 '15 at 07:48
  • For that case it is impossible, because of the UNIX way of security. But it is not so difficult to split up the database file for security reasons. – DAiMor Sep 08 '15 at 08:05
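Both answers come down to the same recipe: give each global that needs its own rights its own database file, then express the roles with plain UNIX ownership and mode bits. The script below works that recipe through for the ^Account and ^Salary case from the question. It is an added example, not code from the question, from either answer or from the GT.M project. It assumes that "manager" is a UNIX user, that the "employee" readers are members of a UNIX group named "staff", that $gtmgbldir points at the global directory to be written, and that the files live under $DB_DIR; all of those names are illustrative. The GDE and MUPIP commands are the standard ones; only the layout around them is the assumption.

```shell
#!/bin/sh
# Added example: one database file per global so that UNIX mode bits can act as
# per-global access control for GT.M. Names below (manager, staff, paths) are assumed.
set -eu

DB_DIR=${DB_DIR:-/var/lib/gtm/payroll}
MANAGER_USER=${MANAGER_USER:-manager}   # the only writer
READER_GROUP=${READER_GROUP:-staff}     # the "employee" users, read-only on ^Salary

# GDE commands: a separate segment, region and file for each global. GDE writes the
# result to the global directory named by $gtmgbldir.
gde_script() {
    cat <<EOF
add -segment SALARY  -file=$DB_DIR/salary.dat
add -region  SALARY  -dynamic=SALARY
add -name    Salary  -region=SALARY
add -segment ACCOUNT -file=$DB_DIR/account.dat
add -region  ACCOUNT -dynamic=ACCOUNT
add -name    Account -region=ACCOUNT
exit
EOF
}

# Mode bits by intended audience. The owner always gets rw; the group gets rw for
# "writers" and r for "readers"; "other" never gets anything, because an "other"
# bit would apply to every account on the host.
db_mode() {
    case "$1" in
        writers) echo 0660 ;;
        readers) echo 0640 ;;
        private) echo 0600 ;;
        *) printf 'unknown audience: %s\n' "$1" >&2; return 1 ;;
    esac
}

# The ownership plan, one "path owner group mode" line per file.
perm_plan() {
    # salary.dat: manager writes; group staff can only read it, so a ZWRITE from an
    # employee works while GT.M refuses SET/KILL for a file it could only open read-only.
    printf '%s %s %s %s\n' "$DB_DIR/salary.dat" "$MANAGER_USER" "$READER_GROUP" "$(db_mode readers)"
    # account.dat: manager only; employees cannot even open it.
    printf '%s %s %s %s\n' "$DB_DIR/account.dat" "$MANAGER_USER" "$MANAGER_USER" "$(db_mode private)"
}

# Apply the plan (run as root, after the files exist).
apply_plan() {
    perm_plan | while read -r path owner group mode; do
        chown "$owner:$group" "$path"
        chmod "$mode" "$path"
    done
}

# Full procedure; only runs when invoked as "./split-globals.sh setup" with GT.M installed.
if [ "${1:-}" = setup ]; then
    mkdir -p "$DB_DIR"
    gde_script | "$gtm_dist/mumps" -run GDE
    "$gtm_dist/mupip" create -region=SALARY
    "$gtm_dist/mupip" create -region=ACCOUNT
    apply_plan
fi
```

Two caveats follow directly from the UNIX model the answers describe. First, a single file has only one owner and one group, so a global that needs several writers and a separate set of readers at the same time cannot be expressed without opening "other" read access to everyone on the machine; this is the "schema must be amenable" condition in the accepted answer, and a further split into more files (or an application-layer check) is the way around it. Second, the mode bits decide whether a process can open the file at all and whether it may write; they do not restrict which commands the manager's own GT.M process runs, so "SET and KILL but nothing else" is really "read-write" at this layer.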