OpenVMS DCL Dictionary
The following table identifies object classes and the access types they
support:

  Object Class                      Access Types
  CAPABILITY (VAX only)             Use, Control
  COMMON_EVENT_FLAG_CLUSTER         Associate, Delete, Control
  DEVICE                            Read, Write, Physical, Logical, Control
  FILE (including directory file)   Read, Write, Execute, Delete, Control
  GROUP_GLOBAL_SECTION              Read, Write, Execute, Control
  ICC_ASSOCIATION (1)               Open, Access, Control
  LOGICAL_NAME_TABLE                Read, Write, Create, Delete, Control
  QUEUE                             Read, Submit, Manage, Delete, Control
  RESOURCE_DOMAIN                   Read, Write, Lock, Control
  SECURITY_CLASS                    Read, Write, Control, Logical I/O, Physical I/O
  SYSTEM_GLOBAL_SECTION             Read, Write, Execute, Control
  VOLUME                            Read, Write, Create, Delete, Control

(1) The class ICC_ASSOCIATION has special semantics: there are
both permanent and temporary objects for this class. Permanent objects
are created using the command procedure
SYS$MANAGER:ICC$CREATE_SECURITY_OBJECT.COM. The SET SECURITY command
applies to both permanent and temporary ICC_ASSOCIATION security
objects.
The OpenVMS Guide to System Security provides a full explanation of protected objects and
how to modify them.
Table DCLII-20 shows the qualifier categories for the SET SECURITY
command. The explanations for the qualifiers following Table DCLII-20
occur in alphabetical order.
Table DCLII-20 SET SECURITY Qualifier Categories

  General Qualifiers          /ACL, /CLASS, /LOG, /OWNER, /PROTECTION
  ACL-Modifying Qualifiers    /AFTER, /DELETE, /EDIT, /REPLACE
  Security Class Qualifier    /PROFILE
  File-Specific Qualifiers    /BACKUP, /BEFORE, /BY_OWNER, /CONFIRM, /CREATED,
                              /DEFAULT, /EXCLUDE, /EXPIRED, /MODIFIED, /SINCE,
                              /STYLE
  Transfer Qualifiers         /COPY_ATTRIBUTE, /LIKE

Qualifiers
/ACL[=(ace[,...])]
Identifies one or more access control list entries (ACEs) to add,
replace, or delete. Enclose each ACE in parentheses and separate
multiple ACEs by commas (,). The most common type of entry, the
Identifier ACE, has the format (IDENTIFIER=identifier,
ACCESS=access-type(+...)). By default, SET SECURITY adds an ACE to the
top of the ACL. This behavior changes when you include one of the
positional qualifiers: /AFTER, /DELETE, or /REPLACE. Refer to the
discussion of ACL ordering in the OpenVMS Guide to System Security.
/AFTER=ace
Positions all ACEs specified with the /ACL qualifier after the ACE
named with the /AFTER qualifier.
/BACKUP
Modifies the time value provided with the /BEFORE or the /SINCE
qualifier. The /BACKUP qualifier selects files according to the date of
their most recent backup (rather than by the creation, expiration, or
modification date). By default, SET SECURITY selects files according to
their creation date.
/BEFORE[=time]
Selects only those files dated prior to the specified time. You can
specify time as absolute time, as a combination of absolute and delta
times, or as one of the following keywords: BOOT, LOGIN, TODAY
(default), TOMORROW, or YESTERDAY. Specify the /BACKUP, /CREATED,
/EXPIRED, or /MODIFIED qualifier to indicate which time attribute is the
basis for selection; /CREATED is the default.
For complete information on specifying time values, refer to the
OpenVMS User's Manual or the online help topic DCL_Tips (subtopic Date_Time).
/BY_OWNER[=uic]
Selects files whose owner's UIC matches the UIC specified. The default
UIC is that of the current process.
/CLASS=class-name
Specifies the class of the object whose profile is to be modified. By
default, the command assumes the object class is FILE.
/CONFIRM
Controls whether SET SECURITY prompts for verification before
performing the operation. Valid responses are YES, NO, TRUE, and FALSE.
Answers are not case sensitive and can be abbreviated to one letter. To
stop processing the command at any point, type QUIT or press Ctrl/Z. To
cancel the verification procedure but to proceed with the command, type
ALL.
/COPY_ATTRIBUTE=(keyword[,...])
Specifies a subset of security elements to transfer from a source
object to a target object. Valid keywords include the following:
  Keyword          Description
  ALL (default)    Copy all security elements
  ACL              Copy the access control list
  OWNER            Copy the owner
  PROTECTION       Copy the protection code

Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier. For
example, you can create an ACL for an object and then copy its ACL to
new objects.
/CREATED
Modifies the time value specified with the /BEFORE or the /SINCE
qualifier. The /CREATED qualifier selects files according to the date
they were created (rather than by the backup, expiration, or
modification date). By default, SET SECURITY selects files according to
their creation date.
/DELETE[=ALL]
Deletes ACEs according to the following rules:
- The expression /ACL=aces/DELETE deletes the named ACEs.
- The expression /ACL/DELETE deletes all unprotected ACEs.
- The expression /ACL/DELETE=ALL deletes all ACEs, including protected
ACEs.
- The expression /ACL=aces/DELETE=ALL deletes the existing ACL (if
any) and creates a new ACL containing the ACEs specified with the /ACL
qualifier.
/DEFAULT
Regenerates the security profile of a file. The default qualifier
changes the protection code, the ACL, and the owner elements of a file
to what it would be if the file had just been created. The profile is
recreated according to the following rules:
- The protection code is propagated from the default protection ACE
on the directory (if one exists), or else it is propagated from the
process default.
- The ACL is propagated from the parent directory for those ACEs that
have the default option.
- The owner is set to the owner of the parent directory.
With subdirectory files, SET SECURITY assigns the owner, protection,
and ACL elements of the parent directory.
SET SECURITY does not copy any ACE on the source object if the ACE
holds the nopropagate attribute nor does it change any ACE on the
target object if the ACE holds the protected attribute. To apply new
elements to all versions of the file, specify ;* in the object name.
Refer to the OpenVMS Guide to System Security for more information on propagation rules.
/EDIT
Invokes the access control list editor (ACL editor) and allows you to
modify an ACL interactively. The ACL editor does not allow the asterisk
(*) and the percent sign (%) wildcard characters in an object name. You
must specify the object whose ACL you are editing.
The /EDIT qualifier must be the first qualifier on the command line;
other qualifiers can include /CLASS and, if the class is
SECURITY_CLASS, you can include the /PROFILE qualifier. Whenever an
object does not belong to the FILE class, you also need to specify
/CLASS.
Refer to the ACL editor in the OpenVMS System Management Utilities Reference Manual for more information.
/EXCLUDE=(filespec[,...])
Excludes the specified files from the SET SECURITY operation. You can
include a directory, but not a device, in the file specification. You
cannot use relative version numbers to exclude a specific version.
/EXPIRED
Modifies the time specified with the /BEFORE or the /SINCE qualifier.
The /EXPIRED qualifier selects files according to their expiration
dates rather than by the backup, creation, or modification date. (The
expiration date is set with the SET FILE/EXPIRATION_DATE command.) By
default, files are selected according to their creation date.
/LIKE=(NAME=source-object-name [,CLASS=source-object-class]
[,PROFILE=TEMPLATE=template-name])
Identifies the object from which SET SECURITY should copy security
elements. The /LIKE qualifier replaces an object's existing elements
with those of the source object. Nopropagate ACEs are not transferred
and protected ACEs on the target object are not deleted. Use the
/COPY_ATTRIBUTE qualifier with the /LIKE qualifier to copy an object's
elements. Refer to the OpenVMS Guide to System Security for information about the special
handling of protected and nopropagate ACEs.
The object class of the source object defaults to the class of the
target object. When the /CLASS qualifier is omitted, the CLASS keyword
defaults to FILE.
The PROFILE keyword applies to security class objects. It identifies
which template of the security class you want to copy and modify. See
/PROFILE for more information.
/LOG
Controls whether the SET SECURITY command displays the name of the
object that has been modified by the command. The qualifier is invalid
with the /EDIT qualifier.
/MODIFIED
Modifies the time value specified with the /BEFORE or the /SINCE
qualifier. The /MODIFIED qualifier selects files according to the dates
on which they were last modified, rather than by the backup, creation,
or expiration date. By default, files are selected according to their
creation date.
/OWNER=identifier
Requires GRPPRV (group privilege) to set the owner to another
member of the same group. Requires SYSPRV (system privilege) to set the
owner to any user identification code (UIC) outside your group.
Modifies the owner element of an object. Specify the user
identification code (UIC) or general identifier in the standard format.
Modifying the owner element of a file usually requires privileges.
Refer to the OpenVMS Guide to System Security for more information.
/PROFILE=TEMPLATE[=template-name]
Identifies which template profile of a security class object you want
to modify. All object classes except FILE have at least one template
profile. These template profiles define the basis of the profile of new
objects. Use the DCL command SHOW SECURITY/CLASS=SECURITY_CLASS to
display template names. When no value is given for
template-name, SET SECURITY uses the template named DEFAULT.
Include the /CLASS=SECURITY_CLASS qualifier to identify which profile
you want to modify.
/PROTECTION=(ownership[:access][,...])
Cannot be used to change the protection on a file by using
DECnet software.
Modifies the protection code of an object. The protection code defines
the type of access allowed to users, based on their relationship to the
object's owner.
Specify the ownership parameter as system (S), owner (O),
group (G), or world (W).
Access types are class specific and are shown in the Description
section. For access, use the first letter of the access name.
The Examples section provides you with models of protection codes.
/REPLACE=(ace[,...])
Eliminates entries listed with the /ACL qualifier and adds entries
listed with the /REPLACE qualifier. SET SECURITY inserts the entries
listed with /REPLACE in the position of the last deleted ACE.
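The ACL editing rules given for /ACL, /AFTER, /DELETE[=ALL] and /REPLACE, modelled in Python as an added example (this is not code from the DCL Dictionary or from OpenVMS): it edits a list of ACE strings by exactly those rules and adds the top-down first-match lookup OpenVMS applies to Identifier ACEs, which is why the position a new ACE lands in matters. The identifiers in the sample ACL, the text-based ACE matching, and the ValueError raised for an ACE that is not present are the example's own choices.

```python
"""Model of how the SET SECURITY ACL qualifiers edit an access control list.

Added example, not code from the OpenVMS DCL Dictionary: applies the page's
rules for /ACL, /AFTER, /DELETE[=ALL] and /REPLACE to a list of ACE strings
and adds the top-down first-match lookup OpenVMS uses on Identifier ACEs.
ACEs are compared as normalised text; an ACE is protected when its OPTIONS
keyword lists PROTECTED. The identifiers in SAMPLE_ACL are constructed.
"""
import re


def norm(ace):
    """Canonical spelling for comparison: uppercase, all whitespace removed."""
    return re.sub(r"\s+", "", ace).upper()


def is_protected(ace):
    m = re.search(r"OPTIONS=([A-Z_+]+)", norm(ace))
    return bool(m) and "PROTECTED" in m.group(1).split("+")


def find_ace(acl, ace):
    """Index of ace in acl, or None when no entry matches."""
    target = norm(ace)
    return next((i for i, a in enumerate(acl) if norm(a) == target), None)


def set_security_acl(acl, aces=None, after=None, delete=False,
                     delete_all=False, replace=None):
    """Return the ACL produced by one SET SECURITY command.

    aces        value of /ACL=(...); None or [] when /ACL is given bare
    after       value of /AFTER=ace
    delete      /DELETE is present; delete_all marks /DELETE=ALL
    replace     value of /REPLACE=(...)
    A named ACE that is not in the ACL raises ValueError (the model's choice,
    standing in for the error DCL reports).
    """
    acl, aces = list(acl), list(aces or [])
    if replace is not None:
        # /ACL=aces/REPLACE=(new...): drop the /ACL entries and insert the
        # replacements where the last deleted entry stood.
        pos = 0
        for ace in aces:
            idx = find_ace(acl, ace)
            if idx is None:
                raise ValueError(f"ACE not in ACL: {ace}")
            del acl[idx]
            pos = idx
        acl[pos:pos] = replace
        return acl
    if delete:
        if aces and delete_all:          # /ACL=aces/DELETE=ALL: new ACL from scratch
            return aces
        if aces:                         # /ACL=aces/DELETE: only the named entries
            for ace in aces:
                idx = find_ace(acl, ace)
                if idx is None:
                    raise ValueError(f"ACE not in ACL: {ace}")
                del acl[idx]
            return acl
        if delete_all:                   # /ACL/DELETE=ALL: everything, protected too
            return []
        return [a for a in acl if is_protected(a)]   # /ACL/DELETE: unprotected only
    if after is None:                    # plain /ACL: new entries go on top
        return aces + acl
    idx = find_ace(acl, after)           # /ACL/AFTER=ace: directly after the anchor
    if idx is None:
        raise ValueError(f"ACE not in ACL: {after}")
    return acl[:idx + 1] + aces + acl[idx + 1:]


# Single-identifier ACEs with plain identifier names (UIC-format identifiers
# such as [USER,WU] are not handled by this model).
ACE_RE = re.compile(r"\(IDENTIFIER=([A-Z0-9_$]+),(?:OPTIONS=[A-Z_+]+,)?ACCESS=([A-Z+]+)\)")


def first_match(acl, held):
    """Top-down lookup of the first Identifier ACE naming an identifier the
    user holds. OpenVMS stops at that ACE, so an ACE for the same user that
    sits lower in the list is never consulted.
    Returns (ace, set of access names) or (None, None)."""
    held = {h.upper() for h in held}
    for ace in acl:
        m = ACE_RE.fullmatch(norm(ace))
        if m and m.group(1) in held:
            return ace, set(m.group(2).split("+"))
    return None, None


# Constructed sample ACL, in the order SHOW SECURITY would list it.
SAMPLE_ACL = [
    "(IDENTIFIER=CHEKOV,ACCESS=CONTROL)",
    "(IDENTIFIER=WU,ACCESS=READ+WRITE)",
    "(IDENTIFIER=AUDITORS,OPTIONS=PROTECTED,ACCESS=READ)",
]

if __name__ == "__main__":
    deny_wu = "(IDENTIFIER=WU,ACCESS=NONE)"
    # Default placement is the top of the ACL, so the new ACE wins for WU ...
    print(first_match(set_security_acl(SAMPLE_ACL, aces=[deny_wu]), ["WU"]))
    # ... while with /AFTER the existing READ+WRITE ACE is still found first.
    print(first_match(set_security_acl(SAMPLE_ACL, aces=[deny_wu], after=SAMPLE_ACL[1]), ["WU"]))
    print(set_security_acl(SAMPLE_ACL, delete=True))   # only the protected ACE survives
```

Run as a script to see the two lookups differ: the same ACCESS=NONE ACE denies Wu when it goes on top (the default) and is inert when placed with /AFTER below the ACE that already grants READ+WRITE.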
/SINCE[=time]
Selects only those files dated on or after the specified time. You can
specify time as absolute time, as a combination of absolute and delta
times, or as one of the following keywords: BOOT, LOGIN, TODAY
(default), TOMORROW, or YESTERDAY. Specify the /BACKUP, /CREATED,
/EXPIRED, or /MODIFIED qualifier to indicate which time attribute is the
basis for selection; /CREATED is the default.
For complete information on specifying time values, refer to the
OpenVMS User's Manual or the online help topic DCL_Tips (subtopic Date_Time).
/STYLE=keyword
Specifies the file name format for display purposes.
The valid keywords for this qualifier are CONDENSED and EXPANDED.
Descriptions are as follows:
  Keyword               Explanation
  CONDENSED (default)   Displays the file name as generated to fit into a
                        255-character string. This name may contain a DID or
                        FID abbreviation in the file specification.
  EXPANDED              Displays the file name as stored on disk. This name
                        contains no DID or FID abbreviations.

The keywords CONDENSED and EXPANDED are mutually exclusive. This
qualifier specifies which file name format is displayed in the output
message, along with the confirmation if requested.
File errors are displayed with the CONDENSED file specification unless
the EXPANDED keyword is specified.
Refer to the OpenVMS Guide to Extended File Specifications for more information.
Examples
#1
$ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM]
Protection: (System: RWCD, Owner: R, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,VARANESE],ACCESS=CONTROL)
$ SET SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE -
_$ /ACL=((IDENTIFIER=CHEKOV,ACCESS=CONTROL), -
_$ (IDENTIFIER=WU,ACCESS=READ+WRITE)) -
_$ /DELETE=ALL -
_$ /PROTECTION=(S:RWCD, O:RWCD, G:R, W:R)
$ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM]
Protection: (System: RWCD, Owner: RWCD, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,CHEKOV],ACCESS=CONTROL)
(IDENTIFIER=[USER,WU],ACCESS=READ+WRITE)
This example shows how to make a straightforward change to the security
elements of an object. The first SHOW SECURITY command displays the
current settings of the LNM$GROUP logical name table. The SET SECURITY
command resets the ACL to allow control access for user Chekov, and to
allow read and write access for user Wu. Note that without the
/DELETE=ALL qualifier, these ACEs would have been added to the existing
ACL rather than superseding it. The protection is also changed to allow
read, write, create, and delete access for the owner. The last command
displays the results of the changes.
#2
$ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM]
Protection: (System: RWCD, Owner: R, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,FERNANDEZ],ACCESS=CONTROL)
$ SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE
LNM$JOB object of class LOGICAL_NAME_TABLE
Owner: [USER,WEISS]
Protection: (System: RWCD, Owner: RWCD, Group, World)
Access Control List: <empty>
$ SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
_$ /LIKE=(NAME=LNM$GROUP, CLASS=LOGICAL_NAME_TABLE) -
_$ /COPY_ATTRIBUTE=PROTECTION
$ SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
_$ /ACL=(IDENTIFIER=FERNANDEZ, ACCESS=READ)
$ SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE
LNM$JOB object of class LOGICAL_NAME_TABLE
Owner: [USER,WEISS]
Protection: (System: RWCD, Owner: R, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,FERNANDEZ],ACCESS=READ)
This example shows how to copy security access information from one
object to another and, at the same time, set some elements explicitly.
The first two SHOW SECURITY commands display the current settings for the
LNM$GROUP and LNM$JOB logical name tables. The first SET SECURITY command
copies only the protection code (because of /COPY_ATTRIBUTE=PROTECTION)
from the LNM$GROUP table to the LNM$JOB table; the second adds an ACE
that grants user Fernandez read access to LNM$JOB. The final SHOW
SECURITY command shows the effect of the changes.
#3
$ SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS
SECURITY_CLASS object of class SECURITY_CLASS
Owner: [SYSTEM]
Protection: (System: RWED, Owner: RWED, Group: R, World: R)
Access Control List: <empty>
Template: DEFAULT
Owner: [SYSTEM]
Protection: (System: RWED, Owner: RWED, Group, World: RE)
Access Control List: <empty>
$ SET SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS -
_$ /PROFILE=TEMPLATE=DEFAULT -
_$ /PROTECTION=(S:RWE, O:RWE, G:RE)
$ SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS
SECURITY_CLASS object of class SECURITY_CLASS
Owner: [SYSTEM]
Protection: (System: RWED, Owner: RWED, Group: R, World: R)
Access Control List: <empty>
Template: DEFAULT
Owner: [SYSTEM]
Protection: (System: RWE, Owner: RWE, Group: RE, World: RE)
Access Control List: <empty>
This example demonstrates how to change the security elements for the
template of a security class object. The first command shows the
current settings for the SECURITY_CLASS object. The second command
changes the DEFAULT template of the SECURITY_CLASS object such that the
protection is (S:RWE, O:RWE, G:RE). The change is shown in the display
of the last command. The world protection of RE remains unchanged.
#4
$ DIRECTORY/SECURITY
Directory DKA200:[DATA]
FILE001.DAT;1 [SYSTEM] (RWED,RWED,RE,)
Total of 1 file.
$ SET SECURITY/CLASS=FILE/PROTECTION=(WORLD:RE)/LOG FILE001.DAT
%SET-I-MODIFIED, DKA200:[DATA]FILE001.DAT;1 modified
$ DIRECTORY/SECURITY
Directory DKA200:[DATA]
FILE001.DAT;1 [SYSTEM] (RWED,RWED,RE,RE)
Total of 1 file.
$
This example shows how to set UIC-based protection codes on an object.
The first DIRECTORY command displays the current security settings on
the file FILE001.DAT. The SET SECURITY command changes the protection
codes on the file to allow read and execute access for all users. The
last command displays the results of the change.
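The protection-code rules used by /PROTECTION and shown in the SHOW SECURITY and DIRECTORY/SECURITY displays of Examples #1 to #4, worked through in Python as an added example (this is not code from the DCL Dictionary or from OpenVMS): it parses the three spellings of a protection code, applies a /PROTECTION change so that categories not named keep their value (as Example #3 shows for World), decides access from the ownership categories a UIC falls into, and scans a DIRECTORY/SECURITY listing for world-writable files. The listing is constructed, MAXSYSGROUP at its default of 8 is an assumption, and ACLs and privileges are outside the model.

```python
"""Parse and evaluate OpenVMS UIC-based protection codes.

Added example, not code from the OpenVMS DCL Dictionary: parses the
protection-code spellings this page shows (SET SECURITY/PROTECTION value,
SHOW SECURITY display, DIRECTORY/SECURITY display), applies a /PROTECTION
change so that categories not named keep their value, decides access from
the ownership categories a UIC falls into, and flags world-writable files in
a DIRECTORY/SECURITY listing. ACLs and privileges are not modelled; the
listing is constructed and MAXSYSGROUP is assumed at its default.
"""
import re

CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
MAXSYSGROUP = 0o10   # assumption: SYSGEN default of 8; UIC groups <= it are SYSTEM


def parse_protection(text):
    """{category: set of access letters} for one protection string.
    Named form '(S:RWCD, O:RWCD, G:R)' / '(System: RWCD, Owner: R, Group, World)':
    a category printed without a colon has no access; a category that is
    absent is not returned (in a /PROTECTION value that means 'unchanged').
    Positional form '(RWED,RWED,RE,)' from DIRECTORY/SECURITY: four fields in
    system, owner, group, world order, an empty field meaning no access."""
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields = [f.strip() for f in body.split(",")]
    if ":" not in body:
        if len(fields) != 4:
            raise ValueError(f"positional code needs 4 fields: {text!r}")
        return {cat: set(f.upper()) for cat, f in zip(CATEGORIES, fields)}
    prot = {}
    for field in filter(None, fields):
        name, _, letters = field.partition(":")
        name = name.strip().upper()
        cat = next((c for c in CATEGORIES if name and c.startswith(name)), None)
        if cat is None:
            raise ValueError(f"unknown ownership category {name!r} in {text!r}")
        prot[cat] = set(letters.strip().upper())
    return prot


def apply_protection(current, change):
    """/PROTECTION semantics: named categories are replaced, the rest kept."""
    result = {cat: set(current.get(cat, ())) for cat in CATEGORIES}
    result.update({cat: set(v) for cat, v in change.items()})
    return result


def parse_uic(text):
    """'[200,7]' -> (0o200, 0o7). Numeric UICs only; alphanumeric forms such
    as [USER,WEISS] need the rights database to resolve."""
    m = re.fullmatch(r"\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]", text.strip())
    if not m:
        raise ValueError(f"numeric UIC expected: {text!r}")
    return int(m.group(1), 8), int(m.group(2), 8)


def categories_for(user_uic, owner_uic):
    """Every ownership category the user falls into; everyone is WORLD."""
    cats = {"WORLD"}
    if user_uic[0] <= MAXSYSGROUP:
        cats.add("SYSTEM")
    if user_uic == owner_uic:
        cats.add("OWNER")
    if user_uic[0] == owner_uic[0]:
        cats.add("GROUP")
    return cats


def protection_grants(prot, user_uic, owner_uic, access):
    """True if any category the user belongs to carries the access letter.
    OpenVMS grants the union of the applicable categories, so a World field
    of RW also gives the owner write access even when the Owner field is empty."""
    return any(access.upper() in prot.get(cat, set())
               for cat in categories_for(user_uic, owner_uic))


DIR_SECURITY_LINE = re.compile(r"^(\S+;\d+)\s+(\[[^\]]*\])\s+(\([^)]*\))")


def world_writable(listing):
    """Files in DIRECTORY/SECURITY output whose World field grants W or D."""
    hits = []
    for line in listing.splitlines():
        m = DIR_SECURITY_LINE.match(line.strip())
        if m and parse_protection(m.group(3))["WORLD"] & {"W", "D"}:
            hits.append(m.group(1))
    return hits


# Constructed listing in the page's Example #4 format, plus a scratch file
# left world-writable so the audit has something to report.
SAMPLE_LISTING = """\
Directory DKA200:[DATA]

FILE001.DAT;1        [SYSTEM]      (RWED,RWED,RE,)
SCRATCH.TMP;3        [200,7]       (RWED,RWED,RWED,RWED)

Total of 2 files.
"""

if __name__ == "__main__":
    before = parse_protection("(System: RWED, Owner: RWED, Group, World: RE)")
    after = apply_protection(before, parse_protection("(S:RWE, O:RWE, G:RE)"))
    print(after)                            # Example #3: World is not named, keeps RE
    print(world_writable(SAMPLE_LISTING))   # the scratch file
```

The listing scan is the check most worth automating: DIRECTORY/SECURITY output for a tree can be captured to a file and fed to world_writable() as-is, and any hit is a candidate for the SET SECURITY/PROTECTION=(WORLD:RE) style of correction shown in Example #4. Alphanumeric UICs such as [USER,WEISS] are rejected by parse_uic() on purpose, since resolving them needs the rights database.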
SET SERVER
Controls the Security and Registry servers.
Requires the SYSPRV privilege.
Format
SET SERVER server-name
Parameter
server-name
Valid values are: SECURITY_SERVER, REGISTRY_SERVER.
Description
The SET SERVER command provides a system manager with the ability to
control the security and registry servers.
Security Server
Specifying this parameter allows you to start, stop, and restart the
security server. The security server maintains information stored in
the system intrusion and proxy databases.
The system intrusion database is used by LOGINOUT, DECnet/OSI,
DECwindows, SHOW INTRUSION, DELETE INTRUSION, and other applications.
For more information about the system intrusion database and
$DELETE_INTRUSION, $SCAN_INTRUSION, and $SHOW_INTRUSION system
services, refer to the OpenVMS System Services Reference Manual. For further information, refer to
the OpenVMS Guide to System Security.
The system proxy database is used by AUTHORIZE, DECnet/OSI, DFS, and
other applications to access information stored in the network proxy
database. Additional information can be found in the OpenVMS System Management Utilities Reference Manual. See
also the $ADD_PROXY, $DELETE_PROXY, $DISPLAY_PROXY, $VERIFY_PROXY
system services in the OpenVMS System Services Reference Manual.
Registry Server
Specifying this parameter allows you to start, stop, and restart the
registry server. The registry server maintains information stored in
the registry database.
The registry database is used by COM, PATHWORKS, and other applications.
For more information about the registry database and the $REGISTRY
system service, refer to the OpenVMS System Services Reference Manual. See also the SHOW SERVER
command.
Qualifiers
/ABORT
Aborts the registry server on the specified node or nodes in the
cluster.
Cannot be used with the /EXIT, /RESTART, or /START qualifiers.
/CLUSTER
Issues the SET command to each registry server in the cluster, setting
the registry master server last.
Cannot be used with the /MASTER or /NODE qualifiers.
/EXIT
Stops the detached security server process, or stops the registry
server on the specified node or nodes in the cluster.
Cannot be used with the /ABORT, /RESTART, or /START qualifiers.
/LOG
Closes the current registry server log file and creates a new file.
/MASTER
Issues the command to the registry master server only. Requires
the SYSLCK privilege.
Cannot be used with the /CLUSTER, /NODE, or /START qualifiers.
/NODE=(node-name[,...])
Issues the SET command to the registry servers on the specified nodes
in the order they are entered. The node names must be within the
current cluster.
Cannot be used with the /CLUSTER or /MASTER qualifiers.
/RESTART
Restarts the detached security server process, or restarts the registry
server on the specified node or nodes in the cluster.
Cannot be used with the /ABORT, /EXIT, or /START qualifiers.
/START
Starts the detached security server process, or starts the registry
server on the specified node or nodes in the cluster.
Cannot be used with the /ABORT, /EXIT, or /RESTART qualifiers.
Examples
#1
$ SET SERVER SECURITY_SERVER/START
This command starts the detached security server process.
#2
$ SET SERVER SECURITY_SERVER/EXIT
This command stops the detached security server process.
#3
$ SET SERVER SECURITY_SERVER/RESTART
This command restarts the detached security server process.
#4
$ SET SERVER REGISTRY_SERVER/RESTART/MASTER
This command restarts the detached registry server on the master server.
#5
$ SET SERVER REGISTRY_SERVER/LOG/CLUSTER
This command closes the current log files and opens new files on all
systems across the cluster.
#6
$ SET SERVER REGISTRY_SERVER/EXIT/NODE=(KAKADU,CAIRNS)
This command stops the detached registry server process on nodes KAKADU
and CAIRNS.