Security Considerations
12.6 Creating Access Control Lists
ACE             Description
Subsystem ACE   Grants additional identifiers to a process while it is running the image
                to which the Subsystem ACE applies. Users with execute access to the
                image can access objects that are in the protected subsystem, such as
                data files and printers, but only when they run the subsystem image.
                The Subsystem ACE applies to executable images only.

                For example, the following ACE adds the identifier ACCOUNTING
                to processes that are executing a particular subsystem image. The
                identifier entitles the processes to access objects owned by the
                subsystem.

                (SUBSYSTEM, IDENTIFIER=ACCOUNTING)
Refer to the OpenVMS System Management Utilities Reference Manual for
a complete description of each kind of ACE. The OpenVMS Guide to System
Security provides further details on how to construct and apply ACEs.
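The ACCOUNTING subsystem described above, carried through as a DCL session: this is an added example, not part of the manual, and the identifier is only honored on a volume mounted with /SUBSYSTEM. The device DISK$APPS, the image ACCT_REPORT.EXE and the data file LEDGER.DAT are assumed names.

```dcl
$! Constructed example: a protected subsystem for an accounting application.
$! Assumes DISK$APPS was mounted with /SUBSYSTEM (the system disk is mounted
$! that way by default) and that the session holds SYSPRV.
$!
$! 1. Create the general identifier the subsystem will grant (done once by
$!    the security administrator).
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER ACCOUNTING
EXIT
$!
$! 2. Mark the image as the subsystem entry point and let users execute it.
$!    Holders of execute access get ACCOUNTING only while running this image.
$ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=ACCOUNTING) -
      DISK$APPS:[ACCOUNTING]ACCT_REPORT.EXE
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G:RE,W:RE) -
      DISK$APPS:[ACCOUNTING]ACCT_REPORT.EXE
$!
$! 3. Protect the data file: remove group and world access entirely, then
$!    grant access through an Identifier ACE that only ACCOUNTING holders match.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) -
      DISK$APPS:[ACCOUNTING]LEDGER.DAT
$ SET SECURITY/ACL=(IDENTIFIER=ACCOUNTING,ACCESS=READ+WRITE) -
      DISK$APPS:[ACCOUNTING]LEDGER.DAT
$!
$! 4. Verify the protection mask and ACL before handing the subsystem over.
$ SHOW SECURITY DISK$APPS:[ACCOUNTING]LEDGER.DAT
```

A user who opens LEDGER.DAT directly is refused by the UIC-based protection, while the same user running ACCT_REPORT.EXE matches the Identifier ACE because the process temporarily holds ACCOUNTING.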
12.6.2 Types of Identifiers
An Identifier ACE can contain different types of identifiers. Any of these
identifiers is an alphanumeric string of 1 to 31 characters with at least one
alphabetic character. Valid characters include numbers 0 to 9, characters A to Z,
the dollar sign ($), and the underscore (_). The following table lists each type of
identifier:
Type                        Description                                          Example
UIC identifiers             Based on a user's identification code (UIC),         [GROUP1,JONES]
                            which uniquely identifies a user on the system       [JONES]
                            and defines the group to which the user belongs.     GROUP1
                                                                                 JONES
General identifiers         Defined by the security administrator.               SALES
                                                                                 RESERVE_DESK
Environmental identifiers   Describe different types of users based on their     BATCH, NETWORK
                            initial entry into the system. These identifiers     INTERACTIVE
                            are automatically created by the system.             LOCAL, DIALUP
                                                                                 REMOTE
Facility identifiers        Defined by a facility during installation.           RDB$ENTRY
In addition to the environmental identifiers, a system node identifier of the
form SYS$NODE_node_name is created by the system startup procedure
(STARTUP.COM in SYS$SYSTEM).
12.7 Assigning ACLs
You can place ACLs on the following object classes:
Capability
Common event flag cluster
Device
File
Group global section
Logical name table
Queue
Resource domain