PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide



4.4.1 Creating a Share on PATHWORKS Advanced Server

A share is a shared directory. By sharing a directory, you allow users on the network to access the directory.

Any directory on the server can be shared, including the root directory of a disk device. Users specify the share name when accessing and displaying shares. No two resources on the same server can have the same share name.

When you create a shared directory, you assign access permissions to users and groups. These permissions define the access to the share for the specified users and groups. If you do not specify permissions when you add a share, all users are allowed to access the share.

You can define an OpenVMS system logical name that refers to an OpenVMS physical device. Then you can use the logical name to create the share with the ADD SHARE command. This allows you to move the physical structure to another device, redefine the logical name, and continue to provide access to the structure by the same share name. Users connected to the share will have to reconnect after this change.

4.4.1.1 Preparing to Share a Directory

When you share directories on a server, it is important to be well organized. If many users access the same directory for different purposes and activities, the directory can become a clutter of unrelated files. If you take the time to create separate directories organized by group and function, it will be easier to keep files organized.

Before setting up a shared directory, prepare a list of directories you will need to share on the server. Also prepare a list of the users and groups that will require access to each shared directory and the kinds of permissions they will need. Use the worksheets in the Advanced Server for OpenVMS Concepts and Planning Guide to help you prepare these lists.

When sharing a directory on a server, you specify the names of the users and groups who can access the shared directory by setting share permissions, and who can access the subdirectories and files in the share by setting file and directory access permissions. You can set different permissions for each subdirectory and file in the shared directory.

You can also set up auditing of each type of access and of specific files and directories.

To create a shared directory on the PATHWORKS Advanced Server, you must be logged on as a member of the Administrators or Server Operators group. When adding new shares, the associated OpenVMS directory must already exist.

If a directory to be shared does not exist, you must create it either on OpenVMS or remotely. To create a directory on the OpenVMS system, use the OpenVMS CREATE/DIRECTORY command.

4.4.1.2 Planning Share Permissions

To secure shared directories effectively, keep the following in mind:

The following table shows permissions available for shares and the actions available to users for each permission.

Table 4-6 Share Permissions
You can do the following.                                   No Access  Read Access  Change Access  Full Control
----------------------------------------------------------  ---------  -----------  -------------  ------------
Display subdirectory names and file names                              X            X              X
Display file data and attributes                                       X            X              X
Run program files                                                      X            X              X
Go to subdirectories of the directory                                  X            X              X
Create subdirectories and add files                                                 X              X
Change data in and append data to files                                             X              X
Change file attributes                                                              X              X
Delete subdirectories and files                                                     X              X
Change permissions (Windows NT files and directories only)                                         X
Take ownership (Windows NT files and directories only)                                             X

4.4.1.3 Creating a Share

You can share an existing OpenVMS directory. When you share a directory, you specify its location on the server, including the disk device and the directory name, and the name for the share.

To share a directory on a server:

Use the ADD SHARE/DIRECTORY command. For example:


LANDOFOZ\\TINMAN> ADD SHARE/DIRECTORY RAINBOW USER1:[SHARED] - 
_LANDOFOZ\\TINMAN> /HOST_ATTRIBUTES=(RMS_FORMAT=STREAM) 
%PWRK-S-SHAREADD, share "RAINBOW" added on server "TINMAN" 

This command adds a directory share named RAINBOW for the directory USER1:[SHARED]. Files created in this directory will be RMS stream-format files. Because the /PERMISSIONS qualifier is not included on the command line, the new share is available to all users.

4.4.1.4 Creating a Personal Share

When a server is upgraded from PATHWORKS V5 for OpenVMS (LAN Manager) to PATHWORKS for OpenVMS (Advanced Server), any V5 personal shares are upgraded and preserved as personal shares. You can also create a personal share for any user account in a server's OpenVMS user authorization file (UAF). A personal share allows you to share a user's OpenVMS login directory without including it in the list of shares that users can display.

A personal share points to the root directory of a user's OpenVMS account. For example, PATHWORKS Advanced Server user SCARECROW has a personal share that is mapped to the OpenVMS directory [STRAWMAN] on server TINMAN. If the administrator lists the personal shares on TINMAN, the following information appears:


LANDOFOZ\\TINMAN>SHOW SHARE/TYPE=PERSONAL 
 
Shared resources on server "TINMAN": 
 
Name          Type       Description 
------------  ---------  ---------------------------------------------- 
STRAWMAN      Personal   
 
  Total of 1 share 
 

STRAWMAN, the host mapped OpenVMS account, has a login directory defined in the UAF record; for example, DUA1:[000000]STRAWMAN.DIR, or DUA1:[STRAWMAN]. You can use the AUTHORIZE utility to see your server's UAF records. For example:


$ MCR AUTHORIZE 
UAF> SHOW STRAWMAN 
 
Username:     STRAWMAN              Owner: SYSTEM MANAGER 
Account:      SYSTEM                UIC:   [360,44] ([PCSA,STRAWMAN]) 
CLI:          DCL                   Table: DCLTABLES 
Default:      DUA1:[STRAWMAN] 
LGICMD:       LOGIN 
   . 
   . 
   . 

Note

A user with an OpenVMS user account on multiple servers in a domain may have a personal share associated with an account on each server.

When you install the PATHWORKS Advanced Server software on a new system, no personal shares are created by default. You can, however, explicitly create a personal share. Only users in the Administrators group can display and access all the personal shares on a server.

To create a personal share:

  1. Add a share using the ADD SHARE/PERSONAL command.
  2. Use the SHOW SHARES/TYPE=PERSONAL command to display the share. Include the /FULL qualifier to display the path and permissions. For example:


LANDOFOZ\\TINMAN> ADD SHARE GREATOZ USER1:[USERS] - 
_LANDOFOZ\\TINMAN> /PERSONAL/NOPERMISSIONS/PERMISSIONS=(LION=FULL) 
%PWRK-S-SHAREADD, share "GREATOZ" added on server "TINMAN" 
 
LANDOFOZ\\TINMAN> SHOW SHARES/TYPE=PERSONAL/FULL 
 
Shared resources on server "TINMAN": 
 
Name          Type       Description 
------------  ---------  ------------------------------------------ 
GREATOZ       Personal 
    Path: USER1:[USERS] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions: System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        LION                            Full Control 
     Total of 1 share 
 
LANDOFOZ\\TINMAN> 

Note

Users cannot specify personal shares in the UNC path when connecting to or listing resources. To access such a file or run an application from the personal share, users must specify the device name. You can remove this restriction by modifying the personal share, removing the personal share attribute from the share. To do this, remove the share and add it without the /PERSONAL qualifier.

4.4.1.5 Stopping Directory Sharing

You may need to stop sharing a directory when the directory is no longer being used and you want to delete it; for example, when a project requiring the use of shared files is completed. Advise users when you are planning to stop sharing a directory.

To stop sharing a directory:

Use the REMOVE SHARE command. For example:


$ ADMINISTER 
LANDOFOZ\\TINMAN> REMOVE SHARE RAINBOW/SERVER=TINMAN/NOCONFIRM 
%PWRK-S-SHAREREM, share "RAINBOW" removed from server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

This example removes the share named RAINBOW from the server named TINMAN; no confirmation is required. When you stop sharing a directory, the share name is removed from the share database and no longer appears on the list of available shares. The directory and its files are not deleted.

4.4.2 Displaying Information About Shares

You can display the shares provided by a server to see which shares are available to the network. Before sharing a new directory from the server, first check which shares are currently available. To display the shared directories for your server, use the SHOW SHARES command. For example:


LANDOFOZ\\TINMAN> SHOW SHARES 
 
Shared resources on server "TINMAN": 
 
Name          Type       Description 
------------  ---------  --------------------------------------- 
NETLOGON      Directory  Logon Scripts Directory 
PWLIC         Directory  PATHWORKS Client License Software 
PWLICENSE     Directory  PATHWORKS Client License Software 
PWUTIL        Directory  PATHWORKS Client-based Utilities 
USERS         Directory  Users Directory 
 
  Total of 5 shares 
 
LANDOFOZ\\TINMAN> 

Administrative shares (those that end with $) are displayed if you use the SHOW SHARES/HIDDEN command.

To display share permissions:

Use the SHOW SHARES command with the /FULL qualifier. This command displays the PATHWORKS Advanced Server permissions on the share as well as the OpenVMS protections set for the directories and files created under the share. For example:


LANDOFOZ\\TINMAN> SHOW SHARES/FULL 
Shared resources on server "TINMAN": 
Name          Type       Description 
------------  ---------  -------------------------------------------------- 
DICK          Printer    Dick's print share 
    Path: DICK 
    Connections:  Current: 0, Maximum: No limit 
    Share Permissions: 
        Everyone                        Full Control 
        LION                            Manage Documents 
NETLOGON      Directory  Logon Scripts Directory 
    Path: PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions:System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        Everyone                        Read 
PATHWORKS     Directory  
    Path: SYS$COMMON:[PATHWORKS] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions:System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        Everyone                        Full Control 
PWLIC         Directory  PATHWORKS Client License Software 
    Path: PWRK$LMROOT:[LANMAN.SHARES.LICENSE] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions:System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        Administrators                  Full Control 
        Everyone                        Read 
PWLICENSE     Directory  PATHWORKS Client License Software 
    Path: PWRK$LMROOT:[LANMAN.SHARES.LICENSE] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions:System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        Administrators                  Full Control 
        Everyone                        Read 
PWUTIL        Directory  PATHWORKS Client-based Utilities 
    Path: PWRK$LMROOT:[LANMAN.SHARES.WIN] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions:System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        Everyone                        Read 
USERS         Directory  Users Directory 
    Path: PWRK$LMROOT:[LANMAN.ACCOUNTS.USERDIRS] 
    Connections:  Current: 0, Maximum: No limit 
    RMS file format: Stream 
    Directory Permissions:System: RWED, Owner: RWED, Group: RWED, World: RE 
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R 
    Share Permissions: 
        Everyone                        Full Control 
 
  Total of 7 shares 
 
LANDOFOZ\\TINMAN> 
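
An added example (not from the guide): a Python parser for the SHOW SHARES/FULL listing shown above that reports directory and personal shares on which Everyone holds a write-capable share permission, as PATHWORKS and USERS do in that listing. The function names and the "Change" display label are assumptions; the sample is abridged from the output above.

```python
import re

# Constructed sample: abridged from the SHOW SHARES/FULL output on this page.
SAMPLE = r"""LANDOFOZ\\TINMAN> SHOW SHARES/FULL
Name          Type       Description
------------  ---------  ------------------------------
DICK          Printer    Dick's print share
    Path: DICK
    Share Permissions:
        Everyone                        Full Control
NETLOGON      Directory  Logon Scripts Directory
    Path: PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS]
    Connections:  Current: 0, Maximum: No limit
    Share Permissions:
        Everyone                        Read
PWLIC         Directory  PATHWORKS Client License Software
    Path: PWRK$LMROOT:[LANMAN.SHARES.LICENSE]
    Share Permissions:
        Administrators                  Full Control
        Everyone                        Read
USERS         Directory  Users Directory
    Path: PWRK$LMROOT:[LANMAN.ACCOUNTS.USERDIRS]
    Share Permissions:
        Everyone                        Full Control
  Total of 4 shares
"""

HEADER = re.compile(r"^(\S+)\s+(Directory|Printer|Personal)\b\s*(.*)$")
GRANT = re.compile(r"^\s+(\S.*?)\s{2,}(\S.*?)\s*$")  # trustee, permission
WRITE_CAPABLE = {"Full Control", "Change"}  # "Change" label is an assumption

def parse_shares(text):
    """Return one dict per share: name, type, path, grants{trustee: perm}."""
    shares, cur, in_perms = [], None, False
    for line in text.splitlines():
        m, body = HEADER.match(line), line.strip()
        if m:
            cur = {"name": m[1], "type": m[2], "path": None, "grants": {}}
            shares.append(cur)
            in_perms = False
        elif cur is None:
            continue  # prompt and banner lines before the first share
        elif body.startswith("Path:"):
            cur["path"] = body[5:].strip()
        elif body == "Share Permissions:":
            in_perms = True
        elif in_perms and (g := GRANT.match(line)):
            cur["grants"][g[1]] = g[2]
        elif body:
            in_perms = False  # e.g. the "Total of N shares" trailer
    return shares

def open_to_everyone(shares):
    """Directory/personal shares where Everyone holds a write-capable grant."""
    return [(s["name"], s["path"], s["grants"]["Everyone"]) for s in shares
            if s["type"] != "Printer" and s["grants"].get("Everyone") in WRITE_CAPABLE]

if __name__ == "__main__":
    print(open_to_everyone(parse_shares(SAMPLE)))
```

On a flagged share the share permission is no barrier, so the file and directory permissions set with SET FILE/PERMISSIONS are the only control on what connected users can do.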

4.4.3 Changing Share Properties

You can change share properties, including:

To change the properties of a shared directory, you must be logged on as a member of the Administrators or Server Operators group.

To modify directory permissions for a group or user:

Use the MODIFY SHARE/PERMISSIONS command. For example, to add permissions on an existing directory share called GREATOZ and to grant READ access to the user SCARECROW, enter the following command:


LANDOFOZ\\TINMAN> MODIFY SHARE GREATOZ/PERMISSIONS=(SCARECROW=READ) 
%PWRK-S-SHAREMOD, share "GREATOZ" modified on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

4.4.4 Planning File and Directory Access Permissions

Users and groups can be granted or denied access to specific files and subdirectories in a shared directory. A user denied access to a file or directory, either individually or as a member of a group, can connect to the share but cannot perform any operations with the files and directories in the share. You can grant specific unique access permissions for files and directories in shares that users can access. Once a user connects to the resource, the file and directory access permissions control the operations that the user can perform. For more information about specifying share permissions, see Section 4.4.1.2, Planning Share Permissions.

You can enable users to set access permissions on their own resources. These users can then control whether other users can read, write, or modify files in that directory. To enable users to set access permissions, give them full control using the SET FILE command.

For each shared directory and shared print queue resource on a server and for each user and group, you, as the Administrator, must make these decisions about access permissions:

Note

Administratively, it is easier to use group permissions than user permissions to grant access.

4.4.4.1 Setting Permissions on a File or Directory

By default, anyone with a valid PATHWORKS Advanced Server user name and password can log on to a server and connect to a share on that server. However, a user must have the requisite permissions to access the directories and files in the share. You use the SET FILE/PERMISSIONS command to set permissions on a shared directory. You may need to change access permissions if users cannot access the directories or files they need, or if unauthorized users can access them. A file or directory that does not have explicit permissions inherits the permissions set on its parent directory.

Permissions for disk resources are stored on the disk with each resource as an OpenVMS Access Control List (ACL). Thus, resource permissions are backed up by the OpenVMS BACKUP utility.

4.4.4.2 Inheriting Permissions

As you create subdirectories and files in shared directories that have existing permissions, those permissions are automatically propagated to the new subdirectories and files. However, if you decide to share a directory that contains existing subdirectories and files, the permissions you assign to the new share are not propagated to its subdirectories and files. You can either explicitly set permissions for each subdirectory and file, or allow permissions to be propagated to the existing subdirectories and files.

4.4.5 Specifying File and Directory Access Permissions

When sharing a directory on a server, you specify the name of the groups and users who can access the share, its subdirectories, and its files, and the permissions each group or user has for the share. After the share has been created, you can modify the permissions on the share, as described in this section.

To set file and directory access permissions:

Use the SET FILE/PERMISSIONS command.

For example, the following command specifies the following access permissions for all files with the .C extension in the directory CURTAIN in share GREATOZ:


LANDOFOZ\\TINMAN> SET FILE GREATOZ\CURTAIN\*.C - 
_LANDOFOZ\\TINMAN> MUNCHKINS/PERMISSIONS=READ - 
_LANDOFOZ\\TINMAN> SCARECROW/PERMISSIONS=FULL_CONTROL 
%PWRK-S-FILEMOD, "GREATOZ\CURTAIN\FILE1.C" modified on server "TINMAN" 
 
%PWRK-S-FILESMODIFIED, total of 1 file modified 
 
LANDOFOZ\\TINMAN> 

4.4.5.1 Directory Access Permissions

The following table lists the permissions you can specify for a directory using the SET FILE/PERMISSIONS command.

Table 4-7 Directory Access Permissions
Directory Access Permission  Description
---------------------------  -----------
ADD                          Allows adding files and subdirectories to a directory. Disallows access to files unless granted by other directory or file permissions.
ADD_AND_READ                 Allows viewing file names and subdirectory names, changing to the directory's subdirectories, viewing data in files, running applications, and adding files and subdirectories to the directory.
CHANGE                       Allows viewing file names and subdirectory names, changing to the directory's subdirectories, viewing data in files, running applications, adding files and subdirectories to the directory, changing data in files, and deleting the directory and its files.
FULL_CONTROL                 Allows viewing file names and subdirectory names, changing to the directory's subdirectories, viewing data in files, running applications, adding files and subdirectories to the directory, changing data in files, deleting the directory and its files, changing permissions on the directory and its files, and taking ownership of the directory and its files.
LIST                         Allows viewing file names and subdirectory names, and changing to the directory's subdirectories. Disallows access to files unless granted by other directory or file permissions.
NONE                         Prevents any access to the directory or any of its files. Use this permission to exclude individual users from access despite their group memberships. For example, if you assign read and write permissions to a group, you can exclude a specific user in that group by assigning that user the NONE access permission.
READ                         Allows a user to read or open files, to change directories, and to run applications.

For a user at a DOS client to execute a program file (with a .COM, .EXE, or .BAT extension), the user must have READ permission for both the file and the directory containing it.

Directory-Specific Access Permissions  Description
-------------------------------------  -----------
DIRECTORY_SPECIFIC=(access)            Grants specific access rights to the directory; access can be one or more of the following:

    When access specified is...  The user can...
    ---------------------------  ---------------
    CHANGE_PERMISSIONS           Change directory permissions.
    DELETE                       Delete the directory.
    EXECUTE                      Change to subdirectories in the directory.
    FULL                         Have all access permissions. Overrides all other access permissions.
    READ                         View the names of files and subdirectories.
    TAKE_OWNERSHIP               Take ownership of the directory.
    WRITE                        Add files and subdirectories.

File-Specific Access Permissions       Description
-------------------------------------  -----------
FILE_SPECIFIC=(access)                 Grants specific access rights to the files in the directory; access can be one or more of the following:

    When access specified is...  The user...
    ---------------------------  -----------
    CHANGE_PERMISSIONS           Can change file permissions.
    DELETE                       Can delete the file.
    EXECUTE                      Can run the application, if the file is a program file.
    FULL                         Has complete access to the file and its data.
    NOT_SPECIFIED                Has no file-specific access permission. (Cannot be used with any other access permission.)
    READ                         Can view the file's data.
    TAKE_OWNERSHIP               Can take ownership of the file.
    WRITE                        Can change the file's data.

