
A Assigning Privileges



Privileges restrict the use of certain system functions to processes created on behalf of authorized users. These restrictions protect the integrity of the operating system's code, data, and resources and, thus, the integrity of user service. Grant privileges to individual users only after carefully considering the following two factors:

Privileges fall into the following seven categories according to the damage that the user possessing them could cause the system:

A user's privileges are recorded in the user's UAF record in a 64-bit privilege mask. When a user logs in to the system, the user's privileges are stored in the header of the user's process. In this way, the user's privileges are passed on to the process created for the user. Users can use the DCL command SET PROCESS/PRIVILEGES to enable and disable privileges for which they are authorized and to further control the privileges available to the images they run. Moreover, any user with the SETPRV privilege can enable any privilege.

Table 8-2 (OpenVMS Privileges) lists the privileges by category and gives brief, general definitions of them. The following sections describe all privileges available on OpenVMS systems in detail; each section title identifies the privilege category (Normal, Devour, and so on). For each privilege, the appendix describes the capabilities granted by the privilege and the users who should receive them.

ACNT Privilege (Devour)
ALLSPOOL Privilege (Devour)
ALTPRI Privilege (System)
AUDIT Privilege (System)
BUGCHK Privilege (Devour)
BYPASS Privilege (All)
CMEXEC Privilege (All)
CMKRNL Privilege (All)
DIAGNOSE Privilege (Objects)
DOWNGRADE Privilege (All)
EXQUOTA Privilege (Devour)
GROUP Privilege (Group)
GRPNAM Privilege (Devour)
GRPPRV Privilege (Group)
IMPERSONATE Privilege (All) (Formerly DETACH)
IMPORT Privilege (Objects)
LOG_IO Privilege (All)
MOUNT Privilege (Normal)
NETMBX Privilege (Normal)
OPER Privilege (System)
PFNMAP Privilege (All)
PHY_IO Privilege (All)
PRMCEB Privilege (Devour)
PRMGBL Privilege (Devour)
PRMMBX Privilege (Devour)
PSWAPM Privilege (System)
READALL Privilege (Objects)
SECURITY Privilege (System)
SETPRV Privilege (All)
SHARE Privilege (All)
SHMEM Privilege (Devour)
SYSGBL Privilege (Files)
SYSLCK Privilege (System)
SYSNAM Privilege (All)
SYSPRV Privilege (All)
TMPMBX Privilege (Normal)
UPGRADE Privilege (All)
VOLPRO Privilege (Objects)
WORLD Privilege (System)
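
The following Python sketch is an added example, not part of the HP manual: it audits a list of authorized privileges against a category ceiling, using the categories from the section titles above and treating SETPRV as reaching every privilege, as the text states. The function names, the sample accounts, the ranking order of the categories, and ranking "Files" with Objects are assumptions.

```python
# Category of each privilege, copied from this appendix's section titles.
CATEGORY = {
    "ACNT": "Devour", "ALLSPOOL": "Devour", "ALTPRI": "System", "AUDIT": "System",
    "BUGCHK": "Devour", "BYPASS": "All", "CMEXEC": "All", "CMKRNL": "All",
    "DIAGNOSE": "Objects", "DOWNGRADE": "All", "EXQUOTA": "Devour", "GROUP": "Group",
    "GRPNAM": "Devour", "GRPPRV": "Group", "IMPERSONATE": "All", "IMPORT": "Objects",
    "LOG_IO": "All", "MOUNT": "Normal", "NETMBX": "Normal", "OPER": "System",
    "PFNMAP": "All", "PHY_IO": "All", "PRMCEB": "Devour", "PRMGBL": "Devour",
    "PRMMBX": "Devour", "PSWAPM": "System", "READALL": "Objects", "SECURITY": "System",
    "SETPRV": "All", "SHARE": "All", "SHMEM": "Devour", "SYSGBL": "Files",
    "SYSLCK": "System", "SYSNAM": "All", "SYSPRV": "All", "TMPMBX": "Normal",
    "UPGRADE": "All", "VOLPRO": "Objects", "WORLD": "System",
}
# Assumed ordering, least to most damaging; "Files" is ranked with Objects (assumption).
RANK = {"Normal": 1, "Group": 2, "Devour": 3, "System": 4,
        "Objects": 5, "Files": 5, "All": 6}

def effective(privs):
    """Privileges a process can reach: a SETPRV holder can enable any privilege."""
    privs = {p.upper() for p in privs}
    unknown = privs - set(CATEGORY)
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    return set(CATEGORY) if "SETPRV" in privs else privs

def audit(accounts, ceiling):
    """Return {user: sorted privileges above the ceiling category} for violators."""
    findings = {}
    for user, privs in accounts.items():
        over = sorted(p for p in effective(privs)
                      if RANK[CATEGORY[p]] > RANK[ceiling])
        if over:
            findings[user] = over
    return findings

# Constructed sample of authorized privileges per account (not real UAF data).
SAMPLE = {
    "ALICE": ["TMPMBX", "NETMBX"],
    "BOB": ["TMPMBX", "NETMBX", "GROUP", "OPER"],
    "CAROL": ["TMPMBX", "SETPRV"],
}

if __name__ == "__main__":
    for user, over in audit(SAMPLE, "Group").items():
        print(f"{user}: {len(over)} privilege(s) above Group, e.g. {over[:3]}")
```

CAROL is authorized for only two privileges, yet the audit reports every privilege above the ceiling for her account, because SETPRV makes all of them reachable.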