| Chapter 31 |
|
31
|
Creating User-Written System Services
|
|
31.1
|
Overview
|
|
31.2
|
Writing a Privileged Routine (User-Written System Service)
|
|
31.3
|
Creating a Privileged Shareable Image (VAX Only)
|
|
31.3.1
|
Creating User-Written Dispatch Routines on VAX Systems
|
|
31.3.2
|
Creating a PLV on VAX Systems
|
|
31.3.3
|
Declaring Privileged Routines as Universal Symbols Using Transfer Vectors on VAX Systems
|
|
31.4
|
Creating a User-Written System Service (Alpha and I64 Only)
|
|
31.4.1
|
Creating a PLV on Alpha and I64 Systems
|
|
31.4.2
|
Declaring Privileged Routines as Universal Symbols Using Symbol Vectors on Alpha and I64 Systems
|
| Chapter 32 |
|
32
|
System Security Services
|
|
32.1
|
Overview of the Operating System's Protection Scheme
|
|
32.2
|
Identifiers
|
|
32.2.1
|
Identifier Format
|
|
32.2.2
|
General Identifiers
|
|
32.2.3
|
System-Defined Identifiers
|
|
32.2.4
|
UIC Identifiers
|
|
32.2.5
|
Facility Identifiers
|
|
32.2.6
|
Identifier Attributes
|
|
32.3
|
Rights Database
|
|
32.3.1
|
Initializing a Rights Database
|
|
32.3.2
|
Using System Services to Affect a Rights Database
|
|
32.3.2.1
|
Translating Identifier Values and Identifier Names
|
|
32.3.2.2
|
Adding Identifiers and Holders to the Rights Database
|
|
32.3.2.3
|
Determining Holders of Identifiers
|
|
32.3.2.4
|
Determining Identifiers Held by a Holder
|
|
32.3.2.5
|
Modifying the Identifier Record
|
|
32.3.2.6
|
Modifying a Holder Record
|
|
32.3.2.7
|
Removing Identifiers and Holders from the Rights Database
|
|
32.3.3
|
Search Operations
|
|
32.3.4
|
Modifying a Rights List
|
|
32.4
|
Persona (Alpha and I64 Only1)
|
|
32.4.1
|
Impersonation Services (Alpha and I64 Only)
|
|
32.4.1.1
|
Using Impersonation System Services
|
|
32.4.2
|
Per-Thread Security (Alpha and I64 Only)
|
|
32.4.2.1
|
Previous Security Model
|
|
32.4.2.2
|
Per-Thread Security Model
|
|
32.4.3
|
Persona Extensions (Alpha and I64 Only)
|
|
32.5
|
Managing Object Protection
|
|
32.5.1
|
Protected Objects
|
|
32.5.2
|
Object Security Profile
|
|
32.5.2.1
|
Displaying the Security Profile
|
|
32.5.2.2
|
Modifying the Security Profile
|
|
32.5.3
|
Types of Access Control Entries
|
|
32.5.3.1
|
Design Considerations
|
|
32.5.3.2
|
Translating ACEs
|
|
32.5.3.3
|
Creating and Maintaining ACEs
|
|
32.6
|
Protected Subsystems
|
|
32.7
|
Security Auditing
|
|
32.8
|
Checking Access Protection
|
|
32.8.1
|
Creating a Security Profile
|
|
32.8.2
|
SYS$CHKPRO System Sevice
|
|
32.8.3
|
SYS$CHECK_ACCESS System Service
|
|
32.9
|
SYS$CHECK_PRIVILEGE
|
|
32.10
|
Implementing Site-Specific Security Policies
|
|
32.10.1
|
Creating Loadable Security Services
|
|
32.10.1.1
|
Preparing and Loading a System Service
|
|
32.10.1.2
|
Removing an Executive Loaded Image
|
|
32.10.2
|
Installing Filters for Site-Specific Password Policies
|
|
32.10.2.1
|
Creating a Shareable Image
|
|
32.10.2.2
|
Installing a Shareable Image
|
| Chapter 33 |
|
33
|
Authentication and Credential Management (ACM) System Service (Alpha and I64 Only)
|
|
33.1
|
Identification, Authentication, and Authorization
|
|
33.2
|
ACME Subsystem Components
|
|
33.3
|
SYS$ACM[W] Call Mechanics
|
|
33.3.1
|
SYS$ACM[W] Function Codes
|
|
33.3.2
|
SYS$ACM[W] Function Modifiers
|
|
33.3.3
|
Status Returned by the SYS$ACM[W] System Service
|
|
33.3.3.1
|
When the Return Status Indicates Failure
|
|
33.3.3.2
|
When the Return Status Indicates Success
|
|
33.3.3.2.1
|
When the Primary Status Indicates an Item Code Failure
|
|
33.3.3.2.2
|
When the Primary Status is ACME$_OPINCOMPL
|
|
33.3.4
|
Item Codes
|
|
33.3.4.1
|
Common vs. ACME-Specific Item Codes
|
|
33.3.4.2
|
Distinguishing Between Input and Output Item Codes
|
|
33.3.4.3
|
Text vs. Nontext Items
|
|
33.3.4.4
|
Single-Valued vs. Multivalued Item Semantics
|
|
33.3.5
|
Item Lists
|
|
33.3.5.1
|
Item List Chains
|
|
33.3.6
|
The ACM Communications Buffer and Itemset
|
|
33.3.7
|
Itemset Entries
|
|
33.3.8
|
Synchronization of Your System Service Calls
|
|
33.4
|
Authentication Techniques
|
|
33.4.1
|
Nondialogue Mode Operation
|
|
33.4.2
|
Dialogue Mode Operation
|
|
33.4.3
|
Login Categories and Classes
|
|
33.4.4
|
Principal Names
|
|
33.4.5
|
Targeting Your System Service Calls
|
|
33.4.5.1
|
DOI Names
|
|
33.4.5.2
|
When to Use DOI_NAME vs. DOI_ID
|
|
33.4.5.3
|
Looking Up DOI and ACME IDs
|
|
33.4.6
|
Determining ACME Information with the Query Function
|
|
33.4.7
|
Reporting an Event
|
|
33.5
|
Authentication Scenarios
|
|
33.5.1
|
Simple User Authentication
|
|
33.5.2
|
Evaluating Status Codes
|
|
33.5.3
|
Password Change Dialogue
|
|
33.5.4
|
Reauthentication of Current User
|
|
33.5.5
|
Manipulating Personas
|
|
33.5.6
|
Using CREPRC on Behalf of a User
|
|
33.6
|
Authentication Examples
|
|
33.6.1
|
Example Using Nondialogue Mode (C)
|
|
33.6.2
|
Example Using Dialogue Mode (Pascal)
|
