 |
» |
|
|
|
Capabilities are privileges that can be assigned to users, accounts,
groups, and programs.
Capabilities specify what users can do on the system by implementing four
types of control: user control, file control, program control,
and resource control.
These categories of control are not mutually exclusive.
For example, DI is a
capability to run certain diagnostic programs on the system.
Although classified as a user-control capability,
it also deals with program control. The system manager or account manager has the capability to assign
these privileges or to take them away. The system manager
can assign any privileges to anyone on the system. The account manager
(the person accessing an account with account manager (AM) capability),
can assign capabilities, not exceeding their own, to anyone in the account. The table below summarizes capabilities. The A, G, U, and P
columns in indicate capabilities that can be
allowed to the account (A), group (G), user (U), and program (P) entities. Table 8-2 Capabilities | Capability | Type of Control | A | G | U | P | Description |
|---|
| AL | User | x | | x | | Account librarian allows access to files within the user's account. | | AM | User | x | | x | | Account manager allows access to all files, groups, and user information within the account. | | BA | User/
Program | x | x | x | x | Batch access allows logon with the JOB command. | | CS | File/
Device | x | | x | | Communications subsystems allows exclusive access to a communications device. | | CV | File/
Device | x | | x | | Create volumes is needed to create, alter, and delete mountable volume sets. | | DI | User | x | | x | | Diagnostician allows a user to run certain device and CPU diagnostics or verification programs. | | DS | Program | x | x | x | x | Data segments lets users and programs create and manage extra data segments. | | GL | User | x | | x | | Group librarian allows access to all files within the user's group. | | IA | User/
Program | x | x | x | x | Interactive access allows a user to log on with HELLO. | | LG | User | x | | x | | User logging allows enabling of the logging facility. | | UV | File/Device | x | | x | | Use volumes allows access to nonsystem domain volumes. | | MR | Program | x | x | x | x | Multiple RINs lets a user or program acquire more than one resource identification number (RIN) for a single process. | | NA | User | x | | x | | Network administrator allows use of NMMGR.PUB.SYS to configure NS and LAN and to administer the resulting network.
| | ND | File/
device | x | | x | | Nonshareable devices allows use of nonshareable devices such as the tape drive. | | NM | User | x | | x | | Node manager allows the use of NMMGR.PUB.SYS to configure and manage nodes in a LAN. | | OP | User | x | | x | | Operator allows access to files, groups, user information, and support functions and commands. | | PH | Program | x | x | x | x | Process handling allows direct creation of other processes by executing the user process, so that a program can have a number of concurrently running processes. | | PM | User/
Program | x | x | x | x | Privileged mode gives a user or program access to all resources. | | PS | User/
Program | x | | x | | Programmatic sessions allows use of the STARTSESS command and the STARTSESS intrinsic. | | SF | File/
device | x | | x | | Save files allows users to save files permanently. | | SM | User | x | | x | | System manager allows complete access to the system.
|
When you create accounts, groups, and users, they each receive certain
default capabilities: Accounts are assigned AL, AM, BA, GL, IA, ND, SF capability Groups and programs are assigned BA and IA capability Users are assigned BA, IA, ND and SF capability
You may assign accounts and users all of the capabilities, but you can assign
groups and programs only BA, DS, IA, MR, PH, and PM capability. To assign capabilities | |
To assign capabilities to accounts, groups, users, and programs,
use the NEWACCT, NEWGROUP, and NEWUSER commands.
For example, if you are the system manager or the account manager of
the PAYROLL account, enter the following to assign capabilities
to a new user named GEORGE:
NEWUSER GEORGE.PAYROLL;CAP=IA,BA,ND,SF,
|
To alter capabilities | |
Alter capabilities for existing accounts, groups, and users with
the ALTACCT, ALTGROUP, and ALTUSER commands. For example, to add the group librarian (GL) and
account manager (AM) capabilities
to your new user named GEORGE in the PAYROLL account, enter:
ALTUSER GEORGE.PAYROLL;CAP=IA,BA,ND,SF,GL,AM,OP,PM,DI
|
Or, you can add the GL and AM capabilities to his account by entering
the command this way:
ALTUSER GEORGE.PAYROLL;CAP= +GL
|
To keep track of user events | |
You can have MPE/iX keep track of user events in a log file.
A new log file begins automatically every time you reboot, but you
can also start a new log file as necessary. To keep a certain type of log, you use the LOG configurator in SYSGEN
to change its status to "ON". For more information, read chapter 5 of
this manual. |
