Generated from C.65.00 /SYSADMIN/PUB/MYCICAT last modified on Sun Aug 29 15:08:37 2004
Changes the access permissions of an object by altering its access control definition (ACD). ACDs are the main method of controlling access to files, hierarchical directories, and devices. ACDs are automatically assigned to hierarchical directories and to files existing in hierarchical directories. You can change the access permission for a file, a hierarchical directory, a device, and a device class. You cannot use ALTSEC to change access permissions for an MPE group, account, or the root directory.
Syntax

    ALTSEC objectname [,{FILENAME}]
                       {LDEV    }
                       {DEVCLASS}
           [,[ACCESS=](fileaccess[,[fileaccess][; ...]])]
           [{;NEWACD= } {(acdpair[;acdpair][; ...])}]
            {;ADDPAIR=} {^filereference            }
            {;REPPAIR=}
           [{;REPACD=}  {(acdpair[;acdpair][; ...])}]
                        {^filereference            }
                        {objectname                }
           [;DELPAIR= {(userspec[;userspec][; ...])}]
                      {^filereference              }
           [;COPYACD= objectname {,FILENAME}]
                                 {,LDEV    }
           [;DELACD]
           [;MASK]
Parameters

objectname
    An actual file designator, a directory name, logical device number,
    device name, or device class whose security provisions are to be
    altered. Either MPE or Hierarchical File System (HFS) file name syntax
    may be used for the actual file designator of the file or directory
    whose access permissions are to be altered. Wildcard characters may
    only be used with MPE syntax files residing in a group.

    MPE syntax: MPE file name syntax may include lockwords but not RFA
    information. If the object is an MPE syntax file, its format is:

        filename[/lockword][.groupname[.acctname]]

    A logical device number must be a numeric value and be configured on
    the system. A device class name must be configured on the system.

    File lockwords must be specified for files protected by active
    lockwords unless the object is also protected by a current ACD. In a
    batch job, if a lockword exists on a file it must be specified. In a
    session, if a lockword exists and is omitted, MPE/iX prompts for it.

    HFS syntax: File designators using HFS file name syntax must begin with
    either a dot (.) or a slash (/) character, and are limited to a maximum
    length of 255 characters.

    File equations are ignored during resolution of the object name, so
    that an accidental file equation reference cannot cause unintentional
    changes to an object's access permissions.

    The objectname parameter is followed by one of the three type
    identifiers listed below.

FILENAME
    A type identifier indicating that the objectname refers to either a
    file or directory designator. FILENAME is the default if a type
    identifier is not specified.

LDEV
    A type identifier indicating that the objectname refers to a logical
    device number.

DEVCLASS
    A type identifier indicating that the objectname refers to a device
    class.

ACCESS
    Optional keyword indicating that a fileaccess specification follows.
    This option affects security at the file level only.

fileaccess
    File security specifications, entered as follows:

        {R}            {ANY}
        {L}            {AC }
        {A}[,...]  :   {GU }[,...]
        {W}            {AL }
        {X}            {GL }
                       {CR }

    where R, L, A, W, and X specify modes of access by types of users
    (ANY, AC, GU, AL, GL, CR) as follows:

        R = READ
        L = LOCK (allows opening with dynamic lock option)
        A = APPEND (implicitly specifies L also)
        W = WRITE (implicitly specifies A and L also)
        X = EXECUTE

    Two or more modes may be specified if they are separated by commas.
    The user types are specified as follows:

        ANY = Any user
        AC  = Member of this account only
        GU  = Member of this group only
        AL  = Account librarian user only
        GL  = Group librarian user only
        CR  = Creating user only

    Two or more user types may be specified if they are separated by
    commas. The default is R,L,W,A,X:ANY. The colon (:) separating one or
    more modes from one or more user types is required punctuation in the
    specification of fileaccess. The ACCESS keyword is optional. If the
    file is protected by an ACD, the ACD overrides the file access mask.

NEWACD
    Indicates "new ACD". Use NEWACD to create a new ACD pair for the
    specified object. NEWACD is used when an ACD does not currently exist.
    It must be followed by valid ACD pair(s) as described below.

REPACD
    Indicates "replace ACD". Use REPACD to replace an entire existing ACD
    for the specified object, or to copy an ACD from an existing objectname
    to the specified objectname where objectname refers to a file. (You
    cannot use REPACD to copy ACDs between devices.) The REPACD parameter
    must be followed by valid ACD pair(s) as described below.

ADDPAIR
    Indicates "add pair". Use ADDPAIR to add a new ACD pair to an existing
    ACD. It must be followed by valid ACD pair(s) as described below.

REPPAIR
    Indicates "replace pair". Use REPPAIR to replace an existing ACD pair in
    an existing ACD. It must be followed by valid ACD pair(s) as described
    below. A new ACD pair replaces an existing ACD pair if it has the same
    user and account name.

acdpair
    An access control definition pair. Like the fileaccess parameter, this
    consists of a modes part and a userspec part. The modes part is
    separated from the userspec part by a colon (:).

    Acceptable modes for files are:

        R    : READ file access
        W    : WRITE file access
        L    : LOCK file access
        A    : APPEND file access
        X    : EXECUTE file access
        NONE : no access
        RACD : copy or read the ACD permission

    Acceptable modes for directories are:

        CD   : CREATE DIRECTORY ENTRIES access
        DD   : DELETE DIRECTORY ENTRIES access
        RD   : READ DIRECTORY ENTRIES access
        TD   : TRAVERSE DIRECTORY ENTRIES access
        NONE : no access
        RACD : copy or read the ACD permission

    File ACD pairs may contain R, W, L, A, X, NONE, and RACD. Directory ACD
    pairs may contain CD, DD, RD, TD, NONE, and RACD.

    The userspec part consists of one of:

        o a fully qualified user name (username.accountname)
        o the file owner, represented as $OWNER
        o the file group, represented as $GROUP
        o the file group mask, represented as $GROUP_MASK
        o @.accountname, which represents all users in the account
          "accountname"
        o @.@, which represents all users in the system

    NOTE: Wildcards cannot be used in any other manner within a user
    specification.

    A typical ACD consisting of three ACD pairs might look like this:

        (R,W:ENGR.MFG;R,W,RACD:@.MRKT;R:@.@)

    This ACD would allow READ and WRITE access to the ENGR user of the MFG
    account; READ and WRITE access to any user of the MRKT account, along
    with the ability to read or copy the ACD; and READ access to any user
    in any account.

filereference
    A file containing one or more ACD pairs. ACD pairs must be separated by
    semicolons and may be placed on separate lines. A single ACD pair may
    not span more than one line. Parentheses are optional when defining an
    acdpair within an indirect file. The file name must be preceded by the
    ^ sign (caret symbol) to indicate that the designated file contains the
    ACD definition. This is known as an indirect file. The ALTSEC command
    fails if the indirect file does not contain a syntactically correct
    ACD.

    The file reference may be specified using MPE or HFS file name syntax.
    For example:

        filename[/lockword][.group[.account]]

    If the file has an active lockword, it must be specified. ACDs override
    lockwords. Lockwords can only be specified in file references using
    MPE name syntax. Unqualified file names are relative to the current
    working directory.

DELPAIR
    Deletes one or more ACD pairs. It must be followed by a valid userspec.

userspec
    Username and accountname, the same as the userspec described above in
    acdpair. A wildcard (@) may be used for the username or for both the
    username and accountname together. A wildcard may not be specified for
    the accountname unless it is also specified for the username.

COPYACD
    Indicates that an ACD is to be copied from an existing objectname to
    the specified objectname. ACDs can only be copied between like objects.
    You must specify FILENAME, LDEV, or DEVNAME. You cannot copy an ACD
    from a device class (DEVCLASS), although you may copy to all devices on
    the system by specifying the @ sign as the target device.

DELACD
    Deletes the ACD (all ACD pairs) from the specified objectname. ACDs may
    only be removed from devices and files in MPE groups. The file access
    matrix controls access to these files when an ACD is deleted.

MASK
    Keyword which selects recalculation of the ACD file group class mask
    ($GROUP_MASK) access permission.
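The fileaccess specification described above (modes, a required colon, user types; W implying A and L, A implying L; a user who falls into several classes receiving the union of what each class is granted), worked through as an added Python example. It is not part of this manual page or of MPE/iX; parse_fileaccess, effective_modes and allowed are names invented for the illustration.

```python
"""Parser and evaluator for the ALTSEC ;ACCESS= file access matrix (the
fileaccess parameter) as described on this page.  Added illustration, not
HP's implementation; the function names are assumptions."""
from typing import Dict, Iterable, Set

MODES = {"R", "L", "A", "W", "X"}
USER_TYPES = {"ANY", "AC", "GU", "AL", "GL", "CR"}
# From the page: A implicitly specifies L; W implicitly specifies A and L.
IMPLIED = {"A": {"L"}, "W": {"A", "L"}}
DEFAULT_FILEACCESS = "R,L,W,A,X:ANY"  # the default stated on the page


def expand_modes(modes: Set[str]) -> Set[str]:
    """Add the modes implied by W and A."""
    expanded = set(modes)
    for mode in modes:
        expanded |= IMPLIED.get(mode, set())
    return expanded


def parse_fileaccess(spec: str) -> Dict[str, Set[str]]:
    """Parse '(X:GU;R,W:AL,GL)' into {user type: expanded modes}.

    Each entry is modes ':' user types; the colon is required punctuation,
    modes and user types are comma separated, entries are separated by ';'.
    """
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):
        spec = spec[1:-1]
    matrix: Dict[str, Set[str]] = {}
    for entry in (e.strip() for e in spec.split(";")):
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"fileaccess entry lacks the required ':': {entry!r}")
        modes_part, users_part = entry.split(":", 1)
        modes = {m.strip().upper() for m in modes_part.split(",") if m.strip()}
        users = {u.strip().upper() for u in users_part.split(",") if u.strip()}
        unknown = (modes - MODES) | (users - USER_TYPES)
        if unknown or not modes or not users:
            raise ValueError(f"invalid fileaccess entry {entry!r}: {sorted(unknown)}")
        for user_type in users:
            matrix.setdefault(user_type, set()).update(expand_modes(modes))
    return matrix


def effective_modes(matrix: Dict[str, Set[str]], user_types: Iterable[str]) -> Set[str]:
    """Union of the modes granted to every class the requesting user belongs
    to.  Every user is ANY; pass the other classes that apply, for example
    {'AC', 'GU'} for an ordinary member of the file's group."""
    classes = {t.upper() for t in user_types} | {"ANY"}
    granted: Set[str] = set()
    for cls in classes:
        granted |= matrix.get(cls, set())
    return granted


def allowed(matrix: Dict[str, Set[str]], mode: str, user_types: Iterable[str]) -> bool:
    """True if the user's classes grant the requested mode (after implication)."""
    return mode.upper() in effective_modes(matrix, user_types)


if __name__ == "__main__":
    # ALTSEC FPROG;ACCESS=(X:GU;R,W:AL,GL), from the examples on this page
    fprog = parse_fileaccess("(X:GU;R,W:AL,GL)")
    print(sorted(effective_modes(fprog, {"AC", "GU"})))        # ['X']
    print(sorted(effective_modes(fprog, {"AC", "GU", "GL"})))  # ['A', 'L', 'R', 'W', 'X']
```

The matrix is stored per user type rather than per mode so that a lookup for a user who is, say, both GU and GL is a simple union; the implied modes are expanded at parse time, which is why a librarian granted only W also passes an APPEND or LOCK check.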
Operation

The ALTSEC command alters security provisions for files, hierarchical
directories, devices and device classes by manipulating an object's access
control definition (ACD) or its access mask. All of these objects may have
ACDs, but only files have access masks which can be changed using this
command.

An object's ACD may be altered using this command with the ACD keywords
NEWACD, REPACD, COPYACD, ADDPAIR, REPPAIR, DELPAIR, DELACD, and MASK. A
file's access mask may be altered using either the ACCESS keyword or an
access specification without a keyword. Using the ACCESS keyword is a
recommended practice to help distinguish between file access mask and ACD
operations.

Only a file's owner can use this command to change a file's access mask.
Object owners and users with appropriate privilege can use this command to
manipulate an object's ACD. Files and hierarchical directories have their
owner's identity and a file group ID (GID) stored in their file labels.
System managers and account managers have appropriate privilege to
manipulate an object's ACD. Account managers for the account matching an
object's GID have appropriate privilege. Devices are owned by system
managers. The ability to manipulate an ACD or file mask is not affected by
the object access currently granted to a user. System and account managers
are always granted all access to files and hierarchical directories
protected by ACDs.

File ACDs override file lockwords and the file access matrix. ACDs permit
more precise access control than can be expressed using the file access
matrix by allowing access permissions to be granted or denied to specific
users.

MPE/iX allows a maximum of 40 ACD pairs to be specified for a particular
object. Since a large number of ACD pair specifications will overflow the
command line buffer, large numbers of ACD specifications may be entered
using an indirect file.

The ALTSEC command fails if you attempt to alter the access permissions for
a permanent disk file whose group's home volume set is not mounted.

Release 5.0 requires ACDs on the following files:

    o All hierarchical directories
    o All files under hierarchical directories
    o All files directly under MPE/iX groups where the file GID does not
      match the GID of the account and group in which the file is located.
      One way this occurs is if you rename a file from an MPE group outside
      the account to another MPE group.

Required ACDs cannot be removed with the ALTSEC command, even by users with
SM or AM capability.

Access to Command Files and UDCs

You can now protect UDCs and command files by denying READ (R) access and
granting EXECUTE (X) access to users that need to execute the file but are
not permitted to read the file. When a user lacks READ access to a command
file or UDC file, the system behaves in the following manner:

    o The user cannot see any of the commands within the file.
      Specifically, OPTION LIST and the HPCMDTRACE variable are defeated.
    o HELP is unavailable for the file. For a UDC file this means that all
      of the UDCs within the file are treated as if OPTION NOHELP was
      specified.
    o SHOWCATALOG still lists the individual UDCs and UDC filenames.
    o If an error occurs, the offending command line is not echoed to
      $STDLIST.

To see examples of how to grant only execute access to a command file or
UDC, read "Examples."

This command may be issued from a session, job, program, or in BREAK.
Pressing [Break] has no effect on this command.
Examples

File Access Matrix Examples

LISTFILE,4 can be used to view the file access matrix.

You have created a file named FDATA and you want to change its security
provisions to allow WRITE access to yourself only. There will be no
default security provisions. Enter:

    ALTSEC FDATA;ACCESS=(W:CR)

To change the file access matrix permissions for the FPROG program file to
allow group users to execute the program, but only account and group
librarian users to read or write to the file, enter:

    ALTSEC FPROG;ACCESS=(X:GU;R,W:AL,GL)

ACD Examples

LISTFILE,-2 can be used to view ACD information. This form of the LISTFILE
command displays only ACD information.

You have created a file named FDATA and you wish to assign a new ACD to
FDATA granting write access to a user named FRIEND. Enter:

    ALTSEC FDATA;NEWACD=(W:FRIEND.ACCT)

As the creator of a file, you are by default able to access the file, so
granting your user identity all access in the ACD would be redundant.
Users with appropriate privileges are always permitted to access files
protected by ACDs.

To extend the ACD for the FDATA file so that all users on the system can
read it, and all users within your account "ACCT" can also write to it,
enter:

    ALTSEC FDATA;ADDPAIR=(R:@.@; W,R:@.ACCT)

To remove the pair that grants FRIEND write access, enter:

    ALTSEC FDATA;DELPAIR=(FRIEND.ACCT)

If you later decide that users outside your account "ACCT" should no
longer have read access to the file FDATA, enter:

    ALTSEC FDATA;DELPAIR=(@.@)

This does not delete all ACD pairs, only the ACD pair matching @.@. To
delete the entire ACD, enter:

    ALTSEC FDATA;DELACD

You want to copy the ACD associated with LDEV 5 to all devices in device
class TERM:

    ALTSEC TERM,DEVCLASS;COPYACD=5,LDEV

ACDs may be copied only between objects of the same type.

You want to grant users in account ACCT all access to directory Mydir1:

    ALTSEC ./Mydir1;ADDPAIR=(CD,DD,RD,TD,RACD : @.ACCT)

You want to grant read and write access to yourself and read access for
other members of your group to an HFS syntax file named a_file_of_Mine:

    ALTSEC ./a_file_of_Mine;REPPAIR=(RACD,R,W:$OWNER; RACD,R:$GROUP,$GROUP_MASK; NONE:@.@)

To alter the security of file FILENAME to allow write access to the
creator only, overriding the MPE/iX default security (if it still exists),
enter:

    ALTSEC FILENAME;ACCESS=(W:CR)

To change the security of program file PROGNAME so that any group user can
execute the program, but only account and group librarians can read or
write to the file, enter:

    ALTSEC PROGNAME;ACCESS=(X:GU;R,W:AL,GL)

To add a new ACD to file PROGNAME allowing all users on the system to
execute it, but only users in account ACCT to write to it, enter:

    ALTSEC PROGNAME;NEWACD=(X:@.@;W,X:@.ACCT)

To grant execute access to the mycmdf file, enter either of the following
commands. (To then verify the security, use LISTFILE formats -2 or 4.)

    :altsec mycmdf; access=(x:any; r,w,l,a:gu)
    :altsec mycmdf; repacd=(racd,x:@.@; r,w,l,a:$group)
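The ACD pair syntax (the acdpair, filereference and userspec parameters) and the NEWACD, ADDPAIR, DELPAIR, DELACD and REPACD sequence walked through in the ACD examples, modelled in Python as an added example. It is not part of this manual page or of MPE/iX; Acd, parse_pairs and parse_indirect are names invented for the illustration. Two behaviours the page does not state are marked as assumptions in the code: ADDPAIR of a userspec that already has a pair is rejected, and effective_modes() resolves access by the first match in user.account, @.account, @.@ order, leaving the $OWNER/$GROUP/$GROUP_MASK entries (which need the file label) out of the lookup.

```python
"""Model of the MPE/iX ACD pair syntax and the ALTSEC ACD keywords (NEWACD,
REPACD, ADDPAIR, REPPAIR, DELPAIR, DELACD, ^indirect file) from this page.
Added illustration, not HP code; names and effective_modes() order are assumptions."""
FILE_MODES = {"R", "W", "L", "A", "X", "NONE", "RACD"}
DIR_MODES = {"CD", "DD", "RD", "TD", "NONE", "RACD"}
SPECIALS = {"$OWNER", "$GROUP", "$GROUP_MASK"}
MAX_PAIRS = 40  # per-object limit stated on the page


def parse_userspec(text: str) -> str:
    """'@' only as a whole user name, and for the account only if the user is '@'."""
    u = text.strip().upper()
    if u in SPECIALS:
        return u
    parts = u.split(".")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"userspec must be user.account: {text!r}")
    user, acct = parts
    if any("@" in p and p != "@" for p in parts) or (acct == "@" and user != "@"):
        raise ValueError(f"invalid wildcard use in userspec {text!r}")
    return u


def parse_pairs(text: str, kind: str = "file") -> dict:
    """'(R,W:ENGR.MFG;R,W,RACD:@.MRKT;R:@.@)' -> {userspec: set of modes}.
    A pair's userspec part may list several names ('RACD,R:$GROUP,$GROUP_MASK')."""
    valid = FILE_MODES if kind == "file" else DIR_MODES
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    pairs = {}
    for entry in (e.strip() for e in text.split(";") if e.strip()):
        if ":" not in entry:
            raise ValueError(f"ACD pair lacks the ':' separator: {entry!r}")
        modes_part, users_part = entry.split(":", 1)
        modes = {m.strip().upper() for m in modes_part.split(",") if m.strip()}
        if not modes or modes - valid:
            raise ValueError(f"bad {kind} modes in {entry!r}: {sorted(modes - valid)}")
        for name in users_part.split(","):
            pairs[parse_userspec(name)] = set(modes)
    return pairs


def parse_indirect(text: str, kind: str = "file") -> dict:
    """^filereference contents: ';'-separated pairs, parentheses optional.  Each
    line is parsed alone, so a pair spanning two lines is rejected (page rule)."""
    pairs = {}
    for line in text.splitlines():
        body = line.strip().lstrip("(").rstrip(")")
        if body:
            pairs.update(parse_pairs(body, kind))
    return pairs


class Acd:
    def __init__(self, kind: str = "file", required: bool = False):
        self.kind, self.required, self.pairs = kind, required, {}

    def _set(self, pairs: dict) -> None:
        if len(pairs) > MAX_PAIRS:
            raise ValueError(f"more than {MAX_PAIRS} ACD pairs")
        self.pairs = pairs

    def newacd(self, spec: str) -> None:
        if self.pairs:
            raise ValueError("NEWACD: an ACD already exists, use REPACD")
        self._set(parse_pairs(spec, self.kind))

    def repacd(self, spec: str) -> None:
        self._set(parse_pairs(spec, self.kind))

    def addpair(self, spec: str) -> None:
        new = parse_pairs(spec, self.kind)
        dup = sorted(set(new) & set(self.pairs))
        if dup:  # assumption: a duplicate userspec is rejected, not replaced
            raise ValueError(f"ADDPAIR: pair already exists for {dup}")
        self._set({**self.pairs, **new})

    def reppair(self, spec: str) -> None:
        # same user and account name replaces the old pair; assumption: a
        # userspec with no existing pair is added
        self._set({**self.pairs, **parse_pairs(spec, self.kind)})

    def delpair(self, spec: str) -> None:
        """Userspecs match literally: DELPAIR=(@.@) removes only the @.@ pair."""
        for name in spec.strip().strip("()").split(";"):
            if name.strip():
                self.pairs.pop(parse_userspec(name))  # KeyError if absent (assumption)

    def delacd(self) -> None:
        if self.required:  # HFS objects and mismatched-GID files (Release 5.0)
            raise PermissionError("required ACD cannot be removed, even with SM/AM")
        self.pairs = {}

    def effective_modes(self, user: str, acct: str) -> set:
        # assumption: first match in user.account, @.account, @.@ order wins;
        # $OWNER/$GROUP/$GROUP_MASK need file-label context and are omitted
        for key in (f"{user}.{acct}".upper(), f"@.{acct}".upper(), "@.@"):
            if key in self.pairs:
                return set(self.pairs[key])
        return set()
```

Running the mycmdf example through it (`Acd().repacd("(racd,x:@.@; r,w,l,a:$group)")`) shows why the command-file protection works: a user outside the group resolves to the @.@ pair and gets only RACD and X, so the file can be executed but never read.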
Related Information

Commands: LISTF, LISTFILE, RELEASE, SHOWDEV, SECURE

Also see the fileaccess parameter for these commands: ALTACCT, ALTGROUP,
NEWACCT, NEWGROUP

Manuals: MPE/iX Intrinsics Reference Manual (32650-90028)