HP 3000 Manuals HP 3000 Manuals
Chapter 4 Protecting Your Files with Capabilities, File Access
Restrictions and Lockwords
File System Security Features
The account structure contains three important, standard file system
security features: capabilities, file access restrictions, and
lockwords.
The recommended file system security feature, "Access Control
Definitions," is described in a previous chapter.
Capabilities
A variety of people use HP 3000 Computer Systems. They range from those
who use the system only to run simple application programs to system
programmers who modify MPE/iX. The user who runs application programs,
for example, needs only to be able to log on, run a particular program or
set of programs, and log off. A system programmer, on the other hand,
needs access to special system functions.
Capabilities are used to control access to parts of the system. In order
to create permanent files, for example, a user must have Save Files
Permanently (SF) capability. To create a session on another terminal
from within a session, a user must have Programmatic Sessions (PS)
capability. Refer to Table 4-1 for a list of all capabilities and
their standard abbreviations, later in this chapter. Refer to appendix A
for a complete description of each capability.
Account, Group, and User Capabilities
Account capabilities are the capabilities available to account users and
groups. Group capabilities are the subset of account capabilities
available to users logged on to a group and to files within the group.
Notice, in Table 4-1 , that only a subset of the capabilities applies
to groups. User capabilities are the subset of account capabilities
available to a particular user. When a user issues an MPE command or an
intrinsic call, the system checks the user's account, group, and user
capabilities against those required for the command or intrinsic.
Files also have capabilities, especially program files. For example, a
user does not need privileged mode (PM) capability to run a privileged
mode program, but the program itself must have PM capability and the
group in which the program file resides must have PM capability.
Listing Capabilities
NOTE If the password is encrypted, the commands LISTUSER, LISTGROUP, and
LISTACCT will only display the password as "*ENCRYPTED*", making a
password truly private to its owner.
Listing Account Capabilities.
Use the LISTACCT command to check the capabilities of an account. To
check the capabilities for the SMITH account enter:
LISTACCT SMITH
The following account information appears on the screen:
______________________________________________________________________
| |
| |
| *************** |
| ACCOUNT: SMITH |
| |
| DISC SPACE: 754115 (SECTORS) PASSWORD: *ENCRYPTED* |
| CPU TIME: 33330 (SECONDS) LOC ATTR: $00000000 |
| CONNECT TIME: 102 (MINUTES) SECURITY-- READ :ANY |
| DISC LIMIT: UNLIMITED WRITE : AC |
| CPU LIMIT: UNLIMITED APPEND :AC |
| CONNECT TIME: UNLIMITED LOCK :ANY |
| MAX PRI: 150 EXECUTE :ANY |
| GROUP UFID: $0000001 $800001050 $00138A20 $00000008 $000001FA |
| USER UFID : $0004001 $800001050 $00138C20 $00000008 $000001FB |
| CAP: AM,AL,GL,DI,CV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM |
| |
______________________________________________________________________
Refer to appendix A for definitions of the capabilities.
The System Manager can list any account on the system; all other users
can list only their own accounts .
Refer to the MPE/iX Commands Reference Manual Volumes 1 and 2
(32650-90003 and 32650-90364) for more information on the LISTACCT
command.
Listing Group Capabilities
Use the LISTGROUP command to display capabilities for one or more groups.
For account managers (AM), the default is all (@) groups within the
user's logon account; for general users, the default is the logon group.
Use wildcard characters to specify more than one group.
To check group capabilities of the group ENGR in the account to which you
are logged on, enter:
LISTGROUP ENGR
The screen displays:
____________________________________________________________________
| |
| |
| ****************** |
| GROUP: ENGR.SMITH |
| |
| DISC SPACE: 5752 (SECTORS) PASSWORD: * * |
| CPU TIME: 102(SECONDS) SECURITY-- READ : GU |
| CONNECT TIME: 0(MINUTES) WRITE : GU |
| DISC LIMIT: UNLIMITED APPEND : GU |
| CPU LIMIT: UNLIMITED LOCK : GU |
| CONNECT TIME: UNLIMITED EXECUTE : GU |
| PRIV VOL : n/a SAVE : GU |
| FILE UFID: $OOOD401 $80001050 $OOOFF620 $00000008 $OOOOOOOA |
| MOUNT REF CNT: n/a |
| HOME VOL SET : MPE_SYS_VOL_SET |
| CAP: IA,BA |
| |
____________________________________________________________________
Refer to appendix A for definitions of the capabilities.
Refer to the MPE/iX Commands Reference Manual Volumes 1 and 2
(32650-90003 and 32650-90364) for more information on the LISTGROUP
command.
Listing User Capabilities.
Use the LISTUSER command to check the capabilities of a user. For
example, to review the capabilities of the user BORIS in the JONES
account, enter:
LISTUSER BORIS
The screen displays:
___________________________________________________________________
| |
| |
| ******************** |
| USER: BORIS.JONES |
| HOME GROUP: DEVELOP PASSWORD: *ENCRYPTED* |
| MAX PRI : 150 LOC ATTR: $00000000 |
| CONNECT TIME: 0(MINUTES) WRITE : GU |
| LOGON CNT : 1 |
| CAP: AM,AL,GL,DI,DV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM |
| |
___________________________________________________________________
Refer to appendix A for definitions of the capabilities.
Users with account manager (AM) capability can list any user in their
account. Other users can list only their logon user.
For more information on the LISTUSER command, refer to the MPE/iX
Commands Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364).