You may want to make adjustments to control default behavior. The systemwide default protection code specified by the system parameter RMS_FILE PROT sets the user's default protection to the following:

Assume that the volume protection has been set by the operator to the following:

The file protection on the directory [PROJECT] has been set to the following:

If all the files created in the subdirectory [PROJECT.DIARY] demand more protection, you, or any user who has control access to the directory, could define a specific default protection code for this specific directory with an ACL consisting of a Default Protection ACE, as follows:

The following DCL command would provide the desired default protection:

$ SET SECURITY/ACL=(DEFAULT_PROTECTION,S:RWED,O:RWED)-
_$[PROJECT]DIARY.DIR

Once this ACE is placed on the directory file, files created or modified in the directory are subject to the default protection code. Because these protection codes are only defaults, a user who has control access to a file in the directory can include a specific protection code as a replacement for the default value on the file by using the following DCL commands:

Once the default protection code is replaced, the new code becomes the default and is propagated to subsequent versions of the file.

If you provide a special login command procedure for some of your users, you may want to supplement the systemwide default process protection specified by the system parameter RMS_FILEPROT for this group of users. Add the SET PROTECTION/DEFAULT command to the login command procedure to specify the default process protection, as follows:

SET PROTECTION=(S:RWED,O:RWED,G,W)/DEFAULT

Files created in users' directories receive this default protection code unless explicitly overridden.

To allow for more flexible data management as well as more accurate accounting of disk space, you can set up a directory that is owned by a resource identifier and rely on ACLs to control access to the directory and to files created within it.

The ACL can limit file access to all project members holding the project identifier. To achieve this kind of access restriction, you add an Identifier ACE to define the group's access to files. A second Identifier ACE is added that duplicates the first but holds the Default attribute. It is the Default attribute that ensures the ACE is copied to all files created within the directory. Sometimes a third ACE is necessary---a Default Protection ACE, depending on the default protection code for the directory. A Default Protection ACE establishes the protection code for the directory's files. (As “How the System Determines if a User Can Access a Protected Object”"How the System Determines If a User Can Access a Protected Object" on page 74 explains, if an ACL denies access to a file, it is still possible to gain access through a protection code.)

In addition to limiting the group's access to files, an ACL can control the type of access users have to files that they have created within the common directory. Because the file is created in the resource identifier's directory, the resource identifier owns the file. For users to access files they have created, the operating system normally gives control access to the file's creator plus the access specified in the owner field of the protection code. However, you can modify this behavior by adding a Creator ACE to the directory's ACL. A Creator ACE defines the type of access users have to files they have created in the project's directory.

Setting Up the Resource Identifier

A security administrator used the following command sequence to set up the project identifier PROJECTX and grant it to members of the project. Notice that the identifier is added to the rights database with the resource identifier, and it is also granted to users with the resource identifier. The project identifier needs to carry the Resource attribute so it can own disk space.

$ RUN SYS$SYSTEM:AUTHORIZE UAF> ADD/IDENTIFIER PROJECTX /ATTRIBUTES=RESOURCE UAF> GRANT/IDENTIFIER PROJECTX user1 /ATTRIBUTES=RESOURCE UAF> GRANT/IDENTIFIER PROJECTX user2 /ATTRIBUTES=RESOURCE [vellip]

Setting Up the Directory of a Resource Identifier

When a project- or department-specific identifier is the owner of a directory, the space used by files created in the directory can be charged to the appropriate department or project rather than to the individual who creates them. When users work on multiple projects, they can charge their disk space requirements to the related project rather than to their personal accounts.

In setting up a directory for a resource identifier, you first create the disk quota authorization for the project identifier. For example, the following command invokes the System Management utility (SYSMAN) and assigns the identifier PROJECTX 2000 blocks of disk quota with 200 blocks of overdraft:

$ RUN SYS$SYSTEM:SYSMAN SYSMAN> DISKQUOTA ADD PROJECTX /PERMQUOTA=2000 /OVERDRAFT=200

After setting up the disk quota, you create the project directory. For example, the following DCL command creates the project directory [PROJECTX] and establishes the identifier PROJECTX as its owner:

$ CREATE/DIRECTORY [PROJECTX] /OWNER=[PROJECTX]

Setting Up the ACL

In setting up the directory [PROJECTX], you use an ACL to provide file access to project members. The following example shows how several ACEs are used to define access:

$ SET SECURITY [PROJECTX] /ACL= (- _$ (DEFAULT_PROTECTION,S:RWED,O:RWED,G,W),- [1] _$ (IDENTIFIER=PROJECTX,ACCESS=READ+WRITE+EXECUTE),- [2] _$ (IDENTIFIER=PROJECTX,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE),- _$ (CREATOR,ACCESS=READ+WRITE+EXECUTE+DELETE)) [3]

1. The Default Protection ACE sets up a protection code for files created within the directory. The ACE denies access to group and world users.

2. The first Identifier ACE gives holders of the PROJECTX identifier read, write, and execute access to the directory.

3. The second Identifier ACE guarantees that all files created in the directory will carry the first Identifier ACE.

4. The Creator ACE specifies that a user who creates a file in the PROJECTX directory will receive read, write, execute, and delete access to it.

Thus, when project member Ross creates the file SEPTEMBER-REPORTS.TXT in the [PROJECTX] directory, the file receives the following security profile:

$ SHOW SECURITY/CLASS=FILE [PROJECTX]SEPTEMBER-REPORTS.TXT SEPTEMBER-REPORTS.TXT object of class FILE Owner: [PROJECTX] Protection: (System: RWED, Owner: RWED, Group, World) Access Control List: (IDENTIFIER=CRANDALL,ACCESS=READ+WRITE+EXECUTE+DELETE) (IDENTIFIER=PROJECTX,ACCESS=READ+WRITE+EXECUTE)

Project members are not allowed to delete (or control) files created by others; however, the Creator ACE gives them delete access to files they have created.

Without a Creator ACE, project members each have complete access to files they have created in the directory. For example, Ross would receive the following access to files created in the project directories:

$SHOW SECURITY/CLASS=FILE [PROJECTX]SEPTEMBER-REPORTS.TXT SEPTEMBER-REPORTS.TXT object of class FILE Owner: [ROSS] Protection: (System: RWED, Owner: RWED, Group, World) Access Control List: (IDENTIFIER=ROSS,OPTIONS=NOPROPAGATE, ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL) (IDENTIFIER=PROJECTX,ACCESS=READ+WRITE+EXECUTE)

To negate this behavior, you can add a Creator ACE to the ACL that specifies ACCESS=NONE.

To display any class template, use the SHOW SECURITY/CLASS=SECURITY_CLASS command. The following command, for example, displays templates available for logical name tables. The logical name table object has the following three templates:

$SHOW SECURITY/CLASS=SECURITY_CLASS LOGICAL_NAME_TABLE
[vellip]
Template: GROUP
Owner: [TTSY,SYSTEM]
Protection: (System: RWCD, Owner: R, Group: R, World:R)
Access Control List: empty


Template: JOB
Owner: [TTSY,SYSTEM]
Protection: (System: RWCD, Owner: RWCD, Group, World)
Access Control List: empty


Template: DEFAULT
Owner: [TTSY,SYSTEM]
Protection: (System: RW, Owner: RW, Group, World)

      Access Control List: empty

All objects in the security class are protected in the same manner as other objects. For this reason, any SHOW SECURITY display of a security class object begins with the security profile for the object itself. The following display shows a profile for the logical name table object in the security class. The object is owned by the system, and its protection code allows read access to any user category but allows write access only to system and owner categories.

$SHOW SECURITY/CLASS=SECURITY_CLASS LOGICAL_NAME_TABLE

LOGICAL_NAME_TABLE object of class SECURITY_CLASS
Owner: [SYSTEM]
Protection: (System: RW, Owner: RW, Group: R, World: R)
Access Control List: empty

Security administrators and users with control access to a security class object can modify the elements of a given template with the following command:

The following command modifies the MAILBOX template for the device class. It changes the template values from a protection of S:RWPL,O:RWPL,G:RWPL,W:RWPL to a protection that disallows group and world access.

$SET SECURITY/CLASS=SECURITY_CLASS/TEMPLATE=MAILBOX -
_$/PROTECTION=(S:RWPL,ORWPL,G,W) DEVICE

The operating system applies this value to all new mailboxes. To change the protection for each existing mailbox, enter an explicit SET SECURITY command for each existing mailbox. For example:

$SET SECURITY/CLASS=DEVICE -
_$/PROTECTION=(S:RWPL,ORWPL,G,W) mailbox_name

The operating system saves the default object protections specified in security templates, so rebooting the system automatically ensures that all objects created after the reboot are created with the new default protections.

	NOTE: In OpenVMS Version 7.2-1 and earlier, all pseudo-terminal (FT) device protection codes were set by the driver to (S:RWLP,O:RWLP,G,W). In OpenVMS Version 7.3 and later, only device FTA0 is set to this forced protection. This allows the system manager the option of modifying the FTA0 device protection later in the boot process. This new protection is inherited from FTA0 by any new FT devices created thereafter (as well as other settings originating from the SECURITY class DEVICE TERMINAL template profile, such as ACLs). A system manager can either modify FTA0 manually, or change the SYSTARTUP_VMS.COM command procedure. For example: $ SET SECURITY/CLASS=DEVICE - _$ /PROTECTION=(S:RWLP,O:RWLP,G:RW,W:R) FTA0: If the device protection for FTA0 is left unmodified, the behavior is unchanged from versions of OpenVMS prior to Version 7.3. That behavior is that all terminals, except FT pseudo-terminal devices, inherit their device protection and other security characteristics from the TERMINAL template profile. All FTA pseudo-terminal devices inherit their protection from FTA0, which by default is set to (S:RWLP,O:RWLP,G,W). Other settings, such as ACLs, are inherited from the TERMINAL template profile. This ensures compatibility with existing applications.

The DCL command SHOW SECURITY displays all available templates with the site values. “Descriptions of Object Classes”Chapter 5 lists the default system values.