
Resource Domains  



Processes that access shared resources can coordinate access using the services of the lock manager. These services allow processes to associate a name with a resource, such as a file or a data structure, to arbitrate access to that resource, and to exchange limited information through a lock value block. The namespaces that catalog resources on which locks can be taken are called resource domains.

A process must become a member of a resource domain to take and release locks and to read and write value blocks associated with resources in that resource domain. A process implicitly joins the system and group domains, but it explicitly joins other domains through a call to the $SET_RESOURCE_DOMAIN system service. Access to all locks and value blocks within a domain is controlled by access to the domain itself.

Naming Rules  

A resource domain is identified to $SET_RESOURCE_DOMAIN by a longword binary value. However, the name of the resource domain object is a string containing the resource number interpreted in octal surrounded by brackets [] or angle brackets <>. Alternatively, the name of the resource domain object can be expressed as an identifier enclosed in brackets or angle brackets. The identifier must translate to a UIC value; the group field of the UIC is used as the resource domain number.

Types of Access  

The resource domain class supports the following types of access:

Read
Gives you the right to read lock value blocks in the domain, including the right to use the $GETLKI system service to retrieve them
Write
Gives you the right to write to lock value blocks in the domain
Lock
Gives you the right to take locks using $ENQ, release locks using $DEQ, and obtain information about the lock database using $GETLKI
Control
Gives you the right to modify the protection elements of a resource domain

Template Profile  

The resource domain class provides the following template profile. The template assigns an owner UIC of [n,*] where n is the resource domain's number.

Template Name    Owner UIC    Protection Code
DEFAULT          [n,*]        S:RWL,O:RWL,G:RWL,W
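
The naming rule and the DEFAULT template above, as an added Python example (not code from the HP manual): it converts between a domain number and its bracketed octal object name and reports any access a protection code grants beyond the template. It assumes single-letter category codes and uses constructed sample values; the identifier form of a name is returned unresolved because it cannot be translated offline.

```python
import re

# Access types and DEFAULT template as given on this page; single-letter
# category codes (S, O, G, W) are an assumption of this example.
ACCESS = {"R": "read", "W": "write", "L": "lock", "C": "control"}
CATEGORIES = {"S": "system", "O": "owner", "G": "group", "W": "world"}
TEMPLATE = "S:RWL,O:RWL,G:RWL,W"

def domain_name(number):
    """Object name for a domain number: octal digits in square brackets."""
    if not 0 <= number <= 0xFFFFFFFF:  # the domain number is a longword
        raise ValueError("domain number must fit in a longword")
    return "[%o]" % number

def parse_domain_name(name):
    """Domain number for '[octal]' or '<octal>'; None for the identifier form."""
    m = re.fullmatch(r"\[([^\[\]<>]+)\]|<([^\[\]<>]+)>", name.strip())
    if not m:
        raise ValueError("name must be enclosed in [] or <>")
    body = m.group(1) or m.group(2)
    if re.fullmatch(r"[0-7]+", body):
        return int(body, 8)
    return None  # not octal: an identifier the system must translate to a UIC

def parse_protection(code):
    """Map each user category to the set of access types the code grants."""
    granted = {c: set() for c in CATEGORIES.values()}
    for field in code.upper().split(","):
        cat, _, letters = field.strip().partition(":")
        if cat not in CATEGORIES:
            raise ValueError("unknown category: %r" % cat)
        for ch in letters:
            if ch not in ACCESS:
                raise ValueError("unknown access type: %r" % ch)
            granted[CATEGORIES[cat]].add(ACCESS[ch])
    return granted

def excess_over_template(code):
    """Per category, the access a code grants beyond the DEFAULT template."""
    base, cur = parse_protection(TEMPLATE), parse_protection(code)
    return {c: sorted(cur[c] - base[c]) for c in cur if cur[c] - base[c]}

if __name__ == "__main__":
    # Constructed sample: domain 128 with a widened protection code.
    print(domain_name(128), parse_domain_name("<200>"))
    print(excess_over_template("S:RWLC,O:RWLC,G:RWL,W:RL"))
```

A non-empty result from excess_over_template marks a domain whose protection has been widened past the template, for example world read or lock access to every lock and value block in that domain.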

Privilege Requirements  

The SYSLCK privilege allows lock access to the system resource domain (Domain 0).

Kinds of Auditing Performed  

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited    When Audit Occurs
Access           When a process calls $SET_RESOURCE_DOMAIN or $ENQ to join a domain
Creation         The first time a process joins the resource domain
Deaccess         When a process calls $SET_RESOURCE_DOMAIN or at image or process rundown

Permanence of the Object  

Both the resource domain and its security elements are saved in SYS$SYSTEM:VMS$OBJECTS.DAT.

