Logical Name Tables

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security for the User

Descriptions of Object Classes

Global Sections

Queues

Logical Name Tables

Logical name assignments are maintained in logical name tables. A logical name table can be accessible to only one process, or it can be shareable if its parent table is shareable. All shareable name tables are listed in the LNM$SYSTEM_DIRECTORY, the system directory table. It is shareable logical name tables that the operating system protects.

Naming Rules

The name of a logical name table is a string of 1 to 32 characters.

Types of Access

The logical name table class supports the following types of access:

Read
Gives you the right to look up (translate) logical names in the table

Write
Gives you the right to create and delete logical names in the table

Create
Gives you the right to create a descendant logical name table, including the right to use a subset of the dynamic memory allocated to the parent logical name table when creating the descendant logical name table

Delete
Gives you the right to delete the table

Control
Gives you the right to modify the protection elements and owner of the table

Template Profile

The logical name table class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.

Template Name Owner UIC Protection Code

DEFAULT
[0,0]
S:RW,O:RW,G:R,W:R

GROUP
[0,*]
S:RWCD,O:R,G:R,W

JOB
[0,0]
S:RWCD,O:RWCD,G,W

Template Name	Owner UIC	Protection Code
DEFAULT	[0,0]	S:RW,O:RW,G:R,W:R
GROUP	[0,*]	S:RWCD,O:R,G:R,W
JOB	[0,0]	S:RWCD,O:RWCD,G,W

Privilege Requirements

The operating system allows read and write access to the group logical name tables with GRPNAM privilege and to the system logical name table with SYSNAM privilege.

Deletion of a shared table from the system directory requires SYSNAM privilege, and deletion of a logical name from the group directory requires GRPNAM privilege. Deletion of a parent logical name table results in the deletion of all its descendant logical name tables.

Creation or deletion of an inner-mode logical name or logical name table requires SYSNAM privilege (or being in an inner mode).

Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited When Audit Occurs

Access
When translating a name, when creating a name or a descendent table, or when deleting a name or a descendent table

Creation
During access to a parent table for the right to create a table or when the table itself is created

Event Audited	When Audit Occurs
Access	When translating a name, when creating a name or a descendent table, or when deleting a name or a descendent table
Creation	During access to a parent table for the right to create a table or when the table itself is created

Permanence of the Object

A logical name table and its security profile must be reset each time the system is rebooted.

Global Sections

Queues

Read	Gives you the right to look up (translate) logical names in the table
Write	Gives you the right to create and delete logical names in the table
Create	Gives you the right to create a descendant logical name table, including the right to use a subset of the dynamic memory allocated to the parent logical name table when creating the descendant logical name table
Delete	Gives you the right to delete the table
Control	Gives you the right to modify the protection elements and owner of the table