Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

dynamox

2 Intern

 • 

20.4K Posts

998

November 12th, 2007 12:00

Symacl and access type

I would like to implement symacl in my environment but would like to get clarification on a few items.

Let's say i have a system that will need to be able to issue timefinder/clone commands. So first i create a group that consists of that system, then i create a pool that consists of devices that will be cloned and lastly i create an ACL with Rights=BCV. Let's say i have a knucklehead system admin who decides to play around with symclone command and issues "symclone restore" instead of establish. Symacl will not be able to stop him because "Rights=BCV" applies to all timefinder/clone commands ? Any way to get more granular control on timefinder operations ? ( i want to stay away from using symauth to restrict who runs the command)

Thanks

xe2sdc

2 Intern

 • 

2.8K Posts

November 13th, 2007 01:00

First quick answer .. NO .. you have "classes" of commands .. you can not filter each and every command .. If you give "masking" (just an example) permission to an host, from this given host you will be able to add but also to REMOVE masking. I'll look further... :-)

xe2sdc

2 Intern

 • 

2.8K Posts

November 13th, 2007 01:00

The code internally allows you to record each and every command your hosts issue. You can check with symaudit the "history" of your box. I think that symacl MAY be expanded to filter narrower classes of commands and/or actions for any given command (but again it is my own speculation on the subject) .. Maybe it's a good RFE for ENG :-) .. Unfortunatly eng usually listen to customers and not to me :-P .. Maybe you can ask for such an RFE :D

-s-

dynamox

2 Intern

 • 

20.4K Posts

November 13th, 2007 05:00

i guess i will go ahead and submit an RFE ..maybe in SE 8.4 we will see this functionality ? :)

xe2sdc

2 Intern

 • 

2.8K Posts

November 13th, 2007 06:00

Don't be too harsh :-) .. the time needed to implement a given RFE depends on a number of things .. It depends on how easy is to implement .. it depends on how many requests ENG receives .. :D

rawstorage

419 Posts

November 13th, 2007 06:00

To add to the discussion.

With the audit commands you can get very granular information about what command was run.

you can check to see if a restore was done recently
symaudit list -sid XXX -v -activity_id BeginRestore -start_date 11/1 -end_date 11/2

A list of the activity ID's is in the help for the symaudit command and also the command reference

also you can restrict a range of devices too; This functionality is available in se 6.4

xe2sdc

2 Intern

 • 

2.8K Posts

November 13th, 2007 08:00

ThX ;-)

dynamox

2 Intern

 • 

20.4K Posts

November 13th, 2007 08:00

Paul,

i would like to stop the knucklehead system admin before he destroys production data. Auditing will be good for root-cause analysis ..but at that point business has suffered.

RRR

2 Intern

 • 

5.7K Posts

November 14th, 2007 01:00

Would this be a "symm management" product ? I can't find symacl or symcli as the product to choose.

xe2sdc

2 Intern

 • 

2.8K Posts

November 14th, 2007 01:00

I can only underline that the more customers pushes for an RFE, the more is likely that ENG can work on the feature requested :-)

RRR

2 Intern

 • 

5.7K Posts

November 14th, 2007 01:00

Done ;)
The RFE is sent.

RRR

2 Intern

 • 

5.7K Posts

November 14th, 2007 01:00

Perhaps I will join you as I was wondering about filtering commands out in a deeper level as well ;-)
symmir est or split are fine, but no cancel or something....

View More

View All

No Events found!

Top