Alarm ACE

From VSI OpenVMS Wiki
Revision as of 12:35, 28 November 2019 by Jane.doe (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

An Alarm ACE is a type of Access Control Entry that causes an alarm message to be sent to all security operator terminals whenever the object is successfully or unsuccessfully accessed in the specified ways.

Enabling ACL alarms

ACL alarms are enabled by default; however, alarms are not written to the system security audit log file. If you have existing files or resources protected by Alarm ACEs and you want messages to be recorded in the log file, replace the Alarm ACEs with Audit ACEs.

To enable ACL alarms is they are disabled, use AUDIT/ALARM/ENABLE=ACL.

Format

(ALARM=SECURITY [,OPTIONS=attributes], ACCESS=access-type[+access-type...])

options

Default Indicates that an ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. This attribute is valid for directory files only.
Hidden Indicates that this ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. To delete or modify a hidden ACE, you must use the SET SECURITY command.

Users need the SECURITY privilege to display a hidden ACE with the DCL commands SHOW SECURITY or DIRECTORY/SECURITY. SECURITY privilege is also required to modify or delete a hidden ACE with the DCL command SET SECURITY. The ACL editor displays the ACE only to show its relative position within the ACL, not to facilitate editing of the ACE. To create a hidden ACE, an application can invoke the $SET_SECURITY system service.

Protected Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
  • By using the ACL editor
  • By specifying the ACE explicitly when deleting it

Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE.

By deleting all ACEs, both protected and unprotected Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs.

The following commands do not delete protected ACEs:

SET SECURITY/ACL/DELETE SET SECURITY/LIKE SET SECURITY/DEFAULT

Nopropagate Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands.
None Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field.

access

Specify one or more access types in addition to SUCCESS, FAILURE, or both:

(ALARM=SECURITY, ACCESS=WRITE+FAILURE)

See also