HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Appendix A Assigning Privileges

OPER Privilege (System)

The OPER privilege allows a process to use the Operator Communication Manager (OPCOM) process to reply to users' requests, to broadcast messages to all terminals logged in, to designate terminals as operators' terminals and specify the types of messages to be displayed on these operators' terminals, and to initialize and control the log file of operators' messages. In addition, this privilege lets the user spool devices, create and control all queues, and modify the protection and ownership of all non-file-structured devices.

Grant this privilege only to the operators of the system. These are the users who respond to the requests of ordinary users, who tend to the needs of the system's peripheral devices (mounting reels of tape and changing printer forms), and who attend to all the other day-to-day chores of system operation. (A nonprivileged user can log in on the console terminal to respond to operator requests, for example, to mount a tape.)

The OPER privilege lets a process perform the following tasks:

| Task | Interface |
| --- | --- |
| Modify device protection | SET PROTECTION/DEVICE |
| Modify device ownership | SET PROTECTION/DEVICE/OWNER |
| Access the System Management utility | SYSMAN |
| Perform operator tasks: | |
| Issue a broadcast reply | REPLY, $SNDOPR |
| Cancel a system operator request | REPLY/ABORT, $SNDOPR |
| Initialize the system operator log file | $SNDOPR |
| Reply to a pending system operator request | REPLY/TO, REPLY/PENDING, REPLY/INITIALIZE_TAPE, $SNDOPR |
| Issue a system operator request | REQUEST, $SNDOPR |
| Enable system operator classes | REPLY/ENABLE, $SNDOPR, $SNDMSG |
| Disable system operator classes | REPLY/DISABLE, $SNDOPR |
| Send a broadcast message | $BRKTHRU, $BRDCST |
| Write an event to the operator log | $SNDOPR |
| Initialize a system operator log | REPLY/LOG, $SNDOPR |
| Close the current operator log | REPLY/NOLOG, $SNDOPR |
| Send a message to an operator | REPLY, $SNDOPR |
| Enable or disable autostart | $SNDJBC (SJC$_DISABLE_AUTO_START, SJC$_ENABLE_AUTO_START) |
| Stop all queues | $SNDJBC (SJC$_STOP_ALL_QUEUES_ON_NODE) |
| Modify the characteristics of devices: | |
| Modify device availability | SET DEVICE/[NO]AVAILABLE |
| Modify device dual-porting | SET DEVICE/[NO]DUAL_PORT |
| Modify device error logging | SET DEVICE/[NO]ERROR_LOGGING |
| Modify device spooling | SET DEVICE/[NO]SPOOLED |
| Modify default definitions of days: | |
| Set default day type to PRIMARY | SET DAY/PRIMARY |
| Set default day type to SECONDARY | SET DAY/SECONDARY |
| Return day type to DEFAULT | SET DAY/DEFAULT |
| Modify or override login limits: | |
| Modify interactive login limit | SET LOGIN/INTERACTIVE |
| Modify network login limit | SET LOGIN/NETWORK |
| Modify batch login limit | SET LOGIN/BATCH |
| Create and modify queues: | |
| Bypass discretionary access to a queue | |
| Create a queue | $SNDJBC (SJC$_CREATE_QUEUE) |
| Define queue characteristics | $SNDJBC (SJC$_DEFINE_CHARACTERISTICS) |
| Define forms | $SNDJBC (SJC$_DEFINE_FORM) |
| Delete characteristics | $SNDJBC (SJC$_DELETE_CHARACTERISTICS) |
| Delete forms | $SNDJBC (SJC$_DELETE_FORM) |
| Set the base priority of batch processes | $SNDJBC (SJC$_BASE_PRIORITY) |
| Set the scheduling priority of a job | $SNDJBC (SJC$_PRIORITY) |
| Start accounting | SET ACCOUNTING/ENABLE, $SNDJBC (SJC$_START_ACCOUNTING) |
| Stop accounting | SET ACCOUNTING/DISABLE, $SNDJBC (SJC$_STOP_ACCOUNTING) |
| Operate the LAT device: | |
| Transmit LAT solicit information message | $QIO request to a LAT port driver (LTDRIVER) |
| Set static rating for LAT service | $QIO request to a LAT port driver (LTDRIVER) |
| Read last LAT response message buffer | $QIO request to a LAT port driver (LTDRIVER) |
| Change port type from dedicated to application | $QIO request to a LAT port driver (LTDRIVER) |
| Change port type from application to dedicated | $QIO request to a LAT port driver (LTDRIVER) |
| Modify tape operations: | |
| Specify number of file window-mapping pointers | MOUNT/WINDOWS, $MOUNT |
| Mount a volume with an alternate ACP | MOUNT/PROCESSOR, $MOUNT |
| Mount a volume with alternate cache limits | MOUNT/CACHE, $MOUNT |
| Modify write caching for a tape controller | MOUNT/CACHE, $MOUNT |
| Modify ODS1 directory FCB cache limit | SET VOLUME/ACCESSED, MOUNT/ACCESSED, $MOUNT |
| Perform network operations: | |
| Connect to an object while executor state is restricted | |
| Read network event-logging buffer | NETACP |
| Modify network volatile database | NETACP |
| Access the permanent database for an update | DECnet/NML |
| Connect to a DECnet circuit | $QIO request to the DECnet downline load and loopback class driver (NDDRIVER) |
| Display the permanent DECnet service password | NCP |
| Display the volatile DECnet service password | NCP |
| Control character conversion by terminals: | |
| Load terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
| Unload terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
| Establish system default terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
| Control cluster operations: | |
| Request expected votes modification | SET CLUSTER/EXPECTED_VOTES |
| Request MSCP serving of a device | SET DEVICE/SERVED |
| Request quorum modification | SET CLUSTER/QUORUM |
| Add an adapter to the failover list | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
| Remove an adapter from the failover list | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
| Set an adapter to be the current adapter | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
| Set the new adapter test interval | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |

Used in combination with other privileges, OPER lets processes perform the following tasks:

| Privileges | Task | Interface |
| --- | --- | --- |
| OPER and CMKRNL | Mount a volume with a private ACP | MOUNT/PROCESSOR, $MOUNT |
| OPER and LOG_IO | Set the system time | SET TIME, $SETIME |
| OPER and SYSNAM | Start or stop the queue manager | START/QUEUE/MANAGER, STOP/QUEUE/MANAGER, $SNDJBC |
| OPER and VOLPRO | Initialize a blank tape or override access checks while initializing a blank tape | $INIT_VOL, MOUNT, $MOUNT |