ALTSEC

This command changes the access permissions of an object by altering the access control definition (ACD).

ACDs are the main method of controlling access to files, hierarchical directories, and devices. ACDs are automatically assigned to hierarchical directories and to files existing in hierarchical directories.

You can change access permissions for any of the following:

files
hierarchical directories
devices
device classes

You can also change file access masks with this command (only files have access masks). The file status change time stamp is updated by ALTSEC.




	NOTE: The `ALTSEC` command cannot be used to change access permissions for MPE groups, accounts, or the root directory.

Syntax

   ALTSEC objectname [,{FILENAME

                       LDEV

                        DEVCLASS}]

   [;[ACCESS=](fileaccess[;[fileaccess][;...]])]

   [ {;NEWACD=

      ;REPACD=

      ;ADDPAIR=

      ;REPPAIR=} {(acdpair [;acdpair] [;...] ) 

                  ^filereference } ]

   [;DELPAIR= {(userspec [;userspec] [;...])

               ^filereference } ]

   [;COPYACD= objectname {,FILENAME

                         ,LDEV} ]  [;DELACD]  [;MASK]

Parameters

objectname

Specifies the actual file designator, directory name, logical device number, or device class whose security provisions you want to alter.

Either MPE or hierarchical file system (HFS) file name syntax may be used for the actual file designator of the file or directory whose access permissions are to be altered.

You can only use wildcard characters with MPE syntax files that reside in a group.

A logical device number must be a numeric value configured on the system, or an @ sign, that indicates all devices on the system. A device class name must be configured on the system.

File equations are ignored during resolution of the object name to avoid having accidental file equation references cause unintentional changes to an object's access permissions.

MPE Syntax

You can include MPE file name syntax but not RFA information. If the object is an MPE syntax file, its format is:

   filename[/lockword][.groupname[.acctname]]

You may specify file lockwords for files protected by active lockwords unless the objects are also protected by a current ACD.

In a batch job, if a lockword exists on a file, you must specified it. In a session, if a lockword exists and is omitted, MPE/iX will prompt you for it.

HFS Syntax

You must begin file designators using HFS file name syntax with either a dot (.) or a slash (/) character. The maximum length is 255 characters (including the "./" or "/").

The objectname parameter is followed by one of the three type identifiers listed below.

FILENAME: A type identifier that indicates objectname refers to either a file or directory. The FILENAME type identifier is the default if a type identifier is not specified.
LDEV: A type identifier that indicates objectname refers to a logical device number.
DEVCLASS: A type identifier that indicates objectname refers to a device class.

ACCESS

Optional keyword that indicates a fileaccess specification follows. This option affects security at the file level only.

fileaccess

File access mask specifications, entered as follows:

   {R

    L

    A

    W

    X} [,...]: {ANY

                AC

                GU

                AL

                GL

                CR } [,...]

The R, L, A, W, and X specify modes of access by types of users (ANY, AC, GU, AL, GL, CR) as follows:

   R   =   READ

   L   =   LOCK 

   A   =   APPEND 

   W   =   WRITE 

   X   =   EXECUTE

LOCK allows opening the file with dynamic locking option. APPEND implicitly specifies LOCK. WRITE implicitly specifies APPEND and LOCK.

You may specify two or more modes if you separate them by commas. The user types are specified as follows:

   ANY =  Any user

   AC  =  Member of this account only

   GU  =  Member of this group only

   AL  =  Account librarian user only

   GL  =  Group librarian user only

   CR  =  Creator

You may specify two or more user types if you separate them by commas. The default is R,L,W,A,X:ANY. The colon (:) separating one or more modes from one or more user types is required punctuation in the specification of fileaccess.

The ACCESS keyword is optional. If the file is protected by an ACD, the ACD overrides the file access mask.

NEWACD

(Indicates "new ACD"). Use NEWACD to create a new ACD for the specified object. NEWACD is used when an ACD does not currently exist. It must be followed by valid ACD pair(s) as described below.

REPACD

(Indicates "replace ACD"). Use REPACD to create a new ACD or replace an entire existing ACD for the specified object. It must be followed by valid ACD pairs as described below.

ADDPAIR

(Indicates "add pair"). Use ADDPAIR to add a new ACD pair to an existing ACD. It must be followed by valid ACD pairs as described below.

REPAIR

(Indicates "replace pair"). Use REPAIR to replace an existing ACD pair in an existing ACD. You must follow this with a valid ACD pair as described below. A new ACD pair will replace an existing ACD pair if it has the same user and account name.

acdpair

An access control definition pair. Like the fileaccess parameter this consists of a modes part and a userspec part. The modes part is separated from the userspec part by a colon (:). Acceptable modes for files are:

             R : read file access

             W : write file access

             L : lock file access

             A : append file access

             X : execute file access

          NONE : no access

          RACD : copy or read the ACD permission

Acceptable modes for directories are:

            CD : create directory entries access

            DD : delete directory entries access

            RD : read directory entries access

            TD : traverse directory entries access

          NONE : no access

          RACD : copy or read the ACD permission

File ACD pairs may contain R, W, L, A, X, NONE, and RACD. Directory ACD pairs may contain CD, DD, RD, TD, NONE, and RACD.

The userspec part consists of

a fully qualified user name (username.accountname)
the file owner represented as $OWNER
the file group represented as $GROUP
the file group mask represented as $GROUP_MASK
@.accountname, which represents all users in the account accountname
@.@, which represents all users in the system




	NOTE: You cannot use wildcards cannot be used in any other manner within a user specification.

A typical ACD consisting of three ACD pairs might look like this:

   (R,W:ENGR.MFG;R,W,RACD:@.MRKT;R:@.@)

This ACD would allow Read and Write access to the ENGR user of the MFG account; Read and Write access to any user of the MRKT account along with the ability to read or copy the ACD; and Read access to any user in any account.

^ filereference

A file containing one or more ACD pairs. ACD pairs must be separated by semi-colons and may be placed on separate lines. A single ACD pair may not span more than one line. The file name must be preceded by the ^ sign (caret symbol) to indicate that the designated file contains the ACD definition. This is known as an indirect file.

The ALTSEC command fails if the indirect file does not contain a syntactically correct ACD. ACD pairs may be on separate lines, but a pair may not span lines. Parentheses are optional when defining an acdpair within an indirect file.

The file reference may be specified using MPE or HFS file name syntax. For example:

   filename[/lockword][.group[.account]]

If the file has an active lockword, you must be specify it. ACDs override lockwords. Lockwords can only be specified in file references using MPE name syntax. Unqualified file names are relative to the current working directory.

DELPAIR

(Indicates "delete pair"). Use to delete one or more ACD pairs in an existing ACD). DELPAIR must be followed by a valid userspec.

userspec

Username and accountname, the same as the userspec described above in acdpair. A wildcard (@) may be used for the username or both the username and accountname together. A wildcard may not be specified for the accountname unless it is also specified for the username.

COPYACD

(Indicates "copy ACD"). Use COPYACD to copy an ACD from an existing objectname to the specified objectname. ACDs can be copied only between like objects. You must specify FILENAME or LDEV. FILENAME is the default. You cannot copy an ACD from a device class (DEVCLASS), although you may copy to all devices on the system by specifying the @ sign as the target device.

DELACD

(Indicates "delete ACD"). Use DELACD to delete all ACD pairs from the specified objectname. ACDs may be removed only from devices and files in MPE groups. The file access matrix controls access to a file when an ACD is deleted.

MASK

(Indicates "recalculate MASK"). Use MASK to recalculate the ACD file group class mask ($GROUP_MASK) access permissions.

Operation Notes

You use the ALTSEC command to alter security provisions for files, hierarchical directories, devices, and device classes by manipulating an object's access control definition (ACD) or its access mask. All of these objects may have ACDs, but only files have access masks which can be changed using this command. An object's ACD may be altered using this command with the ACD keywords NEWACD, REPACD, COPYACD, ADDPAIR, REPPAIR, DELPAIR, DELACD, and MASK. A file's access mask may be altered using either the ACCESS keyword or an access specification without a keyword. Using the ACCESS keyword is a recommended practice to help distinguish between file access mask and ACD operations.

Only the owner of a file can use the ALTSEC command to change a file's access mask. Object owners and users with appropriate privilege can use this command to manipulate an object's ACD. Files and hierarchical directories have their owner's identity and a file group ID (GID) stored in their file labels. System managers have the appropriate privilege to manipulate the ACDs for all objects. Account managers for the account matching an object's GID have appropriate privilege. Devices are owned by system managers. The ability to manipulate an ACD or file mask is not affected by the object access currently granted to a user.

File ACDs override file lockwords and the file access matrix. ACDs permit more precise access control than the file access matrix by allowing access permissions to specific users. MPE/iX allows you to specify a maximum of 40 ACD pairs for a particular object. Since a large number of ACD pair specifications overflows the command line buffer, you must enter large numbers of ACD specifications may be entered through an indirect file.

The ALTSEC command fails if you attempt to alter the access permissions for a permanent disk file whose group's home volume set is not mounted.

File Access Matrix Examples




	NOTE: You can use `LISTFILE,4` to view the file access matrix.

You have created a file named FDATA, and want to change its file access matrix access permissions to grant write access to only yourself. Enter:

   ALTSEC FDATA;ACCESS=(W:CR)

To change file access permissions for the FPROG program file to allow all group users to execute programs, but only account and group librarian users to read or write to the file, enter:

   ALTSEC FPROG;ACCESS=(X:GU;R,W:AL,GL)

ACD Examples




	NOTE: You can use `LISTFILE,-2` to view ACD information. This form of the `LISTFILE` command displays `only` ACD information.

You have created a file named FDATA, and want to assign a new ACD to FDATA, granting write access to a user named FRIEND.ACCT. Enter:

   ALTSEC FDATA;NEWACD=(W:FRIEND.ACCT)

As the creator of a file, you can access the file by default, so you don't need to grant yourself access through an ACD. Users with appropriate privileges are always permitted to access files protected by ACDs.

To extend the ACD for the FDATA file so that all users on the system can read it, and all users within your account ACCT can also write to it, enter:

   ALTSEC FDATA;ADDPAIR=(R:@.@;W,R:@.ACCT)

If you decide that users outside your account ACCT should not have read access to the file FDATA any longer, enter:

   ALTSEC FDATA;DELPAIR=(@.@)

This does not delete all ACD pairs, only the ACD pair matching @.@. To delete the entire ACD, enter:

   ALTSEC FDATA;DELACD

To replace the entire ACD, enter:

   ALTSEC FDATA;REPACD=(W:FRIEND.ACCT)

You want to copy the ACD associated with LDEV 5 to all devices in device class TERM:

   ALTSEC TERM,DEVCLASS;COPYACD=5,LDEV

ACDs may be copied only between objects of the same type.

You want to grant users in account ACCT all access to directory Mydir1:

   ALTSEC ./Mydir1;ADDPAIR=(CD,DD,RD,TD,RACD:@.ACCT)

You want to grant read and write access to yourself and read access for other members of your group to an HFS syntax file named a_file_of_Mine:

   ALTSEC ./a_file_of_Mine;REPPAIR=(RACD,R,W:$OWNER;

   RACD,R:$GROUP,$GROUP_MASK;NONE:@.@)

To add a new ACD to file PROGNAME allowing all users on the system to execute it, but only users in account ACCT to write to it enter:

   ALTSEC PROGNAME;NEWACD=(X:@.@;W,X:@.ACCT)

To add a new ACD pair to an ACD which already exists for file PROGNAME which will allow the user ENGR of the LAB account to read, write, lock, append, execute and read the ACD information enter:

   ALTSEC PROGNAME;ADDPAIR=(R,W,X,RACD:ENGR.LAB)

Note that L and A (lock and append) need not be specified because they are implied with W (write).

To add an ACD that prevents any user except OPERATOR.SYS (and any user with SM capability) from accessing LDEV 7 (a tape drive), enter:

   ALTSEC 7,LDEV;NEWACD=(R,W:OPERATOR.SYS)

Note in the last example that X is not used because it makes no sense to execute a tape drive. It also makes no sense to lock or append a tape drive but W tacitly provides L and A anyway.

To eliminate any ACD that may be in effect for device class LP, and to prevent any user except MGR of the FINANCE account from writing to a printer in device class LP, enter:

   ALTSEC LP,DEVCLASS;DELACD

   ALTSEC LP,DEVCLASS;NEWACD=(W:MGR.FINANCE)

Related Commands

   LISTF

   LISTFILE

   RELEASE

   SECURE

   SHOWDEV

   and the fileaccess parameter for:

   ALTACCT

   ALTGROUP

   NEWACCT

   NEWGROUP