Operating System - OpenVMS

Propagating ACLs To New Files

Robert Atkinson
Respected Contributor

Propagating ACLs To New Files

I'd like to know how to propagate an ACL onto any new files created in a particular directory.

Consider this scenario.

Directory is owned by SYSTEM
ACL on directory grants user 'X' Read+Write
File A.B is created by SYSTEM with default protection of (G:R,W:R)
User 'X' needs Read+Write+Delete access to file A.B by default (i.e. without issuing a separate SET SECURITY command).

Thanks, Rob.
7 REPLIES
Robert Gezelter
Honored Contributor

Re: Propagating ACLs To New Files

Rob,

You want to create ACEs in the directory's Access Control List that specify DEFAULT access.

I have to keep this short now, but I will post again shortly.

- Bob Gezelter, http://www.rlgsc.com
Robert Atkinson
Respected Contributor

Re: Propagating ACLs To New Files

I tried that with something like :-

/ACL=(IDENT=USERX,DEFAULT_PROTECTION,ACCESS=READ+WRITE+DELETE)

...but got an error back. I guess the syntax is wrong somewhere.

Rob.
Karl Rohwedder
Honored Contributor
Solution

Re: Propagating ACLs To New Files

Rob,

You set up an ACE on the parent directory file with option DEFAULT, e.g.

$ Set Acl /Object=File -
/Acl=(Ident=USER_X,Access=R+W+D,Option=Default)-
DIREC.DIR

so every file created in DIREC gets this ACE.

It is also possible to specify a default protection schema like:

$ Set Acl /Object=File -
/Acl=(DEFAULT_PROTECTION,-
SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE,-
OPTIONS=DEFAULT)

Please note that files which already exist in the directory will not get the ACE; it should be entered manually.

regards Kalle
Robert Atkinson
Respected Contributor

Re: Propagating ACLs To New Files

Cheers Karl - just what I was looking for.

Rob.
Robert Gezelter
Honored Contributor

Re: Propagating ACLs To New Files

Rob,

Sorry for the delay. I was attending to something urgent.

The following test case illustrates what I believe was requested in the post:

$ CREATE/DIRECTORY [.TEMP]

Using EDIT/ACL, add an ACE to the ACL as follows:
(IDENTIFIER=[1,1],OPTION=DEFAULT,ACCESS=READ)

(I freely admit that this is a nonsense example, but it does convey the point.)

Now, do:

$ COPY NL: [.TEMP]X.X
$ DIRECTORY/ACL [.TEMP]X.X

And the ACL will be correctly defaulted on [.TEMP]X.X

Information on the ACLs and ACEs is, among other places, in Chapter 1 of the "System Utilities Reference Manual", available from the OpenVMS www site at http://www.hp.com/go/openvms

I hope that the above is helpful.

- Bob Gezelter, http://www.rlgsc.com
John Travell
Valued Contributor

Re: Propagating ACLs To New Files

These days should this not be:
$ set security/acl[=(ace[,...])] object-name

JT:
Jan van den Ende
Honored Contributor

Re: Propagating ACLs To New Files

From Kalle:

>>>
Please note that files which already exist in the directory will not get the ACE; it should be entered manually.
<<<

For completeness:
$ SET ACL/DEFAULT [.dirspec]*.*.*
is all that needs done "manually"

There is also SET SECURITY, but that also affects ownership & default protection. Of course, that might well be what you wish.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.