Introduction
Lesson 2 presents information on:

defining capability and access attributes
adding, modifying, and deleting account groups
verifying program capabilities with VERSION
To help you keep track of the files in your account, MPE/iX allows account managers to create individual groups with specified attributes and capabilities. An account manager can list information on all groups within the account, create and alter groups, and assign users to specific groups.

Figure 2-2 Managing Groups
Group Assignments (account manager)

With several users using one account, many account managers choose to assign individual users to specific groups. They also use the PUB group for files of interest to all users. If you are the only user of your account, you may want to consider setting up individual groups for different projects or purposes. No limit exists on the number of groups that you may have in a single account.

Listing Groups in an Account
A quick way to list the groups within an account is to use the REPORT command. Enter that command now on your terminal to see which groups are currently in your account. Here's a sample of what you might see on a terminal screen:
Account    FileSpace-Sectors   CPU-Seconds    Connect-Minutes
/Group     Count    Limit      Count  Limit   Count   Limit
ACCTx       1000    **           234  **       2093   **
/CLASS       950    **             6  **         90   **
/PROJECT       0    **             8  **          3   **
/PUB          50    **           220  **       2000   **
NOTE: For general users, the REPORT command displays only the information about their current group.

The names of the account groups are listed in the far left column. Additional columns state the amount of file space occupied by the group, the cumulative total CPU time used by persons using that group, and their cumulative connect time to the system.

Q1-5 Which of the groups in the display above has done the following?

used the most CPU time
taken the largest portion of file space
been connected for the least amount of time
Group Attributes

Each group is assigned certain attributes selected by the account manager or by the system (default). These attributes can be assigned when the group is created or modified. You can see all of the attributes if you read about NEWGROUP in the help facility (HELP NEWGROUP PARMS) or in the MPE/iX Commands Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364). Two of the most important attributes are capabilities and file access.

Group Capability Attributes

Group capability attributes are very similar to those for accounts and account users. The default capabilities for groups are IA (interactive access) and BA (batch access).

Q1-7 How many of the following attributes can you identify? (Need help? Check under NEWGROUP in the help facility.)

PH =
IA =
BA =
PM =
MR =
DS =

A capability cannot be assigned to a group if the capability has not been assigned to the account in which the group resides. Use the LISTGROUP command and review the information displayed for your account groups. Capabilities are listed at the end of the left column as CAP. Which of the groups in your account have the default capability attributes (BA, IA)? Which group has process handling capability (PH) in addition to the default capabilities?

Group File Access Attributes
File access attributes specify the mode of access that a type of user can have. When a group is created, each type of file access is noted with a single letter abbreviation as follows:
R = Read
L = Lock
A = Append
W = Write (implies A and L)
X = Execute
S = Save
As you remember from the first lesson, user types are also identified with an abbreviation.

Q1-8 How many of the following user abbreviations can you identify? (Need help? Use the help facility for the NEWGROUP command.)

ANY =
AC =
GU =
AL =
GL =
CR =
Use the LISTGROUP command and look again at the information provided for the groups in your account. File access information is displayed on the right side. Which user(s) have read (R) and execute (X) access to the PUB group? Which users have write (W) access to the PROJECT group?

Here is a timesaver for account managers. To list only a single group, use the LISTGROUP command followed by the group name. For example, how would you list only the information for the PUB group? The command LISTGROUP PUB lists information only for the PUB group. If you have a large number of groups in your account, you will find it more efficient to use this command when you want information on a specific group.

NOTE: General users may list information only for their current group. A minimum of account manager capability is required to list information for any other group(s) in the account.
Access Control Definitions

Access codes provide one level of security: they protect accounts and groups. Another level of security works on individual files and allows you to protect specific files (or collections of files). This second level of security is called access control definitions (ACDs). ACDs are provided to meet the requirements of the National Computer Security Center. You might not encounter, or need to use, ACDs unless your organization needs special security for your files. But because you or someone in your organization can set ACDs for the files on your system, you should be aware of what they are.

You can create ACDs for any file that you (your username.accountname) have created. With an ACD, you can prevent others from using, copying, or even looking at one of your files. Account managers (AM) can create ACDs for any file in the account that they manage. System managers (SM) can create ACDs for any file on the computer system that they manage. This means that you cannot use an ACD to protect a file from use by your account manager or your system manager.

There are several ways to create ACD protection for a file. The way most people will use is the ALTSEC command. ALTSEC is shorthand for "alter security." It creates, changes, or removes ACD security provisions for a file. Suppose that you have logged on as JOHN.BUDGET,TAXES (user JOHN in the group TAXES in the BUDGET account). You want to protect a file called TAXRETRN. You could do this:
ALTSEC TAXRETRN;NEWACD=(R,W:JOHN.BUDGET)

You have just given yourself (JOHN.BUDGET) permission to read (look at) and write (change) this file. At the same time, you have denied everyone else permission to use this file in any way.

NOTE: If you are the owner (the creator) of the file TAXRETRN, you do not have to give yourself permission to use the file. The owner of this file, the user who logs on as JOHN.BUDGET, automatically has full access to the file. In fact, you, the owner of a file, cannot take away your own access to that file.
Before you attach an ACD to a file, be sure that you are not accidentally denying access to someone who should have access. There are seven kinds of "permission" you can assign to a file when you decide to protect the file with an ACD.

Table 2-1 ACD Permissions

Permission   Meaning    Description
R            Read       The user can look at or copy the file.
W            Write      The user can add information anywhere in the file. This implies the ability to change existing information.
A            Append     The user can add information to the file, but only at the very end of the file. Append permission does not give the ability to change existing information.
L            Lock       The user can "lock" the file. Locking a file prevents two or more people from making changes to it at the same time (concurrent access). This is less likely to happen with text files, but it can happen with database files, and it raises the question of whose changes are the "real" changes. Locking allows only one person at a time to make changes, so that two or more people are not competing for the same file.
X            Execute    The user can run (execute) the program file to which this ACD is attached. Execute has no meaning for text and data files.
NONE         None       The user has no permission to use the file at all.
RACD         Read ACD   The user can read and copy the ACD (the security provisions) attached to the file.
An ACD has two parts. One part describes the access permission attached to a file. The other part describes the user, or users, who will have this access:

ALTSEC TAXRETRN;NEWACD=(R,W:JOHN.BUDGET)

The first part of this ACD, R,W, attaches Read and Write permission to the file TAXRETRN. The second part, JOHN.BUDGET, gives that permission to the user JOHN.BUDGET. Notice that the two parts are separated by a colon ( : ). Users who are not mentioned in this ACD definition do not have any access to the file. (Account managers and system managers automatically have access to files: account managers "own" all of the files in their account(s); system managers "own" all of the files on their system.) You can make several ACD assignments at once, as in this example:
ALTSEC TAXRETRN;NEWACD=(R,W:JOHN.BUDGET;R:MARIA.BUDGET; &
NONE:MARK.BUDGET,@.SALES;)
Notice that each assignment (pair) is separated from the next by a semicolon, and that several users can share one pair when their names are separated by commas. @.SALES means all of the users who can log on to the SALES account; in this example they are paired with NONE, so every user of the SALES account is denied access to the file. (@.@ means all of the users on a system.) You might decide later that another user should also have access to TAXRETRN. Perhaps user BOB.ACCTNG will need to be able to look at TAXRETRN. To do that, use the ALTSEC command again, this time with the ;ADDPAIR keyword. Do this:
ALTSEC TAXRETRN;ADDPAIR=(R:BOB.ACCTNG)

Excluding or Removing Permission to Use a File

Someone might decide that the user MARIA.BUDGET, who was given Read permission above, really should not have access to the file. To exclude this user from access to the file, enter this:
ALTSEC TAXRETRN;DELPAIR=(MARIA.BUDGET)
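As an added example (not from the HP manual or any MPE/iX code), the following Python models the ACD pair syntax used with ALTSEC above and the access rules this section states, so you can work out who ends up with which permissions before attaching an ACD to a real file. It takes the NEWACD, ADDPAIR and DELPAIR strings exactly as written in the examples above; the user names are the lesson's own. Two points are the example's assumptions rather than statements from the lesson: when more than one pair matches a user, the most specific pair wins (a named user over @.ACCOUNT over @.@), and del_acd stands in for ALTSEC's option that removes the whole ACD.

```python
# Added example, not part of the HP manual: a model of the ALTSEC ACD pair
# syntax (NEWACD=, ADDPAIR=, DELPAIR=) and of the rules the lesson states:
# the owner keeps full access, SM bypasses every ACD, AM bypasses ACDs on
# files in the AM's own account, NONE denies, and unnamed users get nothing.
# Assumption not in the lesson: the most specific matching pair wins.
import re

PERMS = {"R", "W", "A", "L", "X", "RACD", "NONE"}
FULL = frozenset({"R", "W", "A", "L", "X", "RACD"})
_PRINCIPAL = re.compile(r"(@|[A-Z][A-Z0-9]*)\.(@|[A-Z][A-Z0-9]*)")


def parse_acd(spec):
    """'(R,W:JOHN.BUDGET;NONE:MARK.BUDGET,@.SALES)' -> [(frozenset, [users]), ...].
    Rejects unknown permissions, NONE mixed with others, and malformed names."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    pairs = []
    for chunk in (c.strip() for c in body.split(";")):
        if not chunk:
            continue  # tolerates the trailing ';' in the lesson's example
        perm_part, sep, user_part = chunk.partition(":")
        if not sep:
            raise ValueError("pair lacks ':' between permissions and users: %r" % chunk)
        perms = frozenset(p.strip().upper() for p in perm_part.split(",") if p.strip())
        if not perms or perms - PERMS:
            raise ValueError("unknown or empty permission list: %r" % perm_part)
        if "NONE" in perms and len(perms) > 1:
            raise ValueError("NONE cannot be combined with other permissions")
        users = [u.strip().upper() for u in user_part.split(",") if u.strip()]
        if not users or any(not _PRINCIPAL.fullmatch(u) for u in users):
            raise ValueError("bad USER.ACCOUNT list: %r" % user_part)
        pairs.append((perms, users))
    return pairs


def add_pair(pairs, spec):
    """ALTSEC ...;ADDPAIR=(R:BOB.ACCTNG): append pairs to an existing ACD."""
    return list(pairs) + parse_acd(spec)


def del_pair(pairs, user_spec):
    """ALTSEC ...;DELPAIR=(MARIA.BUDGET): drop the named users; names not in the ACD are an error."""
    drop = {u.strip().upper() for u in user_spec.strip("() ").split(",") if u.strip()}
    present = {u for _, users in pairs for u in users}
    if drop - present:
        raise ValueError("not in ACD: %s" % sorted(drop - present))
    kept = [(perms, [u for u in users if u not in drop]) for perms, users in pairs]
    return [(perms, users) for perms, users in kept if users]


def del_acd(pairs):
    """Removes the whole ACD (assumed stand-in for ALTSEC's delete-ACD option)."""
    return []


def _specificity(principal):
    user, acct = principal.split(".")
    return (user != "@") * 2 + (acct != "@")  # 3 exact, 2 USER.@, 1 @.ACCT, 0 @.@


def _matches(principal, who):
    pu, pa = principal.split(".")
    wu, wa = who.split(".")
    return pu in ("@", wu) and pa in ("@", wa)


def effective_perms(pairs, who, file_owner, file_account, caps=frozenset()):
    """Permissions the concrete USER.ACCOUNT 'who' holds on a file created by
    file_owner in file_account; caps are the requester's own capabilities."""
    who = who.upper()
    if not _PRINCIPAL.fullmatch(who) or "@" in who:
        raise ValueError("requester must be a concrete USER.ACCOUNT")
    if who == file_owner.upper():
        return FULL  # the creator cannot lock themselves out
    if "SM" in caps or ("AM" in caps and who.split(".")[1] == file_account.upper()):
        return FULL  # managers "own" the files they manage
    best = None
    for perms, users in pairs:
        for u in users:
            if _matches(u, who) and (best is None or _specificity(u) > best[0]):
                best = (_specificity(u), perms)
    if best is None or "NONE" in best[1]:
        return frozenset()
    return best[1]


if __name__ == "__main__":
    acd = parse_acd("(R,W:JOHN.BUDGET;R:MARIA.BUDGET;NONE:MARK.BUDGET,@.SALES;)")
    acd = add_pair(acd, "(R:BOB.ACCTNG)")
    for who, caps in [("JOHN.BUDGET", ()), ("MARIA.BUDGET", ()), ("MARK.BUDGET", ()),
                      ("SUE.SALES", ()), ("MGR.SALES", ("AM",)), ("BOB.ACCTNG", ()),
                      ("ANN.PAYROLL", ()), ("MGR.BUDGET", ("AM",)), ("MANAGER.SYS", ("SM",))]:
        p = effective_perms(acd, who, "JOHN.BUDGET", "BUDGET", frozenset(caps))
        print("%-12s %s" % (who, ",".join(sorted(p)) or "(no access)"))
```

Run it as a script to print the permission table for the lesson's users. MGR.SALES, an account manager of a different account, is still shut out by the @.SALES pair, while MGR.BUDGET is not: that is the point the lesson makes when it says an ACD cannot protect a file from your own account manager.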
You might need to remove all access control definitions from a file. To do that with TAXRETRN, enter this:

Now all ACD restrictions are removed from TAXRETRN. More information on using ALTSEC to manage ACDs can be found in the MPE/iX Commands Reference Manual (32650-90003), which you may order from your sales representative.

Group Passwords (account manager)

If you ever forget a group password, you can use the LISTGROUP command with the PASS parameter to list the group's password to the screen. Because the password is displayed in clear text, this is one of the operations reserved for account manager capability or higher. Try that command now for the PROJECT group.

Adding a New Group (account manager)

If you have account manager (AM) capability or higher, you may add a new group to your account. The command that you use to do this is NEWGROUP.

Exercise 1-2: Using NEWGROUP (account manager)

The purpose of this exercise is to illustrate how to create account groups with default attributes as well as those with attributes that you specify. The NEWGROUP command with its parameters is listed below.
NEWGROUP name;PASS=password;CAP=capabilities;ACCESS=(attributes:users)

Notice that each of the parameters PASS, CAP, and ACCESS takes one or more values preceded by an equal sign (PASS=xxxx;CAP=xx,xx). Access codes are enclosed in parentheses and separated by commas, with a colon separating the codes from the user type: ACCESS=(R,L,A:GL). For example, to ensure that only the account librarian (AL) would have read (R) and execute (X) access to files in a group, you would enter ACCESS=(R,X:AL).

Use the NEWGROUP command to create a group called STOP with default attributes. Use the LISTGROUP command to list the attributes of this group.

What default capabilities have been assigned?
What default file access and user codes have been assigned?
What command would you use to check on this group's password?
NOTE: Any mistakes that you may make can be corrected with the ALTGROUP command, which is covered later in this lesson.
Create a new group called GO with the following attributes:

Password: Fast
Capabilities: Interactive access (IA), batch access (BA), and process handling (PH)
File Access: Default

Use the LISTGROUP command to verify the new group and its password.

Use the NEWGROUP command to create another group SLOW with the following attributes:

Password: Down
Capabilities: Default
File Access: read (R), lock (L), append (A), write (W), execute (X), save (S) for the group librarian (GL) only.

Use the LISTGROUP command to check on the new group.
********** End of Exercise 1-2 **********

Altering Group Attributes (account manager)
The ALTGROUP command is used to change group attributes; however, like the NEWGROUP command, the ALTGROUP command also requires account manager level capability or higher for its use.
ALTGROUP groupname;attribute=

The ALTGROUP command can be used to change any attributes, provided that these attributes do not exceed the limits for your account. To change an attribute back to its default, list the attribute followed by an equal sign and no value. For example, to change the file access attributes to default on the PROJECT group, use this command:

ALTGROUP PROJECT;ACCESS=

Exercise 1-3: Using ALTGROUP (account manager)

Use the ALTGROUP command to do the following:

Change the password on the PROJECT group to PJ. (If you have forgotten the password, use the PASS parameter with the LISTGROUP command.)
Change the capabilities on the GO group to default.
Change the file access capabilities on the SLOW group to read, write, append, and execute for any user of the group.
Remove the password for the SLOW group.
Check the groups that you created in the previous exercise and modify their attributes for additional practice. Use the LISTGROUP command to check on each of the groups.
********** End of Exercise 1-3 **********

Exercise 1-4: Using ALTSEC

Use the ALTSEC command to give yourself Read and Write permission for one of the files that you have created. Then use the ALTSEC command to give another user Read permission for this file.

********** End of Exercise 1-4 **********

Purging a Group (account manager)

To delete a group from your account, use the PURGEGROUP command followed by the group name. Enter this now for the GO group. The PURGEGROUP command can have devastating consequences: it erases the group and all files included therein. The system prompts you:

PURGE GO TO BE PURGED? (YES/NO)

Enter YES and press RETURN to complete the deletion. Use the PURGEGROUP command to delete the STOP and SLOW groups.
There is an alternative to using individual MPE/iX commands to create the accounts, groups, and users on your system. The command file MKACCT (MKACCT.MPEXL.SYS) provides you with an easy, interactive method of creating your account structure. Figure 2-3 "Sample Worksheet" shows a sample worksheet that can be used to plan your structure or to record the structure that you have created. It shows how you might plan a new account that you wish to create. This sort of information will help you in deciding (and remembering) the kind of account structure that you want to create.

Figure 2-3 Sample Worksheet
ACCOUNT Name: PRACTICE______ Password: NOW__________
Manager: MGR___________ Password: FY91_________
Group: TAXES_________ Password: TX1992_______
Group: BUDGET________ Password: _____________
Group: ______________ Password: _____________
Group: ______________ Password: _____________
User: BARB__________ Password: _____________
Home Group: TAXES________
LOGON: HELLO BARB__________.PRACTICE______,_____________
(user) (account) (group)
User: JIM___________ Password: _____________
Home Group: PUB__________
LOGON: HELLO JIM___________.PRACTICE______,_____________
(user) (account) (group)
User: ______________ Password: _____________
Home Group: _____________
LOGON: HELLO ______________._______________,_____________
(user) (account) (group)
User: ______________ Password: _____________
Home Group: ____________
LOGON: HELLO ______________._______________,_____________
(user) (account) (group)
User: ______________ Password: _____________
Home Group: _____________
LOGON: HELLO ______________._______________,_____________
(user) (account) (group)

To create an account, groups and users

You must be logged on as MANAGER.SYS to use the MKACCT command file. Follow the MKACCT online (on screen) instructions, or use the instructions provided here to guide you along.

CAUTION: If you are taking notes as you create users, groups, accounts and passwords, remember that it is the system manager's responsibility to keep this information secure.

Log on as MANAGER.SYS.
Type MKACCT.MPEXL at the system prompt, and press Return. The following MKACCT information appears on your screen:
**********************************************************************
* MKACCT allows you to create: ACCOUNTS, GROUPS, and USERS. *
* *
* ACCOUNTS contain GROUPS and USERS. GROUPS contain your files. *
* The next screen shows a picture of an account structure. *
* *
* All USERS in the same ACCOUNT can share files, but each USER *
* should have a GROUP where their own files reside. *
* *
* USER, ACCOUNT and GROUP names are needed to logon to your system, *
* for example: *
* *
* :hello USER.ACCOUNT,GROUP or *
* :hello MANAGER.SYS,PUB *
* *
* Each USER should be assigned a HOME GROUP, so that a group name is *
* not needed when the user logs on. For example, the home group for *
* MANAGER.SYS is PUB so that the system manager can logon as: *
* *
* :hello MANAGER.SYS *
**********************************************************************

Press the Return key to continue. The next screen shows you a diagram of the account structure: how files belong in groups, and groups belong in an account. After viewing the diagram, MKACCT asks if you want to create a new account. If you want to create an account, respond YES.

Do you want to create a new {{account}} (Yes,No,Exit)?

Again you are given three options in response to this prompt. If you type NO, MKACCT asks whether you want to add groups or users to an existing account. For more information on this topic, see the following task, "Using MKACCT to add groups or users to an existing account." If you type EXIT, MKACCT stops and asks you to confirm your intention of stopping MKACCT. If you type YES, MKACCT starts the process for creating an account.

When you are ready to create an account, type YES, or press Return, at this prompt. You must respond to a sequence of prompts requesting a name for the account, a name for the account manager, and a password for the account and the account manager. Passwords are optional; however, the lack of passwords diminishes the security of your system. The following example displays the sequence of prompts that appear, along with sample user responses.
Do you want to create a new {{account}} (Yes,No,Exit)?Yes Return
Every ACCOUNT must be named and must include a manager (USER).
Every account and manager should have a password. Accounts
and user without passwords are not secure.
If there are any problems, you will be asked to repeat the
process.
Please enter a name for this ACCOUNT: SALES Return
Please enter a password for account SALES: FY91 Return
Please enter a manager name for account SALES: YUKI Return
Please enter a password for account manager YUKI: KINU2 Return
After entering a password for the account manager, a screen similar to the following will appear:
The following account and user will be created:
Account name :SALES
Account password :FY91
Manager name :YUKI
Manager password :KINU2
Create the ACCOUNT (Yes,No,Exit)?

Type YES, or press Return. Doing so finalizes the creation of the account, the account's password, the account manager, and the account manager's password.

MKACCT then asks, "Do you want to create a new group in the ACCTNAME account (Yes,No,Exit)?". To create a new group, type YES, or press Return, at this prompt. The MKACCT process for creating groups is similar to creating accounts. You must provide a group name and password (optional) when prompted. Answer YES when the "Create this group (Yes,No,Exit)?" prompt appears to finalize the creation of the group. MKACCT continues to prompt you for new group names until you type NO at the "Do you want to create a new group...?" prompt. You do not need to create a PUB group; MKACCT does this automatically.

MKACCT then asks, "Do you want to create a new user in the ACCTNAME account (Yes,No,Exit)?". To create a new user, type YES, or press Return, at this prompt. The MKACCT process for creating users is similar to creating accounts and groups. You must provide a user name and password (optional). You will be asked if you want to see a list of groups in your new account; answer accordingly. You will then be asked to provide a home group for the user. Specifying a home group is optional; however, without a home group, the user must specify a group name each time they log on. Answer YES when the "Create this user (Yes,No,Exit)?" prompt appears to finalize the creation of the user. MKACCT continues to prompt you for new user names until you type NO or EXIT at the "Do you want to create a new user...?" prompt. If you respond NO, MKACCT returns you to the prompt where you can start the process of creating another new account.

To exit the MKACCT command file, type EXIT at any prompt that ends with the (Yes,No,Exit)? options. A screen similar to the following appears:
**************************************************************
* MKACCT has kept a record of your work. It produced two *
* files in the PUB group that you may want to examine now *
* or sometime later. These files contain all of the work *
* that you have done by using MKACCT. *
* *
* *
* CMDLOG Contains the MPE/XL commands that were needed at *
* each step along the way to create ACCOUNTS, *
* GROUPS, USERS and passwords. *
* *
* ACCTLOG Contains a summary of the account structure that *
* you have created, showing ACCOUNTS, their GROUPS, *
* their USERS, all passwords, and the HOME GROUP *
* to which each user of each account was assigned. *
* *
* To see these two files enter: *
* *
* :PRINT cmdlog.pub *
* :PRINT acctlog.pub *
* *
* Since these files contain passwords, it is your *
* responsibility as system manager to keep this information *
* safe from misuse. *
* *
**************************************************************
Please press {{RETURN}} to continue
After carefully reading this screen, press Return to view the next screen.
***************************************************************
* *
* *
* To create more GROUPS, USERS or ACCOUNTS just execute *
* MKACCT again. *
* *
* The following MPE commands may be used to list and *
* modify your accounts: *
* *
* :LISTACCT AccountName :ALTACCT AccountName *
* :LISTGROUP GroupName :ALTGROUP GroupName *
* :LISTUSER UserName :ALTUSER UserName *
* :PURGEACCT AccountName :PURGEGROUP GroupName *
* :PURGEUSER UserName *
* *
* You can get HELP for any of these commands by typing: *
* *
* :HELP CommandName e.g. :HELP ALTUSER *
* *
**************************************************************
Please press {{RETURN}} to continue Return

To get to the system prompt, press Return. The following message appears on your screen and you are returned to the system prompt.

End of the MKACCT command file.
:_

You may run MKACCT as often as you like. The ACCTLOG and CMDLOG files accumulate information and show the date and time of each MKACCT session. Both files record every password entered in clear text, so treat them as sensitive from the moment they exist.

Using MKACCT to add groups or users to an existing account

Log on as MANAGER.SYS. Type MKACCT at the system prompt and press Return. At the "More information (Yes,No,Exit)?" prompt, type NO. Type YES, or press Return, at the following prompt:
Do you want to add {{groups}} or {{users}} to an existing
ACCOUNT (Yes,No,Exit)? YES Return
Provide the name of the account to which you wish to add groups or users at the following prompt:
Please enter the name of an existing ACCOUNT:

When prompted, supply a new group name and password. MKACCT continues to prompt you for new group names until you type NO at the "Do you want to create a new {{group}} in the ACCTNAME?" prompt. When prompted, supply a new user name and password. MKACCT continues to prompt you for new user names until you type NO or EXIT at the "Do you want to create a new {{user}} in the ACCTNAME?" prompt. When you have finished adding new groups and users to your existing account, type EXIT at any prompt that ends with the (Yes,No,Exit)? options.

To delete any portion of your account structure, use the PURGEACCT, PURGEGROUP or PURGEUSER commands. To modify capabilities or file access for any account, group, or user, use the ALTACCT, ALTGROUP, or ALTUSER commands. To change a password, use the PASSWORD command.

MKACCT is a command file that helps you establish user names, groups, accounts and passwords. If you have any problems with MKACCT you may restart it at any time without damaging your system. MKACCT is interactive, and if you make a mistake, it prompts you for the correct response. You may verify the results of MKACCT with the LISTACCT, LISTGROUP, and LISTUSER commands. You can change anything accomplished by MKACCT with the ALTUSER, ALTGROUP, and ALTACCT commands.

Capability Requirements for Applications and Programs

Before you move an application or program into a group, verify its capability requirements with the VERSION utility. In order for the application to execute, the group in which it is stored must have those capabilities. For example, if you want to load the EDIT/3000 text editor application (henceforth referred to as the editor) into one of your account groups, first check the editor's capability requirements with VERSION. Notice the editor's capability requirements at the bottom of the display:
# SEG: 12
STACK: %10770
MAXDATA: %23420
TOTAL DB: %1735
DL:%0
CAP: BA,IA,DS

Any group in which the editor application will be stored must have BA, IA, and DS capabilities in order for the application to run successfully. Of course, any general user with default capabilities can use the editor successfully. Only the account and group where the editor resides, namely the PUB group of the SYS account, need have the special capabilities.

Lesson Summary
A minimum of account manager capability is required to do the following:

Display information about all groups in your account.
Create, modify, and delete account groups.
List all passwords in your account.
The MKACCT command file allows a system manager to create accounts, groups, and users on the system in a question-answer format. The REPORT and LISTGROUP commands provide information on groups within an account. The capabilities for any group may not exceed those of the account. Before loading an application or executable program into one of your account groups, check its capability requirements. If the requirements exceed those of the group, the application will not execute.
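As an added example (not from the HP manual), here is a Python check for the two containment rules the summary restates: a group's capabilities may not exceed its account's, and a program can only run from a group whose CAP covers the CAP line of its VERSION output. It parses the VERSION tail shown in the previous section; the account and group CAP strings are constructed for the example, and the assumption that only the six codes from Q1-7 (IA, BA, PH, MR, DS, PM) are assignable to a group is the example's own.

```python
# Added example, not part of the HP manual: checks for the two capability
# rules this lesson states. (1) NEWGROUP/ALTGROUP may not give a group a
# capability its account lacks; (2) a program runs only in a group holding
# every capability on the CAP line of its VERSION output. SAMPLE_VERSION is
# the lesson's own VERSION tail; the CAP strings below are constructed.
# Assumption: only the six codes from the lesson's Q1-7 list are group-level.
import re

GROUP_CAPS = frozenset({"IA", "BA", "PH", "MR", "DS", "PM"})
DEFAULT_GROUP_CAPS = frozenset({"IA", "BA"})  # lesson: defaults for a new group

SAMPLE_VERSION = """\
# SEG: 12
STACK: %10770
MAXDATA: %23420
TOTAL DB: %1735
DL:%0
CAP: BA,IA,DS
"""


def parse_caps(text):
    """'CAP: BA,IA,DS' or 'BA,IA,DS' -> frozenset({'BA','IA','DS'}); '' -> empty set."""
    text = text.strip()
    if text.upper().startswith("CAP:"):
        text = text[4:]
    caps = frozenset(c.strip().upper() for c in text.split(",") if c.strip())
    bad = [c for c in caps if not re.fullmatch(r"[A-Z]{2}", c)]
    if bad:
        raise ValueError("malformed capability code(s): %s" % bad)
    return caps


def parse_version_output(text):
    """Turn the tail of a VERSION listing into a dict of its 'NAME: value'
    fields, with the CAP field parsed into a set of codes."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        fields[name.upper()] = parse_caps(value) if name.upper() == "CAP" else value
    if "CAP" not in fields:
        raise ValueError("no CAP line in VERSION output")
    return fields


def newgroup_cap_problems(requested, account_caps):
    """Capabilities a NEWGROUP/ALTGROUP CAP= request needs that the account does
    not have (empty set: acceptable). An empty request means the defaults IA, BA.
    Codes that are not group-level at all are rejected outright."""
    req = parse_caps(requested) or DEFAULT_GROUP_CAPS
    not_group_level = req - GROUP_CAPS
    if not_group_level:
        raise ValueError("not assignable to a group: %s" % sorted(not_group_level))
    return req - parse_caps(account_caps)


def missing_for_program(version_text, group_caps):
    """Capabilities the program needs that the group lacks; empty means it can run there."""
    return parse_version_output(version_text)["CAP"] - parse_caps(group_caps)


def groups_that_can_host(version_text, groups):
    """groups: {name: CAP string as LISTGROUP shows it} -> sorted names whose
    capabilities cover the program's requirements."""
    return sorted(g for g, caps in groups.items() if not missing_for_program(version_text, caps))


if __name__ == "__main__":
    account = "AM,AL,GL,IA,BA,PH,DS"  # constructed LISTACCT-style CAP value
    groups = {"PUB": "BA,IA,DS", "PROJECT": "BA,IA", "GO": "BA,IA,PH"}
    print("GO may have IA,BA,PH:", not newgroup_cap_problems("IA,BA,PH", account))
    print("a group asking for PM lacks:", sorted(newgroup_cap_problems("IA,BA,PM", account)))
    print("editor can live in:", groups_that_can_host(SAMPLE_VERSION, groups))
```

The two checks deliberately run before any NEWGROUP or file copy: MPE refuses a CAP= the account cannot grant, and a program moved into an under-capable group simply fails at run time, so verifying the VERSION line against LISTGROUP output first saves a round trip.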
Exercise 1-4: Lesson 2 Review

Match the commands with what they do:

Commands:
PURGEGROUP
NEWGROUP
VERSION
REPORT
LISTGROUP
LISTGROUP name;PASS
ALTGROUP
ALTSEC

Descriptions:
Provides detailed information on each group in the account.
Allows you to change the attributes of a group.
Lists file space, CPU time, and connect time for all groups in an account.
Creates a new group in an account.
Lists detailed information on a group including the group's password.
Creates or changes ACD protection for files.
Checks capability requirements for applications and executable programs.
Deletes a group from an account.

********** End of Exercise 1-4 **********