Library /sys$common/syshlp/ACLEDT.HLB  —  DEF_PROT_ACE
    Defines a UIC-based protection to be propagated to new files
    throughout a directory tree. The protection code in the ACE
    is assigned to new files created in the directory. The Default
    Protection ACE applies to directory files only.

    Although the system propagates the Default Protection ACE to
    new subdirectories, the protection code is not assigned to the
    subdirectories. Instead, the subdirectories receive a modified
    copy of the parent directory's protection code in which delete
    access is not granted.

    An example of a Default Protection ACE is as follows:

    (DEFAULT_PROTECTION,S:RWED,O:RWED,G,W)

    The ACE grants read, write, execute, and delete access to users
    in the system (S) and owner (O) categories but no access to users
    in the group and world categories. For more information, see the
    OpenVMS Guide to System Security.

    Format

      (DEFAULT_PROTECTION[,OPTIONS=attribute[+attribute...]],access)

1  –  Parameters

 options

    Specify any of the following attributes:

    Hidden       Indicates that this ACE should be changed only by
                 the application that adds it. Although the Hidden
                 attribute is valid for any ACE type, its intended
                 use is to hide Application ACEs. To delete or modify
                 a hidden ACE, you must use the SET SECURITY command.

                 Users need the SECURITY privilege to display a
                 hidden ACE with the DCL commands SHOW SECURITY
                 or DIRECTORY/SECURITY. SECURITY privilege is also
                 required to modify or delete a hidden ACE with the
                 DCL command SET SECURITY. The ACL editor displays
                 the ACE only to show its relative position within
                 the ACL, not to facilitate editing of the ACE. To
                 create a hidden ACE, an application can invoke the
                 $SET_SECURITY system service.

    Protected    Protects the ACE against casual deletion. Protected
                 ACEs can be deleted only in the following ways:

                 o  By using the ACL editor

                 o  By specifying the ACE explicitly when deleting it

                    Use the command SET SECURITY/ACL=(ace)/DELETE to
                    specify and delete an ACE.

                 o  By deleting all ACEs, both protected and
                    unprotected

                    Use the command SET SECURITY/ACL/DELETE=ALL to
                    delete all ACEs.

                 The following commands do not delete protected ACEs:

                    SET SECURITY/ACL/DELETE
                    SET SECURITY/LIKE
                    SET SECURITY/DEFAULT

    Nopropagate  Indicates that the ACE cannot be copied by
                 operations that usually propagate ACEs. For example,
                 the ACE cannot be copied by the SET SECURITY/LIKE or
                 SET SECURITY/DEFAULT commands.

    None         Indicates that no attributes apply to an entry.
                 Although you can create an ACL entry with
                 OPTIONS=None, the attribute is not displayed.
                 Whenever you specify additional attributes with
                 the None attribute, the other attributes take
                 precedence. The None attribute is equivalent to
                 omitting the field.

 access

    Specify access in the format of a UIC-based protection code,
    which is as follows:

    [category: list of access allowed (, category: list of access allowed,...)]

    o  User categories include system (S), owner (O), group (G),
       and world (W). See the OpenVMS Guide to System Security
       for a definition of these categories. Access types for files
       include read (R), write (W), execute (E), and delete (D).
       Access types are assigned to each user category, and each
       category is separated from its access types with a colon (:).

    o  A null access list means no access, so when you omit an access
       type for a user category, that category of user is denied that
       type of access. To deny all access to a user category, specify
       the user category without any access types. Omit the colon
       after the user category when you deny access to a category of
       users.

    o  When you omit a user category from a protection code, the
       access currently allowed to that category of user is set to
       no access.
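
    The following Python code is an added example, not part of the
    OpenVMS help text. It parses a Default Protection ACE by the rules
    above (an omitted or bare category means no access, None equals
    omitting OPTIONS) and lists world write or delete grants; the
    function names and the acceptance of full category names are
    assumptions of the example.

```python
CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ATTRIBUTES = {"HIDDEN", "PROTECTED", "NOPROPAGATE", "NONE"}


def parse_default_protection(ace):
    """Return (attributes, {category: set of access letters}) for one ACE."""
    text = ace.strip().upper()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("ACE must be enclosed in parentheses")
    fields = [f.strip() for f in text[1:-1].split(",")]
    if fields.pop(0) != "DEFAULT_PROTECTION":
        raise ValueError("not a Default Protection ACE")
    attributes = set()
    if fields and fields[0].startswith("OPTIONS="):
        attributes = {a.strip() for a in fields.pop(0)[len("OPTIONS="):].split("+")}
        if not attributes <= ATTRIBUTES:
            raise ValueError(f"unknown attribute: {sorted(attributes - ATTRIBUTES)}")
        attributes.discard("NONE")  # None is equivalent to omitting the field
    # A category left out of the code gets no access, so start from empty sets.
    access = {c: set() for c in CATEGORIES}
    for field in fields:
        name, _, letters = (part.strip() for part in field.partition(":"))
        # Assumption: a category may be S/O/G/W or any longer prefix of its name.
        matches = [c for c in CATEGORIES if name and c.startswith(name)]
        if len(matches) != 1 or not set(letters) <= set("RWED"):
            raise ValueError(f"bad protection field: {field!r}")
        access[matches[0]] = set(letters)  # bare "G" -> empty set -> no access
    return attributes, access


def audit(ace):
    """List world grants that every new file under the directory would inherit."""
    _, access = parse_default_protection(ace)
    labels = (("W", "write"), ("D", "delete"))
    return [f"world has {label} access to new files"
            for letter, label in labels if letter in access["WORLD"]]


if __name__ == "__main__":
    # Constructed sample ACEs; the first is the example from the help text.
    for sample in ("(DEFAULT_PROTECTION,S:RWED,O:RWED,G,W)",
                   "(DEFAULT_PROTECTION,OPTIONS=Protected+None,S:RWED,O:RWED,G:RE,W:RWD)"):
        print(sample, parse_default_protection(sample), audit(sample))
```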