Groups of objects that behave in a particular
way and have a common set of attributes are divided into classes.
Files, queues, and volumes are very common examples. As “Classes of Protected Objects” shows,
the operating system supports 11 classes of protected objects.
When you modify the profile of an object, you
need to specify the class of the object; otherwise, the SET SECURITY
command assumes the object is a file.
For example, the following command sequence changes
the profile of an object and uses the /CLASS qualifier to identify
the object LNM$GROUP as a logical name table:
```
$ SET SECURITY /CLASS=LOGICAL_NAME_TABLE-
_$ /OWNER=ACCOUNTING /PROTECTION=(S:RWCD, O:RWCD, G:R, W:R)-
_$ /ACL=((IDENTIFIER=CHEKOV,ACCESS=CONTROL),-
_$ (IDENTIFIER=WU,ACCESS=READ+WRITE)) LNM$GROUP
```
The SET SECURITY command makes the Accounting
group owner of the logical name table. It changes the protection code
to allow read, write, create, and delete access for the owner and
for system users and to limit group and world users to read access.
Finally, it creates an ACL to allow control access for user Chekov
and to allow read and write access for user Wu.
The SHOW SECURITY command displays the results
of the changes:
```
$ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
     Owner: [ACCOUNTING]
     Protection: (System: RWCD, Owner: RWCD, Group: R, World: R)
     Access Control List:
          (IDENTIFIER=[USER,CHEKOV],ACCESS=CONTROL)
          (IDENTIFIER=[USER,WU],ACCESS=READ+WRITE)
```
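As an added example that is not part of the original manual, the following Python script parses SHOW SECURITY output of the form shown above into a profile (class, owner, protection code, ACL) and runs two simple audit checks over it: group or world write/delete access in the protection code, and ACL entries that grant CONTROL (the access that lets the holder change the object's security profile). The sample text is a constructed copy of the page's output, and the function names are the author's own choice.

```python
import re

# Constructed sample: the SHOW SECURITY output from the example above.
SAMPLE = """\
LNM$GROUP object of class LOGICAL_NAME_TABLE
     Owner: [ACCOUNTING]
     Protection: (System: RWCD, Owner: RWCD, Group: R, World: R)
     Access Control List:
          (IDENTIFIER=[USER,CHEKOV],ACCESS=CONTROL)
          (IDENTIFIER=[USER,WU],ACCESS=READ+WRITE)
"""

def parse_show_security(text):
    """Parse one SHOW SECURITY display into a dictionary."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = re.match(r"(\S+) object of class (\S+)", lines[0])
    if not header:
        raise ValueError("not a SHOW SECURITY header line")
    info = {"name": header.group(1), "class": header.group(2),
            "owner": None, "protection": {}, "acl": []}
    for line in lines[1:]:
        if line.startswith("Owner:"):
            info["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Protection:"):
            # "(System: RWCD, Owner: RWCD, Group: R, World: R)"
            body = line.split(":", 1)[1].strip().strip("()")
            for field in body.split(","):
                category, _, bits = field.partition(":")
                info["protection"][category.strip()] = bits.strip()
        elif line.startswith("(IDENTIFIER="):
            ace = re.match(r"\(IDENTIFIER=(.+?),ACCESS=(.+?)\)", line)
            info["acl"].append((ace.group(1), set(ace.group(2).split("+"))))
    return info

def audit(info):
    """Return human-readable findings worth a reviewer's attention."""
    findings = []
    for category in ("Group", "World"):
        bits = info["protection"].get(category, "")
        if "W" in bits or "D" in bits:
            findings.append(f"{category} has write/delete access ({bits})")
    for identifier, access in info["acl"]:
        if "CONTROL" in access:
            findings.append(f"{identifier} holds CONTROL")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_security(SAMPLE)):
        print(finding)
```

Feeding the script a display whose protection code grants `World: RW` adds a second finding, so the same check can be run over the output of SHOW SECURITY for every object class in Table 4-2.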
Table 4-2 Classes of Protected Objects

| Class Name | Definition |
|---|---|
| Capability | A resource to which the system controls access; currently, the only defined capability is the vector processor. |
| Common event flag cluster | A set of 32 event flags that enable cooperating processes to post event notifications to each other. |
| Device | A class of peripherals connected to a processor that are capable of receiving, storing, or transmitting data. |
| File | Files-11 On-Disk Structure Level 2 or 5 (ODS-2 or ODS-5) files and directories. |
| Group global section | A shareable memory section potentially available to all processes in the same group. |
| Logical name table | A shareable table of logical names and their equivalence names for the system or a particular group. |
| Queue | A set of jobs to be processed in a batch, terminal, server, or print job queue. |
| Resource domain | A namespace controlling access to the lock manager's resources. |
| Security class | A data structure containing the elements and management routines for all members of the security class. |
| System global section | A shareable memory section potentially available to all processes in the system. |
| Volume | A mass storage medium, such as a disk or tape, that is in ODS-2 or ODS-5 format. Volumes contain files and may be mounted on devices. |

See “Descriptions of Object Classes” for a detailed description of each class.