Updated: 11 December 1998 |
OpenVMS DCL Dictionary
Previous | Contents | Index |
Allows users to modify the process or system rights list. You must specify either the /DISABLE or the /ENABLE qualifier with the SET RIGHTS_LIST command.
SET RIGHTS_LIST id-name[,...]
id-name[,...]
Specifies identifiers to be added to or removed from the process or system rights list. The id-name parameter is a string of 1 to 31 alphanumeric characters, underscores (_), and dollar signs ($); each name must contain at least one nonnumeric character.
The SET RIGHTS_LIST command modifies identifiers in your current process rights list, the rights list of another process on the system, or the system rights list. Use the following guidelines to determine which privileges are required for each case:
- Adding new identifiers or modifying existing identifiers in your process rights list that do not have the Dynamic attribute requires CMKRNL (change mode to kernel) privilege.
- Modifying the rights list of other processes on the system requires CMKRNL privilege and either GROUP or WORLD privilege.
- Modifying the system rights list requires both CMKRNL and SYSNAM (system logical name) privileges.
- Adding or removing more than ten identifiers using the /ENABLE qualifier or the /DISABLE qualifier in a single command invocation requires CMKRNL privilege. You must specify either the /DISABLE or the /ENABLE qualifier with the SET RIGHTS_LIST command.
This command can also be used to add attributes to existing identifiers.
/ATTRIBUTES=(keyword[,...])
Specifies attributes to be associated with the identifiers. Attributes may be added to new or existing identifiers. The following are valid keywords:
DYNAMIC Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST. NOACCESS Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the Resource or Subsystem attribute. RESOURCE Allows holders of an identifier to charge disk space to the identifier. Used only for file objects. SUBSYSTEM Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects. To remove an attribute from the identifier, add a NO prefix to the attribute keyword. For example, to remove the Resource attribute, specifiy /ATTRIBUTE=NORESOURCE.
The default uses the current processes in the rights database. Use the command SHOW PROCESS/RIGHTS to see the attributes of the current process.
/DISABLE
Removes the identifiers from the process or system rights list. You cannot use the /DISABLE qualifier with the /ENABLE qualifier. Note that removing more than ten identifiers in a single command invocation requires CMKRNL privilege./ENABLE
Adds the identifiers to the process or system rights list. You cannot use the /ENABLE qualifier with the /DISABLE qualifier. Note that adding more than ten identifiers in a single command invocation requires CMKRNL privilege./IDENTIFICATION=pid
Specifies the process identification (PID) value of the process whose rights list is to be modified. The PID is assigned by the system when the process is created. When you specify a PID, you can omit the leading zeros.If you specify the /IDENTIFICATION qualifier, you cannot use the /PROCESS qualifier. By default, if neither the /IDENTIFICATION nor the /PROCESS qualifier is specified, the current process is assumed. You cannot use the /IDENTIFICATION qualifier with the /SYSTEM qualifier.
/PROCESS[=process-name]
Specifies the name of the process whose rights list is to be modified. The process name can contain from 1 to 15 alphanumeric characters.If you specify the /PROCESS qualifier, you cannot use the
/IDENTIFICATION qualifier. By default, if neither the /PROCESS nor the /IDENTIFICATION qualifier is specified, the current process is assumed.You cannot use the /PROCESS qualifier with the /SYSTEM qualifier.
/SYSTEM
Specifies that the desired operation (addition or removal of an identifier) be performed on the system rights list. You cannot use the /SYSTEM qualifier with the /PROCESS or the /IDENTIFICATION qualifier.
#1 |
---|
$ SET RIGHTS_LIST/ENABLE/ATTRIBUTES=RESOURCE MARKETING |
The SET RIGHTS_LIST command in this example adds the MARKETING identifier to the process rights list of the current process. Specifying the RESOURCE attribute allows holders of the MARKETING identifier to charge resources to it.
#2 |
---|
$ SET RIGHTS_LIST/ENABLE/SYSTEM PHYSICS101 %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation $ SET PROCESS/PRIVILEGES=(CMKRNL,SYSNAM) $ SET RIGHTS_LIST/ENABLE/SYSTEM PHYSICS101 |
The SET RIGHTS_LIST command in this example adds the PHYSICS101 identifier to the system rights list. You must have both the CMKRNL (change mode to kernel) and SYSNAM (system logical name) privileges to modify the system rights list.
Defines default values for multiblock and multibuffer counts, network transfer sizes, prolog level, and extend quantity used by OpenVMS Record Management Services (RMS) for file operations.If you set the default value for either the multiblock count or the multibuffer count at 0, RMS tries to use the process default value or the system default value, in that order. If these are set at 0, RMS uses a default value of 1. Defaults are set for sequential, relative, or indexed file organizations on a process-only basis, unless a systemwide basis is requested.
SET RMS_DEFAULT
None.
Multiblocking and multibuffering of file operations can enhance the speed of I/O operations with RMS. The defaults set with the SET RMS_DEFAULT command are applied for all file operations that do not specify explicit multiblock or multibuffer counts.For more information on multiblock and multibuffer operations, refer to the OpenVMS System Services Reference Manual.
For indexed files, the SET RMS_DEFAULT command defines default prolog level options.
For sequential files, the SET RMS_DEFAULT command defines default extensions. If a default extension is not specified in your program, the process or system default is used.
For network operations, the SET RMS_DEFAULT command defines network buffer sizes for transfer.
/BLOCK_COUNT=count
Specifies a default multiblock count (0 to 127) for record I/O operations only, where count is the number of blocks to be allocated for each I/O buffer.For more information on multiblock count, refer to the description of the RAB$B_MBC in the OpenVMS Record Management Services Reference Manual.
/BUFFER_COUNT=count
Specifies a default multibuffer count (0 to 255) for local file operations, where count is the number of buffers to be allocated. If you use the /SYSTEM qualifier to extend the default value systemwide, the maximum default value is 127.When you use the /BUFFER_COUNT qualifier, you can use the /DISK, /INDEXED, /MAGTAPE, /RELATIVE, /SEQUENTIAL, and /UNIT_RECORD qualifiers to specify the types of file for which the default is to be applied. If the /BUFFER_COUNT qualifier is specified without any of these qualifiers, the /SEQUENTIAL qualifier is assumed. If file type is not specified, the default is applied to sequential files.
For more information on multibuffer count, refer to the description of the RAB$B_MBF field in the OpenVMS Record Management Services Reference Manual.
/DISK
Applies the specified defaults to disk file operations. Values applied using the /SEQUENTIAL qualifier take precedence over values applied using the /DISK qualifier./EXTEND_QUANTITY=n
Specifies the number of blocks n to extend a sequential file where n can range from 0 to 65535. If you do not specify the /EXTEND_QUANTITY qualifier, RMS calculates its own extend value. The /EXTEND_QUANTITY qualifier value is used when the program does not specify an extent quantity explicitly./INDEXED
Applies the multibuffer default to indexed file operations./MAGTAPE
Applies the multibuffer default to magnetic tape operations. Values applied using the /SEQUENTIAL qualifier take precedence over values applied using the /MAGTAPE qualifier./NETWORK_BLOCK_COUNT=count
Specifies a default block count (0 to 127) for network access to remote files, where count is the number of blocks to be allocated for each I/O buffer.For remote file access, the buffer size is negotiated between RMS and the remote system's file access listener (FAL) with the smaller of the two sizes being selected.
Thus, the /NETWORK_BLOCK_COUNT value places an upper limit on the network buffer size that is used. It also places an upper limit on the largest record that may be transferred to or from a remote file. The largest record must be less than or equal to 512*network_block_count. (The network_block_count is in block units and the record is in byte units.)
If you omit the value or specify a value of 0, RMS uses the systemwide block count value. If this value is also 0, RMS uses a size of one block.
/PROLOG=n
Specifies a default prolog level for indexed files where acceptable values for n are 0, 2, or 3. If 0 (default) is specified, RMS sets an appropriate prolog level./RELATIVE
Applies the multibuffer default to relative file operations./SEQUENTIAL (default)
Applies the multibuffer default to sequential file operations. The /SEQUENTIAL qualifier overrides values applied using either the /DISK, the /MAGNETIC TAPE, or the /UNIT RECORD qualifier.The /SEQUENTIAL qualifier is the default if you do not specify either the /RELATIVE or the /INDEXED qualifier.
/SYSTEM
Requires CMKRNL (change mode to kernel) privilege.Applies specified defaults on a systemwide basis to all file operations.
System-wide settings are implemented as system parameters. For a system-wide setting to survive a system reboot, it must be written to the system parameter file by using SYSGEN.
/UNIT_RECORD
Applies the multibuffer default to file operations on unit record devices. Values applied using the /SEQUENTIAL qualifier take precedence over values applied using the /UNIT_RECORD qualifier.
#1 |
---|
$ SET RMS_DEFAULT/BLOCK_COUNT=24 $ SHOW RMS_DEFAULT MULTI- | MULTIBUFFER COUNTS | NETWORK BLOCK | Indexed Relative Sequential | BLOCK COUNT | Disk Magtape Unit Record | COUNT Process 24 | 0 0 0 0 0 | 0 System 16 | 0 0 0 0 0 | 8 Prolog Extend Quantity Process 0 0 System 0 0 |
The SET RMS_DEFAULT command in this example sets the multiblock count for disk file I/O at 24 for user programs that do not set the multiblock count explicitly. The command applies only to the current process.
#2 |
---|
$ SET RMS_DEFAULT/BUFFER_COUNT=8/MAGTAPE $ SHOW RMS_DEFAULT MULTI- | MULTIBUFFER COUNTS | NETWORK BLOCK | Indexed Relative Sequential | BLOCK COUNT | Disk Magtape Unit Record | COUNT Process 24 | 0 0 0 8 0 | 0 System 16 | 0 0 0 0 0 | 8 Prolog Extend Quantity Process 0 0 System 0 0 |
The SET RMS_DEFAULT command in this example defines the default multibuffer count for I/O magnetic tape operations at 8.
#3 |
---|
$ SET RMS_DEFAULT/BUFFER_COUNT=7/NETWORK_BLOCK_COUNT=16/SYSTEM $ SHOW RMS_DEFAULT MULTI- | MULTIBUFFER COUNTS | NETWORK BLOCK | Indexed Relative Sequential | BLOCK COUNT | Disk Magtape Unit Record | COUNT Process 24 | 0 0 0 8 0 | 0 System 16 | 0 0 7 7 7 | 16 Prolog Extend Quantity Process 0 0 System 0 0 |
The SET RMS_DEFAULT command in this example defines the systemwide default multibuffer count at 7 for all sequential file operations on disk, magnetic tape, and unit record devices. The command also sets the network block count at 16.
#4 |
---|
$ SET RMS_DEFAULT/EXTEND=50/INDEXED/BUFFER_COUNT=5 $ SHOW RMS_DEFAULT MULTI- | MULTIBUFFER COUNTS | NETWORK BLOCK | Indexed Relative Sequential | BLOCK COUNT | Disk Magtape Unit Record | COUNT Process 24 | 5 0 0 8 0 | 0 System 16 | 0 0 7 7 7 | 16 Prolog Extend Quantity Process 0 50 System 0 0 |
The SET RMS_DEFAULT command in this example sets the default multibuffer count for I/O operations on indexed files at 5. It also defines the default extend quantity for sequential I/O operations at 50 blocks. These defaults apply only to disk operations for user programs that do not set the multiblock count explicitly. These defaults are limited to the current process.
#5 |
---|
$ SET RMS_DEFAULT/PROLOG=2 $ SHOW RMS_DEFAULT MULTI- | MULTIBUFFER COUNTS | NETWORK BLOCK | Indexed Relative Sequential | BLOCK COUNT | Disk Magtape Unit Record | COUNT Process 24 | 5 0 0 8 0 | 0 System 16 | 0 0 7 7 7 | 16 Prolog Extend Quantity Process 2 50 System 0 0 |
The SET RMS_DEFAULT command in this example specifies Prolog 2 as default for indexed files for the current process.
Modifies the security profile of an object.
SET SECURITY object-name
object-name
Specifies the name of an object, such as a file or device, whose security profile is to be modified. An object is identified by an object name and a class name. The default class name is FILE.An object name of the FILE class (explicitly or implicitly specified) can include an asterisk (*) or a percent sign (%) wildcard character, but wildcard characters are not allowed in any class other than FILE. SET SECURITY does not operate on remote files and devices, alias directory entries, or directory names in UIC format (for example, [14,5]).
The SET SECURITY command modifies the security profile of an object. Such a profile contains the following elements:
- An access control list editor (ACL editor)
- A protection code, which defines access to objects based on the categories of system, owner, group, and world.
- An owner. The system uses the owner element to interpret the protection code.
There are three different ways to use the command.
- You can provide new values explicitly with the qualifiers /ACL, /PROTECTION, and /OWNER. (For extensive ACL work, use /EDIT to invoke the ACL editor.)
- You can copy from another object's profile with the /LIKE qualifier.
- If the object is of the FILE class, you can reset its profile to the default setting with the /DEFAULT qualifier.
In order to modify a security profile, you need control access to the object. An ACL grants control access explicitly whereas a protection code grants it implicitly to anyone belonging to the owner or system categories. If an object profile is modified while the object is being accessed, the existing access is unaffected.
The following table identifies object classes and the access types they support.
Object Class Access Types CAPABILITY (VAX only) Use, Control COMMON_EVENT_FLAG_CLUSTER Associate, Delete, Control DEVICE Read, Write, Physical, Logical, Control FILE (including directory file) Read, Write, Execute, Delete, Control GROUP_GLOBAL_SECTION Read, Write, Execute, Control ICC_ASSOCIATION 1 Open, Access, Control LOGICAL_NAME_TABLE Read, Write, Create, Delete, Control QUEUE Read, Submit, Manage, Delete, Control RESOURCE_DOMAIN Read, Write, Lock, Control SECURITY_CLASS Read, Write, Control, Logical I/O, Physical I/O SYSTEM_GLOBAL_SECTION Read, Write, Execute, Control VOLUME Read, Write, Create, Delete, Control
The OpenVMS Guide to System Security provides a full explanation of protected objects and how to modify them.
Table DCLII-21 shows the qualifier categories for the SET SECURITY command. The explanations for the qualifiers following Table DCLII-21 occur in alphabetical order.
General Qualifiers |
ACL-Modifying Qualifiers | Security Class Qualifier | File-Specific Qualifiers | Transfer Qualifiers |
---|---|---|---|---|
/ACL
/CLASS /LOG /OWNER /PROTECTION |
/AFTER
/DELETE /EDIT /REPLACE |
/PROFILE |
/BACKUP
/BEFORE /BY_OWNER /CONFIRM /CREATED /DEFAULT /EXCLUDE /EXPIRED /MODIFIED /SINCE /STYLE |
/COPY_ATTRIBUTE
/LIKE |
/ACL[=(ace[,...])]
Identifies one or more access control list entries (ACEs) to add, replace, or delete. Enclose each ACE in parentheses and separate multiple ACEs by commas (,). The most common type of entry, the Identifier ACE, has the format (IDENTIFIER=identifier, ACCESS=access-type(+...)). By default, SET SECURITY adds an ACE to the top of the ACL. This behavior changes when you include one of the positional qualifiers: /AFTER, /DELETE, or /REPLACE. Refer to the discussion of ACL ordering in the OpenVMS Guide to System Security./AFTER=ace
Positions all ACEs specified with the /ACL qualifier after the ACE named with the /AFTER qualifier./BACKUP
Modifies the time value provided with the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier selects files according to the date of their most recent backup (rather than by the creation, expiration, or modification date). By default, SET SECURITY selects files according to their creation date./BEFORE[=time]
Selects only those files dated prior to the specified time. You can specify time as absolute time, as a combination of absolute and delta times, or as one of the following keywords: BOOT, LOGIN, TODAY (default), TOMORROW, or YESTERDAY. Specify the /CREATED or the /MODIFIED qualifier to indicate the time attribute to be used as the basis for selection. The /CREATED qualifier is the default.For complete information on specifying time values, refer to the OpenVMS User's Manual or the online help topic DCL_Tips (subtopic Date_Time).
/BY_OWNER[=uic]
Selects files whose owner's UIC matches the UIC specified. The default UIC is that of the current process./CLASS=class-name
Specifies the class of the object whose profile is to be modified. By default, the command assumes the object class is FILE./CONFIRM
Controls whether SET SECURITY prompts for verification before performing the operation. Valid responses are YES, NO, TRUE, and FALSE. Answers are not case sensitive and can be abbreviated to one letter. To stop processing the command at any point, type QUIT or press Ctrl/Z. To cancel the verification procedure but to proceed with the command, type ALL./COPY_ATTRIBUTE=(keyword[,...])
Specifies a subset of security elements to transfer from a source object to a target object. Valid keywords include the following:
Keyword Description ALL (default) Copy all security elements ACL Copy the access control list OWNER Copy the owner PROTECTION Copy the protection code Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier. For example, you can create an ACL for an object and then copy its ACL to new objects.
/CREATED
Modifies the time value specified with the /BEFORE or the /SINCE qualifier. The /CREATED qualifier selects files according to the date they were created (rather than by the backup, expiration, or modification date). By default, SET SECURITY selects files according to their creation date./DELETE[=ALL]
Deletes ACEs according to the following rules:
- The expression /ACL=aces/DELETE deletes the named ACEs.
- The expression /ACL/DELETE deletes all unprotected ACEs.
- The expression /ACL/DELETE=ALL deletes all ACEs including protected ACEs.
- The expression /ACL=aces/DELETE=ALL deletes the existing ACL (if any) and create a new ACL with the ACEs specifies on the /ACL qualifier.
/DEFAULT
Regenerates the security profile of a file. The default qualifier changes the protection code, the ACL, and the owner elements of a file to what it would be if the file had just been created. The profile is recreated according to the following rules:
- The protection code is propagated from the default protection ACE on the directory (if one exists), or else it is propagated from the process default.
- The ACL is propagated from the parent directory for those ACEs that have the default option.
- The owner is set to the owner of the parent directory.
With subdirectory files, SET SECURITY assigns the owner, protection, and ACL elements of the parent directory.
SET SECURITY does not copy any ACE on the source object if the ACE holds the nopropagate attribute nor does it change any ACE on the target object if the ACE holds the protected attribute. To apply new elements to all versions of the file, specify ;* in the object name. Refer to the OpenVMS Guide to System Security for more information on propagation rules.
/EDIT
Invokes the access control list editor (ACL editor) and allows you to modify an ACL interactively. The ACL editor does not allow the asterisk (*) and the percent sign (%) wildcard characters in an object name. You must specify the object whose ACL you are editing.The /EDIT qualifier must be the first qualifier on the command line; other qualifiers can include /CLASS and, if the class is SECURITY_CLASS, you can include the /PROFILE qualifier. Whenever an object does not belong to the FILE class, you also need to specify /CLASS.
Refer to the ACL editor in the OpenVMS System Management Utilities Reference Manual for more information.
/EXCLUDE=(filespec[,...])
Excludes the specified files from the SET SECURITY operation. You can include a directory, but not a device, in the file specification. You cannot use relative version numbers to exclude a specific version./EXPIRED
Modifies the time specified with the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier selects files according to their expiration dates rather than by the backup, creation, or modification date. (The expiration date is set with the SET FILE/EXPIRATION_DATE command.) By default, files are selected according to their creation date./LIKE=(NAME=source-object-name
Identifies the object from which SET SECURITY should copy security elements. The /LIKE qualifier replaces an object's existing elements with those of the source object. Nopropagate ACEs are not transferred and protected ACEs on the target object are not deleted. Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier to copy an object's elements. Refer to the OpenVMS Guide to System Security for information about the special handling of protected and nopropagate ACEs.
[,CLASS=source-object-class] [,PROFILE=TEMPLATE=template-name])The object class of the source object defaults to the class of the target object. When the /CLASS qualifier is omitted, the CLASS keyword defaults to FILE.
The PROFILE keyword applies to security class objects. It identifies which template of the security class you want to copy and modify. See /PROFILE for more information.
/LOG
Controls whether the SET SECURITY command displays the name of the object that has been modified by the command. The qualifier is invalid with the /EDIT qualifier./MODIFIED
Modifies the time value specified with the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier selects files according to the dates on which they were last modified, rather than by the backup, creation, or expiration date. By default, files are selected according to their creation date./OWNER=identifier
Requires GRPPRV (group privilege) to set the owner to another member of the same group. Requires SYSPRV (system privilege) to set the owner to any user identification code (UIC) outside your group.
Previous Next Contents Index
Copyright © Compaq Computer Corporation 1998. All rights reserved.
Legal9996PRO_058.HTML