The Question is:
After a downgrade of security access associated with a user she started
receiving the error "insufficient privilege or object protection violation" on
certain files within her user directory.
What privilege should she have to be able to create, edit, delete files within
The Answer is:
Assuming a typical configuration, no privileges are required.
The typical file protections and particularly the typical file
ownership settings -- and ACLs, for more complex security
requirements -- provide all access that is necessary to write
entries into the parent directory file and to create new versions
of existing files.
If appropriate, please ensure that the user owns all of the files
and all file versions, and also owns the parent directory. Also
ensure that the protection masks are set to permit owner access
to the files.
To trace the cause of SS$_NOPRIV access-related errors, please enable
and use the OpenVMS security auditing and security alarm mechanisms.
When enabled, you will receive audits or alarms with details of the
specific cause of the SS$_NOPRIV access error.
The OpenVMS Wizard encourages a review of the OpenVMS security manual.
NOPRIV, insufficient privilege or object protection violation
Facility: SYSTEM, System Services
Explanation: This message can occur under any of the following conditions:
o A command or program requested a system function that
requires a specific user privilege or privileges that the
current process does not have.
o A program image attempted to access, modify, or delete a
control area created and owned by a more privileged access
mode. Such areas include pages in memory, I/O channels, or
timer queue entries.
o A command or program requested file or volume access that
o The requesting process does not have the privilege to read
or write to this mailbox. (The protection mask is defined
when the mailbox is created.)
o The flags parameter to $SUSPND has requested suspension of
kernel mode, but the caller is not running in executive or
User Action: If the message is in response to a command entered
interactively, verify that the particular command or qualifier
does not require a specific user privilege or privileges.
If the message occurs during the execution of a program,
determine the system service call that resulted in the error.
Verify that a service or an argument was not used for a
particular service that requires a user privilege that you
do not have. Or, verify that you are not attempting to modify
an RMS file system or system-owned data area or memory page.
If this message is associated with a vector disabled (VECDIS)
status code, an ACL on the system's vector capability has
prevented the process from executing vector instructions.
In each case, correct the command or program so that you do
not request the privileged function. If you determine that you
need the privilege for an application, ask your system manager
to give you the necessary privilege.
Verify the file or volume name. Have the owner of the file or
volume change the protection value.
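
The ownership, protection-mask and auditing checks described in the answer above, as a DCL sequence. This is an added example, not part of the original question or answer. The user name SMITH and the device DISK$USER are constructed placeholders, and the commands are assumed to be run from a system manager account holding the SECURITY privilege.

```dcl
$! Added example. SMITH and DISK$USER are constructed placeholders.
$!
$! 1. Display owner, protection mask and ACL for the user's directory
$!    file and for every version of every file beneath it.
$ DIRECTORY/SECURITY DISK$USER:[000000]SMITH.DIR
$ DIRECTORY/SECURITY DISK$USER:[SMITH...]*.*;*
$!
$! 2. Make the user the owner of the parent directory file and of all
$!    files and file versions. /LOG reports each object changed.
$ SET SECURITY/CLASS=FILE/OWNER=[SMITH]/LOG DISK$USER:[000000]SMITH.DIR
$ SET SECURITY/CLASS=FILE/OWNER=[SMITH]/LOG DISK$USER:[SMITH...]*.*;*
$!
$! 3. Ensure the owner field of each protection mask permits access.
$!    Only the OWNER field is changed; S, G and W fields are left alone.
$ SET SECURITY/CLASS=FILE/PROTECTION=(OWNER:RWE) DISK$USER:[000000]SMITH.DIR
$ SET SECURITY/CLASS=FILE/PROTECTION=(OWNER:RWED) DISK$USER:[SMITH...]*.*;*
$!
$! 4. If SS$_NOPRIV persists, enable audits and alarms for failed file
$!    access and send security alarms to this terminal.
$ SET AUDIT/ALARM/AUDIT/CLASS=FILE/ENABLE=ACCESS=FAILURE
$ REPLY/ENABLE=SECURITY
$!
$! 5. Have the user repeat the failing operation, then read the full
$!    audit records for today's access events from the audit journal.
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=ACCESS/SINCE=TODAY -
        SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! 6. Turn the extra auditing off again once the cause is identified.
$ SET AUDIT/ALARM/AUDIT/CLASS=FILE/DISABLE=ACCESS=FAILURE
$ REPLY/DISABLE=SECURITY
```

Step 2 and step 3 change nothing on files that already have the intended owner and owner access, so the output of step 1 shows beforehand which objects will be touched.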