Technical data

ManualsBrandsCompaq ManualsPrinterLA36

471

472

473

474

475

476

477

478

479

480

Security Considerations

12.6 Creating Access Control Lists

ACE Description

Identiﬁer ACE Controls the types of access allowed to speciﬁc users based on the

user’s identiﬁcation. Each Identiﬁer ACE includes one or more

rights identiﬁers and a list of the types of access the user holding

the identiﬁer has permission to exercise. See Section 12.6.2 for a

summary of identiﬁers.

For example, the following ACE grants the user Jones read, write, and

execute access to an object:

(IDENTIFIER=[ACCOUNTING,JONES],ACCESS=READ+WRITE+EXECUTE)

Default

Protection ACE

Allows you to specify a protection code for a directory ﬁle that

is propagated to all ﬁles created within that directory and its

subdirectories.

For example, the following ACE assigns a protection code to newly

created ﬁles in a directory. The code gives users in the system and

owner categories full access, it gives group users both read and execute

access, and it denies access to users in the world category.

(DEFAULT_PROTECTION,S:RWED,O:RWED,G:RE,W:)

Creator ACE Adds an extra ACE to the ACL of a ﬁle created within the directory to

which you assign the Creator ACE. The Creator ACE applies when the

ﬁle being created is not owned by the user identiﬁcation code (UIC) of

the process creating the ﬁle, such as when the directory is owned by a

resource identiﬁer.

The following ACE, for example, speciﬁes that any user creating a ﬁle

in the directory will receive read, write, execute, and delete access to it:

(CREATOR,ACCESS=READ+WRITE+EXECUTE+DELETE)

The Creator ACE applies to directory ﬁles only.

Security Alarm

ACE

Allows you to request that a security alarm message be sent to the

operator’s terminal if an object is accessed in a particular way.

For example, the following ACE causes an alarm message whenever a

particular ﬁle is successfully read:

(ALARM=SECURITY,ACCESS=SUCCESS+READ)

The security Alarm ACE has no effect unless ACL alarms are enabled

with the following command:

$ SET AUDIT/ALARM/ENABLE=(ACL)

Security Audit

ACE

Speciﬁes the access criteria that cause a security alarm message be

sent to the system security audit log ﬁle if an object is accessed in a

particular way.

For example, the following ACE causes an alarm message whenever a

particular ﬁle is successfully read:

(AUDIT=SECURITY,ACCESS=SUCCESS+READ)

A message is recorded only if ACL audits are enabled with the DCL

command SET AUDIT/AUDIT/ENABLE=ACL.

12–10 Security Considerations