 |
» |
|
|
|
File security addresses the question, "Who has what types of access
to which files?" The security system you implement depends on the particular
system, its location, and its applications. At a minimum, you choose
which types of users have access to an account, an MPE group, or a
file and what kind of access they have.
For example, you may decide that any user can read files in an account, but
only certain users can execute its program files. To identify a user's file access | |
To identify a user's file access, use the LISTACCT or LISTGROUP
commands. For example, to display the security of a particular account,
enter: Or, to display the security of a particular group, enter:
LISTGROUP groupname.accountname
|
File access modes describes what kind of access a user has to a file.
The following table defines these modes: Table 8-3 File Access Modes | Code | Descriptions |
|---|
| R | Read access allows users to read files only. | | L | Lock access permits a user to lock a file or prevent concurrent access to it. | | A | Append access allows users to add or append information to files, but prohibits altering information already written. Implies lock access mode. | | W | Write access allows users to add, delete, or change information in files. Also allows users to purge files. Implicitly allows lock and append access modes. | | S | Save access allows users to declare files within a group as permanent. Pertains only to group level. | | X | Execute access allows users to execute or run program files.
|
To define a user's file access | |
Security is established for a file, group, and account by
specifying which types of users have each specific access type.
For example, to allow anyone to run (execute) a program, specify X:ANY. The following table lists user types available to the file access modes. Table 8-4 User Types | User Type | Description of User |
|---|
| ANY | Anyone on the system. Includes all types below. | | AC | Any user in the account. Includes all AL, GU, and CR users in the account. | | AL | Account librarian. A user who can manage certain files within the account, which may include more than one group. | | CR | The creator of the file. | | GU | Group user. Any users allowed access to this group as the logon or home group, including all GL users applicable to the group. | | GL | Group librarian. A user who manages certain files within a home group only.
|
To establish security for a file, group, or account | |
To establish security for a file, group, or account,
use the NEWACCT, ALTACCT, NEWGROUP, and ALTGROUP
commands with the ACCESS parameter.
The following examples illustrate how to establish security with
these commands:
NEWACCT PAYROLL,MGR;PASS=MONEY;ACCESS=(R,X:ANY;W,A,L,:CR)
NEWGROUP INCOME.PAYROLL;ACCESS=(R,X,W,A,L,:ANY)
ALTACCT PAYROLL;ACCESS=(R,X,:AC;W,A,L,:CR)
ALTGROUP INCOME.PAYROLL;ACCESS=(R,X,W,A,L,:GU)
|
To access a file, a user must have capability at the most restrictive
level of security applied to the file (account, group, or file).
If someone fails to meet access criteria for any one of the three
levels of security, that user cannot access the file. File-access restrictions for an account or group are set when
you or the account manager creates them.
The system assigns the following defaults for file access when they
are not explicitly defined: Table 8-5 Default File Access for Accounts | Account | Access Modes | User Types |
|---|
| SYS | R, X | Any | | | A, W, L | AC
| | All other accounts | R, A, W, L, X | AC
|
Table 8-6 Default File Access for Groups | Group | Access Modes | User Types |
|---|
| non-PUB group | R, A, W, S, L, X | GU
| | PUB group | R, X | Any | | | A, L, S, W | AL, GU
|
File-level values default to (R, A, W, L, X: Any). |
