HP OpenVMS Guide to System Security > Chapter 5 Descriptions of Object Classes

Resource Domains

Processes that access shared resources can coordinate access using the services of the lock manager. These services allow processes to associate a name with a resource, such as a file or a data structure, to arbitrate access to that resource, and to exchange limited information through a lock value block. The namespaces that catalog resources on which locks can be taken are called resource domains.

A process must become a member of a resource domain to take and release locks and to read and write value blocks associated with resources in that resource domain. A process implicitly joins the system and group domains, but it explicitly joins other domains through a call to the $SET_RESOURCE_DOMAIN system service. Access to all locks and value blocks within a domain is controlled by access to the domain itself.

Naming Rules

A resource domain is identified to $SET_RESOURCE_DOMAIN by a longword binary value. However, the name of the resource domain object is a string containing the resource number interpreted in octal surrounded by brackets [] or angle brackets <>. Alternatively, the name of the resource domain object can be expressed as an identifier enclosed in brackets or angle brackets. The identifier must translate to a UIC value; the group field of the UIC is used as the resource domain number.

Types of Access

The resource domain class supports the following types of access:

Read

Gives you the right to read lock value blocks in the domain, including the right to use the $GETLKI system service to retrieve them

Write

Gives you the right to write to lock value blocks in the domain

Lock

Gives you the right to take locks using $ENQ, release locks using $DEQ, and obtain information about the lock database using $GETLKI

Control

Gives you the right to modify the protection elements of a resource domain

Template Profile

The resource domain class provides the following template profile. The template assigns an owner UIC of [n,*] where n is the resource domain's number.

Template Name    Owner UIC    Protection Code
DEFAULT          [n,*]        S:RWL,O:RWL,G:RWL,W
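
The naming rule and the DEFAULT template above, as an added example (not code from this guide or from HP): Python that converts between a domain number and its octal object name and reports any access a protection code grants beyond the template. The function names, the letter C for Control access, and the sample domain are assumptions.

```python
import re

# Access letters: Read, Write, Lock appear in the page's template;
# "C" for Control is an assumption (the page gives no abbreviation for it).
ACCESS = set("RWLC")
CATEGORIES = "SOGW"  # System, Owner, Group, World
TEMPLATE = "S:RWL,O:RWL,G:RWL,W"  # DEFAULT template profile from the page


def domain_name(number, angle=False):
    """Object name for a domain number: the number in octal, bracketed."""
    if not 0 <= number <= 0xFFFFFFFF:  # domains are identified by a longword
        raise ValueError("domain number must fit in a longword")
    return ("<%o>" if angle else "[%o]") % number


def domain_number(name):
    """Domain number from a numeric object name; None for identifier names."""
    m = re.fullmatch(r"\[([^\[\]<>]+)\]|<([^\[\]<>]+)>", name.strip())
    if not m:
        raise ValueError("not a bracketed resource domain name: %r" % name)
    body = m.group(1) or m.group(2)
    if body.isdigit():
        return int(body, 8)  # raises ValueError for non-octal digits 8 and 9
    return None  # identifier form: needs the system to translate it to a UIC


def parse_protection(code):
    """Map each category to its access letters (expects a full code)."""
    grants = {c: set() for c in CATEGORIES}
    for field in code.upper().replace(" ", "").split(","):
        cat, _, letters = field.partition(":")
        if cat not in grants or not set(letters) <= ACCESS:
            raise ValueError("bad protection field: %r" % field)
        grants[cat] = set(letters)
    return grants


def excess_over_template(code, template=TEMPLATE):
    """Access each category holds beyond the template, as sorted strings."""
    have, base = parse_protection(code), parse_protection(template)
    extra = {c: "".join(sorted(have[c] - base[c])) for c in CATEGORIES}
    return {c: v for c, v in extra.items() if v}


# Constructed sample: domain 200 (decimal) whose protection was widened.
SAMPLE = {"name": domain_name(200), "protection": "S:RWLC,O:RWLC,G:RWL,W:RL"}
```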

Privilege Requirements

The SYSLCK privilege allows lock access to the system resource domain (Domain 0).

Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited    When Audit Occurs
Access           When a process calls $SET_RESOURCE_DOMAIN or $ENQ to join a domain
Creation         The first time a process joins the resource domain
Deaccess         When a process calls $SET_RESOURCE_DOMAIN or at image or process rundown

Permanence of the Object

Both the resource domain and its security elements are saved in SYS$SYSTEM:VMS$OBJECTS.DAT.