Shrloc,
First, if these three nodes are in a single VMS cluster, the suggestion to "Mount the disk /NOWRITE on the development machine" will not work if the disk is mounted for write access on another node in the cluster.
If you try, you will get the following message:
%MOUNT-F-INCONWRITE, inconsistent /(NO)WRITE option. Cluster mounted /WRITE
------------------
As said by others, all members of a single VMSCluster should share the same SYSUAF and RIGHTSLIST files (actually many more files should be shared; if you have a common system disk that is the default condition). While you can get it to "work" with multiple files, there are many opportunities for security problems. And there is little benefit to be gained by separate SYSUAF and RIGHTSLIST files.
The cluster is the security domain. There is no way to contain privileges to a single node. You may have the illusion of granting privilege on a single node of a cluster, but you will be fooling yourself.
What did you mean by "the Manager who created it did not use ACL or bother to establish unique UICs."? If multiple users have the same UIC, they will be treated identically from an object protection standpoint. When you have multiple SYSUAF files, coordinating them becomes much more work than it is worth.
If your developers need privilege, and you want to make it impossible for them to affect production, then they should not be in the same cluster. In that case, pull the third node out of the cluster and use DECnet or FTP to copy the files between the two security domains.
That said, for many environments, development can be done within the same cluster as production.
John Gillings warned about READALL being an class ALL privilege. That used to be true, but I don't believe READALL privilege is as dangerous as it used to be, I don't believe it still implies CONTROL privilege. At least I am not able to modify protection on a file owned by another user from a process with only TMPMBX, NETMBX and READALL privilege. (VMS 8.3 Alpha)
READALL does not give any special ability to restore files that I can find. If someone has an example of a READALL granting write or control access to files, please provide an example. It does allow the backup dates to be written (at least by backup when the backup/record operation is used). I was not able to modify the backup date of a file owned by another user using DFU set file/backup=
when my process had only READALL.
Here's what the latest OpenVMS Version 7.3-2 (2003) security manual says:
-----------------------------
READALL Privilege (Objects)
The READALL privilege lets the process bypass existing restrictions that would otherwise prevent the process from reading an object. However, unlike the BYPASS privilege, which permits writing and deleting, READALL permits only the reading of objects and allows updating of such backup-related file characteristics as the backup date. See the HP OpenVMS System Management Utilities Reference Manual and the HP OpenVMS System Manager's Manual for a discussion of backup operations.
READALL is intended to be an adequate privilege for backing up volumes, so grant this privilege to operators so they can perform system backups.
-----------------------------
But there is no reason or need to give developers READALL privilege. Create an identifier, for example DEVELOPER, and then grant READ access to the directories you want the developers to have read-only access to with an ACL. Then grant the DEVELOPER identifier to the developers.
Hoff, Andy Bustamante, Jan van den Ende and John Gillings had good info.
Heed the advice to read the fine manuals.
http://h71000.www7.hp.com/doc/731final/6489/6489pro.html OpenVMS User's Manual
http://h71000.www7.hp.com/doc/82final/aa-pv5mj-tk/aa-pv5mj-tk.html HP OpenVMS System Manager's Manual, Volume 1: Essentials
http://h71000.www7.hp.com/doc/732final/aa-q2hlg-te/aa-q2hlg-te.html HP OpenVMS Guide to System Security
Jon
P.S. see attachment for an example of a possible way to set up a directory that can be updated by an otherwise non-privileged user that has a resource identifier PROD_REL granted (with the RESOURCE attribute). The files will be readable for process that is granted the DEVELOPER identifier.
it depends
