Identifier

From VSI OpenVMS Wiki
Jump to: navigation, search

Identifiers, or rights identifiers, are labels used to grant users access to system objects (as an alternative to UIC access). They are stored in RIGHTSLIST.DAT and can be used in access control lists.

Identifier Attributes

Identifier attributes that can be specified when creating and granting identifiers modify the behavior of an attribute. The following identifier attributes are available:

  • DYNAMIC: allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST.
  • HOLDER_HIDDEN: prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves.
  • NAME_HIDDEN: allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the identifier.
  • NOACCESS: makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the RESOURCE or SUBSYSTEM attribute.
  • RESOURCE: allows holders of an identifier to charge disk space to the identifier. Used only for file objects.
  • SUBSYSTEM: allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.

Creating identifiers

To create an identifier, enter the AUTHORIZE utility and use the ADD/ID command. The following qualifiers can be specified:

  • /USER scans the UAF record for the specified user and creates the corresponding identifier. Specify user-spec by user name or UIC. You can use the asterisk wildcard to specify multiple user names or UICs. Full use of the asterisk and percent wildcards is permitted for user names; UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard user name specification (*) creates identifiers alphabetically by user name; a wildcard UIC specification ([*,*]) creates them in numerical order by UIC.
  • /ATTRIBUTES
  • /VALUE specifies the value to be attached to the identifier. The following formats are valid for the value-specifier:
Value Description
IDENTIFIER:n An integer value in the range of 65,536 to 268,435,455. You can also specify the value in hexadecimal (precede the value with %X) or octal (precede the value with %O).

The system displays this type of identifier in hexadecimal. To differentiate general identifiers from UIC identifiers, the system adds %X80000000 to the value you specify.

UIC:uic A UIC value in standard UIC format consists of a member name and, optionally, a group name enclosed in brackets. For example, [360,031].

In numeric UICs, the group number is an octal number in the range of 1 to 37776; the member number is an octal number in the range of 0 to 177776. You can omit leading zeros when you are specifying group and member numbers. Regardless of the UIC format you use, the system translates a UIC to a 32-bit numeric value. Alphanumeric UICs are not allowed.

UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
%UAF-I-RDBADDMSGU, identifier INVENTORY value: [000300,000011] added to 
RIGHTSLIST.DAT 
 

The command in this example adds an identifier named INVENTORY to the rights database. By default, the identifier is not marked as a resource.


UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) -
_/VALUE=IDENTIFIER:%X80011 PAYROLL
%UAF-I-RDBADDMSGU, identifier PAYROLL value: %X80080011 added to 
RIGHTSLIST.DAT
 

This command adds the identifier PAYROLL and marks it as a resource. To differentiate identifiers with integer values from identifiers with UIC values, %X80000000 is added to the specified code.

Listing identifiers

You can display identifiers in the current RIGHTSLIST.DAT using the AUTHORIZE SHOW/ID command, optionally specifying the identifier name as the parameter or specifying the value of the identifier with /VALUE (usage is the same as for ADD/ID. You can also extract the listing to RIGHTSLIST.LIS in the current directory with LIST/ID, also optionally specifying the identifier name as the parameter or the value of the identifier with /VALUE (usage is the same as for ADD/ID. To modes of listing identifiers are available:

  • /BRIEF provides only the identifier name, value and attributes.
  • /FULL provides a full listing, in which the names of the identifier's holders are displayed along with the identifier's name, value, and attributes. The /FULL qualifier specifies the default listing format.

You can also specify a user for which the specifiers are displayed with /USER.

Removing identifiers

To remove an identifier from the rights database, use the AUTHORIZE REMOVE/IDENTIFIER command. It takes one parameter, the name of the identifier you wish to remove.

UAF> REMOVE/IDENTIFIER Q1SALES
%UAF-I-RDBREMMSGU, identifier Q1SALES value %X80010024 removed from RIGHTSLIST.DAT
 

The command in this example removes the identifier Q1SALES from the rights database. All of its holder records are removed with it.

Note that when you remove a user record from the UAF file, the user name and account identifiers are removed automatically, provided that there are no other UIC records with the same UIC. If you do not wish to remove the identifiers when removing the user record, specify /NOREMOVE_IDENTIFIER on the user record REMOVE command.

Granting identifiers

To grant an identifier, enter the AUTHORIZE utility and use the GRANT/ID command.

See also