Difference between revisions of "Subsystem ACE"
(Created page with "A '''Subsystem ACE''' is an Access Control Entry that grants additional identifiers to a process while it is running the image to which the Subsystem ACE applies. User...") |
(added a link to the security manual) |
||
| Line 45: | Line 45: | ||
The identifier characteristics you specify when you add identifiers to the rights list or grant identifiers to users. You can specify the following attribute: | The identifier characteristics you specify when you add identifiers to the rights list or grant identifiers to users. You can specify the following attribute: | ||
*Resource: allows holders of the identifier to charge disk space to the identifier. Used only for file objects. | *Resource: allows holders of the identifier to charge disk space to the identifier. Used only for file objects. | ||
| + | |||
| + | =See also= | ||
| + | * {{Template:Sec}} | ||
Revision as of 05:38, 16 February 2019
A Subsystem ACE is an Access Control Entry that grants additional identifiers to a process while it is running the image to which the Subsystem ACE applies. Users with execute access to the image can access objects that are in the protected subsystem, such as data files and printers, but only when they run the subsystem images. The Subsystem ACE applies to executable images only.
An example of a Subsystem ACE is as follows:
(SUBSYSTEM, IDENTIFIER=ACCOUNTING)
Format
(SUBSYSTEM,[OPTIONS=attribute[+attribute...],]IDENTIFIER=identifier [,ATTRIBUTES=attribute[+attribute...]] [,IDENTIFIER=identifier [,ATTRIBUTES=attribute[+attribute...]],...])
options
| Protected | Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE. By deleting all ACEs, both protected and unprotected Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs. The following commands do not delete protected ACEs: SET SECURITY/ACL/DELETE SET SECURITY/LIKE SET SECURITY/DEFAULT |
| Nopropagate | Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands. |
| None | Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field. |
identifier
Specifies a user or groups of users whose access to an object is defined in the ACE. A system manager creates or removes identifiers and grants them to users.
A Subsystem ACE can have multiple pairs of identifiers, with special attributes assigned to the identifiers. A subsystem might require several identifiers to work properly. For example:
(SUBSYSTEM,IDENTIFIER=MAIL_SUBSYSTEM,ATTRIBUTE=NONE,IDENTIFIER=BLDG5,ATTRIBUTE=NONE)
attribute
The identifier characteristics you specify when you add identifiers to the rights list or grant identifiers to users. You can specify the following attribute:
- Resource: allows holders of the identifier to charge disk space to the identifier. Used only for file objects.
