Getting Started with OpenVMS System Management (HP Technologies)
An unprivileged user can control his or her files using ACL and UIC mechanisms, but only the manager can create arbitrary groups of users. This is done with a mechanism called the rights identifier. The use of a rights list makes management easier. Suppose I put STUROSS and HICKEY into a group named DM_RIGHT. Then the ACL on this file becomes a single entry. The rights list is controlled by the manager with AUTHORIZE. Using groups based on the rights list is a three-step process:
- The manager creates the identifier.
- The manager associates the identifier with a number of users forming a group.
- The user (or the manager) creates an ACL for the identifier.
The manager would use the following commands to accomplish this task:
    $ RUN AUTHORIZE
    UAF> ADD/IDENTIFIER DM_RIGHT
    UAF> sho /id dm_right
      Name             Value           Attributes
      DM_RIGHT         %X8001001B
    UAF> GRANT/IDENT DM_RIGHT HICKEY
    UAF> GRANT/ID DM_RIGHT STUROSS
    UAF> sho /right/user=stuross
      Identifier       Value           Attributes
      DM_RIGHT         %X8001001B
    UAF> EXIT
Now DMILLER can issue the following commands:

    $ SET SEC/ACL=(id=DM_RIGHT,access=read) login.com
    CSLab::DMILLER? sho sec login.com
    FACULTY:[DMILLER]LOGIN.COM;101 object of class FILE
         Owner: [DMILLER]
         Protection: (System: RWED, Owner: RWED, Group, World)
         Access Control List:
              (IDENTIFIER=DM_RIGHT,ACCESS=READ)
Notice that there is some confusion between the identifier (i.e., the name of the rights-identifier) and the assignment of this right to a user. UAF>SHOW /ID lists the identifier, while UAF>SHO /RIGHT lists the user information. As you can see in the example, identifiers may have attributes, such as hiding the identifier name from the user.
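To see why the single ACL entry is enough even though Group and World have no access, here is a simplified Python model of the access check (an added example, not from the book and not OpenVMS code): the ACL is consulted first, and the UIC protection code is used only when no entry matches. The UIC groups and the user GUEST1 are constructed for illustration; privileges and the System protection field are left out.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    group: str                                   # UIC group (constructed values)
    rights: set = field(default_factory=set)     # identifiers granted in AUTHORIZE

@dataclass
class FileObject:
    owner: User
    protection: dict                             # category -> set of access letters
    acl: list = field(default_factory=list)      # ordered (identifier, access) entries

def check_access(user, f, wanted):
    """Return (granted, reason) for one access letter such as 'R' or 'W'."""
    is_owner = user.name == f.owner.name
    for ident, access in f.acl:                  # the first matching entry decides
        if ident in user.rights:
            if wanted in access:
                return True, f"ACL entry for {ident}"
            # Entry matched but does not grant: only the Owner field can still help
            if is_owner and wanted in f.protection["owner"]:
                return True, "owner field"
            return False, f"ACL entry for {ident} does not grant {wanted}"
    # No entry matched: fall back to the UIC protection code
    categories = ["world"]
    if user.group == f.owner.group:
        categories.append("group")
    if is_owner:
        categories.append("owner")
    for cat in categories:
        if wanted in f.protection[cat]:
            return True, f"{cat} field"
    return False, "protection code"

# The file from the page: (Owner: RWED, Group, World) plus one ACL entry
dmiller = User("DMILLER", "FACULTY")
stuross = User("STUROSS", "STUDENT", {"DM_RIGHT"})
guest1 = User("GUEST1", "STUDENT")               # hypothetical user without the identifier
login_com = FileObject(dmiller,
                       {"owner": set("RWED"), "group": set(), "world": set()},
                       [("DM_RIGHT", {"R"})])

if __name__ == "__main__":
    for u in (dmiller, stuross, guest1):
        for want in "RW":
            print(u.name, want, check_access(u, login_com, want))
```

Revoking the identifier from a user removes the access without touching the file's ACL, which is the management benefit the text describes.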