Securing Disk Files [ Performing System Management Tasks ] MPE/iX 5.0 Documentation
Performing System Management Tasks
Securing Disk Files
File security addresses the question, "Who has what types of access to
which files?" The security system you implement depends on the particular
system, its location, and its applications. At a minimum, you choose
which types of users have access to an account, an MPE group, or a file
and what kind of access they have. For example, you may decide that any
user can read files in an account, but only certain users can execute its
program files.
To identify a user's file access
To identify a user's file access, use the LISTACCT or LISTGROUP commands.
For example, to display the security of a particular account, enter:
LISTACCT accountname
Or, to display the security of a particular group, enter:
LISTGROUP groupname.accountname
File access modes describe what kind of access a user has to a file.
The following table defines these modes:
Table 8-3. File Access Modes
------------------------------------------------------------------------------------------
| Code | Description                                                                     |
------------------------------------------------------------------------------------------
| R    | Read access allows users to read files only.                                    |
------------------------------------------------------------------------------------------
| L    | Lock access permits a user to lock a file or prevent concurrent access to it.   |
------------------------------------------------------------------------------------------
| A    | Append access allows users to add or append information to files, but          |
|      | prohibits altering information already written. Implies lock access mode.       |
------------------------------------------------------------------------------------------
| W    | Write access allows users to add, delete, or change information in files.       |
|      | Also allows users to purge files. Implicitly allows lock and append access      |
|      | modes.                                                                          |
------------------------------------------------------------------------------------------
| S    | Save access allows users to declare files within a group as permanent.          |
|      | Pertains only to group level.                                                   |
------------------------------------------------------------------------------------------
| X    | Execute access allows users to execute or run program files.                    |
------------------------------------------------------------------------------------------
To define a user's file access
Security is established for a file, group, and account by specifying
which types of users have each specific access type. For example, to
allow anyone to run (execute) a program, specify X:ANY.
The following table lists user types available to the file access modes.
Table 8-4. User Types
------------------------------------------------------------------------------------------
| User Type | Description of User                                                        |
------------------------------------------------------------------------------------------
| ANY       | Anyone on the system. Includes all types below.                            |
------------------------------------------------------------------------------------------
| AC        | Any user in the account. Includes all AL, GU, and CR users in the account. |
------------------------------------------------------------------------------------------
| AL        | Account librarian. A user who can manage certain files within the account, |
|           | which may include more than one group.                                     |
------------------------------------------------------------------------------------------
| CR        | The creator of the file.                                                   |
------------------------------------------------------------------------------------------
| GU        | Group user. Any user allowed access to this group as the logon or home     |
|           | group, including all GL users applicable to the group.                     |
------------------------------------------------------------------------------------------
| GL        | Group librarian. A user who manages certain files within a home group only.|
------------------------------------------------------------------------------------------
To establish security for a file, group, or account
To establish security for a file, group, or account, use the NEWACCT,
ALTACCT, NEWGROUP, and ALTGROUP commands with the ACCESS parameter. The
following examples illustrate how to establish security with these
commands:
NEWACCT PAYROLL,MGR;PASS=MONEY;ACCESS=(R,X:ANY;W,A,L:CR)
NEWGROUP INCOME.PAYROLL;ACCESS=(R,X,W,A,L:ANY)
ALTACCT PAYROLL;ACCESS=(R,X:AC;W,A,L:CR)
ALTGROUP INCOME.PAYROLL;ACCESS=(R,X,W,A,L:GU)
To access a file, a user must have capability at the most restrictive
level of security applied to the file (account, group, or file). If
someone fails to meet access criteria for any one of the three levels of
security, that user cannot access the file.
File-access restrictions for an account or group are set when you or the
account manager creates them. The system assigns the following defaults
for file access when they are not explicitly defined:
Table 8-5. Default File Access for Accounts
-----------------------------------------------------------------------------------------------
| Account            | Access Modes     | User Types |
-----------------------------------------------------------------------------------------------
| SYS                | R, X             | Any        |
|                    | A, W, L          | AC         |
-----------------------------------------------------------------------------------------------
| All other accounts | R, A, W, L, X    | AC         |
-----------------------------------------------------------------------------------------------
Table 8-6. Default File Access for Groups
-----------------------------------------------------------------------------------------------
| Group              | Access Modes     | User Types |
-----------------------------------------------------------------------------------------------
| non-PUB group      | R, A, W, S, L, X | GU         |
-----------------------------------------------------------------------------------------------
| PUB group          | R, X             | Any        |
|                    | A, L, S, W       | AL, GU     |
-----------------------------------------------------------------------------------------------
File-level values default to (R, A, W, L, X: Any).
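The following is an added example, not code from the MPE/iX manual: a small Python evaluator for ACCESS= specifications that applies the rules above together, namely the implied modes from Table 8-3, the user-type containment from Table 8-4, the defaults from Tables 8-5 and 8-6, and the requirement that the account, group and file levels all grant the request. Treating CR as a user within the account, and checking S at the group level only, are modelling assumptions taken from the table notes.

```python
# Added example (not from the MPE/iX manual): evaluate ACCESS= specs such as
# "(R,X:ANY;W,A,L:CR)" against a user's types at the account, group and file levels.
from typing import Dict, Set

# Table 8-4 containment: ANY covers everyone; AC covers AL, GU and CR users;
# GU covers GL users. Assumption: CR is a user within the account.
INCLUDES: Dict[str, Set[str]] = {
    "ANY": {"ANY", "AC", "AL", "GU", "GL", "CR"},
    "AC": {"AC", "AL", "GU", "GL", "CR"},
    "AL": {"AL"}, "GU": {"GU", "GL"}, "GL": {"GL"}, "CR": {"CR"},
}
# Table 8-3: W implies A and L; A implies L.
IMPLIED: Dict[str, Set[str]] = {"W": {"A", "L"}, "A": {"L"}}

def parse_access(spec: str) -> Dict[str, Set[str]]:
    """Turn '(modes:users;...)' into {mode: user types}; a stray ',' before ':' is ignored."""
    grants: Dict[str, Set[str]] = {}
    for entry in spec.strip().strip("()").split(";"):
        modes, _, users = entry.partition(":")
        mode_set = {m.strip().upper() for m in modes.split(",") if m.strip()}
        user_set = {u.strip().upper() for u in users.split(",") if u.strip()}
        for m in list(mode_set):            # expand implied modes
            mode_set |= IMPLIED.get(m, set())
        for m in mode_set:
            grants.setdefault(m, set()).update(user_set)
    return grants

def level_grants(grants: Dict[str, Set[str]], mode: str, held: Set[str]) -> bool:
    """One level permits `mode` if the user holds any type that an entry's user type covers."""
    return any(held & INCLUDES[t] for t in grants.get(mode, set()))

def can_access(mode: str, held: Set[str], account: str, group: str, file: str) -> bool:
    """Most-restrictive rule: every applicable level must grant the mode.
    S pertains only to the group level (Table 8-3), so only the group spec is consulted."""
    mode = mode.upper()
    levels = (group,) if mode == "S" else (account, group, file)
    return all(level_grants(parse_access(spec), mode, held) for spec in levels)

# Defaults from Tables 8-5 and 8-6 and the file-level default, written as ACCESS specs.
DEFAULT_ACCOUNT = {"SYS": "(R,X:ANY;A,W,L:AC)", "OTHER": "(R,A,W,L,X:AC)"}
DEFAULT_GROUP = {"PUB": "(R,X:ANY;A,L,S,W:AL,GU)", "OTHER": "(R,A,W,S,L,X:GU)"}
DEFAULT_FILE = "(R,A,W,L,X:ANY)"

if __name__ == "__main__":
    # PAYROLL as set up in the examples above: anyone may read/run, only the creator writes.
    acct, grp = "(R,X:ANY;W,A,L:CR)", "(R,X,W,A,L:ANY)"
    print("group user writes:", can_access("W", {"GU"}, acct, grp, DEFAULT_FILE))   # False
    print("creator writes:   ", can_access("W", {"CR"}, acct, grp, DEFAULT_FILE))   # True
```

With the defaults alone, an account user who is not a group user of PUB is denied W on PUB files, and a user outside a non-SYS account is denied R, which the evaluator reproduces.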