Protecting Volumes

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS System Manager's Manual, Volume 1:...

Managing Storage Media

Initializing Volumes

Mounting Volumes

Protecting Volumes

Protection based on user identification codes (UICs) restricts users' access to volumes. By assigning access types to volumes, you determine the kinds of actions various groups of users can perform on volumes. Protecting Disk Volumes and Protecting Tape Volumes explain the differences between UIC-based protection for disk and tape volumes.

For additional access control, you can set access control lists (ACLs) on volumes. Volume ACLs are copied from the VOLUME.DEFAULT security class template. See Creating Access Control Lists for more information about ACLs.

Access Types for Disk and Tape Volumes shows the types of access you can assign to disk and tape volumes.

Table 9 Access Types for Disk and Tape Volumes
Access Type Gives you the right to...

Read
Examine file names, print, or copy files from the volume. System and owner categories always have read access to tape volumes.

Write
Modify or write to existing files on a volume. The protection of a file determines whether you can perform a particular operation on the file. To be meaningful, write access requires read access. System and owner categories always have write access to tape volumes.

Create
Create files on a disk volume and subsequently modify them. Create access requires read and write access. This type of access is invalid for tape volumes.

Delete
Delete files on a disk volume, provided you have proper access rights at the directory and file level. Delete access requires read access. This type of access is invalid for tape volumes.

Control
Change the protection and ownership characteristics of the volume. Users with the VOLPRO privilege always have control access to a disk volume, with the following exceptions:
Mounting a file-structured volume as foreign requires control access or VOLPRO privilege.

Mounting a volume containing protected subsystems requires SECURITY privilege.

Control access is not valid with tapes.

**Table 9** **Access Types for Disk and Tape Volumes**
Access Type	Gives you the right to...
Read	Examine file names, print, or copy files from the volume. System and owner categories always have read access to tape volumes.
Write	Modify or write to existing files on a volume. The protection of a file determines whether you can perform a particular operation on the file. To be meaningful, write access requires read access. System and owner categories always have write access to tape volumes.
Create	Create files on a disk volume and subsequently modify them. Create access requires read and write access. This type of access is invalid for tape volumes.
Delete	Delete files on a disk volume, provided you have proper access rights at the directory and file level. Delete access requires read access. This type of access is invalid for tape volumes.
Control	Change the protection and ownership characteristics of the volume. Users with the VOLPRO privilege always have control access to a disk volume, with the following exceptions: Mounting a file-structured volume as foreign requires control access or VOLPRO privilege. Mounting a volume containing protected subsystems requires SECURITY privilege. Control access is not valid with tapes.

For more information about specifying protection codes, refer to the OpenVMS Guide to System Security . Security Considerations discusses protection in general.

The following sections explain how to perform these operations:

Task Section

Protecting disk volumes
Protecting Disk Volumes

Protecting tape volumes
Protecting Tape Volumes

Auditing volume access
Auditing Volume Access

Task	Section
Protecting disk volumes	Protecting Disk Volumes
Protecting tape volumes	Protecting Tape Volumes
Auditing volume access	Auditing Volume Access

Protecting Disk Volumes

For file-structured ODS-2 volumes, the OpenVMS operating system supports the types of access shown in Access Types for Disk and Tape Volumes. The system provides protection of ODS-2 disks at the volume, directory, and file levels. Although you might have access to the directories and files on the volume, without the proper volume access, you are unable to access any part of a volume.

The default access types for the disk volume owner [0,0] are:

S:RWCD, O:RWCD, G:RWCD, W:RWCD.

The system establishes this protection with the default qualifier of the INITIALIZE command (/SHARE). Any attributes that you do not specify are taken from the current default protection.

Ways to Specify Protection

You can change permanently stored protection information in the following ways:

Use ACLs. The entire security profile (owner UIC, protection code, and ACL) is stored on the volume. If you change the volume security profile for a volume mounted clusterwide, the change is distributed to all nodes in the cluster. If you dismount and remount a volume, the security profile for the volume is preserved.

Use the DCL command SET SECURITY to modify the default security profile after a volume is mounted, including UIC- and ACL-based protection.

Use protection qualifiers with the DCL command INITIALIZE to specify UIC-based protection when you initialize a volume.

You can also specify protection when you mount disk volumes, but you ordinarily do not do so because the protection that you specify is in effect only while the volume is mounted. For details, refer to the MOUNT command in the HP OpenVMS DCL Dictionary.

Use the DCL command SET VOLUME after you mount a volume to change UIC-based volume protection.

The following sections explain how to perform these tasks:

Task Section

Specify protection when you initialize volumes
Specifying Protection When You Initialize Disk Volumes

Change protection after volumes are mounted
Changing Protection After Disk Volumes Are Mounted

Display protection
Displaying UIC- and ACL-Based Protection

Task	Section
Specify protection when you initialize volumes	Specifying Protection When You Initialize Disk Volumes
Change protection after volumes are mounted	Changing Protection After Disk Volumes Are Mounted
Display protection	Displaying UIC- and ACL-Based Protection

Specifying Protection When You Initialize Disk Volumes

This section explains how to specify UIC-based volume protection and ISO 9660-formatted media protection when you initialize volumes.

Specifying UIC-Based Protection

You can specify protection in one of the following ways when you initialize volumes:

Use the /PROTECTION qualifier with the INITIALIZE command. For example:
```
$ INITIALIZE DUA7: ACCOUNT1/PROTECTION=(S:RWCD,O:RWCD,G:R,W:R)  
```
This example specifies a protection code for the disk volume ACCOUNT1 on the DUA7: device. The UIC of the volume is set to your process UIC.

Use one or more of the qualifiers shown in INITIALIZE Command Qualifiers for Protection with the INITIALIZE command. However, the protection that you set using the /PROTECTION qualifier overrides any of the defaults set when you use any other qualifier.

Using INITIALIZE Command Qualifiers for Protection

You usually do not change volume protection after you initialize a volume. By specifying a protection qualifier with the INITIALIZE command, you can establish the default protection of a volume. (The default qualifier of the INITIALIZE command is /SHARE, which grants all types of ownership all types of access.)

INITIALIZE Command Qualifiers for Protection explains the qualifiers you can use to specify disk volume protection when you initialize disk volumes.

Table 10 INITIALIZE Command Qualifiers for Protection
Qualifier Explanation

/PROTECTION
The protection you specify with this qualifier overrides any protection you specify with other qualifiers.

/SYSTEM
All processes have read, write, create, and delete access to the volume, but only system processes can create first-level directories. ([1,1] owns the volume.) See the note following this table.

/GROUP
System, owner, and group processes have read, write, create, and delete access to the volume. World users have no access.

/NOSHARE
System and owner processes have read, write, and delete access to the volume. World users have no access. Group users also have no access unless you specify the /GROUP qualifier.

**Table 10** **INITIALIZE Command Qualifiers for Protection**
Qualifier	Explanation
/PROTECTION	The protection you specify with this qualifier overrides any protection you specify with other qualifiers.
/SYSTEM	All processes have read, write, create, and delete access to the volume, but only system processes can create first-level directories. ([1,1] owns the volume.) See the note following this table.
/GROUP	System, owner, and group processes have read, write, create, and delete access to the volume. World users have no access.
/NOSHARE	System and owner processes have read, write, and delete access to the volume. World users have no access. Group users also have no access unless you specify the /GROUP qualifier.

The /SYSTEM qualifier grants all users complete access. However, users cannot create directories or files unless you perform one of the following actions:

Change the protection on the newly created master file directory (MFD), [000000]000000.DIR;1 to allow users to create their own directories under this parent directory.

Under the master file directory, create user directories that give users write access so that they, in turn, can create their own directories.

System managers usually choose the second method.

Protection Granted with INITIALIZE Command Qualifiers shows the UIC and protection that the system sets for disk volumes when you use the default, /SHARE, and other qualifiers with the INITIALIZE command.

Table 11 Protection Granted with INITIALIZE Command Qualifiers
Qualifier UIC Protection

/SYSTEM
[1,1]
S:RWCD,O:RWCD,G:RWCD,W:RWCD

/SYSTEM/NOSHARE
[1,1]
S:RWCD,O:RWCD,G:RWCD,W:RWCD

/GROUP
[x,0]
S:RWCD,O:RWCD,G:RWCD,W

/SHARE (the default)
[x,x]¹
S:RWCD,O:RWCD,G:RWCD,W:RWCD

/NOSHARE
[x,x]
S:RWCD,O:RWCD,G,W

**Table 11** **Protection Granted with INITIALIZE Command Qualifiers**
Qualifier	UIC	Protection
/SYSTEM	[1,1]	S:RWCD,O:RWCD,G:RWCD,W:RWCD
/SYSTEM/NOSHARE	[1,1]	S:RWCD,O:RWCD,G:RWCD,W:RWCD
/GROUP	[x,0]	S:RWCD,O:RWCD,G:RWCD,W
/SHARE (the default)	[x,x]¹	S:RWCD,O:RWCD,G:RWCD,W:RWCD
/NOSHARE	[x,x]	S:RWCD,O:RWCD,G,W

Specifying ISO 9660-Formatted Media Protection

The OpenVMS implementation of ISO 9660 does not include volume or volume set protection. The protection specified for the device on which the media is mounted determines accessibility to the ISO 9660 volumes or volume sets.

By default, the device protection is assigned to ISO 9660 files and directories. When you mount the volume, you can specify additional file protection using the UIC and PERMISSION protection fields included in the Extended Attribute Records (XARs) that might be associated with each file.

You can enable the protection fields by specifying either of the following items:

XAR mount option, using the following format:MOUNT/PROTECTION=XARWhen you specify the XAR option for a file that has an associated XAR, the protection fields in the XAR are enabled.

DIGITAL System Identifier (DSI) mount option, using the following format:MOUNT/PROTECTION=DSIIf you specify the DSI option, you enable the XAR permissions Owner and Group for XARs containing DSI.

For more information about the XAR and DSI options, refer to the OpenVMS Record Management Utilities Reference Manual .

Changing Protection After Disk Volumes Are Mounted

You can change protection by using the SET SECURITY/CLASS=VOLUME command with the /PROTECTION, /OWNER, or /ACL qualifier to change any aspect of the volume security profile.

Changing UIC-Based Protection

To change UIC-based protection after a volume is mounted, use the SET SECURITY/CLASS=VOLUME/PROTECTION command. For example:

$ SET SECURITY/CLASS=VOLUME/PROTECTION=(S:RWCD,O:RWCD,G:RC,W:RC) DUA0:

The protection set in this example allows the system and owner all types of access. Group and world access types can only read files and run programs. Any category not specified in the protection code (S,O,G,W) is unchanged.

Changing ACL-Based Protection

To change ACL-based protection after a volume is mounted, use the SET SECURITY/CLASS=VOLUME/ACL command. To change the ACL, for example:

$ SET SECURITY/CLASS=VOLUME/ACL=(IDENTIFIER=DOC,ACCESS=READ+WRITE+EXECUTE) -
_$ $1$DSA7:

This example gives holders of the DOC identifier read, write, and execute access to the $1$DSA7: volume.

Displaying UIC- and ACL-Based Protection

You can use the SHOW SECURITY/CLASS=VOLUME command to display protection. For example:

$ SHOW SECURITY/CLASS=VOLUME $1$DSA27:

The following example shows the resulting display:

$1$DSA27: object of class VOLUME
     Owner: [1,1]
     Protection: (System: RWCD, Owner: RWCD, Group: RWCD, World: RWCD)
     Access Control List:
          (IDENTIFIER=[ABC,SADAMS],ACCESS=READ+WRITE+CREATE+DELETE)

In the display are the name and profile of the VOLUME class object $1$DSA27. The profile includes the owner UIC, the protection code, and the access control list (ACL) of the protected object.

Protecting Tape Volumes

The system protects magnetic tapes only at the volume level. You establish protection when you initialize tape volumes; after that, the Mount utility (MOUNT) enforces the protection that you have established.

You can use two levels of protection for tape volumes:

Level of Protection Description

Guidelines of the ISO standard
The ISO standard, which is the first level of protection, is encoded in the accessibility field of the first volume label written on the magnetic tape. With this protection scheme, you can protect tape volumes in environments where interchange exists between the OpenVMS system and the operating system that is not OpenVMS.

UIC-based protection scheme supported by system software
This second level of protection is encoded in the second volume label written on the magnetic tape. Only OpenVMS systems check this scheme; it is ignored in any interchange with operating systems that are not OpenVMS.

Level of Protection	Description
Guidelines of the ISO standard	The ISO standard, which is the first level of protection, is encoded in the accessibility field of the first volume label written on the magnetic tape. With this protection scheme, you can protect tape volumes in environments where interchange exists between the OpenVMS system and the operating system that is not OpenVMS.
UIC-based protection scheme supported by system software	This second level of protection is encoded in the second volume label written on the magnetic tape. Only OpenVMS systems check this scheme; it is ignored in any interchange with operating systems that are not OpenVMS.

Standard-Labeled Tape Protection

The OpenVMS tape file system bases its accessibility protection on the ISO standards. This protection allows an installation routine to use a routine that interprets the contents of the volume- and header-label accessibility field. Refer to the $MTACCESS system service in the HP OpenVMS System Services Reference Manual for more information about installation routines.

Access Types with Default Protection

When you do not supply a protection code during initialization, all users receive read and write access, explained in Access Types for Tape Volume Protection.

Table 12 Access Types for Tape Volume Protection
Access Type Gives you the right to...

Read
Examine, print, or copy files from the volume.

Write
Append or write files to the volume.

**Table 12** **Access Types for Tape Volume Protection**
Access Type	Gives you the right to...
Read	Examine, print, or copy files from the volume.
Write	Append or write files to the volume.

The security profile of a tape volume is stored in the ANSI VOL1 and VOL2 labels written on the tape. The VOL2 label contains system-specific information. To override the creation of VOL2 labels, specify the /INTERCHANGE qualifier with the INITIALIZE command or the INIT$_INTERCHANGE itemcode on the $INIT_VOL system service.

Foreign Volume Protection

The operating system also supports foreign tape volumes. (Foreign volumes either lack the standard volume label or have been mounted with the /FOREIGN qualifier.) When a tape volume is mounted with the /FOREIGN qualifier, users in the system and owner categories are always given full access (read, write, logical, and physical), regardless of what is specified in the protection code.

Using the /PROTECTION Qualifier with Tape Volumes

If you use the /PROTECTION qualifier when you initialize tape volumes, the protection code is written to a system-specific volume label.

With the /PROTECTION qualifier, the system applies only read (R) and write (W) access restrictions. (Execute [E] and delete [D] access do not apply.) The system and the owner always receive both read (R) and write (W) access to magnetic tapes, regardless of the protection code you specify.

Protecting Tape Volumes for Interchange Environments

You can protect tape volumes for interchange between OpenVMS and other operating systems.

The following list contains guidelines for protecting specific types of magnetic tapes:

With tapes processed on any operating system that supports a version of the ANSI standard later than Version 3, the system processes accessibility information in the first volume label.

To process magnetic tapes created on a HP operating system other than the OpenVMS operating system Version 4.0 or later, a user must have VOLPRO privilege and must explicitly override the check on the protection as follows:

The tape file system allows you to specify values for the fields in which other HP operating systems currently write their protection information. Except under the conditions described in the last bulleted item, the OpenVMS operating system does not process these fields. Thus, you can use these fields to store the protection values for another operating system without affecting the system protection characteristics on that particular volume.

Auditing Volume Access

You can enable auditing for the volume object class; the system then audits disk volume access, with the following exceptions:

The system does not audit volume creation or deletion.

The system does not audit access for tapes, ODS-1, or foreign-mounted volumes.

Footnotes

1 x,x is the UIC of the process that performs the initialization.

( Number takes you back )

Initializing Volumes

Mounting Volumes