Updated: 11 December 1998 |
OpenVMS System Manager's Manual
Previous | Contents | Index |
You can initialize a new volume as an ODS-5 volume by entering the INITIALIZE command using the following format. Note that once you initialize the volume, the current contents of the volume are lost.
$ INITIALIZE /STRUCTURE_LEVEL=5 device-name volume-label |
For example:
$ INITIALIZE /STRUCTURE_LEVEL=5 DKA300: DISK1 $ MOUNT DKA300: DISK1 /SYSTEM %MOUNT-I-MOUNTED, DISK1 mounted on _STAR$DKA300: |
The first command initializes the DKA300: device as an ODS-5 volume and assigns the volume-label DISK1. The second command mounts the DISK1 volume as a public volume.
To verify that the volume has been initialized as an ODS-5 volume, you can enter a SHOW DEVICE/FULL command; the system displays messages similar to the following:
$ SHOW DEVICE DKA200:/FULL Disk $10$DKA200:, device type RZ74, is online, allocated, deallocate on dismount, mounted, file-oriented device, shareable. Error count 0 Operations completed 155 . . . Volume Status: ODS-5, subject to mount verification, file high-water marking, write-back caching enabled. |
An alternative method for displaying the volume type is to issue a command and receive a response similar to the following:
$ WRITE SYS$OUTPUT F$GETDVI ("DKA200:","ACPTYPE") F11V2 |
F11V2 indicates that the volume is ODS-2.
If you plan to add the new volume to a volume set, the structure level of the new volume must match that of the volume set. If it does not, the Mount utility displays the following error message:
|
Initializing volumes for users might be necessary in some circumstances:
Protection based on user identification codes (UICs) restricts users' access to volumes. By assigning access types to volumes, you determine the kinds of actions various groups of users can perform on volumes. Section 8.4.1 and Section 8.4.2 explain the differences between UIC-based protection for disk and tape volumes.
For additional access control, you can set access control lists (ACLs) on volumes. Volume ACLs are copied from the VOLUME.DEFAULT security class template. See Section 11.6 for more information about ACLs.
Table 8-9 shows the types of access you can assign to disk and tape volumes.
Access Type | Gives you the right to... |
---|---|
Read | Examine file names, print, or copy files from the volume. System and owner categories always have read access to tape volumes. |
Write | Modify or write to existing files on a volume. The protection of a file determines whether you can perform a particular operation on the file. To be meaningful, write access requires read access. System and owner categories always have write access to tape volumes. |
Create | Create files on a disk volume and subsequently modify them. Create access requires read and write access. This type of access is invalid for tape volumes. |
Delete | Delete files on a disk volume, provided you have proper access rights at the directory and file level. Delete access requires read access. This type of access is invalid for tape volumes. |
Control |
Change the protection and ownership characteristics of the volume.
Users with the VOLPRO privilege always have control access to a disk
volume, with the following exceptions:
Control access is not valid with tapes. |
For more information about specifying protection codes, refer to the OpenVMS Guide to System Security. Chapter 11 discusses protection in general.
The following sections explain how to perform these operations:
Task | Section |
---|---|
Protecting disk volumes | Section 8.4.1 |
Protecting tape volumes | Section 8.4.2 |
Auditing volume access | Section 8.4.3 |
For file-structured ODS-2 volumes, the OpenVMS operating system supports the types of access shown in Table 8-9. The system provides protection of ODS-2 disks at the volume, directory, and file levels. Although you might have access to the directories and files on the volume, without the proper volume access, you are unable to access any part of a volume.
The default access types for the disk volume owner [0,0] are:
S:RWCD, O:RWCD, G:RWCD, W:RWCD.
The system establishes this protection with the default qualifier of the INITIALIZE command (/SHARE). Any attributes that you do not specify are taken from the current default protection.
You can change permanently stored protection information in the following ways:
The following sections explain how to perform these tasks:
Task | Section |
---|---|
Specify protection when you initialize volumes | Section 8.4.1.1 |
Change protection after volumes are mounted | Section 8.4.1.2 |
Display protection | Section 8.4.1.3 |
This section explains how to specify UIC-based volume protection and ISO 9660-formatted media protection when you initialize volumes.
Specifying UIC-Based Protection
You can specify protection in one of the following ways when you initialize volumes:
$ INITIALIZE DUA7: ACCOUNT1/PROTECTION=(S:RWCD,O:RWCD,G:R,W:R) |
Using INITIALIZE Command Qualifiers for Protection
You usually do not change volume protection after you initialize a
volume. By specifying a protection qualifier with the INITIALIZE
command, you can establish the default protection of a volume. (The
default qualifier of the INITIALIZE command is /SHARE, which grants all
types of ownership all types of access.)
Table 8-10 explains the
qualifiers you can use to specify disk volume protection when you
initialize disk volumes.
Qualifier | Explanation |
---|---|
/PROTECTION | The protection you specify with this qualifier overrides any protection you specify with other qualifiers. |
/SYSTEM | All processes have read, write, create, and delete access to the volume, but only system processes can create first-level directories. ([1,1] owns the volume.) See the note following this table. |
/GROUP | System, owner, and group processes have read, write, create, and delete access to the volume. World users have no access. |
/NOSHARE | System and owner processes have read, write, and delete access to the volume. World users have no access. Group users also have no access unless you specify the /GROUP qualifier. |
The /SYSTEM qualifier grants all users complete access. However, users cannot create directories or files unless you perform one of the following actions:
System managers usually choose the second method. |
Table 8-11 shows the UIC and protection that the system sets for disk volumes when you use the default, /SHARE, and other qualifiers with the INITIALIZE command.
Qualifier | UIC | Protection |
---|---|---|
/SYSTEM | [1,1] | S:RWCD,O:RWCD,G:RWCD,W:RWCD |
/SYSTEM/NOSHARE | [1,1] | S:RWCD,O:RWCD,G:RWCD,W:RWCD |
/GROUP | [x,0] | S:RWCD,O:RWCD,G:RWCD,W |
/SHARE (the default) | [x,x] 1 | S:RWCD,O:RWCD,G:RWCD,W:RWCD |
/NOSHARE | [x,x] 1 | S:RWCD,O:RWCD,G,W |
Specifying ISO 9660-Formatted Media Protection
The OpenVMS implementation of ISO 9660 does not include volume or volume set protection. The protection specified for the device on which the media is mounted determines accessibility to the ISO 9660 volumes or volume sets.
By default, the device protection is assigned to ISO 9660 files and directories. When you mount the volume, you can specify additional file protection using the UIC and PERMISSION protection fields included in the Extended Attribute Records (XARs) that might be associated with each file.
You can enable the protection fields by specifying either of the following items:
MOUNT/PROTECTION=XAR |
When you specify the XAR option for a file that has an associated
XAR, the protection fields in the XAR are enabled.
MOUNT/PROTECTION=DSI |
If you specify the DSI option, you enable the XAR permissions Owner
and Group for XARs containing DSI.
For more information about the XAR and DSI options, refer to the
OpenVMS Record Management Utilities Reference Manual.
8.4.1.2 Changing Protection After Disk Volumes Are Mounted
You can change protection by using the SET SECURITY/CLASS=VOLUME command with the /PROTECTION, /OWNER, or /ACL qualifier to change any aspect of the volume security profile.
To change UIC-based protection after a volume is mounted, use the SET SECURITY/CLASS=VOLUME/PROTECTION command. For example:
$ SET SECURITY/CLASS=VOLUME/PROTECTION=(S:RWCD,O:RWCD,G:RC,W:RC) DUA0: |
The protection set in this example allows the system and owner all types of access. Group and world access types can only read files and run programs. Any category not specified in the protection code (S,O,G,W) is unchanged.
To change ACL-based protection after a volume is mounted, use the SET SECURITY/CLASS=VOLUME/ACL command. To change the ACL, for example:
$ SET SECURITY/CLASS=VOLUME/ACL=(IDENTIFIER=DOC,ACCESS=READ+WRITE+EXECUTE) - _$ $1$DSA7: |
This example gives holders of the DOC identifier read, write, and
execute access to the $1$DSA7: volume.
8.4.1.3 Displaying UIC- and ACL-Based Protection
You can use the SHOW SECURITY/CLASS=VOLUME command to display protection. For example:
$ SHOW SECURITY/CLASS=VOLUME $1$DSA27: |
The following example shows the resulting display:
$1$DSA27: object of class VOLUME Owner: [1,1] Protection: (System: RWCD, Owner: RWCD, Group: RWCD, World: RWCD) Access Control List: (IDENTIFIER=[ABC,SADAMS],ACCESS=READ+WRITE+CREATE+DELETE) |
In the display are the name and profile of the VOLUME class object
$1$DSA27. The profile includes the owner UIC, the protection code, and
the access control list (ACL) of the protected object.
8.4.2 Protecting Tape Volumes
The system protects magnetic tapes only at the volume level. You establish protection when you initialize tape volumes; after that, the Mount utility (MOUNT) enforces the protection that you have established.
You can use two levels of protection for tape volumes:
Level of Protection | Description |
---|---|
Guidelines of the ISO standard | The ISO standard, which is the first level of protection, is encoded in the accessibility field of the first volume label written on the magnetic tape. With this protection scheme, you can protect tape volumes in environments where interchange exists between the OpenVMS system and the operating system that is not OpenVMS. |
UIC-based protection scheme supported by system software | This second level of protection is encoded in the second volume label written on the magnetic tape. Only OpenVMS systems check this scheme; it is ignored in any interchange with operating systems that are not OpenVMS. |
Standard-Labeled Tape Protection
The OpenVMS tape file system bases its accessibility protection on the ISO standards. This protection allows an installation routine to use a routine that interprets the contents of the volume- and header-label accessibility field. Refer to the $MTACCESS system service in the OpenVMS System Services Reference Manual for more information about installation routines.
Access Types with Default Protection
When you do not supply a protection code during initialization, all users receive read and write access, explained in Table 8-12.
Access Type | Gives you the right to... |
---|---|
Read | Examine, print, or copy files from the volume. |
Write | Append or write files to the volume. |
The security profile of a tape volume is stored in the ANSI VOL1 and VOL2 labels written on the tape. The VOL2 label contains system-specific information. To override the creation of VOL2 labels, specify the /INTERCHANGE qualifier with the INITIALIZE command or the INIT$_INTERCHANGE itemcode on the $INIT_VOL system service.
The operating system also supports foreign tape volumes.
(Foreign volumes either lack the standard volume label
or have been mounted with the /FOREIGN qualifier.) When a tape volume
is mounted with the /FOREIGN qualifier, users in the system and owner
categories are always given full access (read, write, logical, and
physical), regardless of what is specified in the protection code.
8.4.2.1 Using the /PROTECTION Qualifier with Tape Volumes
If you use the /PROTECTION qualifier when you initialize tape volumes, the protection code is written to a system-specific volume label.
With the /PROTECTION qualifier, the system applies only read (R) and
write (W) access restrictions. (Execute [E] and delete [D] access do
not apply.) The system and the owner always receive both read (R) and
write (W) access to magnetic tapes, regardless of the protection code
you specify.
8.4.2.2 Protecting Tape Volumes for Interchange Environments
You can protect tape volumes for interchange between OpenVMS and other operating systems.
The following list contains guidelines for protecting specific types of magnetic tapes:
Previous | Next | Contents | Index |
Copyright © Compaq Computer Corporation 1998. All rights reserved. Legal |
6017PRO_031.HTML
|