SYSPRV Privilege (All)

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security for the System Administrator

Assigning Privileges

SYSNAM Privilege (All)

TMPMBX Privilege (Normal)

SYSPRV Privilege (All)

The SYSPRV privilege lets a process access protected objectsby the system protection field and also read and modify the owner(UIC), the UIC-based protection code, and the ACL of an object.Even if an object is protected against system access, a processwith SYSPRV privilege can change the object's protection to gain accessto it. Any process with SYSPRV privilege can add, modify, or deleteentries in the system user authorization file (SYSUAF.DAT).

Exercise caution when granting this privilege. Normally, grantthis privilege only to system managers and security administrators.If unqualified users have system access rights, the operating systemand service to others can be easily disrupted. Such disruptionscan include failure of the system, destruction of all system anduser data, and exposure of confidential information.

The SYSPRV privilege also lets a process perform the followingtasks:

Task Interface

Modify a file'sexpiration date
SET FILE/EXPIRATION

Modify thenumber of interlocked queue retries
$QIO request to an Ethernet802 driver (DEBNA/NI)

Set the spin-waittime on the port command register
$QIO request to an Ethernet802 driver (DEBNA)

Set the FROMfield in a mail message
MAIL routines

Access a MAILmaintenance record
MAIL

Modify or deletea MAIL database record
MAIL

Modify thegroup number and password of a local area cluster
CLUSTER_AUTHORIZE componentof SYSMAN

Perform transaction recovery,join a transaction as coordinator, transition a transaction
DECdtm software

Task	Interface
Modify a file'sexpiration date	SET FILE/EXPIRATION
Modify thenumber of interlocked queue retries	$QIO request to an Ethernet802 driver (DEBNA/NI)
Set the spin-waittime on the port command register	$QIO request to an Ethernet802 driver (DEBNA)
Set the FROMfield in a mail message	MAIL routines
Access a MAILmaintenance record	MAIL
Modify or deletea MAIL database record	MAIL
Modify thegroup number and password of a local area cluster	CLUSTER_AUTHORIZE componentof SYSMAN
Perform transaction recovery,join a transaction as coordinator, transition a transaction	DECdtm software

A process whose group UIC is less than or equal to the systemparameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRVor implied SYSPRV, it can also perform the following tasks:

Task Interface

Initializea magnetic tape
$INIT_VOL

Override creationof an owner ACE on a newly created file
$QIO request to F11BXQP

Clear the directorybit in a directory's file header
$QIO request to the F11BXQP,SET FILE/NODIRECTORY

Acquire orrelease a volume lock
$QIO request to F11BXQP

Force mountverification on a volume
$QIO request to F11BXQP

Create a fileaccess window with the no access lock bit set
$QIO request to F11BXQP

Specify nulllock mode for a volume lock
$QIO request to F11BXQP

Access a lockedfile
$QIO request to F11BXQP

Disable diskquotas on volume
$QIO request to F11BXQP

Enable disk quotas on volume
$QIO request to F11BXQP

Task	Interface
Initializea magnetic tape	$INIT_VOL
Override creationof an owner ACE on a newly created file	$QIO request to F11BXQP
Clear the directorybit in a directory's file header	$QIO request to the F11BXQP,SET FILE/NODIRECTORY
Acquire orrelease a volume lock	$QIO request to F11BXQP
Force mountverification on a volume	$QIO request to F11BXQP
Create a fileaccess window with the no access lock bit set	$QIO request to F11BXQP
Specify nulllock mode for a volume lock	$QIO request to F11BXQP
Access a lockedfile	$QIO request to F11BXQP
Disable diskquotas on volume	$QIO request to F11BXQP
Enable disk quotas on volume	$QIO request to F11BXQP

SYSNAM Privilege (All)

TMPMBX Privilege (Normal)