Security Considerations
12.4 Understanding Ways to Protect Objects
user category
User categories include system (S), owner (O), group (G), and world (W). Each
category can be abbreviated to its first character. Categories have the following
definitions:
• System: Members of this category can include any of the following users:
– Users with low group numbers, usually from 1 to 10 (octal). These group
numbers are generally for system managers, security administrators,
and system programmers. (The exact range of system group numbers
is determined by the security administrator in the setting of the system
parameter MAXSYSGROUP. It can range as high as 37776 (octal).)
– Users with the SYSPRV privilege.
– Users with the GRPPRV privilege whose UIC group matches the UIC
group of the object’s owner.
– In access requests to files on a disk volume, users whose UIC matches the
UIC of the volume’s owner.
• Owner: The user with the same UIC as the user who currently owns the
object. In general, the creator of an object is entitled to owner access unless
explicit action is taken to secure the object from its creator.
• Group: All users who are in the same UIC group as the object’s owner.
• World: All users, including those in the first three categories.
When specifying more than one user category, separate the categories with
commas, and enclose the entire code in parentheses. You can specify user
categories and access types in any order.
A null access specification means no access, so when you omit an access type
for a user category, that category of user is denied that type of access. To deny
all access to a user category, specify the user category without any access types.
Omit the colon after the user category when you are denying access to a category
of users.
When you omit a user category from a protection code, the current access allowed
that category of user remains unchanged.
access-list
Access types are object-dependent and are described in the OpenVMS Guide to
System Security. For files, the access types include read (R), write (W), execute
(E), and delete (D). The access type is assigned to each user category and is
separated from its user category by a colon (:).
Example
The protection code in the following example allows system users full access to an
object, the owner full access except delete, and group and world users no access:
$ SET SECURITY/PROTECTION=(S:RWED,O:RWE,G,W) [JONES]MY_FILE.TXT
How to Change the Default Protection
The operating system provides each process with a default UIC-based protection
of (S:RWED,O:RWED,G:RE,W). To change the default protection, enter the SET
PROTECTION/DEFAULT command, as shown in the following example:
$ SET PROTECTION=(S:RWED,O:RWED,G:RE,W:RE)/DEFAULT
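The protection-code rules above (a category named without access types is denied all access, an omitted category keeps its current access), the four user-category definitions, and the per-process default protection, as a worked model in Python. This is example code added for this page, not code from the OpenVMS documentation or the operating system: the UICs, the MAXSYSGROUP value of octal 10 and the privilege lists are constructed inputs, and ACLs and privileges such as BYPASS or READALL are deliberately not modelled.

```python
"""Model of OpenVMS UIC-based protection codes (added example, not OpenVMS code).

Parses codes such as (S:RWED,O:RWE,G,W), merges them into an existing
protection the way SET SECURITY/PROTECTION does, classifies a requester into
user categories from UICs and privileges, and evaluates an access request.
ACLs and privileges such as BYPASS/READALL are not modelled.
"""

CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ACCESS_TYPES = "RWED"  # file access types: read, write, execute, delete

# Per-process default protection stated in the text: (S:RWED,O:RWED,G:RE,W)
DEFAULT_PROTECTION = {
    "SYSTEM": set("RWED"),
    "OWNER": set("RWED"),
    "GROUP": set("RE"),
    "WORLD": set(),
}


def _category(name):
    """Expand a category name or its first-character abbreviation (S, O, G, W)."""
    name = name.strip().upper()
    matches = [c for c in CATEGORIES if name and c.startswith(name)]
    if len(matches) != 1:
        raise ValueError(f"unknown user category {name!r}")
    return matches[0]


def parse_protection_code(code):
    """Return {category: set of access types} for each category named in code.

    A category written without a colon or access types ("G") maps to an empty
    set: all access denied.  Categories not named are absent, so that
    apply_protection_code() leaves them unchanged.
    """
    text = code.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    parsed = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, access = item.partition(":")
        category = _category(name)
        if category in parsed:
            raise ValueError(f"category {category} given twice in {code!r}")
        granted = set()
        for ch in access.strip().upper():
            if ch not in ACCESS_TYPES:
                raise ValueError(f"unknown access type {ch!r} in {code!r}")
            granted.add(ch)
        parsed[category] = granted
    return parsed


def apply_protection_code(current, code):
    """Merge a protection code into an existing protection, as SET SECURITY does."""
    updated = {cat: set(acc) for cat, acc in current.items()}
    updated.update(parse_protection_code(code))
    return updated


def format_protection(protection):
    """Render a protection in the (S:...,O:...,G:...,W:...) code syntax."""
    parts = []
    for cat in CATEGORIES:
        acc = "".join(a for a in ACCESS_TYPES if a in protection[cat])
        parts.append(f"{cat[0]}:{acc}" if acc else cat[0])
    return "(" + ",".join(parts) + ")"


def user_categories(user_uic, owner_uic, privileges=(), maxsysgroup=0o10,
                    volume_owner_uic=None):
    """Categories a requester falls into; every user is in WORLD and may be
    in several categories at once.  UICs are (group, member) tuples; the
    maxsysgroup default of octal 10 is an assumed site value for MAXSYSGROUP."""
    user_group, _ = user_uic
    owner_group, _ = owner_uic
    cats = {"WORLD"}
    if user_group == owner_group:
        cats.add("GROUP")
    if user_uic == owner_uic:
        cats.add("OWNER")
    if (user_group <= maxsysgroup
            or "SYSPRV" in privileges
            or ("GRPPRV" in privileges and user_group == owner_group)
            or (volume_owner_uic is not None and user_uic == volume_owner_uic)):
        cats.add("SYSTEM")
    return cats


def access_allowed(protection, categories, access):
    """Grant the access type if any category the requester belongs to grants it."""
    return any(access in protection[cat] for cat in categories)


if __name__ == "__main__":
    # The page's example applied over the process default protection.
    prot = apply_protection_code(DEFAULT_PROTECTION, "(S:RWED,O:RWE,G,W)")
    print(format_protection(prot))
    owner = user_categories((0o200, 0o5), (0o200, 0o5))
    print("owner may delete:", access_allowed(prot, owner, "D"))
    # Omitting a category leaves it unchanged; naming it without access denies all.
    print(format_protection(apply_protection_code(DEFAULT_PROTECTION, "(W:RE)")))
    print(format_protection(apply_protection_code(DEFAULT_PROTECTION, "(G)")))
```

The two calls at the end show the distinction that trips people up in practice: `(W:RE)` touches only the world category and leaves system, owner and group as they were, whereas `(G)` silently strips all group access. Running a candidate code through `apply_protection_code()` against the object's current protection before issuing SET SECURITY is a cheap way to see the full resulting code rather than only the categories you typed.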