Document revision date: 19 July 1999
File-backed global sections share the security profile of the associated disk file. Whenever the profile of the backing file is modified, the global section's profile automatically changes. To modify the protection elements of file-backed global sections, you must modify the backing file instead.
The global section class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.
Type | Template Name | Owner UIC | Protection Code
---|---|---|---
System | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE
Group | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE
The operating system modifies the templates according to the values provided in the prot argument to $CRMPSC. The prot argument is ignored for file-backed sections.
To maintain compatibility with earlier versions of the operating
system, the DEFAULT templates have protection codes allowing world
access. Some applications may need a more restrictive default than the
templates provide. If you do choose to restrict global section access,
be aware that the more restrictive access can cause applications to
fail in ways that are difficult to diagnose.
5.5.4 Privilege Requirements
The SYSGBL privilege is required to create or delete a system global
section. The PFNMAP privilege is necessary to create or delete a page
frame section, and the PRMGBL privilege is required to create or delete
a permanent global section.
5.5.5 Kinds of Auditing Performed
The following types of events can be audited, provided the security administrator enables auditing for the appropriate event class:
Event Audited | When Audit Occurs
---|---
Creation | When a page file-backed or a PFN global section is created by the Create and Map Section system service ($CRMPSC).
Access | When an existing page file-backed or a PFN global section is accessed with either $CRMPSC or the Map Global Section system service ($MGBLSC). The operating system audits access to a file-backed global section as a file access.
Deaccess | At image or process rundown when the process virtual address space is reset or deleted.
Deletion | If a process with PRMGBL privilege, PFNMAP privilege, or SYSGBL privilege (in the case of a system global section) deletes a permanent global section, the operating system audits the event through the use of privilege.
A global section and its security profile need to be reset after every
system boot.
5.6 Logical Name Tables
Logical name assignments are maintained in logical name tables. A
logical name table can be accessible to only one process, or it can be
shareable if its parent table is shareable. All shareable name tables
are listed in the LNM$SYSTEM_DIRECTORY, the system directory table. It
is shareable logical name tables that the operating system protects.
5.6.1 Naming Rules
The name of a logical name table is a string of 1 to 32 characters.
5.6.2 Types of Access
The logical name table class supports the following types of access:
The logical name table class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.
Template Name | Owner UIC | Protection Code
---|---|---
DEFAULT | [0,0] | S:RW,O:RW,G:R,W:R
GROUP | [0,*] | S:RWCD,O:R,G:R,W
JOB | [0,0] | S:RWCD,O:RWCD,G,W
The operating system allows read and write access to the group logical name tables with GRPNAM privilege and to the system logical name table with SYSNAM privilege.
Deletion of a shared table from the system directory requires SYSNAM privilege, and deletion of a logical name from the group directory requires GRPNAM privilege. Deletion of a parent logical name table results in the deletion of all its descendant logical name tables.
Creation or deletion of an inner-mode logical name or logical name
table requires SYSNAM privilege (or being in an inner mode).
5.6.5 Kinds of Auditing Performed
The following events can be audited, provided the security administrator enables auditing for the event class:
Event Audited | When Audit Occurs
---|---
Access | When translating a name, when creating a name or a descendent table, or when deleting a name or a descendent table
Creation | During access to a parent table for the right to create a table or when the table itself is created
A logical name table and its security profile must be reset each time
the system is rebooted.
5.7 Queues
A queue is a set of jobs to be processed. In general, queues are of two
types, generic or execution. No processing takes place in generic
queues. Execution queues hold jobs that will execute on an execution
queue when one is available. Execution queues can be batch queues,
printer queues, server queues, or terminal queues.
5.7.1 Naming Rules
A queue name is a string of 1 to 31 characters, including any
alphanumeric character, the dollar sign ($), or the underscore (_).
5.7.2 Types of Access
The queue class supports the following types of access:
Access | Meaning
---|---
Read | Gives you the right to see the security elements of a queue or a job in the queue.
Submit | Gives you the right to place jobs in the queue.
Delete | Gives you the right to delete a job in the queue or modify the elements of a job.
Manage | Gives you the right to affect any job in the queue. You can start, stop, or delete a queue and change its status and any elements that are unrelated to security.
Control | Gives you the right to modify the protection elements and owner of a queue.
Note: When a process receives read or delete access
through a protection code, it can operate on only its job in the queue.
However, when granted through an ACL, read and delete access allow a
process to operate on all jobs in the queue.
5.7.3 Template Profile
The queue class provides the following template profile:
Template Name | Owner UIC | Protection Code
---|---|---
DEFAULT | [SYSTEM] | S:M,O:D,G:R,W:S
You need SYSNAM and OPER privileges to stop or start the queue manager.
OPER is necessary to create and delete queues, or to change the
symbiont definition.
5.7.5 Kinds of Auditing Performed
The following events can be audited, provided the security administrator enables auditing for the event class:
Event Audited | When Audit Occurs
---|---
Access | When a job is submitted to the queue and when either a job or queue is modified.
Creation | When a queue is initialized.
Deletion | When a process deletes a job from the queue or when the queue itself is deleted. (To enable auditing for queue deletions, enable auditing for manage [M] access to the queue.)
If access auditing is enabled for both files and queues, one queue
operation can generate a number of auditing messages because, within a
single operation, the operating system performs several access checks.
For example, before a job is executed on a print queue, the system
checks to see if you have read access to the file, and it checks for
read access again before printing the file.
5.7.6 Permanence of the Object
Queues are permanent objects. They are stored in the system queue
database together with their security profiles.
5.8 Resource Domains
Processes that access shared resources can coordinate access using the services of the lock manager. These services allow processes to associate a name with a resource, such as a file or a data structure, to arbitrate access to that resource, and to exchange limited information through a lock value block. The namespaces that catalog resources on which locks can be taken are called resource domains.
A process must become a member of a resource domain to take and release
locks and to read and write value blocks associated with resources in
that resource domain. A process implicitly joins the system and group
domains, but it explicitly joins other domains through a call to the
$SET_RESOURCE_DOMAIN system service. Access to all locks and value
blocks within a domain is controlled by access to the domain itself.
5.8.1 Naming Rules
A resource domain is identified to $SET_RESOURCE_DOMAIN by a longword
binary value. However, the name of the resource domain object is a
string containing the resource number interpreted in octal surrounded
by brackets [] or angle brackets <>. Alternatively, the name of
the resource domain object can be expressed as an identifier enclosed
in brackets or angle brackets. The identifier must translate to a UIC
value; the group field of the UIC is used as the resource domain number.
5.8.2 Types of Access
The resource domain class supports the following types of access:
Access | Meaning
---|---
Read | Gives you the right to read lock value blocks in the domain, including the right to use the $GETLKI system service to retrieve them
Write | Gives you the right to write to lock value blocks in the domain
Lock | Gives you the right to take locks using $ENQ, release locks using $DEQ, and obtain information about the lock database using $GETLKI
Control | Gives you the right to modify the protection elements of a resource domain
The resource domain class provides the following template profile. The template assigns an owner UIC of [n,*] where n is the resource domain's number.
Template Name | Owner UIC | Protection Code
---|---|---
DEFAULT | [n,*] | S:RWL,O:RWL,G:RWL,W
The SYSLCK privilege allows lock access to the system resource domain
(Domain 0).
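As an added example, not code from the OpenVMS manual, the following Python parses the protection codes and template owner UICs shown in the global section, logical name table and resource domain tables above, applies the [0,0]/[0,*] owner replacement rule, and answers whether a subject UIC gets a given access. The system-category threshold (MAXSYSGROUP, assumed octal 10) and the rule that any matching category may grant the access are assumptions, not statements from this page.

```python
# Added example (not from the OpenVMS manual): parse VMS-style protection codes
# and template owner UICs, instantiate a template for a creator, and ask which
# access a subject UIC gets.  UIC numbers are octal, as in the manual's tables.
import re

CATEGORIES = ("S", "O", "G", "W")  # System, Owner, Group, World

def parse_protection_code(code):
    """'S:RWCD,O:R,G:R,W' -> {'S': {'R','W','C','D'}, ..., 'W': set()}."""
    access = {c: set() for c in CATEGORIES}
    for field in code.split(","):
        cat, _, letters = field.strip().partition(":")
        if cat not in access:
            raise ValueError("unknown category in %r" % field)
        access[cat] = set(letters)   # a bare 'W' means world gets nothing
    return access

def parse_uic(text):
    """'[0,*]' -> (0, '*'); '[200,17]' -> (128, 15).  '*' is a wildcard member."""
    m = re.fullmatch(r"[\[<]\s*([0-7]+|\*)\s*,\s*([0-7]+|\*)\s*[\]>]", text)
    if not m:
        raise ValueError("bad UIC %r" % text)
    return tuple(p if p == "*" else int(p, 8) for p in m.groups())

def instantiate_owner(template_owner, creator_uic):
    """Replace each 0 field of the template owner with the creator's field
    (the rule the manual states for the [0,0] and [0,*] templates)."""
    return tuple(c if t == 0 else t for t, c in zip(template_owner, creator_uic))

def categories_for(subject_uic, owner_uic, max_sys_group=0o10):
    """Categories the subject falls into; a subject can be in several.
    Assumption: 'System' means a UIC group at or below MAXSYSGROUP (octal 10)."""
    grp, mem = subject_uic
    cats = {"W"}
    if grp <= max_sys_group:
        cats.add("S")
    if grp == owner_uic[0]:
        cats.add("G")
        if owner_uic[1] in ("*", mem):
            cats.add("O")
    return cats

def granted(code, owner_uic, subject_uic, letter):
    """True if any category the subject belongs to grants the access letter."""
    access = parse_protection_code(code)
    return any(letter in access[c] for c in categories_for(subject_uic, owner_uic))

def resource_domain_template_owner(domain_number):
    """DEFAULT template owner [n,*] for resource domain n, plus the object
    name: the domain number in octal inside brackets (naming rule 5.8.1)."""
    return (domain_number, "*"), "[%o]" % domain_number
```

With the GROUP logical name table template, a group member gets R but not D because only the System category carries D, which shows why the manual warns that restrictive templates fail in hard-to-diagnose ways.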
5.8.5 Kinds of Auditing Performed
The following events can be audited, provided the security administrator enables auditing for the event class:
Event Audited | When Audit Occurs
---|---
Access | When a process calls $SET_RESOURCE_DOMAIN or $ENQ to join a domain
Creation | The first time a process joins the resource domain
Deaccess | When a process calls $SET_RESOURCE_DOMAIN or at image or process rundown
Both the resource domain and its security elements are saved in
SYS$SYSTEM:VMS$OBJECTS.DAT.
5.9 Security Classes
The security class is the parent of all classes of protected objects. It protects the template profiles associated with the various object classes. Each object in the security class holds the following information:
Chapter 8 discusses how to manage objects in the security class.
5.9.1 Naming Rules
The security class has the following members:
CAPABILITY
COMMON_EVENT_CLUSTER
DEVICE
FILE
GROUP_GLOBAL_SECTION
LOGICAL_NAME_TABLE
QUEUE
RESOURCE_DOMAIN
SECURITY_CLASS
SYSTEM_GLOBAL_SECTION
VOLUME
Security class objects support the following types of access:
Access | Meaning
---|---
Read | Gives you the right to read a template profile. Template profiles contain the security elements assigned to new objects.
Write | Gives you the right to modify the values of a template profile.
Control | Gives you the right to modify the security profile of a security class object. Control access implies read and write access.
The security class object provides the following template profile:
Template Name | Owner UIC | Protection Code
---|---|---
DEFAULT | [SYSTEM] | S:RW,O:RW,G:R,W:R
The following events can be audited, provided the security administrator enables auditing for the event class:
Event Audited | When Audit Occurs
---|---
Access | When a process enters the DCL command SET SECURITY or SHOW SECURITY with the /CLASS=SECURITY_CLASS qualifier or when it uses the name SECURITY_CLASS in a call to the system service $SET_SECURITY or $GET_SECURITY
The security profiles of the security class object and all its members
are stored in the security object database.
5.10 Volumes
A volume object is one or more ODS-2 disk volumes. The object consists of multiple volumes when they are part of a bound volume set. Although you might have access to the directories and files on the volume, you cannot access them if you do not have access to the volume itself.
For access information on tapes and foreign volumes, see the
OpenVMS System Manager's Manual and the Mount utility documentation in the OpenVMS System Management Utilities Reference Manual.
5.10.1 Naming Rules
A volume name can be the volume label, the name of the device on which
the volume is mounted, or a user-specified logical name. Volume label
names can be from 0 to 12 characters in length.
5.10.2 Types of Access
The volume class supports the following types of access:
Access | Meaning
---|---
Read | Gives you the right to examine file names and print and copy files on a volume.
Write | Gives you the right to modify or write to existing files on a volume. Whether the subject may perform the operation on a specific file is determined by the file's protection. To be meaningful, write access requires read access.
Create | Gives you the right to create files on a disk volume and to subsequently modify them. Create access also requires read and write access.
Delete | Gives you the right to delete files on a disk volume, provided the user has proper access rights at the directory and file level. Delete access requires read access.
Control | Gives you the right to change the protection and ownership elements of the volume.