[an error occurred while processing this directive]
HP OpenVMS Systems Documentation |
HP OpenVMS System Management Utilities Reference Manual
July 2006
This document describes reference information for System Management utilities used with the OpenVMS Alpha and I64 operating systems.
Revision/Update Information:
This manual supersedes the HP OpenVMS System Management Utilities Reference Manual,
Software Version:
OpenVMS I64 Version 8.3
© Copyright 2006 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Printed in the US
ZK6048 The HP OpenVMS documentation set is available on CD-ROM.
PrefaceThe HP OpenVMS System Management Utilities Reference Manual contains reference information about the utilities that are used to manage the OpenVMS Alpha and I64 operating systems. This manual describes each system management utility and provides examples for frequently used commands and qualifiers. In addition to system management utilities, a description and usage summary of the AUTOGEN command procedure is presented in this reference manual. All commands follow the standard rules of grammar as specified in the HP OpenVMS DCL Dictionary. For information on how to use these system management utilities and AUTOGEN, please refer to the HP OpenVMS System Manager's Manual. Intended AudienceThis manual is intended for system managers and users of the system management utilities for the OpenVMS Alpha and I64 operating systems. Document StructureEach part of this manual, with the exception of the section on the AUTOGEN command procedure, provides reference information for a system management utility. Related DocumentsFor more information on the system management utilities, refer to the following documents:
For additional information about HP OpenVMS products and services, visit the following World Wide Web address:
Reader's CommentsHP welcomes your comments on this manual. Please send comments to either of the following addresses:
How To Order Additional DocumentationFor information about how to order additional documentation, visit the following World Wide Web address:
ConventionsVMScluster systems are now referred to as OpenVMS Cluster systems. Unless otherwise specified, references to OpenVMS Clusters or clusters in this document are synonymous with VMSclusters. The contents of the display examples for some utility commands described in this manual may differ slightly from the actual output provided by these commands on your system. However, when the behavior of a command differs significantly between OpenVMS Alpha and I64, that behavior is described in text and rendered, as appropriate, in separate examples. The following conventions are also used in this manual:
Chapter 1
|
$ EDIT/ACL INVENTORY.DAT |
You can use either the EDIT/ACL command or the SET SECURITY/EDIT command to invoke the ACL editor. For more information about the SET SECURITY command, see the HP OpenVMS DCL Dictionary and the HP OpenVMS Guide to System Security.
By default, the ACL editor creates and modifies ACLs for files. To create an ACL for an object other than a file (for example, to create an ACL for a queue), you must specify the object class when you invoke the ACL editor. For example, the following command invokes the ACL editor to create an ACL for the disk DAPR:
$ EDIT/ACL/CLASS=DEVICE DAPR |
If an ACL for the object you specify already exists, the ACL editor displays the ACL. You can then use keypad editing commands to add, replace, or delete one or more ACEs in the ACL (see Section A.1). To exit from a completed editing session, press Ctrl/Z. To end an editing session without incorporating any of your edits, press the GOLD key (PF1) and then press Ctrl/Z.
For a description of keypad editing commands supplied by the ACL editor, see Appendix A. For information about how to modify the ACL editor by modifying ACL section files, see Appendix B.
In addition to invoking the ACL editor directly or by entering commands at the DCL prompt ($), you can modify an ACL by using the callable interface to the ACL editor (the ACLEDIT$EDIT routine). For information about how to use the ACLEDIT$EDIT routine, see the HP OpenVMS Utility Routines Manual. |
This section describes the entry and display format for the following access control entries (ACEs):
The HP OpenVMS Guide to System Security describes how to use each of these ACEs. You can also
use other types of ACEs. For example, applications can use an
Application ACE to store application-specific information associated
with a file. For a description of the internal format used to store an
ACE, refer to the HP OpenVMS Programming Concepts Manual.
Alarm ACE
Specifies the access criteria that cause an alarm message to be sent to all security operator terminals.ACL alarms are enabled by default; however, alarms are not written to the system security audit log file. If you have existing files or resources protected by Alarm ACEs and you want messages to be recorded in the log file, replace the Alarm ACEs with Audit ACEs.
(ALARM=SECURITY [,OPTIONS=attributes], ACCESS=access-type[+access-type...])
options
Specify any of the following attributes:
Default Indicates that an ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. This attribute is valid for directory files only. Hidden Indicates that this ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. To delete or modify a hidden ACE, you must use the SET SECURITY command. Users need the SECURITY privilege to display a hidden ACE with the DCL commands SHOW SECURITY or DIRECTORY/SECURITY. SECURITY privilege is also required to modify or delete a hidden ACE with the DCL command SET SECURITY. The ACL editor displays the ACE only to show its relative position within the ACL, not to facilitate editing of the ACE. To create a hidden ACE, an application can invoke the $SET_SECURITY system service.
Protected Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
- By using the ACL editor
- By specifying the ACE explicitly when deleting it
Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE.
- By deleting all ACEs, both protected and unprotected
Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs.
The following commands do not delete protected ACEs:
SET SECURITY/ACL/DELETE
SET SECURITY/LIKE
SET SECURITY/DEFAULTNopropagate Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands. None Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field. access
Specify any access that is valid for the object class. refer to the HP OpenVMS Guide to System Security for a listing of valid access types. For an Alarm ACE to have any effect, you must include the keywords SUCCESS, FAILURE, or both with the access types. For example, if the auditing criterion is a failure to obtain write access to an object, specify the following Alarm ACE:
(ALARM=SECURITY, ACCESS=WRITE+FAILURE)
Specifies the access criteria that cause an audit message to be written to the system security audit log file. A message is recorded by default. A message is recorded only if ACL audits are enabled with the DCL command SET AUDIT/AUDIT/ENABLE=ACL.
(AUDIT=SECURITY [,OPTIONS=attributes], ACCESS=access-type[+access-type...])
options
Specify one of the following attributes:
Default Indicates that an ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. This attribute is valid for directory files only. Hidden Indicates that this ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. To delete or modify a hidden ACE, you must use the SET SECURITY command. Users need the SECURITY privilege to display a hidden ACE with the DCL commands SHOW SECURITY or DIRECTORY/SECURITY. SECURITY privilege is also required to modify or delete a hidden ACE with the DCL command SET SECURITY. The ACL editor displays the ACE only to show its relative position within the ACL, not to facilitate editing of the ACE. To create a hidden ACE, an application can invoke the $SET_SECURITY system service.
Protected Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
- By using the ACL editor
- By specifying the ACE explicitly when deleting it
Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE.
- By deleting all ACEs, both protected and unprotected
Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs.
The following commands do not delete protected ACEs:
SET SECURITY/ACL/DELETE
SET SECURITY/LIKE
SET SECURITY/DEFAULTNopropagate Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands. None Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field. access
Specify any access that is valid for the object class. For a listing of valid access types, see the HP OpenVMS Guide to System Security. For an Audit ACE to have any effect, you must include the keywords SUCCESS, FAILURE, or both with the access types. For example, if the auditing criterion is a failure to obtain write access to an object, specify the following Audit ACE:
(AUDIT=SECURITY,ACCESS=WRITE+FAILURE)
Adds an extra ACE to the ACL for a file created within the directory to which you assign the Creator ACE. The Creator ACE applies only when the following conditions exist:
- The file being created is not owned by the user identification code (UIC) of the process creating the file.
- The process creating the file does not have system privileges.
For example, both of these conditions exist when a process holding a general identifier with the Resource attribute creates a file in a directory owned by that identifier. In this situation, the system adds an extra ACE at the top of the new file's ACL. If a Creator ACE exists in the ACL for the parent directory, the system propagates the access specified in the Creator ACE to the new ACE. If a directory lacks a Creator ACE, the system assigns an extra ACE with a combination of control access and ownership access. A Creator ACE with ACCESS=None suppresses the addition of the extra ACE.
The Creator ACE applies to directory files only.
Refer to the HP OpenVMS Guide to System Security for more information.
(CREATOR [,OPTIONS=attribute[+attribute...]],ACCESS=access-type[+access-type...])
options
Specify any of the following attributes:
Protected Protects the ACE against casual deletion. Protected ACEs can be deleted only in the following ways:
- By using the ACL editor
- By specifying the ACE explicitly when deleting it
Use the command SET SECURITY/ACL=(ace)/DELETE to specify and delete an ACE.
- By deleting all ACEs, both protected and unprotected
Use the command SET SECURITY/ACL/DELETE=ALL to delete all ACEs.
The following commands do not delete protected ACEs:
SET SECURITY/ACL/DELETE
SET SECURITY/LIKE
SET SECURITY/DEFAULTNopropagate Indicates that the ACE cannot be copied by operations that usually propagate ACEs. For example, the ACE cannot be copied by the SET SECURITY/LIKE or SET SECURITY/DEFAULT commands. None Indicates that no attributes apply to an entry. Although you can create an ACL entry with OPTIONS=None, the attribute is not displayed. Whenever you specify additional attributes with the None attribute, the other attributes take precedence. The None attribute is equivalent to omitting the field. access
Specify access types that are valid for files (read, write, execute, delete, and control).
Next | Contents | Index |