HP OpenVMS Systems

ask the wizard

File and Directory Security? Protection?

The Question is:

How can I implement directory-level security so that only the owner of the files
 in that specific directory can view, modify and delete the files created by him?
I also want to implement the security that only the owner can FTP files created
 by him.
How can I complete this task?

The Answer is :

  Security can be discretionary and thus you can establish default
  security settings but the user can override these, or security can
  be mandatory and the users cannot alter the security attributes.
  OpenVMS provides discretionary security.  Those OpenVMS releases
  with SEVMS releases available and installed provide non-discretionary
  (mandatory) security.

  You cannot prevent a user from setting the protections on any object
  that the user owns, as such a user has what is known as control access
  to the object.  (A corollary here: if the user does not own the object,
  then the user cannot alter the protections.  This is available on OpenVMS
  using ACLs and identifiers, and most commonly involves the use of the
  so-called resource identifier mechanism.)

  In security terminology, an object is a file, directory, queue, global
  section, or other such security-relevant construct.

  Ownership of an object is determined based on the UIC value assigned
  to the object.  Access is determined by comparing the object ownership
  and the object protection mask and any ACL that might be associated
  with the object against the UIC and identifiers of the accessor.
  OpenVMS Engineering recommends that all users be assigned unique
  UIC values.

  To establish default protections on an object such as a directory,
  you can use the DEFAULT_PROTECTION access control list entry (ACE).
  Within a process, use the SET SECURITY/DEFAULT command to establish
  local defaults for objects the process might create.  Also see the
  RMS_FILEPROT system parameter.  The SET PROTECTION/DEFAULT command
  referenced in your question is also available and is a direct
  ancestor of SET SECURITY/DEFAULT, though that DCL command syntax
  was deprecated starting with OpenVMS V6.0.

  To establish mandatory protections (assuming SEVMS is installed and
  running), you must use the SET SECURITY command to associate the
  object (likely) with a security category and to configure the user
  with access to the category.  You likely do not need nor want to
  use different security levels or security ranges here, though that
  is an option.

  For details on OpenVMS security and on configuring and customizing
  security, please see the security manual.  For details on SEVMS,
  please see the SEVMS documentation set.  The former is available
  at the website.  The latter is not.  When configuring security,
  you WILL want to become familiar with the manual, and particularly
  with the configuration recommendations in the appendix.

  For users with privileges and other security-related topics, please
  see topics (3289), (5639), (7368), and others.

answer written or last revised on ( 5-AUG-2002 )
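
The DEFAULT_PROTECTION ACE and protection-mask settings described in the
answer, shown as an added DCL example that is not part of the original
answer.  The device, directory and user names (DISK$USERS, SMITH, PRIVATE)
are hypothetical placeholders.

```dcl
$! Added example; DISK$USERS:[SMITH]PRIVATE.DIR is a hypothetical directory
$! owned by the user SMITH.
$!
$! 1. Restrict the directory file itself: no group or world access.
$!    (Naming a category without a colon denies that category all access.)
$ SET SECURITY/PROTECTION=(S:RWE,O:RWE,G,W) DISK$USERS:[SMITH]PRIVATE.DIR
$!
$! 2. Add a DEFAULT_PROTECTION ACE so that files created in the directory
$!    from now on receive an owner-only protection mask.
$ SET SECURITY/ACL=(DEFAULT_PROTECTION,S:RWED,O:RWED,G,W) -
      DISK$USERS:[SMITH]PRIVATE.DIR
$!
$! 3. The ACE applies when files are created; reset the existing ones.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) DISK$USERS:[SMITH.PRIVATE]*.*;*
$!
$! 4. Verify the directory's ACL and the protection on each file.
$ SHOW SECURITY DISK$USERS:[SMITH]PRIVATE.DIR
$ DIRECTORY/SECURITY DISK$USERS:[SMITH.PRIVATE]
```

Because this is discretionary security, the owner retains control access
and can change these protections afterwards, as the answer explains.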
