Security Considerations
12.7 Assigning ACLs
Security class
System global section
Volume
Typically, ACLs are used when you want to provide access to an object for some,
but not all, users, or if you want to deny access to specific, unprivileged users.
When the operating system receives a request for access to an object having an
ACL, it searches each access control list entry in the ACL, stopping at the first
match. If another match occurs in the ACL, it has no effect. Therefore, ACEs
granting or denying access to a protected object for specific users should appear
in the ACL before ACEs identifying broader classes of users.
12.8 Using the ACL Editor
The access control list editor (ACL editor) is a screen-oriented editor used to
create and maintain ACLs. Use the ACL editor to define an ACL for a protected
object or to edit an existing ACL.
You can use either the EDIT/ACL command or the SET SECURITY/EDIT
command to invoke the ACL editor. In the command line, specify the name of
the object whose ACL you want to create or modify. For example, the following
command invokes the ACL editor to create an ACL for the file INVENTORY.DAT:
$ EDIT/ACL INVENTORY.DAT
If the object whose ACL you want to create or modify is not a file, you must
specify the type of object with the /CLASS qualifier. For example, the following
command invokes the ACL editor to create an ACL for the disk DOCD$:
$ EDIT/ACL/CLASS=DEVICE DOCD$
You can invoke the ACL editor to modify an existing ACL or to create a new ACL
on the object. If an object has an ACL, the ACL will appear on the screen when
the ACL editor is invoked.
The ACL editor can be invoked from within a program written in any OpenVMS
common language that generates calls using the OpenVMS calling standard.
Refer to the OpenVMS Utility Routines Manual for more information about using
the callable interface to the ACL editor.
12.8.1 Adding an Identifier ACE
An Identifier ACE controls the types of access allowed to a particular user or
group of users. It has the following format:
(IDENTIFIER=identifier[,options][,access])
For example, the following ACE grants user Pat, who is identified by the UIC
identifier [SALES,PAT], read, write, and execute access to a file. The ACL denies
Pat delete and control access because it omits them from the access statement.
(IDENTIFIER=[SALES,PAT],ACCESS=READ+WRITE+EXECUTE)
The Default attribute of an Identifier ACE allows users to define one or more
default ACEs for inclusion in the ACLs for newly created files in a particular
directory. Thus, if you wanted all files in the directory [MALCOLM] to have an
ACE that permitted read and write access to users with the PERSONNEL
identifier, you could include the following ACE in the ACL for the file
MALCOLM.DIR:
(IDENTIFIER=PERSONNEL,OPTIONS=DEFAULT,ACCESS=READ+WRITE)
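The first-match rule from Section 12.7, applied to ACEs in the Identifier ACE format shown above, can be modeled as follows. This is an added example, not code from the manual or from OpenVMS: the function names are hypothetical, Pat's holding of the PERSONNEL identifier is an assumption, and the model covers only the ACL search, with options parsed but not interpreted.

```python
import re

# Page format: (IDENTIFIER=identifier[,options][,access])
ACE_RE = re.compile(
    r"^\(IDENTIFIER=(?P<ident>\[[^\]]+\]|[^,)]+)"
    r"(?:,OPTIONS=(?P<opts>[^,)]+))?"
    r"(?:,ACCESS=(?P<access>[^,)]+))?\)$"
)

def parse_ace(text):
    """Parse one Identifier ACE into (identifier, options, access types)."""
    m = ACE_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"not an Identifier ACE: {text!r}")
    opts = set(m["opts"].split("+")) if m["opts"] else set()
    access = set(m["access"].split("+")) if m["access"] else set()
    return m["ident"], opts, access

def check_access(acl, held, requested):
    """Search the ACL top to bottom and stop at the first ACE whose identifier
    the requester holds. Returns (ACE index, granted), or (None, None) when
    no ACE matches. Simplification: options are parsed but not interpreted."""
    for index, text in enumerate(acl):
        ident, _opts, access = parse_ace(text)
        if ident in held:
            return index, requested.upper() in access
    return None, None

def shadowed(acl, held):
    """Indexes of later ACEs that also match the requester and so have no effect."""
    return [i for i, t in enumerate(acl) if parse_ace(t)[0] in held][1:]

# Constructed sample: Pat holds the UIC identifier from the page and, by
# assumption, the PERSONNEL identifier as well.
PAT = {"[SALES,PAT]", "PERSONNEL"}
SPECIFIC_FIRST = [
    "(IDENTIFIER=[SALES,PAT],ACCESS=READ)",
    "(IDENTIFIER=PERSONNEL,ACCESS=READ+WRITE)",
]
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        print(name, check_access(acl, PAT, "WRITE"), "shadowed:", shadowed(acl, PAT))
```

With the specific ACE first, Pat's write request stops at the read-only entry and is not granted by the ACL; with the broad ACE first, the PERSONNEL entry matches first and the entry naming Pat is never reached.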