HP OpenVMS Systems: Ask the Wizard
The Question is: My question has to do with the way the users are set up in the UAF file. We are running an application at the college where I am situated. Within the application there are 3 modules: Financial Application, Human Resources Application and a Student Information System Application. Those users who are primarily users of one application over the other are set up in a UIC Group for that application; that is, Financial Application (UIC Group 2000), Human Resources (3000) and Student Information System (1000). The users within one application need to reference the data files from the other applications (ex: Account Validation). The consulting company that was here before set up the users in the UAF with the BYPASS privilege, which is obviously a very dangerous thing to do because of the nature of the privilege. I have been assigned the task of reworking, if you will, the security and eliminating the BYPASS privilege. I know that one way to do it would be to have all of the users in one UIC Group. I believe that another way would be the use of ACLs. Would appreciate any help in this matter. I have been referencing the ACL Editor command and, regarding this command, if the OWNER of the file is say the Financial account and I want to give Read and Write access to say a Human Resources user, would the syntax of the ACL command be like (IDENTIFIER=[3000,*],ACCESS=READ+WRITE)? In this scenario, would you have to set up an ACL for the Financial user as well, or since the owner is the Financial user you would not have to? In addition, would you issue the ACL for the directory if all files in the directory are affected, or if just one file is affected, issue the above command for the affected file only? Thank you. William G. Kassar

The Answer is: You will want to read up on the access control list (ACL) mechanism, as ACLs and security identifiers are intended for this situation.

You will want to create identifiers -- such as the following FINANCIAL identifier -- and assign ACLs such as the following pair commonly found on directory files:

(IDENTIFIER=FINANCIAL,OPTION=DEFAULT,ACCESS=READ+WRITE)
(IDENTIFIER=FINANCIAL,ACCESS=READ+WRITE)

Security on directory files is a soft protection, and can potentially be bypassed by a knowledgeable user -- it is best to place the appropriate ACL both on the specific file(s) involved and also on the directory involved. You could use UIC group values as identifiers, but it is more flexible to create local identifiers. You can assign ACLs on the device level, or on the file level, or -- with the subsystem option -- even on executable images. In one local case, the OpenVMS Wizard places an identifier on an image, and users can access the relevant data files only through the executable image. For details on ACLs, please see the OpenVMS security manual.
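The sequence the Wizard describes, worked through as an added DCL example (this is not part of the original answer). The identifier names FINANCIAL and FIN_SUBSYS, the user HRUSER, the device DISK$DATA, the [FINANCE.ACCOUNTS] directory tree and ACCOUNTS.EXE are all assumed for illustration. In the DCL ACE syntax the default-propagation keyword is spelled OPTIONS=DEFAULT. Two points the question raises are settled by how OpenVMS evaluates access: the file owner's access comes from the O field of the UIC-based protection mask, so no ACE is needed for the owning Financial account, and an ACE with OPTIONS=DEFAULT on a directory is copied only onto files created afterwards, so existing files need the ACE applied to them directly.

```dcl
$! Added example, not the Wizard's own commands. All names below are assumptions.
$!
$! 1. Create the identifier, grant it to the HR user who needs account
$!    validation data, and take BYPASS away from that account. Run from a
$!    suitably privileged account.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD/IDENTIFIER FINANCIAL
UAF> GRANT/IDENTIFIER FINANCIAL HRUSER
UAF> MODIFY HRUSER /PRIVILEGES=NOBYPASS /DEFPRIVILEGES=NOBYPASS
UAF> SHOW HRUSER
UAF> EXIT
$!
$! 2. Close the UIC-based path first: system and owner keep full access,
$!    group and world get nothing, so only identifier holders get in.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) DISK$DATA:[FINANCE]ACCOUNTS.DIR
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) DISK$DATA:[FINANCE.ACCOUNTS]*.*;*
$!
$! 3. The directory: the OPTIONS=DEFAULT ACE is inherited by files created
$!    in the directory from now on; the second ACE covers the directory itself.
$ SET SECURITY/ACL=((IDENTIFIER=FINANCIAL,OPTIONS=DEFAULT,ACCESS=READ+WRITE), -
      (IDENTIFIER=FINANCIAL,ACCESS=READ+WRITE)) DISK$DATA:[FINANCE]ACCOUNTS.DIR
$!
$! 4. Files that already exist do not pick up the DEFAULT ACE, and directory
$!    protection alone is soft, so put the ACE on the data files as well.
$ SET SECURITY/ACL=(IDENTIFIER=FINANCIAL,ACCESS=READ+WRITE) DISK$DATA:[FINANCE.ACCOUNTS]*.DAT
$!
$! 5. Verify the protection mask and ACL on one of the files.
$ SHOW SECURITY DISK$DATA:[FINANCE.ACCOUNTS]CHART.DAT
$!
$! 6. The Wizard's image-based variant (protected subsystem): a second
$!    identifier, FIN_SUBSYS, is granted to nobody. It is placed on the image
$!    as a SUBSYSTEM ACE and on the data files as an ordinary ACE, so the files
$!    are reachable only while ACCOUNTS.EXE is running. The volume must be
$!    mounted /SUBSYSTEM, and the account assigning the SUBSYSTEM ACE must hold
$!    the identifier with the SUBSYSTEM attribute or have SECURITY privilege.
$ RUN AUTHORIZE
UAF> ADD/IDENTIFIER FIN_SUBSYS /ATTRIBUTES=SUBSYSTEM
UAF> EXIT
$ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=FIN_SUBSYS) DISK$DATA:[FINANCE]ACCOUNTS.EXE
$ SET SECURITY/ACL=(IDENTIFIER=FIN_SUBSYS,ACCESS=READ+WRITE) DISK$DATA:[FINANCE.ACCOUNTS]*.DAT
```

A user granted the identifier picks it up in the process rights list at the next login, not in sessions already running; SHOW PROCESS/PRIVILEGES from that user's new session lists the held identifiers, and an attempt to open a data file from a session that still lacks it fails with an insufficient-privilege error, which is the check to run before removing BYPASS from the remaining accounts.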