HPE Community
Operating System - OpenVMS
1753451 Members
5819 Online
108794 Solutions
New Discussion юеВ

Re: VMS/VAX User permissions

 
Rey Cuevas
New Member

тАО02-13-2008 12:07 AM

тАО02-13-2008 12:07 AM

VMS/VAX User permissions

What is the command to view a users permissions? What is the command to change a users permissions?
0 Kudos
Reply
3 REPLIES 3
Karl Rohwedder
Honored Contributor

тАО02-13-2008 12:18 AM

тАО02-13-2008 12:18 AM

Re: VMS/VAX User permissions

This seems to be a simple questions, but what does 'permissions' mean?
Assuming 'permissions' means access to files:
- you check the security settings of a file with 'DIR file/SECURITY', which shows the classic UIC-based security as well as optional ACL's
- you must then match this with the user's profile (SHOW PROCESS [/RIGHTS/PRIV]
- to change you can either change the file (SET FILE) or the user (e.g. grant additional identifiers)

I recommend reading some VMS documentation to get accustomed to VMS' security model (Guide to system security as a starter).

regards Kalle
Reply
Robert Gezelter
Honored Contributor

тАО02-13-2008 03:34 AM

тАО02-13-2008 03:34 AM

Re: VMS/VAX User permissions

Rey

I wholeheartedly agree with Karl.

To display the identifiers currently held by a process, the command is SHOW PROCESS/RIGHTS. To display the Access Control List and other protection information about a file, DIRECTORY/SECURITY.

Changing the protection generally requires the use of the SET SECURITY command, which has numerous qualifiers. Granting another identifier to a user involves using the AUTHORIZE utility.

The are also some other, less common ways to use the security identifier system. As does Karl, I strongly recommend a reading of the OpenVMS Guide to System Security, which is available from HP's OpenVMS www site at http://www.hp.com/go/openvms .

There are other sources that describe the OpenVMS security system, but the guide is the basis of most of them (including the chapter I wrote for the Handbook of Information Security, see brochure at http://www.rlgsc.com/hinfosec/hinfosec.html ).

- Bob Gezelter, http://www.rlgsc.com
Reply
Richard W Hunt
Valued Contributor

тАО10-20-2008 09:20 AM

тАО10-20-2008 09:20 AM

Re: VMS/VAX User permissions

Here is the problem: You are asking this question from the wrong end if you use the traditional meaning of "permissions."

The OpenVMS security reference monitor uses the actor:action:object model.

The user is usually the "actor" and the things on which that user operations are the "objects." The problem with your question is that permissions, in the traditional sense of the word, are NOT actor properties, they are object properties. As such, they differ from object to object (possibly even within the same folder.)

The permissions associated with an OBJECT include the tradition "System, Owner, Group, World" categorization plus Access Control Lists. The only attribute normally associated with the user is a privilege that would allow some level of altering or even bypassing security.

Therefore, the command to view a user's permissions depends on what the user is doing. Correspondingly, the command to change a user's permissions depends on what and how you want to change.

The code is way too long to publish and involves things that I cannot publish without government permission first, but I have a program to answer your question, writting partly in basic and partly in DCL as a scaffold.

When this beast runs, it takes not less than 15 minutes to gather the data and not less than 2 hours to produce the statistical summary report for a system with about 80 small disks and about 800 users. On an Alpha ES40 with 4 CPUs and idle most of the time, with fiber-channel disk connections (KGPSA) and high-speed, fast-rotating disks so latency is rarely an issue. So it is not a trivial problem.

I would consider re-thinking your question to better determine what questions you wish to ask. Perhaps then you could re-frame the question to be more directed to your goals.
Sr. Systems Janitor
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.