identifier
Specifies a user or groups of users whose access to an object
is defined in the ACE. A system manager creates or removes
identifiers and assigns users to hold these identifiers.
Types of identifiers are as follows:
UIC Identifiers in alphanumeric format that are based
on the user identification codes (UICs) and that
uniquely identify each user on the system. Users
with accounts on the system automatically receive
a UIC identifier, for example, [GROUP1,JONES] or
[JONES]. Thus, each UIC identifier specifies a
particular user.
General Identifiers defined by the security administrator
in the rights list to identify groups of users on
the system. A general identifier is an alphanumeric
string of 1 to 31 characters, containing at least
one alphabetic character. It can include the
letters A to Z, dollar signs ($), underscores (_),
and the numbers 0 to 9, for example, 92SALES$,
ACCOUNT_3, or PUBLISHING.
Environmental Identifiers describing different types of users
based on their initial entry into the system.
Environmental identifiers are also called system-
defined identifiers. Environmental identifiers
correspond directly to the login classes described
in the OpenVMS Guide to System Security. They
include batch, network, interactive, local, dialup,
and remote.
For more information, see the OpenVMS Guide to System Security.
options
Specify any of the following attributes:
Default Indicates that an ACE is to be included in the
ACL of any files created within a directory. When
the entry is propagated, the Default attribute
is removed from the ACE of the created file. This
attribute is valid for directory files only.
Note that an Identifier ACE with the Default
attribute has no effect on access.
Hidden Indicates that this ACE should be changed only by
the application that adds it. Although the Hidden
attribute is valid for any ACE type, its intended
use is to hide Application ACEs. To delete or modify
a hidden ACE, you must use the SET SECURITY command.
Users need the SECURITY privilege to display a
hidden ACE with the DCL commands SHOW SECURITY
or DIRECTORY/SECURITY. SECURITY privilege is also
required to modify or delete a hidden ACE with the
DCL command SET SECURITY. The ACL editor displays
the ACE only to show its relative position within
the ACL, not to facilitate editing of the ACE. To
create a hidden ACE, an application can invoke the
$SET_SECURITY system service.
Protected Protects the ACE against casual deletion. Protected
ACEs can be deleted only in the following ways:
o By using the ACL editor
o By specifying the ACE explicitly when deleting it
Use the command SET SECURITY/ACL=(ace)/DELETE to
specify and delete an ACE.
o By deleting all ACEs, both protected and
unprotected
Use the command SET SECURITY/ACL/DELETE=ALL to
delete all ACEs.
The following commands do not delete protected ACEs:
SET SECURITY/ACL/DELETE
SET SECURITY/LIKE
SET SECURITY/DEFAULT
Nopropagate Indicates that the ACE cannot be copied by
operations that usually propagate ACEs. For example,
the ACE cannot be copied by the SET SECURITY/LIKE or
SET SECURITY/DEFAULT commands.
None Indicates that no attributes apply to an entry.
Although you can create an ACL entry with
OPTIONS=None, the attribute is not displayed.
Whenever you specify additional attributes with
the None attribute, the other attributes take
precedence. The None attribute is equivalent to
omitting the field.
access
Specify access types that are valid for the object class. See the
OpenVMS Guide to System Security for a listing of valid access
types.