HPE Community
Operating System - OpenVMS
1827788 Members
2606 Online
109969 Solutions
New Discussion

Re: RIGHTS and OWNERS

 
SOLVED
Go to solution
Clayton_12
Frequent Advisor

‎01-26-2006 03:44 AM

‎01-26-2006 03:44 AM

RIGHTS and OWNERS

I have a user user1 with files . Every now and then she gives world access r access by command
set protection w:r filname

NOw another person user2 is managing the files and gets the error
insufficient privilege or object protection violation when she tries to set the protection

The users do share a common identifier dataac which has RWED to the files.

I tried changing the owner of the files to the identifier dataac. Still no go.
USER 2 can do the command on new files she creates but not on files owned by user1 even though the ACL has DATAaC with RWED priviledges.

How can I set up so user2 can set protewction on user1 files

and vice versa?

Thx
CLayton



0 Kudos
Reply
5 REPLIES 5
Uwe Zessin
Honored Contributor

‎01-26-2006 04:18 AM

‎01-26-2006 04:18 AM

Re: RIGHTS and OWNERS

Use 'ressource identifiers'. Those are identifiers which have the 'ressource' attribute and are granted to a user. The files / directories are 'owned' by the identifier.
.
0 Kudos
Reply
Jan van den Ende
Honored Contributor

‎01-26-2006 04:56 AM

‎01-26-2006 04:56 AM

Solution

Re: RIGHTS and OWNERS

Clayton,

if you want USER2 to be able to change the settings of files owned by USER1 you NEED to use ACL, and give CONTROL access.
Since they already both hold the same identifier DATAAC, you can also give CONTROL access to DATAAC. (if no other users, that are not to have that permission, hold the ident).
Probably best also set an ACL on the .DIR file specifying CONTROL, with OPTION=DEFAULT so any files created in that dir automagically get the ACL too.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Reply
Joseph Huber_1
Honored Contributor

‎01-26-2006 05:02 AM

‎01-26-2006 05:02 AM

Re: RIGHTS and OWNERS

Yes, make the whole directory tree owned by a resource identifier, and grant the identifier to all users assigned to work on the files.
In AUTHORIZE:
add/ident/attr=resource identifer
grant/ident/attr=resource identifier user

To set the correct protections via ACLs is done with a procedure like the one attached:
@add_group_acl identifier

http://www.mpp.mpg.de/~huber
0 Kudos
Reply
Jan van den Ende
Honored Contributor

‎01-26-2006 05:17 AM

‎01-26-2006 05:17 AM

Re: RIGHTS and OWNERS

Yes,

depending exactly on WHAT you want to achieve HOW, the idea of resource identifiers might be a good idea as well.
You loose the individual file ownership, which is probably no issue (guesed by the nature of the question),
Anyway, then upon file creation it automatically gets an ACL which names the creator, and sets the normal OWNER permissions to the creator.

By the way, if the only intention of the original question is that all files in that directory become World accessable, whoever created them, then there is also the possibility of giving the .DIR file a DEFAULT_PROTECTION ACE.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
John Gillings
Honored Contributor

‎01-26-2006 11:40 AM

‎01-26-2006 11:40 AM

Re: RIGHTS and OWNERS

Clayton,
To access a file, you need to access all the directories down the tree. Minimum access for the directory files would be W:E (this grants access to a file with a known name within the directory).

Use auditing to determine where the protection violation is occuring:

$ REPLY/ENABLE=SECURITY
$ SET AUDIT/ALARM/ENABLE=FILE=FAIL=ALL

Now have your user attempt to access the file. The resulting audit message should tell you exactly what's going wrong.
A crucible of informative mistakes
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.