Changes the access permissions of an object by altering the access control definition (ACD). ACDs are the main method of controlling access to files, hierarchical directories, and devices. ACDs are automatically assigned to hierarchical directories and to files existing in hierarchical directories. You can change access permissions for files, hierarchical directories, devices, and device classes. You can also use ALTSEC to change the access masks of files. The file status change time stamp is updated by ALTSEC.

You cannot use the ALTSEC command to change access permissions for MPE groups, accounts, or the root directory.

Syntax

    ALTSEC objectname [,{FILENAME | LDEV | DEVCLASS}]
           [;[ACCESS=] (fileaccess [;fileaccess] [;...])]
           [{;NEWACD= | ;ADDPAIR= | ;REPPAIR=} {(acdpair [;acdpair] [;...]) | ^filereference}]
           [;DELPAIR= {(userspec [;userspec] [;...]) | ^filereference}]
           [;REPACD= {(acdpair [;acdpair] [;...]) | ^filereference | objectname}]
           [;COPYACD= objectname {,FILENAME | ,LDEV}] [;DELACD] [;MASK]
Parameters

- objectname
  Specifies the actual file designator, directory name, logical device number, or device class whose security provisions you want to alter. Either MPE or hierarchical file system (HFS) file name syntax may be used for the actual file designator of the file or directory whose access permissions are to be altered. You can only use wildcard characters with MPE syntax files that reside in a group. A logical device number must be a numeric value configured on the system, or an @ sign, which indicates all devices on the system. A device class name must be configured on the system. File equations are ignored during resolution of the object name, so that accidental file equation references cannot cause unintentional changes to an object's access permissions.

  MPE syntax: You can include MPE file name syntax but not RFA information. If the object is an MPE syntax file, its format is:

      filename[/lockword][.groupname[.acctname]]

  You may specify file lockwords for files protected by active lockwords unless the objects are also protected by a current ACD. In a batch job, if a lockword exists on a file, you must specify it. In a session, if a lockword exists and is omitted, MPE/iX will prompt you for it.

  HFS syntax: You must begin file designators using HFS file name syntax with either a dot (.) or a slash (/). The maximum length is 255 characters (including the "./" or "/").

  The objectname parameter is followed by one of the three type identifiers listed below.

  - FILENAME
    Indicates that objectname refers to either a file or directory. This is the default if a type identifier is not specified.
  - LDEV
    Indicates that objectname refers to a logical device number.
  - DEVCLASS
    Indicates that objectname refers to a device class.
- ACCESS
  Optional keyword that indicates a fileaccess specification follows. This option affects security at the file level only. If the file is protected by an ACD, the ACD overrides the file access mask.
- fileaccess
  File access mask specifications, entered as follows:

      {R | L | A | W | X} [,...] : {ANY | AC | GU | AL | GL | CR} [,...]

  The R, L, A, W, and X specify modes of access by types of users (ANY, AC, GU, AL, GL, CR) as follows:

      R = READ
      L = LOCK
      A = APPEND
      W = WRITE
      X = EXECUTE

  LOCK allows opening the file with the dynamic locking option. APPEND implicitly specifies LOCK. WRITE implicitly specifies APPEND and LOCK. You may specify two or more modes if you separate them by commas. The user types are specified as follows:

      ANY = Any user
      AC  = Member of this account only
      GU  = Member of this group only
      AL  = Account librarian user only
      GL  = Group librarian user only
      CR  = Creator

  You may specify two or more user types if you separate them by commas. The default is R,L,W,A,X:ANY. The colon (:) separating one or more modes from one or more user types is required punctuation in the specification of fileaccess.
- NEWACD
  Creates a new ACD for the specified object. NEWACD is used when an ACD does not currently exist. It must be followed by valid ACD pair(s) as described below.
- REPACD
  Indicates "replace ACD". Use REPACD to replace an entire existing ACD for the specified object, or to copy an ACD from an existing objectname to the specified objectname where objectname refers to a file. (You cannot use REPACD to copy ACDs between devices.) The REPACD parameter must be followed by valid ACD pair(s) as described below.
- ADDPAIR
  Adds a new ACD pair to an existing ACD. It must be followed by valid ACD pair(s) as described below.
- REPPAIR
  Replaces an existing ACD pair in an existing ACD. You must follow this with valid ACD pair(s) as described below. A new ACD pair will replace an existing ACD pair if it has the same user and account name.
- acdpair
  An access control definition pair. Like the fileaccess parameter, this consists of a modes part and a userspec part. The modes part is separated from the userspec part by a colon (:). Acceptable modes for files are:

      R    : read file access
      W    : write file access
      L    : lock file access
      A    : append file access
      X    : execute file access
      NONE : no access
      RACD : copy or read the ACD permission

  Acceptable modes for directories are:

      CD   : create directory entries access
      DD   : delete directory entries access
      RD   : read directory entries access
      TD   : traverse directory entries access
      NONE : no access
      RACD : copy or read the ACD permission

  File ACD pairs may contain R, W, L, A, X, NONE, and RACD. Directory ACD pairs may contain CD, DD, RD, TD, NONE, and RACD. The userspec part consists of one of the following:

  - a fully qualified user name (username.accountname)
  - the file owner, represented as $OWNER
  - the file group, represented as $GROUP
  - the file group mask, represented as $GROUP_MASK
  - @.accountname, which represents all users in the account accountname
  - @.@, which represents all users in the system

  You cannot use wildcards in any other manner within a user specification.

  A typical ACD consisting of three ACD pairs might look like this:

      (R,W:ENGR.MFG;R,W,RACD:@.MRKT;R:@.@)

  This ACD would allow Read and Write access to the ENGR user of the MFG account; Read and Write access to any user of the MRKT account along with the ability to read or copy the ACD; and Read access to any user in any account.
- ^filereference
  A file containing one or more ACD pairs. ACD pairs must be separated by semicolons and may be placed on separate lines. A single ACD pair may not span more than one line. The file name must be preceded by the ^ sign (caret symbol) to indicate that the designated file contains the ACD definition. This is known as an indirect file. The ALTSEC command fails if the indirect file does not contain a syntactically correct ACD. Parentheses are optional when defining an acdpair within an indirect file. The file reference may be specified using MPE or HFS file name syntax. For example:

      filename[/lockword][.group[.account]]

  If the file has an active lockword, you must specify it. ACDs override lockwords. Lockwords can only be specified in file references using MPE name syntax. Unqualified file names are relative to the current working directory.
- DELPAIR
  Indicates "delete pair". Use DELPAIR to delete one or more ACD pairs in an existing ACD. DELPAIR must be followed by a valid userspec.
- userspec
  Username and accountname, the same as the userspec described above in acdpair. A wildcard (@) may be used for the username or both the username and accountname together. A wildcard may not be specified for the accountname unless it is also specified for the username.
- COPYACD
  Indicates "copy ACD". Use COPYACD to copy an ACD from an existing objectname to the specified objectname. ACDs can be copied only between like objects. You must specify FILENAME or LDEV. FILENAME is the default. You cannot copy an ACD from a device class (DEVCLASS), although you may copy to all devices on the system by specifying the @ sign as the target device.
- DELACD
  Indicates "delete ACD". Use DELACD to delete all ACD pairs from the specified objectname. ACDs may be removed only from devices and files in MPE groups. The file access matrix controls access to a file when an ACD is deleted.
- MASK
  Indicates "recalculate MASK". Use MASK to recalculate the ACD file group class mask ($GROUP_MASK) access permissions.
Operation Notes

You use the ALTSEC command to alter security provisions for files, hierarchical directories, devices, and device classes by manipulating an object's access control definition (ACD) or its access mask. All of these objects may have ACDs, but only files have access masks which can be changed using this command. An object's ACD may be altered using this command with the ACD keywords NEWACD, REPACD, COPYACD, ADDPAIR, REPPAIR, DELPAIR, DELACD, and MASK. A file's access mask may be altered using either the ACCESS keyword or an access specification without a keyword. Using the ACCESS keyword is a recommended practice to help distinguish between file access mask and ACD operations.

Only the owner of a file can use the ALTSEC command to change a file's access mask. Object owners and users with appropriate privilege can use this command to manipulate an object's ACD. Files and hierarchical directories have their owner's identity and a file group ID (GID) stored in their file labels. System managers have the appropriate privilege to manipulate the ACDs for all objects. Account managers for the account matching an object's GID have appropriate privilege. Devices are owned by system managers. The ability to manipulate an ACD or file mask is not affected by the object access currently granted to a user.

File ACDs override file lockwords and the file access matrix. ACDs permit more precise access control than the file access matrix by allowing access permissions to be granted to specific users. MPE/iX allows you to specify a maximum of 40 ACD pairs for a particular object. Since a large number of ACD pair specifications overflows the command line buffer, large numbers of ACD specifications must be entered through an indirect file. The ALTSEC command fails if you attempt to alter the access permissions for a permanent disk file whose group's home volume set is not mounted.

Release 5.0 requires ACDs on the following files:

- All hierarchical directories
- All files under hierarchical directories
- All files directly under MPE/iX groups where the file GID does not match the GID of the account and group in which the file is located. One way this occurs would be if you rename a file from an MPE group outside the account to another MPE group.

Required ACDs cannot be removed with the ALTSEC command even by users with SM or AM capability.

File Access Matrix Examples
To view the file access matrix, use LISTFILE,4.

You have created a file named FDATA, and want to change its file access matrix access permissions to grant write access to only yourself. Enter:

    ALTSEC FDATA;ACCESS=(W:CR)

To change file access permissions for the FPROG program file to allow all group users to execute programs, but only account and group librarian users to read or write to the file, enter:

    ALTSEC FPROG;ACCESS=(X:GU;R,W:AL,GL)
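The following Python script is an added example, not code from the HP manual and not an MPE/iX API. It parses file access mask specifications such as the two above under the rules given for the fileaccess parameter (the five modes, the six user classes, the implied modes, and the default mask), so that a mask can be checked before it is applied and its effective grants read back. The function names and the sample specifications are the author's assumptions.

```python
"""Parse MPE/iX ALTSEC file access mask (fileaccess) specifications.

Added example, not part of the HP manual page. It encodes only the rules the
reference text states: modes R, L, A, W, X; user types ANY, AC, GU, AL, GL, CR;
WRITE implies APPEND and LOCK, APPEND implies LOCK; modes and user types are
comma-separated and joined by a colon; the default mask is R,L,W,A,X:ANY.
Function names and the sample specifications are the author's assumptions.
"""

MODES = {"R", "L", "A", "W", "X"}
USER_TYPES = {"ANY", "AC", "GU", "AL", "GL", "CR"}
DEFAULT_MASK = "R,L,W,A,X:ANY"
# Implied modes as described on the page: W -> A and L, A -> L.
IMPLIED = {"W": {"A", "L"}, "A": {"L"}}


def expand_modes(modes):
    """Return the modes actually granted once implied modes are added."""
    result = set(modes)
    for mode in list(result):
        result |= IMPLIED.get(mode, set())
    # A may have been added by W above; L is then implied by A.
    if "A" in result:
        result.add("L")
    return result


def parse_fileaccess(spec=DEFAULT_MASK):
    """Parse '(modes:usertypes[;modes:usertypes...])' into {usertype: modes}.

    Each user type named in the specification maps to the set of modes it is
    granted, with implied modes expanded. Raises ValueError on malformed input.
    """
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):
        spec = spec[1:-1]
    granted = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if ":" not in entry:
            raise ValueError(f"missing ':' in fileaccess entry {entry!r}")
        modes_part, users_part = entry.split(":", 1)
        modes = {m.strip().upper() for m in modes_part.split(",") if m.strip()}
        users = {u.strip().upper() for u in users_part.split(",") if u.strip()}
        if not modes or not users:
            raise ValueError(f"empty modes or user types in {entry!r}")
        unknown = (modes - MODES) | (users - USER_TYPES)
        if unknown:
            raise ValueError(f"unknown token(s) {sorted(unknown)} in {entry!r}")
        for user in users:
            granted[user] = granted.get(user, set()) | expand_modes(modes)
    return granted


def is_valid_fileaccess(spec):
    """True if the specification parses under the rules above."""
    try:
        parse_fileaccess(spec)
        return True
    except ValueError:
        return False


def grants(spec, user_type, mode):
    """True if the mask grants `mode` to the user class `user_type`.

    Only the class named is consulted; the page does not describe how a user
    who falls into several classes (for example CR and GU) is resolved, so
    that is deliberately not modelled here.
    """
    return mode.upper() in parse_fileaccess(spec).get(user_type.upper(), set())


if __name__ == "__main__":
    for example in ["(W:CR)", "(X:GU;R,W:AL,GL)", DEFAULT_MASK]:
        effective = {u: "".join(sorted(m)) for u, m in sorted(parse_fileaccess(example).items())}
        print(example, "->", effective)
```

Running the script shows why the page recommends the ACCESS keyword and warns that W carries A and L with it: `(W:CR)` resolves to the creator holding W, A and L, not W alone, which matters when reviewing who can lock a shared file.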
ACD Examples

To view ACD information, use the LISTFILE,-2 command. This form of the LISTFILE command displays only ACD information.

You have created a file named FDATA, and want to assign a new ACD to FDATA, granting write access to a user named FRIEND.ACCT. Enter:

    ALTSEC FDATA;NEWACD=(W:FRIEND.ACCT)

As the creator of a file, you can access the file by default, so you don't need to grant yourself access through an ACD. Users with appropriate privileges are always permitted to access files protected by ACDs.

To extend the ACD for the FDATA file so that all users on the system can read it, and all users within your account ACCT can also write to it, enter:

    ALTSEC FDATA;ADDPAIR=(R:@.@;W,R:@.ACCT)

If you decide that users outside your account ACCT should not have read access to the file FDATA any longer, enter:

    ALTSEC FDATA;DELPAIR=(@.@)

This does not delete all ACD pairs, only the ACD pair matching @.@. To delete the entire ACD, enter:

    ALTSEC FDATA;DELACD

To replace the entire ACD, enter:

    ALTSEC FDATA;REPACD=(W:FRIEND.ACCT)

You want to copy the ACD associated with LDEV 5 to all devices in device class TERM:

    ALTSEC TERM,DEVCLASS;COPYACD=5,LDEV

ACDs may be copied only between objects of the same type.

You want to grant users in account ACCT all access to directory Mydir1:

    ALTSEC ./Mydir1;ADDPAIR=(CD,DD,RD,TD,RACD:@.ACCT)

You want to grant read and write access to yourself and read access for other members of your group to an HFS syntax file named a_file_of_Mine:

    ALTSEC ./a_file_of_Mine;REPPAIR=(RACD,R,W:$OWNER; RACD,R:$GROUP,$GROUP_MASK;NONE:@.@)

To add a new ACD to file PROGNAME allowing all users on the system to execute it, but only users in account ACCT to write to it, enter:

    ALTSEC PROGNAME;NEWACD=(X:@.@;W,X:@.ACCT)

To add a new ACD pair to an ACD which already exists for file PROGNAME, which will allow the user ENGR of the LAB account to read, write, lock, append, execute and read the ACD information, enter:

    ALTSEC PROGNAME;ADDPAIR=(R,W,X,RACD:ENGR.LAB)

Note that L and A (lock and append) need not be specified because they are implied with W (write).

To add an ACD that prevents any user except OPERATOR.SYS (and any user with SM capability) from accessing LDEV 7 (a tape drive), enter:

    ALTSEC 7,LDEV;NEWACD=(R,W:OPERATOR.SYS)

Note in the last example that X is not used because it makes no sense to execute a tape drive. It also makes no sense to lock or append to a tape drive, but W tacitly provides L and A anyway.

To eliminate any ACD that may be in effect for device class LP, and to prevent any user except MGR.FINANCE from writing to a printer in device class LP, enter:

    ALTSEC LP,DEVCLASS;DELACD
    ALTSEC LP,DEVCLASS;NEWACD=(W:MGR.FINANCE)
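The following Python script is an added example, not code from the HP manual and not an MPE/iX API. It serves both the acdpair and ^filereference parameter descriptions and the ACD examples above: it validates ACD text in command-line or indirect-file form against the rules the page states (file versus directory modes, the permitted userspec forms and wildcard restriction, one pair per line, the 40-pair limit) and simulates the ADDPAIR, REPPAIR and DELPAIR steps of the FDATA walk-through. The function names, the assumed name pattern and the constructed sample ACD text are the author's, and the two behaviours marked as assumptions in the comments are not stated on the page.

```python
"""Validate and manipulate MPE/iX ACD pair specifications for ALTSEC.

Added example, not part of the HP manual page. Rules taken from the text:
a pair is modes:userspec; pairs are separated by semicolons; parentheses
are optional in an indirect file; a pair may not span lines; file pairs
use R, W, L, A, X, NONE, RACD and directory pairs use CD, DD, RD, TD,
NONE, RACD; userspec is username.accountname, $OWNER, $GROUP, $GROUP_MASK,
@.accountname or @.@; at most 40 pairs per object; in file ACDs W implies
A and L. Names, the name pattern and sample text are the author's.
"""
import re

FILE_MODES = {"R", "W", "L", "A", "X", "NONE", "RACD"}
DIR_MODES = {"CD", "DD", "RD", "TD", "NONE", "RACD"}
SPECIAL_USERS = {"$OWNER", "$GROUP", "$GROUP_MASK"}
MAX_PAIRS = 40
# Assumed shape of an MPE user/account name (the page gives no rule): a
# letter followed by letters or digits. '@' is the only permitted wildcard.
NAME = r"[A-Z][A-Z0-9]*"
USERSPEC_RE = re.compile(rf"^(?:{NAME}|@)\.(?:{NAME}|@)$")


def parse_userspec(text):
    """Normalise one userspec and reject forms the page does not allow."""
    spec = text.strip().upper()
    if spec in SPECIAL_USERS:
        return spec
    if not USERSPEC_RE.match(spec):
        raise ValueError(f"malformed userspec {text!r}")
    user, account = spec.split(".")
    # "A wildcard may not be specified for the accountname unless it is also
    # specified for the username": ENGR.@ is invalid, @.MFG and @.@ are fine.
    if account == "@" and user != "@":
        raise ValueError(f"account wildcard without user wildcard in {text!r}")
    return spec


def parse_acd(text, kind="file"):
    """Parse ACD text (command-line form or indirect-file contents).

    Returns a list of (modes, userspec) tuples in the order written. The
    page's REPPAIR example writes 'RACD,R:$GROUP,$GROUP_MASK'; several
    userspecs after one colon are treated as one pair each (an assumption).
    """
    allowed = FILE_MODES if kind == "file" else DIR_MODES
    pairs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # Parentheses are optional in an indirect file: drop them if present.
        line = line[1:] if line.startswith("(") else line
        line = line[:-1] if line.endswith(")") else line
        for chunk in line.split(";"):
            chunk = chunk.strip()
            if not chunk:
                continue
            if ":" not in chunk:
                # Typically a pair that was split across two lines.
                raise ValueError(f"line {lineno}: incomplete ACD pair {chunk!r}")
            modes_part, users_part = chunk.split(":", 1)
            modes = tuple(dict.fromkeys(
                m.strip().upper() for m in modes_part.split(",") if m.strip()))
            unknown = set(modes) - allowed
            if not modes or unknown:
                raise ValueError(f"line {lineno}: bad {kind} modes {sorted(unknown)} in {chunk!r}")
            for user in users_part.split(","):
                pairs.append((modes, parse_userspec(user)))
    if not pairs:
        raise ValueError("no ACD pairs found")
    if len(pairs) > MAX_PAIRS:
        raise ValueError(f"{len(pairs)} pairs exceeds the {MAX_PAIRS}-pair limit")
    return pairs


def is_valid_acd(text, kind="file"):
    """True if the ACD text parses for an object of the given kind."""
    try:
        parse_acd(text, kind)
        return True
    except ValueError:
        return False


def format_acd(pairs):
    """Render pairs back into the parenthesised command-line form."""
    return "(" + ";".join(",".join(modes) + ":" + user for modes, user in pairs) + ")"


def effective_file_modes(modes):
    """W implies A and L, and A implies L (the page's note on the ENGR.LAB pair)."""
    result = set(modes)
    if "W" in result:
        result |= {"A", "L"}
    if "A" in result:
        result.add("L")
    return result


def replace_pairs(acd, new_pairs):
    """REPPAIR: a new pair replaces the existing pair with the same userspec.
    The page does not say what happens when nothing matches; appending the
    new pair in that case is an assumption made here."""
    result = list(acd)
    for modes, user in new_pairs:
        for i, (_, existing) in enumerate(result):
            if existing == user:
                result[i] = (modes, user)
                break
        else:
            result.append((modes, user))
    return result


def delete_pairs(acd, userspecs):
    """DELPAIR: remove only pairs whose userspec matches exactly, as in the
    page's example where DELPAIR=(@.@) removes just the @.@ pair."""
    targets = {parse_userspec(u) for u in userspecs}
    return [(modes, user) for modes, user in acd if user not in targets]
```

A practical use is pre-checking an indirect file before running ALTSEC with ^filereference, since the page says the command fails outright on a syntactically bad file; the line-based parser flags exactly the case the page warns about, a pair that wraps onto a second line.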
Related Information

- Commands
  LISTF, LISTFILE, RELEASE, SECURE, SHOWDEV, and the fileaccess parameter for the ALTACCT, ALTGROUP, NEWACCT and NEWGROUP commands.
- Manuals
  None