Understanding Your System: HP 3000 Series 9X8LX Computer Systems > Chapter 4 Here I Am— What Can I Do?Who Can, Who Cannot... |
|
Capabilities are assigned, and they determine the extent to which you, or any other user, can make full use of the computer's facilities. Capabilities are assigned to these elements:
On most MPE/iX computers, you will find that there is a hierarchy of capabilities. Some users have more capabilities, or more powerful capabilities, than others. This arrangement of capabilities can be tailored to meet the needs of your organization. As a generalization, the range of capabilities, from low to high, is likely to be something like this:
At the highest level, capabilities are assigned by the person who plays the role of system manager on your system. This is the person who knows how to log on as MANAGER.SYS. Strictly speaking, the system manager is not a person. Rather it is a user (user name) that has been granted system manager capability within the SYS account. The computer code for this capability is SM. As you might infer, the user that has SM capability has a high "status" on the computer system and has access to the widest range of programs and functions. It is the system manager who creates accounts and assigns them passwords. The system manager can log on to any group in any account on the system and is able to discover the passwords assigned to every account, every group, and every user. In addition, the system manager has the authority to analyze and fine tune the performance of the system. A less extensive set of capabilities is assigned to the user (user name) who plays the role of system supervisor or system operator, for which the computer code is OP. This user can log on as OPERATOR.SYS. The system operator has day to day responsibility for the functioning of the system. That may include the creation of accounts. If yours is a small-size or medium-size organization, the roles of system manager and system operator may be combined in one person (user). Other tasks that fall to OPERATOR.SYS may include these:
Every account on the system has an account manager (code AM). AM capabilities are different from OP capabilities, but they include such things as the creation of users and groups within the account, and the assignment of passwords and capabilities to users and groups within the account. If yours is a small-size or medium-size organization, the system operator or system manager may serve as the manager of one or many accounts. Users (user names) that are assigned no extensive capabilities acquire the abilities that are assigned to the group (within the account) to which they log on. As a generalization, groups have the least extensive set of capabilities in the hierarchy of capabilities. However, the creator of the group (the account manager, system operator, or system manager (AM, OP, or SM capability) determines the capabilities that the group will have. It would make little sense to give to a group capabilities that are greater than the capabilities of the account in which it resides. In fact, it is impossible to do so. For users, these are the default (standard) capabilities: Imagine an account called MYACCT. One of its users is JOHN. Imagine that this user happens to have only the standard (default) capabilities. Imagine, too, that this account has these three groups and that they have minimal capabilities:
Finally, suppose that there is a file called MYREPORT that you can put into any one of these three groups to show what happens. The tables that follow illustrate what you can and cannot do with MYREPORT if you log on to any one of the three groups. In each case, you could try to do these things:
There are other capabilities in addition to the ones mentioned thus far. Many of these other capabilities serve to restrict the use of very specialized user names, programs, and processes. In particular, two special capabilities prevent the unauthorized use of sensitive or extremely powerful programs: PH (process handing) and PM (privileged mode). Whoever manages your computer system, or your account, should be sure to give you the capabilities you need to do your day to day work. In general, the specialized and powerful capabilities are reserved for those who must manage or run your computer system, and in some cases for those who manage accounts. Unless you have such responsbilities, you are not likely to need specialized capabilities. ACDs are ordered lists of pairs. These pairs consist of access permissions and user specifications that control the ability to access and change MPE files, hierarchical directories, and the files within them. ACDs are applied using the ALTSEC command and take precedence over other security features, such as lockwords and file access control, such as read/write access. For more information on ACDs, refer to Chapters 3 and 9 of the manual, New Features of MPE/iX: Using the Hierarchical File System, (32650-90351). For more information on the ALTSEC command, refer to the Commands Reference (B3813-90011). Each MPE/iX user has an associated user ID (UID). The UID is a string (in the form user.account) and a corresponding integer value. Additionally, one or more users can be organized into groups (distinct from MPE groups) to simplify file sharing. Each group has an associated group ID (GID). UIDs and GIDs are used in conjunction with other security mechanisms to control access to objects. Objects are entities that contain or receive information, such as files, directories, and devices. When files or directories are created, they are assigned their parent directory's GID and the UID of the process creating them. UIDs and GIDs are stored in two databases: HPUID.PUB.SYS holds UIDs and related user information in a user ID database, and HPGID.PUB.SYS holds GIDs and related information in a group ID database. |