The Question is:
My question has to do with the way the users
are set-up in the UAF FILE.
We are running an application at the college
where I am situated. Within the application
there are 3 modules: Financial Application,
Human Resources Application and a Student
Information System Application. Those users who
are primarily users of one application over the
other are set-up in a UIC Group for that
application; that is, Financial Application
(UIC Group 2000), Human Resources (3000) and
Student Information System (1000).
The users within one application need to
reference the data files from the other
applications (ex: Account Validation). The
consulting company that was here before set-up
the users in the UAF with the BYPASS Privilege,
which is obviously a very dangerous thing to do
because of the nature of the privilege.
I have been assigned the task of reworking, if
you will the security and eliminating the
BYPASS Privilege. I know that one way to do
would be to have all of the users in one UIC
Group. I believe that another way would be the
use of ACLs.
Would appreciate any help in this matter. I
have been referencing the ACL Editor Command
and regarding this command, if the OWNER of the
file is say the Financial Account and I want to
give access to Read and Write to say a Human
Resources User, would the command Syntax of the
ACL Command be like (IDENTIFIER=
[3000,*],ACCESS=READ+WRITE). In this scenario,
would you have to set-up an ACL for the
Financial User as well or since the owner is
the Financial User you would not have to?.
In addition, would you issue the ACL for the
directory if all files in the directory are
affected or if just one file is affected, issue
the above command for the affected file only?.
William G. Kassar
The Answer is :
You will want to read up on the access control list (ACL)
mechanism, as ACLs and security identifiers are intended
for this situation.
You will want to create identifiers -- such as the following
FINANCIAL identifier -- and assign ACLs such as the following
pair commonly found on directory files:
Security on directory files is a soft protection, and can
potentially be bypassed by a knowledgable user -- it is best
to place the appropriate ACL both on the specific file(s)
involved and also on the directory involved.
You could use UIC group values as identifiers, but it is more
flexible to create local identifiers.
You can assign ACLs on the device level, or on the file level,
or -- with the subsystem option -- even on executable images.
In one local case, the OpenVMS Wizard places an identifier on
an image, and users can access the relevent data files only
through the executable image.
For details on ACLs, please see the OpenVMS security manual.