Technical data

Managing User Accounts
7.5 Preparing to Add User Accounts
7.5.2.5 Setting the User Default Device for a Captive Account
For a captive account, whether you create a top-level directory depends on
the nature of the user system. If people use files in a particular directory,
make that directory the default directory specification. For example, if
the inventory system uses the files DISK$DATA:[INV]STOCK1.DAT and
DISK$DATA:[INV]STOCK2.DAT, make the default device specification
DISK$DATA: and make the default directory specification [INV].
7.5.3 Understanding Account Security
The level of security that you establish for an account depends on the purpose
of the account and whether it is shared with other users or groups. For an
interactive user account, the default UIC-based protection is usually adequate.
Protecting Users' Files
The default protection for top-level directories is no world access. However, for
new user directories, you might want to change the default to world execute
access so that users will not have to change directory protection to allow other
users read access to files in that directory.
Users can further protect their files and subdirectories on an individual basis
with the DCL command SET SECURITY.
Using Access Control Lists (ACLs)
In some cases, such as project accounts, you might want to set up an additional
level of protection by using access control lists (ACLs). ACL-based protection
provides a more refined level of security in cases where different groups or
members of overlapping groups share access to an account such as a project
account. ACLs offer a way to grant or deny users access to any security-relevant
object.
Section 7.9.2 describes how to set up a project account with ACL-based protection.
For more information about how to set up and edit ACLs, see the OpenVMS
Guide to System Security and the OpenVMS System Management Utilities
Reference Manual.
Using AUTHORIZE to Maintain the Rights Database
The rights database (RIGHTSLIST.DAT) is a file that associates users of the
system with access-controlling identifiers. When a user logs in, the system checks
the rights database for the identifiers that the user holds. You use the Authorize
utility (AUTHORIZE) to maintain the rights database by adding or deleting
identifiers as needed.
By allowing a group of users to hold common identifiers, you can create a group
protection scheme that is more intricate than that provided by the UIC-based
protection.
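The following DCL command procedure is an added example, not part of the original manual. It shows a common identifier being created, granted to users, and then referenced in ACLs on the inventory directory and files mentioned earlier. The identifier INV_TEAM and the user names JONES and SMITH are hypothetical.

```dcl
$! Added example. INV_TEAM, JONES and SMITH are hypothetical names;
$! DISK$DATA:[INV] is the inventory directory used earlier on this page.
$!
$! 1. Create the identifier in the rights database and grant it to the users.
$!    The system reads a user's identifiers at login, so JONES and SMITH
$!    hold INV_TEAM from their next login onward.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD/IDENTIFIER INV_TEAM
GRANT/IDENTIFIER INV_TEAM JONES
GRANT/IDENTIFIER INV_TEAM SMITH
SHOW/RIGHTS JONES
EXIT
$!
$! 2. Put two ACEs on the directory file. The first controls access to the
$!    directory itself; the second (OPTIONS=DEFAULT) is copied to files
$!    created in [INV] afterward.
$ SET SECURITY/ACL=((IDENTIFIER=INV_TEAM,ACCESS=READ+WRITE+EXECUTE), -
    (IDENTIFIER=INV_TEAM,OPTIONS=DEFAULT,ACCESS=READ+WRITE)) -
    DISK$DATA:[000000]INV.DIR
$!
$! 3. Files that already exist do not inherit the default ACE, so set
$!    their ACLs explicitly.
$ SET SECURITY/ACL=(IDENTIFIER=INV_TEAM,ACCESS=READ+WRITE) -
    DISK$DATA:[INV]STOCK*.DAT;*
$!
$! 4. Verify the resulting owner, protection code and ACL.
$ SHOW SECURITY DISK$DATA:[000000]INV.DIR
$ SHOW SECURITY DISK$DATA:[INV]STOCK1.DAT
```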
Using Protected Subsystems
Protected subsystems provide conditional access to data. In a protected
subsystem, an application protected by normal access controls serves as a
gatekeeper to objects belonging to the subsystem. While users are running
the application, their process rights list contains identifiers giving them access to
objects owned by the subsystem. As soon as users exit from the application, these
identifiers and, therefore, the users’ access rights to objects are taken away. For
more information, see the OpenVMS Guide to System Security.