Document revision date: 15 July 2002

OpenVMS System Manager's Manual



14.6 Using Queue Options

The following table describes options that you can use with queues:

| Option | Type of queue | Reference |
|---|---|---|
| Control of access to queues | Batch and output | Section 14.6.1 |
| Job retention | Batch and output | Section 14.6.2 |
| Characteristics | Batch and output | Section 14.6.3 |
| Control of batch processing | Batch | Section 14.6.4 |
| Control of job scheduling | Output | Section 14.6.5 |
| Banner pages | Output | Section 14.6.6 |
| Forms | Output | Section 14.6.7 |
| Control of line and page overflow | Output | Section 14.6.7.8 |
| Suppression of initial form feed | Output | Section 14.6.7.9 |
| Device control library modules | Output | Section 14.6.8 |

You can implement options in either of the following ways:

Table 14-1 lists qualifiers you can use to specify queue options, and indicates the type of queue for which you can specify each option.

Table 14-1 Qualifiers for Specifying Queue Options

| Qualifier | Type of Queue | Description | For More Information |
|---|---|---|---|
| /AUTOSTART_ON | Batch and output | Creates an autostart execution queue and specifies the node or nodes (and for output queues, the device or devices) on which the queues can run. | Section 14.4.1 |
| /BASE_PRIORITY | Batch and output | Specifies a base process priority (not the same as the job scheduling priority). For a batch queue, specifies the base priority for processes executing jobs in the queue. For output queues, specifies the base priority of the symbiont process. | Section 14.6.4.1 |
| /BLOCK_LIMIT | Output | Limits the size of print jobs that can be processed on an output execution queue. | Section 14.6.5.1 |
| /CHARACTERISTIC, /CHARACTERISTICS | Batch and output | Specifies one or more characteristics associated with the queue. | Section 14.6.3 |
| /CPUDEFAULT | Batch | Defines the default CPU time limit for batch jobs executed in the queue. | Section 14.6.4 |
| /CPUMAXIMUM | Batch | Defines a maximum CPU time limit for batch jobs executed in the queue. | Section 14.6.4 |
| /DEFAULT | Output | Establishes defaults for certain options of the PRINT command. After you set an option for the queue with the /DEFAULT qualifier, users do not have to specify that option in their PRINT commands. However, they can specify options to override the defaults set on the queues. Possible default options are as follows: BURST (Section 14.6.6), FEED (Section 14.6.7.8), FLAG (Section 14.6.6), FORM (Section 14.6.7), TRAILER (Section 14.6.6). | |
| /DESCRIPTION | Batch and output | Specifies a text string to provide users with information about the queue. | |
| /DEVICE | Output | Specifies the type of output execution queue. The keywords are as follows: PRINTER (default), TERMINAL, SERVER. | Section 14.7.1.1 |
| /DISABLE_SWAPPING | Batch | Specifies whether batch jobs executed from a queue can be swapped in and out of memory. | Section 14.6.4 |
| /FORM_MOUNTED | Output | Specifies the mounted form for an output execution queue. | Section 14.6.7 |
| /GENERIC | Batch and output | Creates a generic queue and names the execution queues it feeds. | Section 14.4.3.1 |
| /JOB_LIMIT | Batch | Indicates the number of batch jobs that can be executed concurrently from a batch queue. | Section 14.6.4 |
| /LIBRARY | Output | Specifies the file name for a device control library. | Section 14.6.8 |
| /NAME_OF_MANAGER | Batch and output | Specifies the name of the queue manager with which the queue will be associated. | Section 13.8 |
| /NO_INITIAL_FF | Output | Specifies the qualifier for an output execution queue; suppresses the initial form feed sent to an output execution queue. | Section 14.6.7.9 |
| /ON | Batch and output | Creates a nonautostart execution queue and specifies the node (and, for output queues, the device) on which the queue is to run. | Section 14.4.2.1 |
| /OWNER_UIC | Batch and output | Specifies the user identification code (UIC) for the queue. | Section 14.6.1.2 |
| /PROCESSOR | Output | Specifies the symbiont to be used with an output execution queue. The default is the standard operating system print symbiont PRTSMB. | Section 14.4.1 |
| /PROTECTION | Batch and output | Specifies a protection for the queue. | Section 14.6.1.2 |
| /RAD | Batch | Specifies the RAD number on which to run batch jobs assigned to the queue. | Section 14.6.4.8 |
| /RECORD_BLOCKING | Output | Determines whether the symbiont can concatenate (or block together) output records for transmission to the output device. | Section 14.4.1 |
| /RETAIN | Batch and output | Holds jobs in the queue after they have executed. | Section 14.6.2 |
| /SCHEDULE | Output | Specifies whether pending jobs in a queue are scheduled based on the size of the job. | Section 14.6.5 |
| /SEPARATE | Output | Specifies required job separation or job reset options for an output execution queue. Required options cannot be overridden by the PRINT command. Possible options are as follows: BURST (Section 14.6.6), FLAG (Section 14.6.6), RESET (Section 14.6.8), TRAILER (Section 14.6.6). | |
| /WSDEFAULT | Batch and output | For batch queues, specifies a default working set size for batch jobs executed in the queue. For output queues, specifies a default working set size for the symbiont process. The value set by this qualifier overrides the value defined in the UAF of any user submitting a job to the queue. | Section 14.6.4 |
| /WSEXTENT | Batch and output | For batch queues, specifies the working set extent for batch jobs executed in the queue. For output queues, specifies a working set extent for the symbiont process. The value set by this qualifier overrides the value defined in the UAF of any user submitting a job to the queue. | Section 14.6.4 |
| /WSQUOTA | Batch and output | For batch queues, specifies the working set quota for batch jobs executed in the queue. For output queues, specifies a working set quota for the symbiont process. The value set by this qualifier overrides the value defined in the UAF of any user submitting a job to the queue. | Section 14.6.4 |

14.6.1 Controlling Access to Queues

Queues are permanent security objects. They are stored in the system queue database together with their security profiles.

As with a file or directory, you can use UIC-based or ACL-based protection to control access to a queue.

Refer to the OpenVMS Guide to System Security for detailed information about establishing system security.

14.6.1.1 Understanding UIC-Based Queue Protection

UIC-based protection restricts the jobs and the users who have access to a queue. Operations that apply to queues are controlled by UIC-based protection in the same way that access to other protected objects (such as files) is controlled.

When you create a queue, the queue is assigned an owner UIC and a protection code. The default owner is [SYSTEM], but you can specify another owner with the /OWNER_UIC qualifier.

The queue class provides the following default UIC-based security profile:


    System:Manager,Owner:Delete,Group:Read,World:Submit 

Jobs are assigned an owner UIC equal to the UIC of the process that submitted the job, unless the job was submitted with the /USER qualifier. Each job in a queue (and each operation that is performed on a queue) is checked against the UIC of the owner, the protection of the queue, and the privileges of the requester.

All operations are checked as follows:

| Operations that apply to... | Are checked against... |
|---|---|
| Jobs | The read and delete protection specified for the queue and the owner UIC of the job. |
| Queues | The submit and manage protection specified for the queue and the owner UIC of the queue. |

The following table lists the types of access that the queue class supports:

| Access Type | Gives you the right to... |
|---|---|
| Read | See the security elements of a queue or a job in a queue. |
| Submit | Place jobs in the queue. |
| Delete | Delete a job in the queue or modify the elements of a job. |
| Manage | Affect any job in the queue. You can start, stop, or delete a queue and change its status and any elements that are unrelated to security. |
| Control | Modify the protection elements and owner of a queue. |

Note that when a process receives read or delete access through a protection code, it can operate on only its job in the queue. However, when granted through an ACL, read and delete access allow a process to operate on all jobs in the queue.

Privileges Required

You need SYSNAM and OPER privilege to stop or start the queue manager. OPER is necessary to create and delete queues, or to change the symbiont definition.

Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

| Event Audited | Audit Occurs When... |
|---|---|
| Access | A job is submitted to the queue and when either a job or queue is modified. |
| Creation | A queue is initialized. |
| Deletion | A process deletes a job from the queue or when the queue itself is deleted. (To enable auditing for queue deletions, enable auditing for manage [M] access to the queue.) |

For more information about queue security, refer to the OpenVMS Guide to System Security.

14.6.1.2 Setting and Showing UIC-Based Queue Protection

Use the following commands to set and show UIC-based protection on queues:

| Command | Description |
|---|---|
| INITIALIZE/QUEUE/PROTECTION=(ownership[:access],...); START/QUEUE/PROTECTION=(ownership[:access],...); SET QUEUE/PROTECTION=(ownership[:access],...) | Specifies the protection of a queue. Specify the ownership parameter as system (S), owner (O), group (G), or world (W). Specify the access parameter as read (R), submit (S), manage (M), or delete (D). |
| INITIALIZE/QUEUE/OWNER_UIC=uic; START/QUEUE/OWNER_UIC=uic; SET QUEUE/OWNER_UIC=uic | Enables you to change the UIC of a queue. The default UIC is [1,4]. |
| SHOW QUEUE/FULL | Displays complete information about a queue, including the protection currently set for the queue. |
| SET SECURITY/CLASS=QUEUE/OWNER=uic | Modifies the owner element of a queue. Specify the UIC in the standard format. |
| SET SECURITY/CLASS=QUEUE/PROTECTION=ownership[:access] | Modifies the protection code of a queue. The protection code defines the type of access allowed to users, based on their relationship to the object's owner. |
| SHOW SECURITY/CLASS=QUEUE | Shows protection currently set for objects of the queue class. |

Examples

  1. The following example sets protection on a queue, and then displays full information about the queue:


    $ INITIALIZE/QUEUE/GENERIC=(SYS_QUE1,SYS_QUE2)/PROTECTION=(S:M,O:D,G:R,W:R) -
    _$ /OWNER_UIC=[1,8]/RETAIN=ERROR SYS_PRINT 
    $ SHOW QUEUE/FULL SYS_PRINT
    Generic printer queue SYS_PRINT/GENERIC=(SYS_QUE1,SYS_QUE2) -
    _$ /OWNER=[1,8]/PROTECTION=(S:M,O:D,G:R,W:R)/RETAIN=ERROR
    

  2. The following example gives the owner manage and delete access to this queue and makes user AGBELL the owner. With manage access, the owner AGBELL can manage the queue, but cannot modify security information.


    $ SET SECURITY/CLASS=QUEUE/OWNER=[AGBELL]/PROTECTION=O:MD -
    _$ TELEPHONE_QUEUE
    $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE  
    TELEPHONE_QUEUE object of class QUEUE 
         Owner: [INVENTORS,AGBELL] 
         Protection: (System: M, Owner: MD, Group: R, World: S) 
         Access Control List: <empty>
    

14.6.1.3 Understanding ACL-Based Queue Protection

In addition to UIC-based protection, you can associate access control lists (ACLs) with a queue. ACL-based protection provides a more refined level of protection when certain members of a project group require access to a queue, excluding others of the same UIC group or of other groups.

Refer to the OpenVMS Guide to System Security for detailed information about establishing ACLs for protected objects.

14.6.1.4 Setting and Showing ACL-Based Queue Protection

Use the following commands to set and show ACL-based protection on queues:

| Command | Description |
|---|---|
| SET SECURITY/ACL=((IDENTIFIER=identifier,ACCESS=access-type)[,...])/CLASS=QUEUE | Sets ACL protection on a queue. |
| SHOW QUEUE/FULL | Shows any ACLs set on a queue. |
| SHOW SECURITY/CLASS=QUEUE | Shows any ACLs set on a queue. |

For more information about ACL-based security, refer to the OpenVMS Guide to System Security.

Examples

  1. The SET QUEUE/PROTECTION command in the following example modifies the default protection of queue SYS_QUE1 to prevent access by nonprivileged users. The SET SECURITY/ACL command then restricts access to only those members of a project group who hold the ULTRA_LITE or MINUTES identifiers. Members with the MINUTES identifier have only read and submit access to the queue. The SHOW QUEUE/FULL command displays information, including security information, about the queue.


    $ SET QUEUE/PROTECTION=(S,O,G,W) SYS_QUE1
    $ SET SECURITY/CLASS=QUEUE SYS_QUE1 -
    _$/ACL=((IDENTIFIER=ULTRA_LITE, ACCESS=READ+SUBMIT+MANAGE+DELETE), -
    _$ (IDENTIFIER=MINUTES, ACCESS=READ+SUBMIT)) 
    $ SHOW QUEUE/FULL SYS_QUE1
    Batch queue SYS_QUE1, stopped       
        /BASE_PRIORITY=4 /JOB_LIMIT=1 /OWNER=[1,4] /PROTECTION=(S,O,G,W) 
              (IDENTIFIER=ULTRA_LITE,ACCESS=READ+SUBMIT+MANAGE+DELETE) 
              (IDENTIFIER=MINUTES,ACCESS=READ+SUBMIT) 
    

  2. The following example shows how to use ACLs to restrict queue access to members of a particular project group:


    $ SET QUEUE/PROTECTION=(S,O,G,W) SYS_QUE1
    $ SET SECURITY/CLASS=QUEUE SYS_QUE1 -
    _$/ACL=((IDENTIFIER=ULTRA_LITE, ACCESS=READ+SUBMIT+MANAGE+DELETE), -
    _$ (IDENTIFIER=MINUTES, ACCESS=READ)) 
    

  3. The following example shows a queue that has only UIC-based protection, and then gives user AGBELL control access with an ACL. Control access allows user AGBELL to modify security information.


    $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE
    TELEPHONE_QUEUE object of class QUEUE 
         Owner: [INVENTORS,AGBELL] 
         Protection: (System: M, Owner: MD, Group: R, World: S) 
         Access Control List: <empty> 
    $ SET SECURITY/CLASS=QUEUE/ACL=(ID=[AGBELL],ACCESS=CONTROL) TELEPHONE_QUEUE
    $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE
    TELEPHONE_QUEUE object of class QUEUE 
         Owner: [INVENTORS,AGBELL] 
         Protection: (System: M, Owner: MD, Group: R, World: S) 
         Access Control List: 
              (IDENTIFIER=[INVENTORS,AGBELL],ACCESS=CONTROL)
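
The following added example (not part of the OpenVMS manual) parses SHOW SECURITY/CLASS=QUEUE output in the layout shown in the examples above and reports queue settings worth reviewing, covering both the protection code from Section 14.6.1.2 and the ACL entries from this section. The SYS_QUE1 record in the sample is constructed, and the review policy in `findings()` is an assumption of this example, drawn from the access-type descriptions in Section 14.6.1.1.

```python
import re
# Constructed sample in the SHOW SECURITY/CLASS=QUEUE layout shown above.
SAMPLE = """\
TELEPHONE_QUEUE object of class QUEUE
     Owner: [INVENTORS,AGBELL]
     Protection: (System: M, Owner: MD, Group: R, World: S)
     Access Control List:
          (IDENTIFIER=[INVENTORS,AGBELL],ACCESS=CONTROL)
SYS_QUE1 object of class QUEUE
     Owner: [SYSTEM]
     Protection: (System: M, Owner: D, Group: R, World: M)
     Access Control List:
          (IDENTIFIER=ULTRA_LITE,ACCESS=READ+SUBMIT+MANAGE+DELETE)
          (IDENTIFIER=MINUTES,ACCESS=READ+SUBMIT)
"""
HEADER = re.compile(r"^(\S+) object of class QUEUE$")
FIELD = re.compile(r"(System|Owner|Group|World)(?::\s*([A-Z]+))?")
ACE = re.compile(r"\(IDENTIFIER=(.+),ACCESS=([A-Z+]+)\)")

def parse(text):
    """Return {queue: {"owner", "prot": {class: letters}, "acl": [(id, types)]}}."""
    queues, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if m := HEADER.match(s):
            cur = queues[m.group(1)] = {"owner": None, "prot": {}, "acl": []}
        elif cur is None:
            continue  # text before the first queue header
        elif s.startswith("Owner:"):
            cur["owner"] = s.split(":", 1)[1].strip()
        elif s.startswith("Protection:"):
            cur["prot"] = {k: set(v) for k, v in FIELD.findall(s[11:])}
        elif m := ACE.search(s):
            cur["acl"].append((m.group(1), set(m.group(2).split("+"))))
    return queues

def findings(queues):
    """Review policy (an assumption of this example, not an OpenVMS rule)."""
    out = []
    for name, q in queues.items():
        for who in ("Group", "World"):  # manage affects any job in the queue
            if "M" in q["prot"].get(who, set()):
                out.append((name, who, "MANAGE"))
        for ident, access in q["acl"]:
            if "CONTROL" in access:  # may change protection and owner
                out.append((name, ident, "CONTROL"))
            if wide := sorted(access & {"READ", "DELETE"}):
                # granted through an ACL, these reach all jobs in the queue
                out.append((name, ident, "ALL_JOBS:" + "+".join(wide)))
    return out
```

Calling `findings(parse(SAMPLE))` returns one tuple per item to review, as (queue, holder, reason).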
     
    

