System managers might choose to enforce one or both of the following restrictions:
Prevent users on a VAX node from accessing files on an ODS-5 volume.
Prevent untested applications from accessing files on an ODS-5 volume. (You can allow certain users to override this access control on an ODS-5 volume.)
The system manager can impose either of these restrictions by using normal OpenVMS discretionary controls: identifiers in the rights database and identifier ACEs on the volume. Like any discretionary control, a denying ACE is not absolute. A user who qualifies for access through the owner or system field of the volume's protection code, or who holds a privilege such as BYPASS, SYSPRV, GRPPRV, or READALL, is not stopped by it, so treat these restrictions as guards for ordinary users rather than as a boundary against privileged ones. Refer to the HP OpenVMS Guide to System Security for more information.
The following sections contain examples of restrictions you can impose.
Preventing VAX Users from Accessing an ODS-5 Volume
Follow these steps to prevent a user from accessing an ODS-5 volume from a VAX node:
1. Define an identifier (for example, VAX_NODE) to identify users running on an OpenVMS VAX node, for example:
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD /IDENTIFIER VAX_NODE
%UAF-I-RDBADDMSG, identifier VAX_NODE value %X80010037 added to rights database
2. On each VAX node, add VAX_NODE to the system rights list; for example:
$ SET RIGHTS_LIST /ENABLE /SYSTEM VAX_NODE
The /ENABLE qualifier in the command adds VAX_NODE to the system rights list, which every process on that node holds in addition to its own identifiers. The system rights list is kept in memory and is empty after a reboot, so also add this command to the SYSTARTUP_VMS.COM command procedure of each VAX node so that the identifier is enabled again at every startup.
3. To prevent anyone on a VAX node from gaining access to an ODS-5 volume, place an Access Control Entry (ACE) on the volume that denies access to holders of the VAX_NODE identifier, for example:
$ SET SECURITY /CLASS=VOLUME ODS5_DISK /ACL=(ID=VAX_NODE,ACCESS=NONE)
Because the first matching ACE in an ACL decides the outcome, this ACE is effective only if no earlier ACE grants access to the same holders; confirm its position with SHOW SECURITY /CLASS=VOLUME ODS5_DISK, and again after any later change to the volume's ACL.
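The three steps above gathered into one command procedure that can be run repeatedly and called from SYSTARTUP_VMS.COM. This is an added example, not part of the manual: the procedure name ODS5_VAX_RESTRICT.COM, the use of F$IDENTIFIER to skip an identifier that already exists, the F$GETSYI("ARCH_NAME") guard, and the delete-then-add idiom for the ACE are the example's own choices. It assumes a privileged account (CMKRNL for SET RIGHTS_LIST /SYSTEM and write access to the rights database for AUTHORIZE) and that the volume is mounted as ODS5_DISK.

```dcl
$! ODS5_VAX_RESTRICT.COM -- added example, not part of the OpenVMS manual.
$! Gathers the three steps into one re-runnable procedure: create the
$! VAX_NODE identifier if needed, enable it in the system rights list on
$! VAX nodes only, and deny VAX_NODE holders access to the ODS-5 volume.
$! Assumptions (the example's own): the caller holds CMKRNL (for
$! SET RIGHTS_LIST /SYSTEM) and can write the rights database (for
$! AUTHORIZE); the volume is mounted as ODS5_DISK.
$ SET NOON
$ volume = "ODS5_DISK"
$!
$! Step 1. Create the identifier only if it is not already in the rights
$!   database: F$IDENTIFIER returns 0 for an unknown name.
$ IF F$IDENTIFIER("VAX_NODE", "NAME_TO_NUMBER") .EQ. 0
$ THEN
$     WRITE SYS$OUTPUT "Adding identifier VAX_NODE to the rights database"
$     MCR AUTHORIZE ADD /IDENTIFIER VAX_NODE
$ ENDIF
$!
$! Step 2. The system rights list is held in memory and is empty after a
$!   reboot, so this part belongs in SYSTARTUP_VMS.COM. The architecture
$!   check makes the procedure harmless if it is ever invoked on an Alpha
$!   or Integrity node, which must not grant VAX_NODE to its users.
$ IF F$GETSYI("ARCH_NAME") .EQS. "VAX"
$ THEN
$     SET RIGHTS_LIST /ENABLE /SYSTEM VAX_NODE
$     WRITE SYS$OUTPUT "VAX_NODE enabled in the system rights list"
$ ELSE
$     WRITE SYS$OUTPUT "Not a VAX node; system rights list left unchanged"
$ ENDIF
$!
$! Step 3. The ACL is stored on the volume, so it applies clusterwide and
$!   needs setting only once. Deleting a matching ACE first (an error
$!   message if none exists, which SET NOON lets the procedure continue
$!   past) keeps repeated runs from stacking duplicate ACEs.
$ SET SECURITY /CLASS=VOLUME 'volume' /ACL=(ID=VAX_NODE,ACCESS=NONE) /DELETE
$ SET SECURITY /CLASS=VOLUME 'volume' /ACL=(ID=VAX_NODE,ACCESS=NONE)
$!
$! Verify. The volume ACL should show (IDENTIFIER=VAX_NODE,ACCESS=NONE)
$!   ahead of any ACE that grants access, and on a VAX node the system
$!   rights section of SHOW PROCESS /RIGHTS should list VAX_NODE.
$ SHOW SECURITY /CLASS=VOLUME 'volume'
$ SHOW PROCESS /RIGHTS
$ EXIT
```

Run it once from a privileged account as @SYS$MANAGER:ODS5_VAX_RESTRICT to create the identifier and place the ACE, then invoke it from SYSTARTUP_VMS.COM on each VAX node; on later runs Step 1 is skipped and Step 3 replaces the ACE rather than adding a second copy.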
Preventing an Untested Application from Accessing an ODS-5 Volume
Follow these steps to prevent an untested application from accessing an ODS-5 volume:
1. Define an identifier (for example, ODS5_UNSAFE) with the SUBSYSTEM attribute to identify applications that you do not want to access an ODS-5 volume, for example:
UAF> ADD /IDENTIFIER ODS5_UNSAFE /ATTR=SUBSYSTEM
%UAF-I-RDBADDMSG, identifier ODS5_UNSAFE value %X80010039 added to rights database
2. Attach a protected subsystem ACE with the ODS5_UNSAFE identifier to the application image, for example:
$ SET SECURITY /CLASS=FILE SYS$SYSTEM:APPLICATION.EXE -
_$ /ACL=(SUBSYSTEM,ID=ODS5_UNSAFE)
While the image runs, the process holds ODS5_UNSAFE in addition to the user's own identifiers, which is what the volume ACE in the next step matches on. Protected subsystems are honored only on the system disk and on volumes mounted with the /SUBSYSTEM qualifier; if the application resides on another volume, mount that volume with MOUNT /SUBSYSTEM, or the identifier is never granted and the restriction has no effect.
3. To each ODS-5 volume, attach an ACE denying access to holders of the ODS5_UNSAFE identifier, for example:
$ SET SECURITY /CLASS=VOLUME ODS5_DISK /ACL=(ID=ODS5_UNSAFE,ACCESS=NONE)
Optionally, you can override the restriction in Step 3 so that trained users can use untested applications on an ODS-5 volume, by following the remaining lettered steps:
a. Create another identifier (for example, ODS5_UNTRAINED):
UAF> ADD /IDENTIFIER ODS5_UNTRAINED
%UAF-I-RDBADDMSG, identifier ODS5_UNTRAINED value %X80010038 added to rights database
b. Assign this identifier to all users, for example:
UAF> GRANT/IDENTIFIER ODS5_UNTRAINED *
%UAF-I-GRANTMSG, identifier ODS5_UNTRAINED granted to *
The wildcard grant reaches only the accounts that exist when you issue it. Grant ODS5_UNTRAINED explicitly to each account you create afterwards; otherwise its user is treated as trained and can run untested applications against ODS-5 volumes.
c. Instead of Step 3, place an Access Control Entry (ACE) on the volume that denies access to holders of both the ODS5_UNSAFE and the ODS5_UNTRAINED identifier; for example:
$ SET SECURITY /CLASS=VOLUME ODS5_DISK -
_$ /ACL=(ID=ODS5_UNSAFE+ODS5_UNTRAINED,ACCESS=NONE)
The plus sign joins the two identifiers, so this ACE matches only a process that holds both: an untrained user running the untested application. A trained user running the same application, or an untrained user running any other application, does not match and is governed by the rest of the ACL and by the volume's protection code. Do not leave the single-identifier ACE from Step 3 on the volume as well; it would still deny everyone who runs the application, trained or not.
d. Remove the identifier from individual users when you are willing to let them use any application on an ODS-5 volume, for example:
UAF> REVOKE/IDENTIFIER ODS5_UNTRAINED SHEILA_USER
%UAF-I-REVOKEMSG, identifier ODS5_UNTRAINED revoked from SHEILA_USER
After you complete these steps:
An untrained user can use an untested application only to access ODS-2 volumes.
A trained user can access ODS-5 volumes with any application.
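Steps 1 through 3 and the optional lettered steps above, as one parameterized command procedure. This is an added example, not part of the manual: the procedure name ODS5_UNSAFE_RESTRICT.COM, its P1 to P3 parameters, the F$IDENTIFIER checks, and the delete-then-add idiom that keeps re-runs from stacking duplicate ACEs are the example's own choices. It assumes a privileged account that can write the rights database and has control access to the image and the volume, and that the image resides on the system disk or on a volume mounted with /SUBSYSTEM.

```dcl
$! ODS5_UNSAFE_RESTRICT.COM -- added example, not part of the OpenVMS manual.
$! Implements Steps 1-3 and the optional lettered steps:
$!   P1 = image to mark as untested   (default SYS$SYSTEM:APPLICATION.EXE)
$!   P2 = ODS-5 volume to protect     (default ODS5_DISK)
$!   P3 = "TRAINED" to deny only untrained users (ODS5_UNSAFE+ODS5_UNTRAINED);
$!        anything else denies the application for everyone (ODS5_UNSAFE)
$! Assumptions (the example's own): the caller can write the rights
$! database and has control access to the image and the volume, and the
$! image sits on the system disk or on a volume mounted with /SUBSYSTEM.
$ SET NOON
$ image  = F$EDIT(P1, "TRIM,UPCASE")
$ volume = F$EDIT(P2, "TRIM,UPCASE")
$ IF image  .EQS. "" THEN image  = "SYS$SYSTEM:APPLICATION.EXE"
$ IF volume .EQS. "" THEN volume = "ODS5_DISK"
$!
$! Step 1. The SUBSYSTEM attribute is what allows the identifier to be
$!   granted to a running image instead of to a user.
$ IF F$IDENTIFIER("ODS5_UNSAFE", "NAME_TO_NUMBER") .EQ. 0 THEN -
      MCR AUTHORIZE ADD /IDENTIFIER ODS5_UNSAFE /ATTRIBUTES=SUBSYSTEM
$!
$! Step 2. While the image runs, the process holds ODS5_UNSAFE on top of
$!   the user's own identifiers. Delete-then-add keeps re-runs from
$!   stacking duplicate ACEs on the image.
$ SET SECURITY /CLASS=FILE 'image' /ACL=(SUBSYSTEM,ID=ODS5_UNSAFE) /DELETE
$ SET SECURITY /CLASS=FILE 'image' /ACL=(SUBSYSTEM,ID=ODS5_UNSAFE)
$!
$! Step 3 or Step c. Exactly one of the two deny ACEs may be on the
$!   volume: if the plain ODS5_UNSAFE ACE stayed alongside the compound
$!   one, it would still deny trained users who run the application.
$ plain_ace    = "(ID=ODS5_UNSAFE,ACCESS=NONE)"
$ compound_ace = "(ID=ODS5_UNSAFE+ODS5_UNTRAINED,ACCESS=NONE)"
$ IF P3 .EQS. "TRAINED"
$ THEN
$!    Steps a and b. GRANT * reaches only accounts that exist now; grant
$!    ODS5_UNTRAINED to accounts created later or they count as trained.
$     IF F$IDENTIFIER("ODS5_UNTRAINED", "NAME_TO_NUMBER") .EQ. 0
$     THEN
$         MCR AUTHORIZE ADD /IDENTIFIER ODS5_UNTRAINED
$         MCR AUTHORIZE GRANT /IDENTIFIER ODS5_UNTRAINED *
$     ENDIF
$     want_ace = compound_ace
$     drop_ace = plain_ace
$ ELSE
$     want_ace = plain_ace
$     drop_ace = ""
$!    The compound ACE can only be present if ODS5_UNTRAINED exists.
$     IF F$IDENTIFIER("ODS5_UNTRAINED", "NAME_TO_NUMBER") .NE. 0 THEN -
          drop_ace = compound_ace
$ ENDIF
$ IF drop_ace .NES. "" THEN -
      SET SECURITY /CLASS=VOLUME 'volume' /ACL='drop_ace' /DELETE
$ SET SECURITY /CLASS=VOLUME 'volume' /ACL='want_ace' /DELETE
$ SET SECURITY /CLASS=VOLUME 'volume' /ACL='want_ace'
$!
$! Verify. The image ACL should show (SUBSYSTEM,IDENTIFIER=ODS5_UNSAFE)
$!   and the volume ACL should show the chosen deny ACE ahead of any ACE
$!   that grants access, since the first matching ACE decides.
$ SHOW SECURITY /CLASS=FILE 'image'
$ SHOW SECURITY /CLASS=VOLUME 'volume'
$ EXIT
```

Invoke it as @SYS$MANAGER:ODS5_UNSAFE_RESTRICT SYS$SYSTEM:APPLICATION.EXE ODS5_DISK TRAINED for the variant that spares trained users, or without the third parameter to deny the application outright. Marking a user as trained is still Step d, done by hand: MCR AUTHORIZE REVOKE /IDENTIFIER ODS5_UNTRAINED SHEILA_USER.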