Designing User Groups

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security for the System Administrator

Controlling Access to System Data and Resources

Naming Individual Users in ACLs

Designing User Groups

As you design user groups, remember that the groups you establish have an impact on data and resource protection and influence those who receive the GROUP, GRPNAM, and GRPPRV privileges. You may want to map out the functions you expect your users to perform. Look for groups of users involved with a common function, such as accounting, engineering, marketing, and personnel.

Think ahead to future plans in your organization. Incorporate these ideas into your strategy. You can fine-tune the group design at any time, but it is most important to gain a perspective on the logical groupings according to the functions your users perform.

Following are two guidelines for determining the placement of users in UIC groups:

Sharing: Users who typically share data and control of processes should be arranged in the same group.

Protection: Users who should not have access to each other's data or control each other's processes should be assigned to separate groups.

However, there are limitations to UIC group design. You may want to give only a few members of your UIC group access to files that you own, or you may want to grant access to your files to members of several UIC groups without having to grant world access. These limitations are described in Limitations to UIC Group Design.

Example of UIC Group Design

The fictitious Rainbow Paint Company is a distribution company with five departments: executive, accounting, marketing, shipping, and administration. Employee Grouping by Department and Function identifies the employees in the various departments who need computer resources. The table also lists the job responsibilities of the employees.

Table 1 Employee Grouping by Department and Function
Department Employee Function

Executive
Samuel Gibson
President

Olivia Westwood
Treasurer Head of Computer Operations

Accounting
Carlo Ruiz
Payroll

Rich Smith
Bookkeeping

Rod Jacobs
Clerk

Ruth Ross
Clerk

Marketing
Jason Chang
Forecasting

Alana Mack
Sales Reporting

Shipping
Scott Giles
Inventory Control

Administration
Jane Simon
Correspondence Management Paycheck Printing

**Table 1** **Employee Grouping by Department and Function**
Department	Employee	Function
Executive	Samuel Gibson	President
	Olivia Westwood	Treasurer Head of Computer Operations
Accounting	Carlo Ruiz	Payroll
	Rich Smith	Bookkeeping
	Rod Jacobs	Clerk
	Ruth Ross	Clerk
Marketing	Jason Chang	Forecasting
	Alana Mack	Sales Reporting
Shipping	Scott Giles	Inventory Control
Administration	Jane Simon	Correspondence Management Paycheck Printing

The fact that the company has been organized into departments suggests that individuals in the same department perform many of the same functions. For example, the advantage of grouping all the employees who perform bookkeeping tasks for the company in the accounting department is that employees can easily communicate with one another and gain access to the data they must share.

As the system manager of Rainbow Paint's computer resources, Olivia Westwood will set up UIC groups based on the existing organizational structure. For example, the employees in the accounting department (Ruiz, Smith, Jacobs, and Ross) could be members of the UIC group ACCOUNTING. Setting up the UIC group in this way ensures that user Ruiz has easy access to data from user Smith, and so on.

Effective department organization ensures that only selected employees will have access to all data and employees in the company. For example, one of the functions of the accounting department concerns payroll. Because payroll information is confidential, employees in the shipping and marketing departments should not have access to that information.

As the system manager of Rainbow Paint's computer resources, Westwood sets up the UIC groups---ACCOUNTING, EXECUTIVE, MARKETING, SHIPPING, and ADMINISTRATION---corresponding to the various departments in the company. Members of a UIC group can be given common access to files, as shown in the following example:

$ SET SECURITY/PROTECTION=G:RWE GROUP_STATS.DAT

With this command, the owner of the file GROUP_STATS.DAT allows each member of the UIC group read, write, and execute access to the file.

Limitations to UIC Group Design

In some cases, UIC-based protection does not present the best solution to your object protection needs. If users in several UIC groups need access to common files and other resources on the system, the only UIC-based alternatives are to give world access to the object (all users can access the object) or to grant extended privileges to each user. Neither choice is desirable.

You may also need to allow users in a UIC group several types of access to files; you may want to deny access to the object to some users in the same group. Again, UIC-based protection does not offer a good solution to meet these needs.

Access control lists (ACLs), described in the following sections, offer another way to protect files and other objects on the system.

As the site security administrator, it is extremely important to familiarize yourself with the subtleties of the UIC categories, as described in Controlling Access with Protection Codes"Controlling Access with Protection Codes" on page 82. Putting users in certain UIC groups may grant them system privileges, and a user with system privilege has control access to any protected object on the system. The SYSPRV privilege is given by default to all UIC groups less than or equal to 10, but the actual range for the system UIC category is determined by the value of the MAXSYSGROUP system parameter. Putting users with the GRPPRV privilege in groups that own system files might also cause security problems.

Naming Individual Users in ACLs