Default Protection ACE

From VSI OpenVMS Wiki
Revision as of 05:42, 25 February 2019 by Darya.zelenina (talk | contribs) (added a link to the Default Protection page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

A Default Protection ACE is an Access Control Entry that defines a UIC-based protection to be propagated to new files throughout a directory tree. The protection code in the ACE is assigned to new files created in the directory (the protection of the existing files needs to be changed explicitly). The Default Protection ACE applies to directory files only. Although the system propagates the Default Protection ACE to new subdirectories, the protection code is not assigned to the subdirectories. Instead, the subdirectories receive a modified copy of the parent directory's protection code in which delete access is not granted. An example of a Default Protection ACE is as follows:





Hidden Indicates that this ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. To delete or modify a hidden ACE, you must use the SET SECURITY command.

Users need the SECURITY privilege to display a hidden ACE with the DCL commands SHOW SECURITY or DIRECTORY/SECURITY. SECURITY privilege is also required to modify or delete a hidden ACE with the DCL command SET SECURITY. The ACL editor displays the ACE only to show its relative position within the ACL, not to facilitate editing of the ACE. To create a hidden ACE, an application can invoke the $SET_SECURITY system service.

Protected Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
  • By using the ACL editor
  • By specifying the ACE explicitly when deleting it

Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE.

By deleting all ACEs, both protected and unprotected Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs.

The following commands do not delete protected ACEs:


Nopropagate Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands.
None Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field.


Specify access in the format of a UIC protection code as follows:

category: access types allowed (, category: access types allowed,...)], where

  • category is S(ystem), O(wner), G(roup), W(orld)
  • access types allowed for files include
    • READ
    • WRITE
    • DELETE

A null access list means no access, so when you omit an access type for a user category, that category of user is denied that type of access. To deny all access to a user category, specify the user category without any access types. Omit the colon after the user category when you deny access to a category of users.

When you omit a user category from a protection code, the current access allowed that category of user is set to no access.


In the following example, a Default Protection ACE is added to SUB.DIR. After that, all files created in the [SUB] directory get the protection code specified in the Default Protection ACE. Directory files created in the [SUB] directory inherit the protection of SUB.DIR, including the Default Protection ACE.

$ set security [jdoe]sub.dir /acl=(default_protection,s:rwed,o:rwed,g,w)
$ create [jdoe.sub]newfile3.lis
SMAN43$ show security [jdoe.sub]newfile3.lis

DSA1:[000000.JDOE.SUB]NEWFILE3.LIS;1 object of class FILE
     Owner: [WRITERS,JDOE]
     Protection: (System:RWED, Owner:RWED, Group, World)
     Access Control List: <empty>

$ create/directory [jdoe.sub.sub2]

$ show security [jdoe]sub.dir

DSA1:[000000.JDOE]SUB.DIR;1 object of class FILE
     Owner: [WRITERS,JDOE]
     Protection: (System: RWE, Owner: RWE, Group: RE, World: E)
     Access Control List: <empty>

$ show security [jdoe.sub]sub2.dir

DSA1:[000000.JDOE.SUB]SUB2.DIR;1 object of class FILE
     Owner: [WRITERS,JDOE]
     Protection: (System: RWE, Owner: RWE, Group: RE, World: E)
     Access Control List:

See also