Difference between revisions of "Subsystem ACE"

From VSI OpenVMS Wiki
Jump to: navigation, search
(added a link to the security manual)
m
 
Line 48: Line 48:
 
=See also=
 
=See also=
 
* {{Template:Sec}}
 
* {{Template:Sec}}
 +
 +
[[Category:Security]]

Latest revision as of 12:35, 28 November 2019

A Subsystem ACE is an Access Control Entry that grants additional identifiers to a process while it is running the image to which the Subsystem ACE applies. Users with execute access to the image can access objects that are in the protected subsystem, such as data files and printers, but only when they run the subsystem images. The Subsystem ACE applies to executable images only.

An example of a Subsystem ACE is as follows:

(SUBSYSTEM, IDENTIFIER=ACCOUNTING)


Format

(SUBSYSTEM,[OPTIONS=attribute[+attribute...],]IDENTIFIER=identifier [,ATTRIBUTES=attribute[+attribute...]] [,IDENTIFIER=identifier [,ATTRIBUTES=attribute[+attribute...]],...])

options

Protected Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
  • By using the ACL editor
  • By specifying the ACE explicitly when deleting it

Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE.

By deleting all ACEs, both protected and unprotected Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs.

The following commands do not delete protected ACEs:

SET SECURITY/ACL/DELETE SET SECURITY/LIKE SET SECURITY/DEFAULT

Nopropagate Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands.
None Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field.

identifier

Specifies a user or groups of users whose access to an object is defined in the ACE. A system manager creates or removes identifiers and grants them to users.

A Subsystem ACE can have multiple pairs of identifiers, with special attributes assigned to the identifiers. A subsystem might require several identifiers to work properly. For example:


(SUBSYSTEM,IDENTIFIER=MAIL_SUBSYSTEM,ATTRIBUTE=NONE,IDENTIFIER=BLDG5,ATTRIBUTE=NONE)


attribute

The identifier characteristics you specify when you add identifiers to the rights list or grant identifiers to users. You can specify the following attribute:

  • Resource: allows holders of the identifier to charge disk space to the identifier. Used only for file objects.

See also