User's Guide to MPE/iX Security: HP 3000 MPE/iX Computer Systems > Chapter 4 Protecting Your Files with Capabilities, File Access Restrictions and Lockwords

Restricting File Access


Associated with each account, group, and individual file is a list of file access restrictions. Access restrictions apply to disk files only. The restrictions are based on the following:

  • File access modes, such as reading, writing, saving, executing, locking, and appending.

  • User types, such as account librarians, group librarians, and account members, to whom certain access modes are allowed.

The access restrictions for any file describe who can access it and in what manner.

Access Modes

Table 4-2 “File Access Modes” lists file access modes, the codes used to reference them, and their meanings.

Table 4-2 File Access Modes

Access Mode   Code   Meaning
READ          R      Allows users to read files.
LOCK          L      Permits a user to prevent concurrent access to a file. Specifically, it permits the use of the FLOCK and FUNLOCK intrinsics, and the exclusive-access option of the HPFOPEN and FOPEN intrinsics, all described in the MPE/iX Intrinsics Reference Manual (32650-90028).
APPEND        A      Allows users to add information and disk extents to files, but prohibits them from altering or deleting information already written. This access mode implicitly allows the LOCK (L) access mode described above.
WRITE         W      Allows users general writing access, permitting them to add, delete, or change any information in files. This includes removing entire files from the system with the PURGE command. WRITE (W) access also implicitly allows the LOCK (L) and APPEND (A) access modes described previously.
SAVE          S      Allows users to declare files within a group as permanent, and to rename such files. This includes the ability to create new permanent files with the BUILD command.
EXECUTE       X      Allows users to run programs stored in files with the RUN command or the CREATE and CREATEPROCESS intrinsics.

User Types

Table 4-3 “User Types” lists user types, the codes used to reference them, and their complete descriptions.

Table 4-3 User Types

User Type                Code   Meaning
Any user                 ANY    Any user defined in the system. This includes all categories defined below.
Account librarian user   AL     User with account librarian capability, who can manage files within the account, which may include more than one group.
Group librarian user     GL     User with group librarian capability, who can manage certain files within a home group only.
Creating user            CR     The user who created this file.
Group user               GU     Any user allowed to access this group as the logon or home group, including all GL users applicable to this group.
Account member           AC     Any user authorized access to the system under this account. This includes all AL, GU, and CR users under this account.

Users with system manager or account manager capability bypass the standard file access restrictions. A system manager has unlimited access to any file in the system, but can save files only in the system manager's own account. An account manager has unlimited access to any file in the account, except one with a negative file code. The account manager must have privileged mode (PM) capability to access a file with a negative file code.

A file's group and account, as well as your capabilities, determine whether you have access to the file. For example, group librarian capability gives you special access to files in your home group; it does not give you special access to files in other groups.

NOTE: As soon as an ACD is attached to a file, all other file matrix restrictions are ignored.

Specifying File Access Restrictions

When a user tries to access a file, the system checks the account-level, group-level, and file-level file access restrictions. Those restrictions must give the user access rights at all three levels. If the user fails to pass the security check at any level, the system denies the user access to the file.

Account file access restrictions are set when an account is created. You set group file access restrictions when you create a group. As the creator of a file, you can change its file-level access restrictions with the ALTSEC command.

When you specify file access restrictions at a certain level, you list the file access modes available to each type of user. This listing has a fixed format: each clause names one or more access modes, a colon, and the user types granted those modes, and clauses are separated by semicolons. For example, at the account level, you might assign READ and EXECUTE access to any user and APPEND, WRITE, and LOCK access only to account members. These sample file security provisions have the following format:

   (R,X:ANY;A,W,L:AC)

In this example, READ and EXECUTE access are permitted to any user. APPEND, WRITE, and LOCK access are permitted to account members only.

Account-Level File Security

The system manager sets the access restrictions that apply to all files within a given account when creating the account. A system manager can change the initial restrictions at any time.

At the account level, the system recognizes two user types and five access modes. The account-level user types are:

  • Any user (ANY)

  • Account member (AC)

The five account level access modes are:

  • READ (R)

  • LOCK (L)

  • APPEND (A)

  • WRITE (W)

  • EXECUTE (X)

Refer to Table 4-2 “File Access Modes” for access mode descriptions and to Table 4-3 “User Types” for user type descriptions.

If the file access restrictions for an account are not explicitly stated, the system assigns the following default restrictions:

  • For the SYS account, READ and EXECUTE access are permitted to all users. APPEND, WRITE, and LOCK access are limited to account members. Symbolically, these access restrictions are expressed as follows: (R,X:ANY;A,W,L:AC).

  • For all other accounts, READ, APPEND, WRITE, LOCK, and EXECUTE access are limited to account members (R,A,W,L,X:AC).

Group-Level Security

The account manager sets the file access restrictions that apply to all files within a group when creating the group. They can be equal to or more restrictive than the provisions specified at the account level. They can also be less restrictive than those of the account, but such provisions effectively equate the group restrictions with the account restrictions, because a user who fails the security check at the account level is denied access at that point. The account manager can change the initial group file access restrictions at any time.

At the group level, the system recognizes five user types and six access modes. Access modes can be assigned to user types in any combination.

The five group-level user types are:

  • Any user (ANY)

  • Account librarian (AL)

  • Group librarian (GL)

  • Group user (GU)

  • Account member (AC)

The group level file access modes are:

  • READ (R)

  • LOCK (L)

  • APPEND (A)

  • WRITE (W)

  • SAVE (S)

  • EXECUTE (X)

Refer to Table 4-2 “File Access Modes” for access mode descriptions and to Table 4-3 “User Types” for user type descriptions.

If you do not specify group file access restrictions, the following default restrictions apply:

  • For a public group (named PUB) whose files are normally accessible in some way by all users within the account, READ and EXECUTE access are permitted to any user; APPEND, WRITE, SAVE, and LOCK access are limited to account librarian users and group users (including group librarians) (R,X:ANY;A,W,S,L:AL,GU).

  • For a public group (named PUB) of an account (named SYS), the following default restrictions apply: (R,X,L:ANY;W,A,S:AL,GU).

  • For all other groups in the account, READ, APPEND, WRITE, SAVE, LOCK, and EXECUTE access are limited to group users (R,A,W,S,L,X:GU).

File-Level Security

When you create a file, it has the default file-level security provisions assigned by MPE and the provisions assigned by the account and the group to which it belongs. Only the creator of a file may use the ACCESS= option of ALTSEC on that file. An account manager or system manager can change the file-level security provisions with the ALTSEC command by adding or changing an ACD. All access modes and all user types apply at the file level. Refer to Table 4-2 “File Access Modes” and Table 4-3 “User Types” for their descriptions.

If no security provisions are explicitly specified by the creating user, READ, APPEND, WRITE, LOCK, and EXECUTE access are permitted to all users (R,A,W,L,X:ANY), for all files, by default.

Default File Access Restrictions

Because the total security for a file always depends on security at all three levels, a file not explicitly protected from a certain access mode may benefit from the default protection at a higher level. For example, the default access restrictions at the file level allow the file to be read by any user, but the restrictions at the group level allow access only to group users. Thus, the file can be read only by a group user. In summary, the default file access restrictions at the account, group, and file levels combine to result in overall default file access restrictions as shown in Table 4-4 “Default File Access Restrictions”.

Table 4-4 Default File Access Restrictions

File                                         File Reference                   Access Permitted     Save Access To Group
Any file in public group of system account   filename.PUB.SYS                 (R,X:ANY;W:AL,GU)    AL, GU
Any file in any group in system account      filename.groupname.SYS           (R,W,X:GU)           GU
Any file in public group of any account      filename.PUB.accountname         (R,X:AC;W:AL,GU)     AL, GU
Any file in any group in any account         filename.groupname.accountname   (R,W,X:GU)           GU

In other words, when the default security provisions are in force at all levels, the standard user with default user attributes has:

  • Unlimited access (in all modes) to all files in the logon group and the home group.

  • READ and EXECUTE access (only) to all files in the PUB group of the individual's account, and in the SYS account's PUB group.
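The following Python script is an added example, not code from this manual or from MPE/iX itself. It models the three-level check described under "Specifying File Access Restrictions" (parsing the (R,X:ANY;A,W,L:AC) notation, expanding the modes that WRITE and APPEND imply, and applying the user-type containment from Table 4-3) and then recomputes Table 4-4 from the account, group, and file defaults quoted on this page. It deliberately leaves out ACDs, lockwords, and the SM/AM bypass. Two things are assumptions of the example rather than statements of the manual: SAVE is checked against the group level only (which is how the separate "Save Access To Group" column is read here), and the account name PAYROLL and group name DEV are invented.

```python
"""Model of the MPE/iX three-level file access check.

Added example, not code from the HP manual. It encodes the matrix rules
stated on this page: a request must pass the account, group and file
restrictions; WRITE implies APPEND and LOCK, and APPEND implies LOCK; ANY
covers every user, AC covers AL, GU and CR, and GU covers GL. It ignores
ACDs, lockwords and the SM/AM bypass, and it treats SAVE as a group-level
check only (an assumption, consistent with the separate "Save Access To
Group" column of Table 4-4). The PAYROLL and DEV names below are made up.
"""
from __future__ import annotations

MODES = {"R", "L", "A", "W", "S", "X"}
USER_TYPES = {"ANY", "AC", "AL", "GU", "GL", "CR"}
IMPLIED = {"W": {"A", "L"}, "A": {"L"}}  # a granted mode also grants these

# Concrete user types that satisfy a user type named in a grant (ANY matches all).
COVERS = {"AC": {"AC", "AL", "GU", "GL", "CR"}, "GU": {"GU", "GL"},
          "AL": {"AL"}, "GL": {"GL"}, "CR": {"CR"}}


def parse_matrix(spec: str) -> dict[str, set[str]]:
    """Parse the page's notation, e.g. '(R,X:ANY;A,W,L:AC)', into
    {mode: user types granted that mode}, expanding implied modes."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    grants: dict[str, set[str]] = {m: set() for m in MODES}
    for clause in filter(None, (c.strip() for c in body.split(";"))):
        modes_part, _, users_part = clause.partition(":")
        modes = {m.strip().upper() for m in modes_part.split(",") if m.strip()}
        users = {u.strip().upper() for u in users_part.split(",") if u.strip()}
        bad = (modes - MODES) | (users - USER_TYPES)
        if not modes or not users or bad:
            raise ValueError(f"bad clause {clause!r} in {spec!r}")
        for m in modes:
            for granted in {m} | IMPLIED.get(m, set()):
                grants[granted] |= users
    return grants


def level_grants(grants: dict[str, set[str]], mode: str, user: frozenset[str]) -> bool:
    """True if some user type granted `mode` at this level covers the user."""
    return any(t == "ANY" or COVERS[t] & user for t in grants[mode])


def allowed(account: str, group: str, file: str, mode: str, user_types) -> bool:
    """Three-level check: the request fails at the first level that withholds
    the mode, so a group looser than its account never widens access."""
    user = frozenset(t.upper() for t in user_types)
    levels = [group] if mode == "S" else [account, group, file]
    return all(level_grants(parse_matrix(spec), mode, user) for spec in levels)


# Defaults quoted from this page.
ACCOUNT_DEFAULT = {"SYS": "(R,X:ANY;A,W,L:AC)", "*": "(R,A,W,L,X:AC)"}
GROUP_DEFAULT = {"PUB.SYS": "(R,X,L:ANY;W,A,S:AL,GU)",
                 "PUB": "(R,X:ANY;A,W,S,L:AL,GU)", "*": "(R,A,W,S,L,X:GU)"}
FILE_DEFAULT = "(R,A,W,L,X:ANY)"

# Sample users, described by the concrete types they hold relative to the file.
SAMPLE_USERS = {
    "other-account user": frozenset(),
    "account member": frozenset({"AC"}),
    "account librarian": frozenset({"AC", "AL"}),
    "group user": frozenset({"AC", "GU"}),
    "group librarian": frozenset({"AC", "GU", "GL"}),
}


def default_levels(group: str, account: str) -> tuple[str, str, str]:
    """Account, group and file restrictions in force when none were set."""
    acct = ACCOUNT_DEFAULT.get(account, ACCOUNT_DEFAULT["*"])
    if group == "PUB":
        grp = GROUP_DEFAULT["PUB.SYS" if account == "SYS" else "PUB"]
    else:
        grp = GROUP_DEFAULT["*"]
    return acct, grp, FILE_DEFAULT


def who_can(mode: str, group: str, account: str) -> list[str]:
    """Names of the sample users that get `mode` on a file in group.account
    under default restrictions at all three levels."""
    acct, grp, fil = default_levels(group, account)
    return sorted(name for name, types in SAMPLE_USERS.items()
                  if allowed(acct, grp, fil, mode, types))


if __name__ == "__main__":
    for ref in ("PUB.SYS", "DEV.SYS", "PUB.PAYROLL", "DEV.PAYROLL"):
        group, account = ref.split(".")
        print(f"filename.{ref}")
        for mode in "RWXS":
            print(f"  {mode}: {', '.join(who_can(mode, group, account))}")
```

Running the script prints, for each of the four file references in Table 4-4, which sample users pass all three levels; the rows agree with the table, and the `allowed` function also shows the point made under "Group-Level Security": with an account restricted to (R,A,W,L,X:AC), a group set to (R:ANY) still denies READ to a user from another account.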
