HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 14 Using Protected Subsystems

System Management Requirements

Although an unprivileged user can build and manage a protected subsystem, you need to be involved at two points in the process: at the beginning to create the necessary identifiers for the subsystem and at the end to mount the volume with the protected subsystem.

You need to perform the following tasks:

  1. Ensure the SUBSYSTEM attribute is enabled on all volumes that contain protected subsystems. To do this, you can use either the MOUNT command or the SET command as shown in the following example:

    $ MOUNT/SUBSYSTEM $DKA0: WORK1

    If the device is already mounted without the /SUBSYSTEM qualifier, you can set the subsystem attribute using the SET command as follows:

    $ SET VOLUME/SUBSYSTEM $DKA0:

  2. Create identifiers for the subsystem, each with the Subsystem attribute. The Subsystem attribute empowers the identifier's holder to manage the subsystem.

  3. Grant these subsystem identifiers, with the Subsystem attribute, to the people who will serve as managers of the subsystem. This enables them to assign the subsystem identifier to the images that make up the subsystem.

  4. Give the subsystem managers control access to application images. They need control access so they can add Subsystem ACEs to the image ACLs.

  5. Give the subsystem managers control access to existing resources that are to be managed by the protected subsystem.

    Although subsystem managers may need control access to key system resources, the ACL on the objects limits their access rights to only those resources. This may not be as dangerous as installing an image with SYSPRV.

The following example shows how you can set up identifiers and the necessary application access so that users can manage a membership list:

Example 14-1 Setting Up Identifiers and Application Access for Managing Membership List

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> ADD/IDENTIFIER MEMBERS_SUBSYSTEM -              [1]
    _UAF> /ATTRIBUTES=(SUBSYSTEM,RESOURCE)
    UAF> GRANT/IDENTIFIER MEMBERS_SUBSYSTEM -            [2]
    _UAF> /ATTRIBUTES=(SUBSYSTEM,RESOURCE) LOUIS
    UAF> GRANT/IDENTIFIER MEMBERS_SUBSYSTEM -
    _UAF> /ATTRIBUTES=(SUBSYSTEM,RESOURCE) WU
    UAF> EXIT
    $ SET SECURITY/ACL=(IDENTIFIER=MEMBERS_SUBSYSTEM,-   [3]
    _$ ACCESS=CONTROL) MEMBER_LIST.EXE

  1. Use AUTHORIZE to create a subsystem identifier called MEMBERS_SUBSYSTEM. Notice that this identifier carries the Subsystem attribute.

  2. Make Louis and Wu holders of the identifier so they can manage the subsystem.

  3. Give Louis and Wu control access to the subsystem image MEMBER_LIST.EXE.

Note that you create the subsystem identifier MEMBERS_SUBSYSTEM with the Resource attribute. This allows disk space to be charged to the identifier MEMBERS_SUBSYSTEM and not the individuals accessing the subsystem. (When using the Resource attribute, be careful to set the appropriate ACLs on directories [see “Setting Up the ACL”].)
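
The following is an added example, not part of the HP guide. Steps 4 and 5 hand out control access through ACLs, so it is worth reviewing which identifiers actually hold CONTROL on the subsystem image and its resources. This Python code parses ACE text in the syntax used in Example 14-1 and reports CONTROL holders outside an expected set; the file MEMBER_DATA.DAT, the UIC [SALES,JONES], the function names and the ACL lines are constructed assumptions.

```python
import re

# Constructed sample ACLs in the parenthesised ACE syntax of Example 14-1.
# Only MEMBERS_SUBSYSTEM and MEMBER_LIST.EXE come from the page; every
# other name is made up for the illustration.
SAMPLE_ACLS = {
    "MEMBER_LIST.EXE": [
        "(SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM)",
        "(IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=CONTROL)",
        "(IDENTIFIER=*,ACCESS=EXECUTE)",
    ],
    "MEMBER_DATA.DAT": [
        "(IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=READ+WRITE+CONTROL)",
        "(IDENTIFIER=[SALES,JONES],OPTIONS=PROTECTED,ACCESS=read+control)",
        "(IDENTIFIER=NETWORK+INTERACTIVE,ACCESS=NONE)",
    ],
}

def parse_identifier_ace(text):
    """Return (identifiers, access set) for an Identifier ACE, else None."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"not an ACE: {text!r}")
    # Split on commas, except the one inside a UIC such as [SALES,JONES].
    parts = re.split(r",(?![^\[]*\])", text[1:-1])
    fields = {}
    for part in parts:
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip().upper()
    first_key = parts[0].partition("=")[0].strip().upper()
    if first_key != "IDENTIFIER" or "ACCESS" not in fields:
        return None  # Subsystem ACEs and other ACE types are skipped
    return fields["IDENTIFIER"].split("+"), set(fields["ACCESS"].split("+"))

def control_holders(acl):
    """Identifiers that an ACL grants CONTROL access to, in ACL order."""
    parsed = [parse_identifier_ace(ace) for ace in acl]
    return ["+".join(p[0]) for p in parsed if p and "CONTROL" in p[1]]

def unexpected_control(acls, expected):
    """Map object name -> CONTROL holders that are not in `expected`."""
    findings = {}
    for name, acl in acls.items():
        extra = [h for h in control_holders(acl) if h not in expected]
        if extra:
            findings[name] = extra
    return findings

if __name__ == "__main__":
    print(unexpected_control(SAMPLE_ACLS, {"MEMBERS_SUBSYSTEM"}))
```

The check covers Identifier ACEs only; control access that an object's owner has is outside what this code inspects.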