Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

VMS/VAX User permissions

Rey Cuevas
Occasional Visitor

VMS/VAX User permissions

What is the command to view a users permissions? What is the command to change a users permissions?
3 REPLIES
Karl Rohwedder
Honored Contributor

Re: VMS/VAX User permissions

This seems to be a simple questions, but what does 'permissions' mean?
Assuming 'permissions' means access to files:
- you check the security settings of a file with 'DIR file/SECURITY', which shows the classic UIC-based security as well as optional ACL's
- you must then match this with the user's profile (SHOW PROCESS [/RIGHTS/PRIV]
- to change you can either change the file (SET FILE) or the user (e.g. grant additional identifiers)

I recommend reading some VMS documentation to get accustomed to VMS' security model (Guide to system security as a starter).

regards Kalle
Robert Gezelter
Honored Contributor

Re: VMS/VAX User permissions

Rey

I wholeheartedly agree with Karl.

To display the identifiers currently held by a process, the command is SHOW PROCESS/RIGHTS. To display the Access Control List and other protection information about a file, DIRECTORY/SECURITY.

Changing the protection generally requires the use of the SET SECURITY command, which has numerous qualifiers. Granting another identifier to a user involves using the AUTHORIZE utility.

The are also some other, less common ways to use the security identifier system. As does Karl, I strongly recommend a reading of the OpenVMS Guide to System Security, which is available from HP's OpenVMS www site at http://www.hp.com/go/openvms .

There are other sources that describe the OpenVMS security system, but the guide is the basis of most of them (including the chapter I wrote for the Handbook of Information Security, see brochure at http://www.rlgsc.com/hinfosec/hinfosec.html ).

- Bob Gezelter, http://www.rlgsc.com
Richard W Hunt
Valued Contributor

Re: VMS/VAX User permissions

Here is the problem: You are asking this question from the wrong end if you use the traditional meaning of "permissions."

The OpenVMS security reference monitor uses the actor:action:object model.

The user is usually the "actor" and the things on which that user operations are the "objects." The problem with your question is that permissions, in the traditional sense of the word, are NOT actor properties, they are object properties. As such, they differ from object to object (possibly even within the same folder.)

The permissions associated with an OBJECT include the tradition "System, Owner, Group, World" categorization plus Access Control Lists. The only attribute normally associated with the user is a privilege that would allow some level of altering or even bypassing security.

Therefore, the command to view a user's permissions depends on what the user is doing. Correspondingly, the command to change a user's permissions depends on what and how you want to change.

The code is way too long to publish and involves things that I cannot publish without government permission first, but I have a program to answer your question, writting partly in basic and partly in DCL as a scaffold.

When this beast runs, it takes not less than 15 minutes to gather the data and not less than 2 hours to produce the statistical summary report for a system with about 80 small disks and about 800 users. On an Alpha ES40 with 4 CPUs and idle most of the time, with fiber-channel disk connections (KGPSA) and high-speed, fast-rotating disks so latency is rarely an issue. So it is not a trivial problem.

I would consider re-thinking your question to better determine what questions you wish to ask. Perhaps then you could re-frame the question to be more directed to your goals.
Sr. Systems Janitor