The access control list editor (ACL editor) is a screen-oriented
editor used to create and maintain ACLs. Use the ACL editor to define
an ACL for a protected object or to edit an existing ACL.
You can use either the EDIT/ACL command or the SET SECURITY/EDIT
command to invoke the ACL editor. In the command line, specify the
name of the object whose ACL you want to create or modify. For example,
the following command invokes the ACL editor to create an ACL for
the file INVENTORY.DAT:
$ EDIT/ACL INVENTORY.DAT
If the object whose ACL you want to create or modify is not
a file, you must specify the type of object with the /CLASS qualifier.
For example, the following command invokes the ACL editor to create
an ACL for the disk DOCD$:
$ EDIT/ACL/CLASS=DEVICE DOCD$
You can invoke the ACL editor either to modify an existing ACL or
to create a new ACL on the object. If the object already has an ACL,
that ACL appears on the screen when the ACL editor is invoked.
The ACL editor can be invoked from within a program written
in any OpenVMS common language that generates calls using the OpenVMS
calling standard. Refer to the OpenVMS Utility Routines Manual for more information about
using the callable interface to the ACL editor.
Adding an Identifier ACE
An Identifier ACE controls the types of access allowed to
a particular user or group of users. It has the following format:
(IDENTIFIER=identifier[,options][,access])
For example, the following ACE grants user Pat, who is identified
by the UIC identifier [SALES,PAT], read, write, and execute access
to a file. The ACL denies Pat delete and control access because
it omits them from the access statement.
The Default attribute of an Identifier ACE allows users to
define one or more default ACEs for inclusion in the ACLs for newly
created files in a particular directory. Thus, if you wanted all
files in the directory [MALCOLM] to have an ACE that permitted read
and write access to users with the PERSONNEL identifier, you could
include the following ACE in the ACL for the file MALCOLM.DIR:
As a result of this ACE, any file created in the [MALCOLM]
directory has the following ACE:
(IDENTIFIER=PERSONNEL,ACCESS=READ+WRITE)
Refer to the HP OpenVMS Guide to System Security for further discussion of the Default
attribute and its effect on the processing of an ACL.
Setting a Default Protection Code
A Default Protection ACE defines a protection code for all
files that are subsequently created in the directory and in any
subdirectories under that directory, unless protection is specified
for one of those files individually. The ACE does not apply if a
previous version of the file exists (in this case, the previous
file protection is used). This ACE type has the following format:
(DEFAULT_PROTECTION[,options],protection-code)
For example, the following ACE specifies that users in the
system and owner categories have read, write, execute, and delete
access to any files subsequently created in the directory, and that
group and world users have no access:
(DEFAULT_PROTECTION,S:RWED,O:RWED,G,W)
The Default Protection ACE does not apply to subdirectories that
already exist. It applies only to subdirectories created after the
ACE is added to the parent directory.
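The inheritance rules described for the Default attribute and for the Default Protection ACE, worked through in code. This is an added example, not part of the OpenVMS documentation or the ACL editor: it parses ACE strings in the format shown above and derives what a newly created file picks up from its directory's ACL. The sample directory ACL is constructed; OPTIONS=DEFAULT is the OpenVMS spelling of the Default attribute, which this page abbreviates as "[,options]".

```python
# Constructed sample: an ACL on a directory file such as MALCOLM.DIR.
# OPTIONS=DEFAULT is the OpenVMS spelling of the Default attribute.
DIRECTORY_ACL = [
    "(IDENTIFIER=PERSONNEL,OPTIONS=DEFAULT,ACCESS=READ+WRITE)",
    "(IDENTIFIER=[SALES,PAT],ACCESS=READ+WRITE+EXECUTE)",  # no Default attribute
    "(DEFAULT_PROTECTION,S:RWED,O:RWED,G,W)",
]
ACCESS_ORDER = ["READ", "WRITE", "EXECUTE", "DELETE", "CONTROL"]

def _split_fields(body):
    """Split an ACE body on commas, except commas inside a [GROUP,MEMBER] UIC."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return parts + [cur]

def parse_ace(text):
    """Parse one ACE into a dict; a protection category listed without ':' gets no access."""
    fields = _split_fields(text.strip()[1:-1])  # drop the enclosing parentheses
    if fields[0] == "DEFAULT_PROTECTION":
        return {"kind": "DEFAULT_PROTECTION", "code": {c: set(r) for c, _, r in
                (f.partition(":") for f in fields[1:]) if c in ("S", "O", "G", "W")}}
    ace = {"kind": "IDENTIFIER", "identifier": None, "options": set(), "access": set()}
    for field in fields:
        key, _, value = field.partition("=")
        if key == "IDENTIFIER":
            ace["identifier"] = value
        elif key in ("OPTIONS", "ACCESS"):
            ace[key.lower()] = set(value.split("+"))
    return ace

def denied_access(ace):
    """Access types an Identifier ACE denies: every type it does not list."""
    return set(ACCESS_ORDER) - ace["access"]

def new_file_security(directory_acl, previous_version_exists=False):
    """(ACL, protection code) a newly created file picks up from its directory's ACL.
    Default-attribute ACEs are copied without the attribute; the Default Protection
    ACE is ignored when a previous version of the file exists (protection -> None)."""
    acl, protection = [], None
    for ace in map(parse_ace, directory_acl):
        if ace["kind"] == "IDENTIFIER" and "DEFAULT" in ace["options"]:
            access = "+".join(sorted(ace["access"], key=ACCESS_ORDER.index))
            acl.append("(IDENTIFIER=%s,ACCESS=%s)" % (ace["identifier"], access))
        elif ace["kind"] == "DEFAULT_PROTECTION" and not previous_version_exists:
            protection = ace["code"]
    return acl, protection
```

Running new_file_security(DIRECTORY_ACL) yields the single inherited ACE shown above for the [MALCOLM] case together with the S:RWED,O:RWED,G,W protection code, while Pat's ACE is not inherited at all and denies DELETE and CONTROL on the directory itself.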
Generating Security Alarms and Audits
Security ACEs allow you to specify that an event message be
sent when a protected object is accessed in a particular manner.
The security Alarm ACE directs the event message to the security
operator's terminal and the security Audit ACE directs the event
message to the system security audit log file.
Refer to the HP OpenVMS Guide to System Security for more information
about how to use these types of ACEs.