Compaq PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide


Previous Contents Index

4.3.2.4.1 Procedure for Creating a Personal Share

Follow these steps to create a personal share:

  1. Add a share using the ADD SHARE/PERSONAL command.
  2. Use the SHOW SHARES/TYPE=PERSONAL command to display the share. Include the /FULL qualifier to display the path and permissions. For example:


LANDOFOZ\\TINMAN> ADD SHARE GREATOZ USER1:[USERS] - 
_LANDOFOZ\\TINMAN> /PERSONAL/NOPERMISSIONS/PERMISSIONS=(LION=FULL) 
%PWRK-S-SHAREADD, share "GREATOZ" added on server "TINMAN" 
 
LANDOFOZ\\TINMAN> SHOW SHARES/TYPE=PERSONAL/FULL 
 
Shared resources on server "TINMAN": 
 
Name          Type       Description 
------------  ---------  ------------------------------------------ 
GREATOZ       Personal 
    Path: USER1:[USERS] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions: System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        LION                            Full Control 
     Total of 1 share 
 
LANDOFOZ\\TINMAN> 

After the personal share is created, you can set up the associated directory as the user's home directory. The home directory contains files and programs for the user, and is automatically accessible when the user logs on to the network. For information about setting up home directories, see Section 3.1.10, Specifying Home Directories.

4.3.2.5 Stopping Directory Sharing

You may need to stop sharing a directory when the directory is no longer being used and you want to delete it; for example, when a project requiring the use of shared files is completed. Advise users when you are planning to stop sharing a directory.

For example, to stop sharing the directory GREATOZ, use the ADMINISTER command REMOVE SHARE, as follows:


 
LANDOFOZ\\TINMAN> REMOVE SHARE GREATOZ/NOCONFIRM 
%PWRK-S-SHAREREM, share "GREATOZ" removed from server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

This example removes the share named GREATOZ from the server named TINMAN; no confirmation is required. When you stop sharing a directory, the share name is removed from the share database and no longer appears on the list of available shares. However, the directory and its files are not deleted.

4.3.3 Displaying Information About Shares

You can use the SHOW SHARES command to display the shares provided by a server and to see which shares are available to the network. Before sharing a new directory from the server, first check which shares are currently available.

The following example shows how to display the shared directories for your server:


LANDOFOZ\\TINMAN> SHOW SHARES 
 
Shared resources on server "TINMAN": 
 
Name          Type       Description 
------------  ---------  --------------------------------------- 
NETLOGON      Directory  Logon Scripts Directory 
PWLIC         Directory  PATHWORKS Client License Sftwr 
PWLICENSE     Directory  PATHWORKS Client License Sftwr 
PWUTIL        Directory  Adv. Srv. Client-based Utilities 
USERS         Directory  Users Directory 
 
  Total of 5 shares 
 
LANDOFOZ\\TINMAN> 

The default display does not show administrative shares and personal shares.

You can display information about administrative shares (those that end with $) using the SHOW SHARES/HIDDEN command, as described in Section 4.2, Administrative Shares.

You can display information about personal shares using the SHOW SHARES/TYPE=PERSONAL command.

You can display information about all shares using the SHOW SHARE/TYPE=ALL command.

4.3.3.1 Displaying Information About a Specific Share

You can display information about any share, regardless of the type of share, by specifying the share name, as in the following example:


LANDOFOZ\\TINMAN> SHOW SHARES RAINBOW 
 
Shared resources on server "TINMAN": 
 
Name          Type       Description 
------------  ---------  -------------------- 
RAINBOW       Personal 
 
  Total of 1 share 

4.3.3.2 Displaying Share Permissions

To display share permissions, use the SHOW SHARES command with the /PERMISSIONS qualifier. For example:


LANDOFOZ\\TINMAN> SHOW SHARES/PERMISSIONS 
Shared resources on server "TINMAN": 
Name          Type       Description 
------------  ---------  -------------------------------------------------- 
DICK          Printer    Dick's print share 
    Share Permissions: 
        Everyone                        Full Control 
NETLOGON      Directory  Logon Scripts Directory 
    Share Permissions: 
        Everyone                        Read 
PATHWORKS     Directory  
    Share Permissions: 
        Everyone                        Full Control 
PWLIC         Directory  PATHWORKS Client License Sftwr 
    Share Permissions: 
        Administrators                  Full Control 
        Everyone                        Read 
PWLICENSE     Directory  PATHWORKS Client License Sftwr 
    Share Permissions: 
        Administrators                  Full Control 
        Everyone                        Read 
PWUTIL        Directory  Adv. Srv. Client-based Utilities 
    Share Permissions: 
        Everyone                        Read 
USERS         Directory  Users Directory 
    Share Permissions: 
        Everyone                        Full Control 
 
  Total of 7 shares 
 
LANDOFOZ\\TINMAN> 

4.3.4 Changing Share Properties

You can change the properties of an existing share using the MODIFY SHARE command. You can change the following share properties:

To change the properties of a shared directory, you must be logged on as a member of the Administrators or Server Operators group.

The following example shows how to use the MODIFY SHARE command to add permissions on an existing directory share called GREATOZ and to grant READ access to the user SCARECROW:


LANDOFOZ\\TINMAN> MODIFY SHARE GREATOZ/PERMISSIONS=(SCARECROW=READ) 
%PWRK-S-SHAREMOD, share "GREATOZ" modified on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

4.3.5 Planning File and Directory Access Permissions

Users and groups can be granted or denied access to specific files and subdirectories in a shared directory. A user denied access to a file or directory, either individually or as a member of a group, can connect to the share but cannot perform any operations with the files and directories in the share. You can grant specific unique access permissions for files and directories in shares that users can access. Once a user connects to the resource, the file and directory access permissions control the operations that the user can perform. For information about specifying share permissions, see Section 4.3.2.2, Planning Share Permissions.

You can enable users to set access permissions on their own files and directories. These users can then control whether other users can read, write, or modify files in that directory. To enable users to set access permissions, give them full control using the SET FILE command.

4.3.5.1 File and Directory Access Permissions

Table 4-9, Directory Access Permissions and Actions on Directories, lists the types of access users can have and the permissions to set on directories.

Table 4-9 Directory Access Permissions and Actions on Directories
User Actions NONE LIST READ ADD ADD AND READ CHANGE FULL CONTROL
Display directory file names   X X   X X X
Display directory attributes   X X X X X X
Go to directory subdirectories   X X X X X X
Change directory attributes       X X X X
Create subdirectories and add files       X X X X
Display directory owner and permissions   X X X X X X
Delete the directory           X X
Delete any file or empty subdirectory in a directory             X
Change directory permissions             X
Take ownership of the directory             X

Table 4-10, Directory Access Permissions and Actions on Files, lists the types of access users can have to files and the permissions to set on them.

Table 4-10 Directory Access Permissions and Actions on Files
User Actions NONE LIST READ ADD ADD AND READ CHANGE FULL CONTROL
Display file owner and permissions     X   X X X
Display file data     X   X X X
Display file attributes     X   X X X
Run a program file     X   X X X
Change file attributes           X X
Change data in and append data to the file           X X
Delete the file           X X
Change the file permissions             X
Take ownership of the file             X

4.3.5.2 Setting Permissions on a File or Directory

By default, anyone with a valid network user name and password can log on to a server and connect to a share on that server. However, a user must have the requisite permissions to access the directories and files in the share. You use the SET FILE/PERMISSIONS command to set permissions on a shared directory. You may need to change access permissions if users cannot access the directories or files they need, or if unauthorized users can access them. For information about how a file or directory that does not have explicit permissions inherits the permissions, see Section 4.1.3.1, Inheritance of Directory Permissions, and Section 4.3.5.3, Inheriting Permissions.

Permissions for disk resources are stored on the disk with each resource as an OpenVMS access control list (ACL). Thus, resource permissions are backed up by the OpenVMS Backup utility.

4.3.5.3 Inheriting Permissions

As you create subdirectories and files in shared directories that have existing permissions, those permissions are automatically propagated to the new subdirectories and files. (This assumes the default for the STORE_SECURITY_ACES is in effect; see Section 4.1.3.6, Streamlining Security Information Storage and Lookups, for more information.) However, if you decide to share a directory that contains existing subdirectories and files, the permissions you assign to the new share are not propagated to its subdirectories and files. You can either explicitly set permissions for each subdirectory and file, or you allow their permissions to be inherited.

4.3.6 Specifying File and Directory Access Permissions

When sharing a directory on a server, you specify the name of the groups and users who can access the share, its subdirectories, and its files, and the permissions each group or user has for the share. After the share has been created, you can modify the permissions on the files and directories in the share. The following example shows how to use the SET FILE/PERMISSIONS command to modify permissions. In this example, the command specifies the access permissions for all files with the .C extension in the directory CURTAIN in share GREATOZ.


LANDOFOZ\\TINMAN> SET FILE GREATOZ\CURTAIN\*.C - 
_LANDOFOZ\\TINMAN> MUNCHKINS/PERMISSIONS=READ - 
_LANDOFOZ\\TINMAN> SCARECROW/PERMISSIONS=FULL_CONTROL 
%PWRK-S-FILEMOD, "GREATOZ\CURTAIN\FILE1.C" modified on server "TINMAN" 
 
%PWRK-S-FILESMODIFIED, total of 1 file modified 
LANDOFOZ\\TINMAN> 

As a result, the following permissions are set:

4.3.7 Displaying File and Directory Access Permissions

To display directory and file permissions, use the SHOW FILES/PERMISSIONS command, specifying a share name and its path. For example, with a share called RAINBOW and a file called LOGS.TXT, you can display permissions as follows:


LANDOFOZ\\TINMAN> SHOW FILES RAINBOW\LOG.TXT /PERMISSIONS 
 
Files in: \\TINMAN\RAINBOW 
     LOGS.TXT 
          Permissions: 
              Administrators            Full (All) 
              Everyone                  Change (RWXD) 
              Server Operators          Change (RWXD) 
              SYSTEM                    Full (All) 
 
     Total of 1 file 
 
LANDOFOZ\\TINMAN> 

4.3.8 Using Network Permissions and OpenVMS Protections

If the Advanced Server and OpenVMS security model is enabled, and a network user attempts to access a file or directory, the access must be allowed by two security checks: network permissions, and OpenVMS file and directory protections.

4.3.8.1 OpenVMS Protections

Every file on an OpenVMS system has four protection codes:

To set OpenVMS system file protections, use the OpenVMS command SET PROTECTION.

When a network user attempts to access a file, the following rules determine the way that OpenVMS system protections control the access:

4.3.9 Auditing Directory and File Access

When you assign permissions for a resource, you can also audit use of the resource. The Advanced Server can write an entry to the Security event log whenever a user accesses the resource in a certain way. The audit entry shows the resource, action performed, user who performed it, and date and time of the event.

Events that Advanced Server can audit for directory and file access include:

For more information about auditing and viewing events, see Chapter 6, Monitoring Events and Troubleshooting.

4.3.10 Taking Ownership of Files or Directories

When you create a file or directory, you become its owner. By granting permissions, the owner controls how the file or directory is used. The owner can grant permission to another user to take ownership of a file or directory. Otherwise, you must be logged on as a member of the Administrators group to take ownership. Although an administrator can take ownership, an administrator cannot transfer ownership to others. This preserves security. To make sure that your files are secure, you should check their ownership regularly using the SHOW FILES/OWNER command.

4.3.10.1 Authorizing a User to Take Ownership of a File or Directory

You can specify permission to take ownership of a file or a directory using the following commands:

For example, to authorize the user SCARECROW to take ownership of a file called SIMIANS.DAT that is stored on domain LANDOFOZ in the directory \WITCH\MKEY, enter the following command:


LANDOFOZ\\TINMAN> SET FILE WITCH\MKEY\SIMIANS.DAT - 
_LANDOFOZ\\TINMAN>SCARECROW/PERMISSIONS=FILE_SPECIFIC=TAKE_OWNERSHIP 
%PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified 

4.3.10.2 Taking Ownership of a File or Directory

To take ownership of a file or directory, use the TAKE FILE OWNERSHIP command as follows:


TAKE FILE OWNERSHIP UNCpath [/qualifiers]) 

For example, the following command takes ownership of the file called SIMIANS.DAT that is stored on domain LANDOFOZ in the directory \WITCH\MKEY:


LANDOFOZ\\TINMAN> TAKE FILE OWNERSHIP WITCH\MKEY\SIMIANS.DAT 
%PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified 
 
LANDOFOZ\\TINMAN> 

4.3.11 Managing Shares from a Windows NT Server

You can manage shares on the Advanced Server using a Windows NT Server. When the Windows NT Server performs server administration, the Windows NT server administration tool Server Manager attempts to verify the share path locally before passing the server operation request to the Advanced Server. Any share path that does not conform to the device:\directory convention, where device: is a single letter drive letter, fails the share path verification; therefore, you cannot manage an Advanced Server share from the Windows NT Server Manager if the share path does not conform to the device:\directory convention.

The following sections describe ways to manage an Advanced Server share from the Windows NT Server.

4.3.11.1 Adding a Share from a Windows NT Server

To add an Advanced Server share using a Windows NT Server, use one of the following procedures:


Previous Next Contents Index