Re: Advance Server ACL Protection Policy
11-02-2007 01:56 AM
From the VMS side, I'm going to make the individual users the owners of the directories and files.
So that PWRK can access the data, I've set an ACL on the directories as :-
(IDENTIFIER=[PWRK$DEFAULT],ACCESS=READ+WRITE+EXECUTE)
The issue I can see is that when PWRK creates a file from the Windows side, it will be the owner, so the user won't be able to control the file.
What I'm looking for is a working example of how to set this sort of security up.
Thanks, Rob.
11-02-2007 02:04 AM
Re: Advance Server ACL Protection Policy
Do you have a corresponding VMS user for each Windows user, or are you using hostmaps?
regards Kalle
11-02-2007 02:15 AM
Re: Advance Server ACL Protection Policy
- VMS is PDC in domain DS10
- VMS user: KALLE, Domain user KALLE
- no hostmap
creating a test file leads to PWRK$DEFAULT as owner
- adding a hostmap: addhostmap kalle kalle
creating a test file leads to KALLE as owner
regards Kalle
11-02-2007 02:19 AM
Re: Advance Server ACL Protection Policy
Rob.
11-03-2007 01:27 AM
Re: Advance Server ACL Protection Policy
As Karl said, hostmaps should do what you want. It's been a while for me, but some high level things that might help you understand what's going on:
Two relevant types of Account Mapping:
Implicit mapping is the default but it is configurable. Implicit host mapping is established when there is an exact match between the Windows NT user name and the OpenVMS user name. This behavior is controlled by the Registry parameter HOSTMAPUSEVMSNAMES. Implicit mapping takes the lowest precedence.
Explicit mapping takes the highest precedence and occurs when you specifically set a hostmap using the ADMINISTER command ADD HOSTMAP:
$ ADMIN ADD HOSTMAP
These are the relationships that are stored in the LSA database. If I recall correctly, there is a pre-defined explicit mapping of Guest to PWRK$GUEST. The use of explicit hostmaps is controlled by the parameter HOSTMAPUSEDATABASE in the Registry.
If there is no explicit setting and no implicit match, then the HOSTMAPDEFAULT registry parameter takes effect. The default setting for that parameter indicates that the OpenVMS user account PWRK$DEFAULT is used.
I think there are other registry parameters that allow you to fine tune all of this. I know there is one or more related to trusts and which domains you allow implicit maps from.
This is a high level synopsis. It's been 5 years now since I was the project leader for Advanced Server Engineering. I make no promises that I've remembered this stuff completely or accurately. In other words, it might be a good idea to find the documentation that talks about this stuff and read up on it before you go much further.
And of course, if you have more questions, ask away...
Best Regards,
Brad McCusker
Software Concepts International
www.sciinc.com
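The mapping precedence Brad describes (explicit hostmap first, then an implicit exact-name match, then HOSTMAPDEFAULT), as an added Python illustration written for this page rather than Advanced Server's own code; the registry parameter names are the ones from his post, while their value encodings, the case-folding of user names and the sample domain are assumptions. It also answers Rob's ownership concern by reporting which Windows users would have their files owned by the shared PWRK$DEFAULT account.

```python
"""Resolve the OpenVMS account an Advanced Server (PWRK) session maps a
Windows user to, following the precedence described in the thread:
explicit hostmap > implicit exact-name match > HOSTMAPDEFAULT.
Illustration only; not Advanced Server's own code."""

from dataclasses import dataclass, field

PWRK_DEFAULT = "PWRK$DEFAULT"


@dataclass
class Registry:
    # Parameter names from the thread; the boolean/string encoding is assumed.
    HOSTMAPUSEDATABASE: bool = True      # honour explicit hostmaps (LSA database)
    HOSTMAPUSEVMSNAMES: bool = True      # honour implicit exact-name matches
    HOSTMAPDEFAULT: str = PWRK_DEFAULT   # fallback OpenVMS account


@dataclass
class ServerConfig:
    registry: Registry = field(default_factory=Registry)
    # Explicit hostmaps as set by "ADMIN ADD HOSTMAP" (Windows -> OpenVMS);
    # Guest -> PWRK$GUEST is the pre-defined one Brad mentions.
    hostmaps: dict = field(default_factory=lambda: {"GUEST": "PWRK$GUEST"})
    vms_users: set = field(default_factory=set)   # SYSUAF usernames


def resolve(cfg, windows_user):
    """Return (openvms_account, how) for a Windows user name.
    Assumption: names are compared case-insensitively (OpenVMS usernames
    are upper case; Kalle's test used lower-case 'kalle')."""
    name = windows_user.upper()
    if cfg.registry.HOSTMAPUSEDATABASE and name in cfg.hostmaps:
        return cfg.hostmaps[name], "explicit"
    if cfg.registry.HOSTMAPUSEVMSNAMES and name in cfg.vms_users:
        return name, "implicit"
    return cfg.registry.HOSTMAPDEFAULT, "default"


def shared_owner_report(cfg, windows_users):
    """Rob's concern: a file created through the server is owned by the mapped
    account.  List the Windows users whose files would end up owned by the
    shared fallback account, where per-user ownership is lost."""
    return sorted(u for u in windows_users
                  if resolve(cfg, u)[0] == cfg.registry.HOSTMAPDEFAULT)


if __name__ == "__main__":
    # Constructed sample domain modelled on Kalle's test (domain DS10).
    cfg = ServerConfig(vms_users={"KALLE", "ROBERT", "SYSTEM"})
    for u in ("kalle", "Guest", "rob"):
        print(u, "->", resolve(cfg, u))
    print("owned by", PWRK_DEFAULT, ":", shared_owner_report(cfg, ["kalle", "rob"]))
```

Adding `cfg.hostmaps["ROB"] = "ROBERT"` (the equivalent of `ADMIN ADD HOSTMAP`) moves `rob` from the default to an explicit mapping, which is the fix Kalle demonstrated.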
11-05-2007 12:11 AM
Re: Advance Server ACL Protection Policy
Assuming I'm going to use hostmapping, and the files will be owned and created by the end user, do I need to give PWRK$DEFAULT access to the directories, or does PWRK run with SYSPRV/BYPASS?
If PWRK does need a specific ACL, what's the best way to ensure this is propagated down to new files/directories?
Thanks, Rob.
11-05-2007 02:25 AM
Re: Advance Server ACL Protection Policy
The LMSRV process runs with a lot of privs, including BYPASS.
regards Kalle
11-05-2007 02:38 AM
Re: Advance Server ACL Protection Policy
Directory OPS$DATA:[000000]
ROBERT.DIR;1 65/725 20-MAR-2001 09:30:51.03 [SYSOPER,RAA] (RWE,RWE,E,)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)
Directory OPS$DATA:[ROBERT]
AA.DIR;1 1/145 5-NOV-2007 13:38:21.95 [SYSOPER,RAA] (RWED,RWED,RWED,RE)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)
Directory OPS$DATA:[ROBERT.AA]
BB.DIR;1 1/145 5-NOV-2007 13:40:16.77 [SYSOPER,RAA] (RWED,RWED,RWED,RE)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)
BB__2ETXT.TXT;1 0/0 5-NOV-2007 13:40:23.17 [SYSOPER,RAA] (RWE,RWE,E,)
Files are being created with the correct default protection from the ACL, but directories are created with the system default protection.
I have something niggling in the back of my mind that says there's a special keyword to do ACL protection on directories?
Rob.
11-05-2007 03:42 AM
11-05-2007 08:07 AM
Re: Advance Server ACL Protection Policy
BYPASS isn't needed because the PWRKS ACEs grant/restrict access from the Adv.Server side. It's no different than setting any other ACE granting specific access to one user (or rights-holder) on an otherwise restricted resource, but the ACE does have specific requirements that are best left up to ADMIN.
The Security Model you select in "ADMIN/CONFIG -> Advanced..." will determine whether or not the other RMS protections are to be considered by the Adv.Server side.
If you use "Advanced Server only" then just the PWRK ACE is used by your Windows clients. I always set Windows' access protection from ADMIN, and VMS/RMS protection from the VMS side, and I don't tinker with one side from the other.
File ownership is seen differently from Windows than from VMS if the "AS only" model is used. AS uses hostmaps to "understand" file ownership for a file with no PWRKS ACE (among other things.)
Using the "Advanced Server and OpenVMS" model adds unnecessary complications (IMHO.)