HP OpenVMS Guide to System Security


  Table of Contents



This glossary provides definitions of security-related terms used in this guide.


access control  

Restrictions on the ability of a subject (user or process) to use the system or an object in the computing system. Authentication of the user name and password controls access to the system, while protection codes, access control lists, and privileges regulate access to protected objects in that system.

access control entry (ACE)  

An entry in an access control list (ACL). Access control entries may specify identifiers and the access rights to be granted or denied the holders of the identifiers, default protection for directories, or security details. ACLs for each object can hold many entries, limited only by overall space and performance considerations. See also access control list, identifier .

access control list (ACL)  

A list that defines the kinds of access to be granted or denied to users of an object. Access control lists can be created for all protected objects such as files, devices, and logical name tables. Each ACL consists of one or more entries known as access control entries (ACEs). See also access control entry .

access control string 

A character string used in remote logins. It consists of the user name for the remote account and the user's password enclosed within quotation marks.

access matrix 

A table that lists subjects on one axis and objects on the other. Each crosspoint in the matrix thus represents the access that one subject has to one object.

access type  

The capability required to perform an operation on a protected object. OpenVMS security policy can require multiple capabilities to complete an operation. The most commonly accessed object, a file, can require read, write, execute, delete, or control access.


See access control entry.


See access control list.

ACL editor 

An OpenVMS utility that helps users create and maintain access control lists. See also access control list.


See security alarm.

ALF file 

See automatic login.

alphanumeric UIC 

A format of a user identification code (UIC). The group and member names can each contain up to 31 alphanumeric characters, at least one of which is alphabetic. The other format of a UIC is numeric: it contains a group number and a member number. See also user identification code, numeric UIC .


In the security context, a characteristic of an identifier or the holder of an identifier. Attributes can enhance or limit the rights granted with an identifier; for example, a user holding an identifier with the Resource attribute can charge disk space to the identifier.


See security audit.

audit trail  

A pattern of security-relevant activity sometimes found in the audit log file. The audit log file maintains a record of security-relevant events, such as access attempts, successful or not, as required by the authorization database. See also security audit.


Recording the occurrence of security-relevant events as they occur on the system and, later, examining system activity for possible security violations or improper use of the system. Security-relevant events include activities such as logins, break-ins, changes to the authorization database, and access to protected objects. Event messages can be sent as alarms to an operator terminal or written as audit records to a log file. See also security audit, security alarm .


The act of establishing the identity of users when they start to use the system. OpenVMS systems (and most other commercial operating systems) use passwords as the primary authentication mechanism. See also password .

authorization database  

A database that contains the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized.

authorization file 

See system user authorization file.

automatic login 

A feature that permits users to log in without specifying a user name. The operating system associates the user name with the terminal (or terminal server port) and maintains these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the automatic login file or the ALF file.



A break in the system security that results in access to system resources or objects in violation of the system's security policy.

break-in attempt 

An effort made by an unauthorized source to gain access to the system. Because the first system access is achieved through logging in, intrusion attempts primarily refer to attempts to log in illegally. These attempts focus on supplying passwords for users known to have accounts on the system through informed guesses or other trial-and-error methods. See also evasive action .


C2 system 

A U.S. government rating of the security of an operating system; it identifies an operating system as one that meets the criteria of a Division C, class 2 system.


A resource to which the system controls access; currently, the only defined capability is the vector processor.

OpenVMS security policy protects vector processors from improper access. An operation can require use or control access.

captive account 

A type of account that confines the user to the captive login command procedure. The use of Ctrl/Y is disabled. If errors in the captive command procedure cause the procedure to terminate and attempt to return the user to the DCL command level, the process is deleted. (This type of account is synonymous with a turnkey or tied account.)

common event flag cluster 

A set of 32 event flags that enable cooperating processes to post event notifications to each other.

OpenVMS security policy protects common event flag clusters from improper access. An operation can require associate, delete, or control access.

control access 

The right to modify an object's security profile. Control access is granted explicitly in an ACL and implicitly in a protection code. (All users qualifying for system or owner categories have control access.)



The process that restores encoded information to its original unencoded form. The information was encoded by using encryption.

Default attribute  

An option added to an ACE that indicates the ACE is to be included in the ACL of any files created within a directory. When the entry is propagated, the Default attribute is removed from the ACE of the created file. An Identifier ACE with the Default attribute has no effect on access. See also access control entry, Identifier ACE.


A class of peripherals connected to a processor that are capable of receiving, storing, or transmitting data.

OpenVMS security policy protects devices from improper access. An operation can require read, write, physical, logical, or control access.

discretionary access controls 

Security controls that are applied at the user's option; that is, they are not required. Access control lists (ACLs) are typical of such optional security features. Discretionary controls are the opposite of mandatory controls.

disk scavenging 

Any method of obtaining information from a disk that the owner intended to discard. The information, although no longer accessible to the original owner by normal means, retains a sufficient amount of its original magnetic encoding that it can be retrieved and used by one of the scavenging methods. See also erase-on-allocate, erase-on-delete, erasure pattern.



A process of encoding information so that its content is no longer immediately obvious to anyone who obtains a copy of it. The information is decoded using decryption.

environmental identifier  

One of four classes of identifiers. Environmental identifiers are provided by the system to identify groups of users according to their usage of the system. Environmental identifiers correspond to login classes. For example, all users who access the system by dialing up receive the dialup identifier. See also identifier.


A technique that applies an erasure pattern whenever a new area is allocated for a file's extent. The new area is erased with the erasure pattern so that subsequent attempts to read the area can yield only the erasure pattern and not some valuable remaining data. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-delete, erasure pattern, high-water marking.


A technique that applies an erasure pattern whenever a file is deleted or purged. This technique is used to discourage disk scavenging. See also disk scavenging, erase-on-allocate, erasure pattern.

erasure pattern 

A character string that can be used to overwrite magnetic media for the purpose of erasing the information that was previously stored in that area.

evasive action  

A responsive behavior performed by the operating system to discourage break-in attempts when they appear to be in progress. The operating system has a set of criteria it uses to detect that an intrusion attempt may be underway. Typically, once the operating system becomes suspicious that an unauthorized user is attempting to log in, the evasive action consists of locking out all login attempts by the offender for a limited period of time.

event classes 

Categories of security-relevant events. The operating system audits several event classes by default, and the security administrator can enable additional ones, if desired.

event messages 

In terms of security, any notification that has to do with a user's access to the system or to a protected object within the system. The operating system can record both successful and unsuccessful events so the security administrator can know when security-relevant activity occurs on the system.


facility identifier  

An identifier whose binary value contains the facility code of the application defining the identifier. See also identifier.


A set of data elements arranged in a structure significant to the user. A file is any named, stored program or data, or both, to which the system has access. Access can be of two types: read-only, meaning the file is not to be altered, and read/write, meaning the contents of the file can be altered. See also volume.

OpenVMS security policy protects files from improper access. An operation can require read, write, execute, delete, or control access.

file encryption 

See encryption.


general identifier 

One of four possible types of identifiers that specify one or more groups of users. The general identifier is alphanumeric and typically is a convenient term that symbolizes the function of the group of users. For example, typical general identifiers might be PAYROLL for all users allowed to run payroll applications or RESERVATIONS for operators at the reservations desk. See also identifier.

global section  

A shared memory area (for example, Fortran global common) potentially available to all processes in the system. A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). See also group global section, system global section.


A set of users in a system. Any user whose group UIC is identical to the group UIC of the object qualifies for the access rights granted through a protection code. The group name appears as the first field of a user identification code (UIC): [group,member].

group global section 

A shareable memory section potentially available to all processes in the same group.

OpenVMS security policy protects group global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access. See also global section, system global section.

group number  

The number or its alphanumeric equivalent in the first field of a user identification code (UIC): [group,member].


Hidden attribute 

An option added to an access control entry that indicates the ACE should be changed only by the application that adds it. Although the Hidden attribute is valid for any ACE type, its intended use is to hide Application ACEs. See also access control entry.

high-water mark  

A mark identifying the highest file address written, beyond which the user cannot read.

high-water marking 

A technique for discouraging disk scavenging. This technique tracks the furthest extent that the owner of a file has written into the file's allocated area (the high-water mark). It then prohibits any attempts at reading beyond the written area, on the premise that any information that exists beyond the currently written limit is information some user had intended to discard. The operating system accomplishes the goals of high-water marking with a combination of true high-water marking and an erase-on-allocate strategy. See also erase-on-allocate.


A user who possesses a particular identifier. Users and the identifiers they hold are recorded in the rights database. Whenever an object requires an accessor to hold an identifier, the system checks the process rights list (which is built from the rights database) in processing the access request.



An alphanumeric string representing a user or group of users recorded in the rights database and used by the system in checking access requests. There are four types of identifiers: environmental, facility, general, and UIC. See also environmental identifier, facility identifier, general identifier, resource identifier, UIC identifier.

Identifier ACE 

An access control entry that controls the type of access allowed to a particular user or group of users.



Name of the auditing log file where the system records events with security implications, such as logins, break-ins, or changes to the authorization database.


locked password 

A password that cannot be changed by the account's owner. Only system managers or users with the SYSPRV privilege can change locked passwords.


A record of performance or system-relevant events.

logical I/O access  

Right to perform a set of I/O operations that allow restricted direct access to device-level I/O operations using logical block addresses.

logical name table 

A shareable table of logical names and their equivalence names for the operating system or a particular group.

OpenVMS security policy protects logical name tables from improper access. An operation can require read, write, create, delete, or control access.


The series of actions involved in authenticating a user to the system and creating a process that runs on the user's behalf.

login class 

A user's method of logging into the system. System managers can control system access based on the login class: local, dialup, remote, batch, or network.


mandatory access controls 

Security controls that are imposed by the system upon all users. There are no examples of mandatory controls within the OpenVMS system. Access controls on this operating system are optional (discretionary). SEVMS, the security enhanced version of OpenVMS, provides mandatory access controls (MAC) and enhanced security auditing for secure standalone or clustered OpenVMS systems.



See network proxy authorization file.

network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT [VAX only])  

A file containing an entry for each user authorized to connect to the local system from a remote node in the network.

nondiscretionary controls 

See mandatory controls.


Describes a type of account with no privilege other than TMPMBX and NETMBX and a user identification code (UIC) greater than the system parameter MAXSYSGROUP.

Nopropagate attribute 

An option added to an access control entry that indicates the ACE cannot be copied by operations that usually propagate ACEs, such as SET SECURITY/LIKE. See also access control entry.

numeric UIC  

A format of a user identification code (UIC) that specifies the user's group and member number in numeric form. The group number is an octal number in the range of 1 through 37776; the member number is an octal number in the range of 0 through 177776.



A passive repository of information to which the system controls access. Access to an object implies access to the information it contains. See also capability, common event flag cluster, device, file, group global section, logical name table, queue, resource domain, security class, system global section, volume.

object class  

A set of protected objects with common characteristics. For example, all files belong to the file class; whereas all devices belong to the device class.

object security profile 

A set of security elements that defines access requirements. The elements include an owner (UIC), a UIC-based protection code, and, possibly, an ACL. See also access control list, owner, protection code.

open accounts 

Accounts that do not require passwords.

operator terminal 

A terminal attended by a system operator. The system can send system event messages to the terminal, provided the event class is enabled.


A user with the same user identification code (UIC) as the protected object. An owner always has control access to the object and can therefore modify the object's security profile. When the operating system processes an access request from an owner, it considers the access rights in the owner field of a protection code.



A character string that users provide at login time to validate their identity and as a form of proof of their authorization to access the account. There are system passwords and user passwords. User passwords include both primary and secondary passwords. See also primary password, secondary password, system password, user password.

physical I/O access 

The right to perform a set of I/O functions that allows access to all device-level I/O operations except maintenance mode using physical block addresses.

primary password 

A type of user password that is the first user password requested from the user. Systems may optionally require a secondary password. A primary or a secondary password must be associated with the user name in the user authorization file. See also secondary password.


A means of protecting the use of certain system functions that can affect system resources and integrity. System managers grant privileges according to users' needs and deny them to users as a means of restricting their access to the system.

process security profile 

The set of security elements the system assigns to a process at creation. Elements include the process UIC plus all of its identifiers and privileges. See also identifier, privileges, user identification code.

Protected attribute 

An option added to an access control entry that indicates the ACE is protected against casual deletion. It can be deleted by using the ACL editor or by specifying the ACE explicitly when deleting it.

protected object 

An object containing shareable information to which the system controls access. See also object.

protected subsystem 

An application with enhanced access control. While users run the application, their process rights list contains identifiers giving them access to objects owned by the subsystem. As soon as the users exit the application, these identifiers and, therefore, access rights to objects are taken away.


The attributes of an object that limit the type of access available to users. See also access control list, protection code, user identification code.

protection code 

A code defining the type of access that users are allowed to objects, based on the user's relationship to the object's owner. The code defines four sets of users: those with system rights, those with ownership rights, those belonging to the same group, and all users on the system, who are called world users. See also group, owner, system, world.

proxy login 

A type of login that permits a user from a remote node to effectively log in to a local node as if the user owned an account on the local node. However, the user does not specify a password in the access control string. The remote user may own the account or share the account with other users.


An entity like a mailbox that is treated as an I/O device by the user or system, although it is not any particular physical device.



A set of jobs to be processed. There are four types of execution queues: batch, terminal, server, and print.

OpenVMS security policy protects queues from improper access. An operation can require read, submit, manage, delete, or control access.


reference monitor 

The control center within the operating system that authenticates subjects and implements and enforces the security policy for every access to an object by a subject.

Resource attribute  

An option specified when an identifier is added to the rights database, and later when the identifier is granted to a user. When a user holds the identifier with the Resource attribute, that user can charge disk space to the identifier.

resource domain 

A namespace controlling access to OpenVMS distributed lock management resources.

OpenVMS security policy protects resource domains from improper access. An operation can require read, write, lock, or control access.

resource identifier  

An identifier with the Resource attribute. Thus, holders of the identifier can charge disk space to the identifier.

restricted account 

A type of account with a secure login procedure. The user is not allowed to use the Ctrl/Y key sequence during the system or process login command procedure. Control may be turned over to the user following execution of the login command procedures.

rights database  

The collection of data the system maintains and uses to define identifiers and associate identifiers with the holders of the identifiers.

rights identifier 

See identifier.

rights list 

The list associated with each process that includes all the identifiers the process holds.


The abbreviation for read, write, execute, delete, which are types of access to data files and directory files.


secondary password 

A user password that may be required at login time immediately after the primary password has been submitted correctly. Primary and secondary passwords can be known by separate users to ensure that more than one user is present at the login. A less common use is to require a secondary password as a means of increasing the password length so that the total number of combinations of characters makes password guessing more time-consuming. See also primary password.

secure terminal server 

Operating system software designed to ensure that users can log in only to terminals that are already logged out. When the user presses the Break key on a terminal, the secure server (if enabled) responds by first disconnecting any logged-in process and then initiating a login. If no process is logged in at the terminal, the login can proceed immediately.

security administrator  

The person or persons responsible for implementing and maintaining the organization's security policy. This role is sometimes performed by the same person who functions as a system manager. It requires the same skills as the system manager as well as knowledge of the security features provided with the operating system.

security alarm  

A message sent to an operator terminal that is enabled to receive messages pertaining to security events. Security alarms are triggered by the occurrence of an event previously designated as worthy of the alarm because of its security implications.

security audit 

An auditing message written to the security audit log file. These messages report the occurrence of events with security implications, such as logins, break-ins, and changes to the authorization database. A system administrator uses the log file to examine system activity for possible security violations or improper use of the system.

security auditing 

See auditing.

security class 

The object class whose members are all object classes. Each member defines the object templates and management routines for its object class.

OpenVMS security policy protects security classes from improper access. An operation can require read, write, or control access.

security officer  

See security administrator.

security operator terminal 

A class of terminal that has been enabled to receive messages sent by OPCOM to security operators. These messages are security alarm messages. Normally such a terminal is a hardcopy terminal in a protected room. The output provides a log of security-related events and details that identify the source of the event.

security profile  

A set of elements that describe either an object's access requirements or a subject's access rights. See also object security profile , process security profile .

social engineering  

The act of gaining unauthorized access to or information about computer systems and resources by enlisting the aid of unwitting users or operators. Often involves impersonation or other fraud.


A prinicpal, either a user process or an application, that accesses information or is prevented from accessing information. The operating system controls access to any object that contains shareable information. Therefore, subjects must be authorized to access objects. See also process security profile.


In the context of a protection code, identifies a set of users in a system. System users typically have a UIC is in the range 1 through 10 (octal); however, the exact range of a system UIC is determined by the system parameter MAXSYSGROUP. Other ways to become a system user include having SYSPRV privilege or being in the same group as the owner and holding GRPPRV. System operators and system managers are usually system users.

system global section 

A shareable memory section potentially available to all processes in the system.

OpenVMS security policy protects system global sections from improper access. Operations on file-backed sections require read, write, execute, delete, or control access. Operations on other types of sections require read, write, execute, or control access.

system password  

A password controlling access to particular terminals. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines. After an authorized person enters the system password, a user can enter his user password. See also user password.

system user authorization file (SYSUAF.DAT)  

A file containing an entry for every user that the system manager authorizes to gain access to the system. Each entry identifies the user name, password, default account, user identification code (UIC), quotas, limits, and privileges assigned to individuals who use the system.

system-defined identifier 

See environmental identifier.


See system user authorization file.



See trusted computing base.

template profile 

The default set of security elements applied to new objects of a class. See also object security profile.

tied account 

See captive account.

trap door 

An illicit piece of software or software modification in an operating system that allows access in violation of the system's established security policy.

Trojan horse program 

A program that gains access to otherwise secured areas through its pretext of serving one purpose when its real intent is far more devious and potentially damaging. When an authorized user performs an legitimate operation using a program, the unauthorized program within it (the Trojan horse) performs an unauthorized function.

trusted computing base (TCB)  

A combination of computer hardware and operating system software that enforces a security policy.

In OpenVMS systems, the TCB includes the entire executive and file system, all other system components that do not execute in user mode (such as device drivers, RMS, and DCL), most system programs installed with privilege, and a variety of other utilities used by system managers to maintain data relevant to the TCB.

turnkey account 

See captive account.



See system user authorization file.


See user identification code.

UIC identifier 

An identifier in alphanumeric format that is based on a user's identification code (UIC). Such an identifier can appear with or without brackets. See also identifier.

UIC protection code 

See protection code.

user category  

One of four fields in a protection code. The code defines the access rights for four categories of users: (a) the owner, (b) the users who share the same group UIC as the owner (the group category), (c) all users on the system (the world category), and (d) those with system privileges or rights (the system category). A code lists access rights in a fixed order: System, Owner, Group, World.

user identification code (UIC)  

A 32-bit value assigned to users that tells what group users belong to on the system and what their unique identification is within that group. Any UIC specification is enclosed in brackets, but it can be in either an alphanumeric or a numeric format. For example, the UIC [SALES,JONES] identifies Jones as a member of the Sales group. Protected objects like files also have UICs. In most cases, their UICs come from the users who created them.

user irresponsibility 

Situations where the user purposely or accidentally causes some noticeable damage on a computer system.

user name 

The name a user enters to log in to the system. Together with a password, the user name identifies and authenticates a person as a valid user of the system. See also password, user password.

user password  

A character string recorded in a user's record in the system user authorization file. The password and the user's name must be correctly supplied when the user attempts to log in so that the user is authenticated for access to the system. The two types of user passwords are known as primary and secondary; the terms also represent the sequence in which they are entered. See also primary password, secondary password, system password.

user penetration 

Situations where the user exploits defects in the system software or system administration to break through security controls to gain access to the computer system.

user probing 

Situations where a user exploits insufficiently protected parts of a computer system.



A command procedure or executable image written and placed on the system for the sole purpose of seeking unauthorized access to files and accounts on the system. The virus seeks access to a user file through a flaw in the file protection. If successful, the virus modifies the file so that it carries a copy of the virus. Each time an unsuspecting user executes the code that contains the virus, the virus attempts to propagate itself into other poorly protected procedures or images. The virus seeks to find its way into a procedure that will be run from a privileged account so that the virus can inflict damage to the system.


A mass storage medium, such as a disk or tape, that is in ODS-2 or ODS-5 format. Volumes contain files and may be mounted on devices.

OpenVMS security policy protects volumes from improper access. An operation can require read, write, create, delete, or control access.



A category of users whose access rights to an object are identified in the last field of a protection code. The world category encompasses all users or applications on the system, including system operators, system managers, and users both in the owner's group and any other group.


A procedure that replicates itself over many nodes in a network, typically using default network access or known security flaws. The usual effect of a worm is severe performance degradation as replicas of the worm saturate the computing capacity and bandwidth of the network. In contrast to a virus, which spreads by modifying existing programs and executing when some user runs the program, a worm stands by itself, operates in its own process context, and initiates its own offspring.