Document revision date: 15 July 2002 | |
Previous | Contents | Index |
The following table describes options that you can use with queues:
Options | Type of queue | Reference |
---|---|---|
Control of access to queues | Batch and output | Section 14.6.1 |
Job retention | Batch and output | Section 14.6.2 |
Characteristics | Batch and output | Section 14.6.3 |
Control of batch processing | Batch | Section 14.6.4 |
Control of job scheduling | Output | Section 14.6.5 |
Banner pages | Output | Section 14.6.6 |
Forms | Output | Section 14.6.7 |
Control of line and page overflow | Output | Section 14.6.7.8 |
Suppression of initial form feed | Output | Section 14.6.7.9 |
Device control library modules | Output | Section 14.6.8 |
You can implement options in either of the following ways:
Table 14-1 lists qualifiers you can use to specify queue options, and indicates the type of queue for which you can specify each option.
Qualifier | Type of Queue | Description | For More Information |
---|---|---|---|
/AUTOSTART_ON | Batch and output | Creates an autostart execution queue and specifies the node or nodes (and for output queues, the device or devices) on which the queues can run. | Section 14.4.1 |
/BASE_PRIORITY | Batch and output | Specifies a base process priority (not the same as the job scheduling priority). For a batch queue, specifies the base priority for processes executing jobs in the queue. For output queues, specifies the base priority of the symbiont process. | Section 14.6.4.1 |
/BLOCK_LIMIT | Output | Limits the size of print jobs that can be processed on an output execution queue. | Section 14.6.5.1 |
/CHARACTERISTIC
/CHARACTERISTICS |
Batch and output | Specifies one or more characteristics associated with the queue. | Section 14.6.3 |
/CPUDEFAULT | Batch | Defines the default CPU time limit for batch jobs executed in the queue. | Section 14.6.4 |
/CPUMAXIMUM | Batch | Defines a maximum CPU time limit for batch jobs executed in the queue. | Section 14.6.4 |
/DEFAULT | Output | Establishes defaults for certain options of the PRINT command. After you set an option for the queue with the /DEFAULT qualifier, users do not have to specify that option in their PRINT commands. However, they can specify options to override the defaults set on the queues. Possible default options are as follows: | |
BURST | Section 14.6.6 | ||
FEED | Section 14.6.7.8 | ||
FLAG | Section 14.6.6 | ||
FORM | Section 14.6.7 | ||
TRAILER | Section 14.6.6 | ||
/DESCRIPTION | Batch and output | Specifies a text string to provide users with information about the queue. | |
/DEVICE | Output |
Specifies the type of output execution queue. The keywords are as
follows:
PRINTER (default) TERMINAL SERVER
|
Section 14.7.1.1 |
/DISABLE_SWAPPING | Batch | Specifies whether batch jobs executed from a queue can be swapped in and out of memory. | Section 14.6.4 |
/FORM_MOUNTED | Output | Specifies the mounted form for an output execution queue. | Section 14.6.7 |
/GENERIC | Batch and output | Creates a generic queue and names the execution queues it feeds. | Section 14.4.3.1 |
/JOB_LIMIT | Batch | Indicates the number of batch jobs that can be executed concurrently from a batch queue. | Section 14.6.4 |
/LIBRARY | Output | Specifies the file name for a device control library. | Section 14.6.8 |
/NAME_OF_MANAGER | Batch and output | Specifies the name of the queue manager with which the queue will be associated. | Section 13.8 |
/NO_INITIAL_FF | Output | Specifies the qualifier for an output execution queue; suppresses the initial form feed sent to an output execution queue. | Section 14.6.7.9 |
/ON | Batch and output | Creates a nonautostart execution queue and specifies the node (and, for output queues, the device) on which the queue is to run. | Section 14.4.2.1 |
/OWNER_UIC | Batch and output | Specifies the user identification code (UIC) for the queue. | Section 14.6.1.2 |
/PROCESSOR | Output | Specifies the symbiont to be used with an output execution queue. The default is the standard operating system print symbiont PRTSMB. | Section 14.4.1 |
/PROTECTION | Batch and output | Specifies a protection for the queue. | Section 14.6.1.2 |
/RAD | Batch | Specifies the RAD number on which to run batch jobs assigned to the queue. | Section 14.6.4.8 |
/RECORD_BLOCKING | Output | Determines whether the symbiont can concatenate (or block together) output records for transmission to the output device. | Section 14.4.1 |
/RETAIN | Batch and output | Holds jobs in the queue after they have executed. | Section 14.6.2 |
/SCHEDULE | Output | Specifies whether pending jobs in a queue are scheduled based on the size of the job. | Section 14.6.5 |
/SEPARATE | Output | Specifies required job separation or job reset options for an output execution queue. Required options cannot be overridden by the PRINT command. Possible options are as follows: | |
BURST | Section 14.6.6 | ||
FLAG | Section 14.6.6 | ||
RESET | Section 14.6.8 | ||
TRAILER | Section 14.6.6 | ||
/WSDEFAULT | Batch and output |
For batch queues, specifies a default working set size for batch jobs
executed in the queue. For output queues, specifies a default working
set size for the symbiont process.
The value set by this qualifier overrides the value defined in the UAF of any user submitting a job to the queue. |
Section 14.6.4 |
/WSEXTENT | Batch and output |
For batch queues, specifies the working set extent for batch jobs
executed in the queue. For output queues, specifies a working set
extent for the symbiont process.
The value set by this qualifier overrides the value defined in the UAF of any user submitting a job to the queue. |
Section 14.6.4 |
/WSQUOTA | Batch and output |
For batch queues, specifies the working set quota for batch jobs
executed in the queue. For output queues, specifies a working set quota
for the symbiont process.
The value set by this qualifier overrides the value defined in the UAF of any user submitting a job to the queue. |
Section 14.6.4 |
Queues are permanent security objects. They are stored in the system queue database together with their security profiles.
As with a file or directory, you can use UIC-based or ACL-based protection to control access to a queue.
Refer to the OpenVMS Guide to System Security for detailed information about establishing
system security.
14.6.1.1 Understanding UIC-Based Queue Protection
UIC-based protection restricts the jobs and the users who have access to a queue. Operations that apply to queues are controlled by UIC-based protection in the same way that access to other protected objects (such as files) is controlled.
When you create a queue, the queue is assigned an owner UIC and a protection code. The default owner is [SYSTEM], but you can specify another owner with the /OWNER_UIC qualifier.
The queue class provides the following default UIC-based security profile:
System:Manager,Owner:Delete,Group:Read,World:Submit |
Jobs are assigned an owner UIC equal to the UIC of the process that submitted the job, unless the job was submitted with the /USER qualifier. Each job in a queue (and each operation that is performed on a queue) is checked against the UIC of the owner, the protection of the queue, and the privileges of the requester.
All operations are checked as follows:
Operations that apply to... | Are checked against... |
---|---|
Jobs | The read and delete protection specified for the queue and the owner UIC of the job. |
Queues | The submit and manage protection specified for the queue and the owner UIC of the queue. |
The following table lists the types of access that the queue class supports:
Access Type | Gives you the right to... |
---|---|
Read | See the security elements of a queue or a job in a queue. |
Submit | Place jobs in the queue. |
Delete | Delete a job in the queue or modify the elements of a job. |
Manage | Affect any job in the queue. You can start, stop, or delete a queue and change its status and any elements that are unrelated to security. |
Control | Modify the protection elements and owner of a queue. |
Note that when a process receives read or delete access through a protection code, it can operate on only its job in the queue. However, when granted through an ACL, read and delete access allow a process to operate on all jobs in the queue.
You need SYSNAM and OPER privilege to stop or start the queue manager. OPER is necessary to create and delete queues, or to change the symbiont definition.
The following events can be audited, provided the security administrator enables auditing for the event class:
Event Audited | Audit Occurs When... |
---|---|
Access | A job is submitted to the queue and when either a job or queue is modified. |
Creation | A queue is initialized. |
Deletion | A process deletes a job from the queue or when the queue itself is deleted. (To enable auditing for queue deletions, enable auditing for manage [M] access to the queue.) |
For more information about queue security, refer to the OpenVMS Guide to System Security.
14.6.1.2 Setting and Showing UIC-Based Queue Protection
Use the following commands to set and show UIC-based protection on queues:
Command | Description |
---|---|
INITIALIZE/QUEUE/PROTECTION=(
ownership[:access],...)
START/QUEUE/PROTECTION=( ownership[:access],...) SET QUEUE/PROTECTION=( ownership[:access],...) |
Specifies the protection of a queue:
|
INITIALIZE/QUEUE/OWNER_UIC=
uic
START/QUEUE/OWNER_UIC= uic SET QUEUE/OWNER_UIC= uic |
Enables you to change the UIC of a queue. The default UIC is [1,4]. |
SHOW QUEUE/FULL | Displays complete information about a queue, including the protection currently set for the queue. |
SET SECURITY/CLASS=QUEUE/OWNER= uic | Modifies the owner element of a queue. Specify the UIC in the standard format. |
SET SECURITY/CLASS=QUEUE/
PROTECTION= ownership[:access] |
Modifies the protection code of a queue. The protection code defines the type of access allowed to users, based on their relationship to the object's owner. |
SHOW SECURITY/CLASS=QUEUE | Shows protection currently set for objects of the queue class. |
$ INITIALIZE/QUEUE/GENERIC=(SYS_QUE1,SYS_QUE2)/ PROTECTION=(S:M,O:D,G:R,W:R) - _$ /OWNER_UIC=[1,8]/RETAIN=ERROR SYS_PRINT $ SHOW QUEUE/FULL SYS_PRINT Generic printer queue SYS_PRINT/GENERIC=(SYS_QUE1,SYS_QUE2) - _$ /OWNER=[1,8]/PROTECTION=(S:M,O:D,G:R,W:R)/RETAIN=ERROR |
$ SET SECURITY/CLASS=QUEUE/OWNER=[AGBELL]/PROTECTION=O:MD - _$ TELEPHONE_QUE $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE TELEPHONE_QUEUE object of class QUEUE Owner: [INVENTORS,AGBELL] Protection: (System: M, Owner: MD, Group: R, World: S) Access Control List: <empty> |
In addition to UIC-based protection, you can associate access control lists (ACLs) with a queue. ACL-based protection provides a more refined level of protection when certain members of a project group require access to a queue, excluding others of the same UIC group or of other groups.
Refer to the OpenVMS Guide to System Security for detailed information about establishing
ACLs for protected objects.
14.6.1.4 Setting and Showing ACL-Based Queue Protection
Use the following commands to set and show ACL-based protection on queues:
Command | Description |
---|---|
SET SECURITY/ACL=(IDENTIFIER=(
identifier, -
_ACCESS= access-type)[,...])CLASS=QUEUE |
Sets ACL protection on a queue. |
SHOW QUEUE/FULL | Shows any ACLs set on a queue. |
SHOW SECURITY/CLASS=QUEUE | Shows any ACLs set on a queue. |
For more information about ACL-based security, refer to the OpenVMS Guide to System Security.
$ SET QUEUE/PROTECTION=(S,O,G,W) $ SET SECURITY/CLASS=QUEUE SYS_QUE1 - _$/ACL=((IDENTIFIER=ULTRA_LITE, ACCESS=READ+SUBMIT+MANAGE+DELETE), - _$ (IDENTIFIER=MINUTES, ACCESS=READ+SUBMIT)) $ SHOW QUEUE/FULL SYS_QUE1 Batch queue SYS_QUE1, stopped /BASE_PRIORITY=4 /JOB_LIMIT=1 /OWNER=[1,4] /PROTECTION=(S,O,G,W) (IDENTIFIER=ULTRA_LITE,ACCESS=READ+SUBMIT+MANAGE+DELETE) (IDENTIFIER=MINUTES,ACCESS=READ+SUBMIT) |
$ SET QUEUE/PROTECTION=(S,O,G,W) $ SET SECURITY/CLASS=QUEUE SYS_QUE1 - _$/ACL=((IDENTIFIER=ULTRA_LITE, ACCESS=READ+SUBMIT+MANAGE+DELETE), - _$ (IDENTIFIER=MINUTES, ACCESS=READ)) |
$ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE TELEPHONE_QUEUE object of class QUEUE Owner: [INVENTORS,AGBELL] Protection: (System: M, Owner: MD, Group: R, World: S) Access Control List: <empty> $ SET SECURITY/CLASS=QUEUE/ACL=(ID=[AGBELL],ACCESS=CONTROL) TELEPHONE_QUEUE $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE TELEPHONE_QUEUE object of class QUEUE Owner: [INVENTORS,AGBELL] Protection: (System: M, Owner: MD, Group: R, World: S) Access Control List: (IDENTIFIER=[INVENTORS,AGBELL],ACCESS=CONTROL) |
Previous | Next | Contents | Index |
privacy and legal statement | ||
6017PRO_060.HTML |