HELPLIB.HLB  —  Hints  Security

1  –  Object Protection

    Modifying and displaying the security characteristics of
    protected objects.

    SET SECURITY     Modifies the access control list (ACL),
                     protection code, and owner of a protected
                     object.
    SHOW SECURITY    Displays the name, class, and profile of a
                     protected object. The profile lists the object's
                     access control list (ACL), protection code, and
                     owner.

2  –  Protection Codes

    A protection code controls the type of access allowed (or denied)
    to a particular user or group of users. It has the following
    format:

    [category:list of access allowed(,category:list of access allowed,...)]

    o  Category

       User categories include system (S), owner (O), group (G),
       and world (W). Each category can be abbreviated to its first
       character. Categories have the following definition:

       System      Any user process or application whose UIC is
                   in the range 1 through 10 (octal), has SYSPRV
                   privilege, or is in the same group as the owner
                   and holds GRPPRV.
       Owner       Any user process or application whose UIC is
                   identical to the UIC of the object.
       Group       Any user process or application whose Group UIC is
                   identical to the group UIC of the object.
       World       Any user process or application on the system.

       When specifying more than one user category, separate the
       categories with commas, and enclose the entire code in
       parentheses. You can specify user categories and access types
       in any order.

       A null access specification means no access, so when you omit
       an access type for a user category, that category of user
       is denied that type of access. To deny all access to a user
       category, specify the user category without any access types.
       Omit the colon after the user category when you are denying
       access to a category of users.

    o  access-list

       For files, the access types include read (R), write (W),
       execute (E), or delete (D). The access type is assigned
       to each ownership category and is separated from its
       access types with a colon (:); for example, SET SECURITY
       /PROTECTION=(S:RWE,O:RWE,G:RE,W). File access types have the
       following meanings:

       Read     Gives you the right to read, print, or copy a disk
                file. With directory files, the right to read or list
                a file and use a file name with wildcard characters
                to look up files. Read access implies execute access.
       Write    Gives you the right to write to or change the
                contents of a file, but not delete it. Write access
                allows modification of the file characteristics that
                describe the contents of the file. With directory
                files, the right to make or delete an entry in the
                catalog of files.
       Execute  Gives you the right to execute a file that contains
                an executable program image or DCL command procedure.
                With a directory file, the right to look up files
                whose names you know.
       Delete   Gives you the right to delete the file. To delete
                a file, you must have delete access to the file and
                write access to the directory that contains the file.
       Control  Gives you the right to file characteristics,
                including the protection code and ACL. Special
                restrictions apply to changing the owner of a file.

3  –  Assigning File Profiles

    The new file obtains its owner, protection code, and ACL from a
    number of sources. The ownership assignment of a new file is done
    independently of protection and ACL.

3.1  –  Ownership

    If any of the following conditions are true, then you can assign
    an identifier as the owner of a file:

    o  The identifier matches your process UIC.

    o  You hold the identifier with the Resource attribute.

    o  You hold GRPPRV privilege and the identifier's group number
       matches your UIC group.

    o  You hold SYSPRV privilege.

    A file receives its owner identifier from the first applicable
    source that you are allowed to assign:

    o  The explicit assignment of an owner at creation with the
       /OWNER_UIC qualifier to the CREATE or COPY command

    o  The previous version

    o  The parent directory

    o  The process UIC

3.2  –  Protection Code and ACL

    The sources of a new file's protection code and ACL are similar
    to those of ownership and are considered in the same order. The
    system assigns a file's protection code and ACL from one of the
    following sources:

    1. The explicit assignment of elements at creation

    2. The profile of the previous version of the file, if one exists

    3. A Default Protection ACE and Default ACL on the parent
       directory

    4. The UIC and protection defaults of the process issuing the
       command

    5. One of the above with provision for the user creating the file

    See the OpenVMS Guide to System Security for further information.

4  –  Security Auditing

    The SET AUDIT command and the SHOW AUDIT command provide the
    management interface to the security auditing system, and the
    ANALYZE/AUDIT command processes the audit log file.

    ANALYZE/AUDIT          Processes event messages in security audit
                           log files to produce reports of security-
                           related events on the system.
    SET AUDIT/ENABLE       Select categories of events to audit.
    /AUDIT
    SET AUDIT/SERVER       Change the operational characteristics of
                           the audit server
    SET AUDIT/JOURNAL      Establish the location of the audit log
    /DESTINATION           file.
    SET AUDIT/RESOURCE     Control the monitoring of the log file's
                           disk space.
    SHOW AUDIT             Displays the security auditing
                           characteristics in effect on the system.
Close Help