UIC Protection

UIC-based protection is the standard file protection mechanism. Each object in an OpenVMS system has a UIC plus a protection code.

A process is assigned the UIC of its owner when it is created. A process may SET (change) its UIC only if it has CMKRNL privilege, which is typically reserved for users in a system manager role. The protection code specifies the access granted to each user category.

When you create or maintain accounts for GT.M users, you complete the following actions that affect UIC-based protection:

  • Assigning each user as a member of a group

  • Assigning each user a file protection code or mask that will be the default for files owned by the user

The relationship between the UIC of the user and the UIC of the object controls access to that object. UICs control access to files and other OpenVMS objects according to the following process categories (listed in order of precedence):

SYSTEM

Processes that have a UIC in a distinguished "system" group, processes that have SYSPRV, or processes for which certain special conditions exist.

OWNER

Processes that have the same UIC as that of the object.

GROUP

Processes that have a UIC of the same group as the object UIC.

WORLD

All processes.

A process requiring access to an object is checked against the protection mask of the object. Access is granted when the mask gives the requested permission to a category that the process fulfills. You can specify the following permissions:


READ                                       Read the file
WRITE                                      Change the file
EXECUTE                                    Run the file
DELETE                                     Remove the file from storage

Example:

$ SET FILE/PROTECT=(S:RWED,O:RWED,G:RE,W:"") FILE.DAT

In this example, the protection mask specifies READ, WRITE, EXECUTE, and DELETE access for users in the SYSTEM and OWNER categories, READ and EXECUTE access in the GROUP category, and no access in the WORLD category. This is the OpenVMS default for UIC protection.
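The following Python sketch is an added example, not part of the GT.M or OpenVMS documentation. It models the check described above for the mask in the SET FILE command: it parses the mask, lists the categories a process fulfills, and reports which category grants a requested access. It assumes numeric octal UICs, treats group numbers 1 through octal 10 as the "system" group, and ignores ACLs and privileges other than SYSPRV; the UIC values are constructed.

```python
import re

CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")  # precedence order from the text
ACCESS = set("RWED")  # READ, WRITE, EXECUTE, DELETE

def parse_uic(text):
    """Parse a numeric UIC such as [200,15]; both fields are octal."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", text.strip())
    if not m:
        raise ValueError(f"not a numeric UIC: {text!r}")
    return int(m.group(1), 8), int(m.group(2), 8)

def parse_mask(text):
    """Turn (S:RWED,O:RWED,G:RE,W:"") into {category: set of access letters}."""
    mask = {c: set() for c in CATEGORIES}
    for field in text.strip().strip("()").split(","):
        name, _, codes = field.strip().partition(":")
        match = [c for c in CATEGORIES if name and c.startswith(name.upper())]
        codes = codes.strip().strip('"').upper()
        if len(match) != 1 or set(codes) - ACCESS:
            raise ValueError(f"bad protection field: {field!r}")
        mask[match[0]] = set(codes)
    return mask

def categories_for(proc, obj, sysprv=False, max_sys_group=0o10):
    """List every category the process fulfills, in precedence order."""
    cats = []
    # Assumption: "system" group means group numbers 1..max_sys_group (octal 10).
    if sysprv or 1 <= proc[0] <= max_sys_group:
        cats.append("SYSTEM")
    if proc == obj:
        cats.append("OWNER")
    if proc[0] == obj[0]:
        cats.append("GROUP")  # an owner is also in the object's group
    cats.append("WORLD")      # WORLD is all processes
    return cats

def check_access(mask, proc_uic, obj_uic, want, sysprv=False):
    """Return the first fulfilled category that grants `want`, else None."""
    proc, obj = parse_uic(proc_uic), parse_uic(obj_uic)
    for cat in categories_for(proc, obj, sysprv):
        if want in mask[cat]:
            return cat
    return None

if __name__ == "__main__":
    mask = parse_mask('(S:RWED,O:RWED,G:RE,W:"")')  # mask from the example
    obj = "[200,15]"                                 # constructed UICs
    for who in ("[200,15]", "[200,20]", "[300,1]", "[1,4]"):
        print(who, {a: check_access(mask, who, obj, a) for a in "RWED"})
```

With this mask, a process in the object's group can read and execute the file but cannot write or delete it, and a process outside the group gets no access unless it falls into the SYSTEM category.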