HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Part II Security for the User

Chapter 4 Protecting Data

Table of Contents

Contents of a User's Security Profile
Per-Thread Security
Persona Security Block Data Structure (PSB)
Previous Security Model
Per-Thread Security Model
User Identification Code (UIC)
Rights Identifiers
Privileges
Security Profile of Objects
Definition of a Protected Object
Contents of an Object's Profile
Owner
Protection Code
Access Control List (ACL)
Displaying a Security Profile
Modifying a Security Profile
Specifying an Object's Class
Access Required to Modify a Profile
How the System Determines if a User Can Access a Protected Object
Controlling Access with ACLs
Using Identifier Access Control Entries (ACEs)
Granting Access to Particular Users
Preventing Users from Accessing an Object
Limiting Access to a Device
Limiting Access to an Environment
Ordering ACEs Within a List
Establishing an Inheritance Scheme for Files
Displaying ACLs
Adding ACEs to an Existing ACL
Deleting an ACL
Deleting ACEs from an ACL
Replacing Part of an ACL
Restoring a File's Default ACL
Copying an ACL
Controlling Access with Protection Codes
Format of a Protection Code
Types of Access in a Protection Code
Processing a Protection Code
Changing a Protection Code
Enhancing Protection for Sensitive Objects
Providing a Default Protection Code for a Directory Structure
Restoring a File's Default Security Profile
Understanding Privileges and Control Access
How Privileges Affect Protection Mechanisms
Using Control Access to Modify an Object Profile
Object-Specific Access Considerations
Auditing Protected Objects
Kinds of Events the System Audits
Enabling Auditing for a Class of Objects
Adding Security-Auditing ACEs

This chapter extends the discussion of security design introduced in “OpenVMS Security Model”. It describes how the operating system controls the way a user process or an application can access a protected object.

To summarize, the operating system controls access to any object that contains shareable information. These objects are known as protected objects. Devices, volumes, logical name tables, files, common event flag clusters, group and system global sections, resource domains, queues, capabilities, and security classes fall into this category. An accessing process carries credentials in the form of rights identifiers, and all protected objects list a set of access requirements specifying who has a right to access the object in a given manner.

This chapter:

“Descriptions of Object Classes” describes the unique features of each class of protected object.