skip book previous and next navigation links
go up to top of book: HP OpenVMS Guide to System Security HP OpenVMS Guide to System Security
go to beginning of part: Security for the System Administrator Security for the System Administrator
go to beginning of chapter: Using Protected Subsystems Using Protected Subsystems
go to previous page: System Management Requirements System Management Requirements
go to next page: Enabling Protected Subsystems on a Trusted VolumeEnabling Protected Subsystems on a Trusted Volume
end of book navigation links

Building the Subsystem  



Once managers of the subsystem have the appropriate identifiers and access rights as described in System Management Requirements, they can add the necessary ACEs to a subsystem image. Two kinds of ACEs are necessary to construct a subsystem: the application image receives a Subsystem ACE, and the objects managed by the subsystem receive Identifier ACEs. Therefore, building a subsystem requires the following steps:
  1. Create a Subsystem ACE containing the subsystem identifier in the ACLs of the application images. A Subsystem ACE has the following format: (SUBSYSTEM,{IDENTIFIER=identifier[,ATTRIBUTES=attributes]})

  2. Grant access to the objects managed by the subsystem. You need to add an Identifier ACE to the ACL of the various objects belonging to the subsystem. Each Identifier ACE contains one of the subsystem identifiers in the following format: (IDENTIFIER=identifier, ACCESS=access-type[+...])

In the following example, the subsystem manager uses the DCL command SET SECURITY to associate the subsystem identifier with the images that make up the subsystem. First, the subsystem manager adds a Subsystem ACE with the identifier MEMBERS_SUBSYSTEM to the ACL of the application image MEMBER_LIST.EXE: 

$ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,-
_$ ATTRIBUTES=RESOURCE) MEMBER_LIST.EXE
Then the subsystem manager adds an Identifier ACE with the subsystem identifier MEMBERS_SUBSYSTEM to the data files managed by the subsystem:
$ SET SECURITY/ACL=(IDENTIFIER=MEMBERS_SUBSYSTEM,-
_$ ACCESS=READ+WRITE) MEMBER_DATA*.DAT
The DCL command SHOW SECURITY displays the security attributes of the files. For example: 
$ SHOW SECURITY MEMBER_LIST.EXE

MEMBER_LIST.EXE object of class FILE

     Owner: [STAFF]
     Protection: (System: RWED, Owner: RWED, Group, World: RE)
     Access Control List: (SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,ATTRIBUTES=RESOURCE)
$ SHOW SECURITY MEMBER_DATA*.DAT

MEMBER_DATA_1.DAT object of class FILE

     Owner: MEMBERS_SUBSYSTEM
     Protection: (System: RWED, Owner: RWED, Group, World)
     Access Control List: (IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=READ+WRITE)

MEMBER_DATA_2.DAT object of class FILE

     Owner: MEMBERS_SUBSYSTEM
     Protection: (System: RWED, Owner: RWED, Group, World)
     Access Control List: (IDENTIFIER=MEMBERS_SUBSYSTEM,
            ACCESS=READ+WRITE)
go to previous page: System Management Requirements System Management Requirements
go to next page: Enabling Protected Subsystems on a Trusted VolumeEnabling Protected Subsystems on a Trusted Volume