HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 14 Using Protected Subsystems

Building the Subsystem

Once managers of the subsystem have the appropriate identifiers and access rights as described in “System Management Requirements”, they can add the necessary ACEs to a subsystem image. Two kinds of ACEs are necessary to construct a subsystem: the application image receives a Subsystem ACE, and the objects managed by the subsystem receive Identifier ACEs. Therefore, building a subsystem requires the following steps:

  1. Create a Subsystem ACE containing the subsystem identifier in the ACLs of the application images. A Subsystem ACE has the following format:

    (SUBSYSTEM,{IDENTIFIER=identifier[,ATTRIBUTES=attributes]})

  2. Grant access to the objects managed by the subsystem. You need to add an Identifier ACE to the ACL of the various objects belonging to the subsystem. Each Identifier ACE contains one of the subsystem identifiers in the following format:

    (IDENTIFIER=identifier, ACCESS=access-type[+...])

In the following example, the subsystem manager uses the DCL command SET SECURITY to associate the subsystem identifier with the images that make up the subsystem. First, the subsystem manager adds a Subsystem ACE with the identifier MEMBERS_SUBSYSTEM to the ACL of the application image MEMBER_LIST.EXE:

$SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,-
_$ATTRIBUTES=RESOURCE) MEMBER_LIST.EXE

Then the subsystem manager adds an Identifier ACE with the subsystem identifier MEMBERS_SUBSYSTEM to the data files managed by the subsystem:

$SET SECURITY/ACL=(IDENTIFIER=MEMBERS_SUBSYSTEM,-
_$ACCESS=READ+WRITE) MEMBER_DATA*.DAT

The DCL command SHOW SECURITY displays the security attributes of the files. For example:

$SHOW SECURITY MEMBER_LIST.EXE

MEMBER_LIST.EXE object of class FILE

Owner: [STAFF]
Protection: (System: RWED, Owner: RWED, Group, World: RE)
Access Control List: (SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,ATTRIBUTES=RESOURCE)
$SHOW SECURITY MEMBER_DATA*.DAT

MEMBER_DATA_1.DAT object of class FILE

Owner: MEMBERS_SUBSYSTEM
Protection: (System: RWED, Owner: RWED, Group, World)
Access Control List: (IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=READ+WRITE)

MEMBER_DATA_2.DAT object of class FILE

Owner: MEMBERS_SUBSYSTEM
Protection: (System: RWED, Owner: RWED, Group, World)
Access Control List: (IDENTIFIER=MEMBERS_SUBSYSTEM,
ACCESS=READ+WRITE)