Using Files and Directories
10.2 Controlling Access to ODS-5 Volumes
10.2.2 Preventing an Untested Application from Accessing an ODS-5 Volume
Follow these steps to prevent an untested application from accessing an ODS-5
volume:
1. Define an identifier (for example, ODS5_UNSAFE) to identify applications
that you do not want to access an ODS-5 volume, for example:
UAF> ADD /IDENTIFIER ODS5_UNSAFE /ATTR=SUBSYSTEM
%UAF-I-RDBADDMSG, identifier ODS5_UNSAFE value %X80010039 added to rights database
2. Attach a protected subsystem ACE to the application with the ODS5_UNSAFE identifier, for example:
$ SET SECURITY /CLASS=FILE SYS$SYSTEM:APPLICATION.EXE -
_$ /ACL=(SUBSYSTEM,ID=ODS5_UNSAFE)
3. To each ODS-5 volume, attach an ACE denying access to the ODS-5 volume
to holders of the ODS5_UNSAFE identifier, for example:
$ SET SECURITY /CLASS=VOLUME ODS5_DISK /ACL=(ID=ODS5_UNSAFE,ACCESS=NONE)
Optionally, you can override the restriction in the last step to allow trained users
to access untested applications by following the remaining lettered steps:
a. Create another identifier (for example, ODS5_UNTRAINED):
UAF> ADD /IDENTIFIER ODS5_UNTRAINED
%UAF-I-RDBADDMSG, identifier ODS5_UNTRAINED value %X80010038 added to rights database
b. Assign this identifier to all users, for example:
UAF> GRANT/IDENTIFIER ODS5_UNTRAINED *
%UAF-I-GRANTMSG, identifier ODS5_UNTRAINED granted to *
c. Instead of Step 3, place an Access Control Entry (ACE) on the volume that
denies access to holders of the ODS5_UNTRAINED identifier; for example:
$ SET SECURITY /CLASS=VOLUME ODS5_DISK -
_$ /ACL=(ID=ODS5_UNSAFE+ODS5_UNTRAINED,ACCESS=NONE)
Because the ACE names both identifiers, it matches only a process that holds both of them, that is, an ODS5_UNTRAINED user running an ODS5_UNSAFE application; such users are denied access to the volume, while everyone else is unaffected by this ACE.
d. Remove the identifier from individual users when you are willing to let them
use any application on an ODS-5 volume, for example:
UAF> REVOKE/IDENTIFIER ODS5_UNTRAINED SHEILA_USER
%UAF-I-REVOKEMSG, identifier ODS5_UNTRAINED revoked from SHEILA_USER
After you complete these steps:
An untrained user can use an untested application only to access ODS-2 volumes.
A trained user can access ODS-5 volumes with any application.
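The following is an added example, not part of the OpenVMS manual: a deliberately simplified model of how the identifier ACEs from this section are matched against the identifiers a process holds, used to check the four user/application combinations summarized above. It assumes (for clarity only) that an ID=A+B ACE matches when the process holds every listed identifier, that a matching ACCESS=NONE ACE denies, and it ignores protection codes, privileges and any other ACEs on the volume.

```python
# Added example (not from the OpenVMS manual): simplified model of the
# identifier ACEs described in this section. Assumptions: an ID=A+B ACE
# matches only a holder of every listed identifier; a matching ACCESS=NONE
# ACE denies; protection codes, privileges and other ACEs are ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentifierAce:
    identifiers: frozenset  # all must be held for the ACE to match (ID=A+B)
    access: str             # "NONE" denies; anything else is treated as a grant


def parse_ace(ace: str) -> IdentifierAce:
    """Parse an ACE written as on the page, e.g.
    (ID=ODS5_UNSAFE+ODS5_UNTRAINED,ACCESS=NONE)."""
    body = ace.strip().strip("()")
    fields = dict(part.split("=", 1) for part in body.split(","))
    ids = frozenset(i.strip().upper() for i in fields["ID"].split("+"))
    return IdentifierAce(ids, fields["ACCESS"].strip().upper())


def process_identifiers(user_ids, image_subsystem_ids):
    """While a protected-subsystem image runs, the process holds the user's
    own identifiers plus those from the image's SUBSYSTEM ACE (step 2)."""
    return frozenset(user_ids) | frozenset(image_subsystem_ids)


def volume_access_allowed(acl, held):
    """First matching identifier ACE decides; ACCESS=NONE denies.
    No match means this ACL does not restrict the process."""
    for ace in acl:
        if ace.identifiers <= held:
            return ace.access != "NONE"
    return True


def evaluate_cases(acl_text):
    """Evaluate trained/untrained users running tested/unsafe applications
    against a volume ACL given as a list of ACE strings."""
    acl = [parse_ace(a) for a in acl_text]
    users = {"untrained": {"ODS5_UNTRAINED"}, "trained": set()}
    apps = {"unsafe": {"ODS5_UNSAFE"}, "tested": set()}
    results = {}
    for user, user_ids in users.items():
        for app, app_ids in apps.items():
            held = process_identifiers(user_ids, app_ids)
            results[(user, app)] = volume_access_allowed(acl, held)
    return results


if __name__ == "__main__":
    for label, acl in (("Step 3", ["(ID=ODS5_UNSAFE,ACCESS=NONE)"]),
                       ("Step c", ["(ID=ODS5_UNSAFE+ODS5_UNTRAINED,ACCESS=NONE)"])):
        print(label, evaluate_cases(acl))
```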