skip book previous and next navigation links
go up to top of book: HP OpenVMS Guide to System SecurityHP OpenVMS Guide to System Security
go to beginning of part: Security for the System AdministratorSecurity for the System Administrator
go to beginning of chapter: Using Protected SubsystemsUsing Protected Subsystems
go to previous page: System Management RequirementsSystem Management Requirements
go to next page: Enabling Protected Subsystems on a Trusted VolumeEnabling Protected Subsystems on a Trusted Volume
end of book navigation links

Building the Subsystem  



Once managers of the subsystem have the appropriate identifiersand access rights as described in System Management Requirements, they can add the necessary ACEs to a subsystem image.Two kinds of ACEs are necessary to construct a subsystem: the applicationimage receives a Subsystem ACE, and the objects managed by the subsystemreceive Identifier ACEs. Therefore, building a subsystem requiresthe following steps:
  1. Create a SubsystemACE containing the subsystem identifier in the ACLs of the applicationimages. A Subsystem ACE has the following format: (SUBSYSTEM,{IDENTIFIER=identifier[,ATTRIBUTES=attributes]})

  2. Grant access to the objects managed by the subsystem.You need to add an Identifier ACE to the ACL of the various objectsbelonging to the subsystem. Each Identifier ACE contains one ofthe subsystem identifiers in the following format: (IDENTIFIER=identifier, ACCESS=access-type[+...])

In the following example, the subsystem manager uses the DCLcommand SET SECURITY to associate the subsystem identifier withthe images that make up the subsystem. First, the subsystem manageradds a Subsystem ACE with the identifierMEMBERS_SUBSYSTEM to the ACL of the application image MEMBER_LIST.EXE: 

$ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,-_$ ATTRIBUTES=RESOURCE) MEMBER_LIST.EXE
Then the subsystem manager adds an Identifier ACE with thesubsystem identifier MEMBERS_SUBSYSTEM to the data files managedby the subsystem:
$ SET SECURITY/ACL=(IDENTIFIER=MEMBERS_SUBSYSTEM,-_$ ACCESS=READ+WRITE) MEMBER_DATA*.DAT
The DCL command SHOW SECURITY displays the security attributesof the files. For example: 
$ SHOW SECURITY MEMBER_LIST.EXEMEMBER_LIST.EXE object of class FILE     Owner: [STAFF]     Protection: (System: RWED, Owner: RWED, Group, World: RE)     Access Control List: (SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,ATTRIBUTES=RESOURCE)
$ SHOW SECURITY MEMBER_DATA*.DATMEMBER_DATA_1.DAT object of class FILE     Owner: MEMBERS_SUBSYSTEM     Protection: (System: RWED, Owner: RWED, Group, World)     Access Control List: (IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=READ+WRITE)MEMBER_DATA_2.DAT object of class FILE     Owner: MEMBERS_SUBSYSTEM     Protection: (System: RWED, Owner: RWED, Group, World)     Access Control List: (IDENTIFIER=MEMBERS_SUBSYSTEM,            ACCESS=READ+WRITE)
go to previous page: System Management RequirementsSystem Management Requirements
go to next page: Enabling Protected Subsystems on a Trusted VolumeEnabling Protected Subsystems on a Trusted Volume