
74 Chapter 2
Command Definitions A-B
ALTSEC
Operation Notes
You use the ALTSEC command to alter security provisions for files, hierarchical directories,
devices, and device classes by manipulating an object's access control definition (ACD) or
its access mask. All of these objects may have ACDs, but only files have access masks
which can be changed using this command. An object's ACD may be altered using this
command with the ACD keywords NEWACD, REPACD, COPYACD, ADDPAIR, REPPAIR,
DELPAIR, DELACD, and MASK.
A file's access mask may be altered using either the ACCESS keyword or an access
specification without a keyword. Using the ACCESS keyword is a recommended practice to
help distinguish between file access mask and ACD operations. Only the owner of a file can
use the ALTSEC command to change a file's access mask. Object owners and users with
appropriate privilege can use this command to manipulate an object's ACD. Files and
hierarchical directories have their owner's identity and a file group ID (GID) stored in
their file labels. System managers have the appropriate privilege to manipulate the ACDs
for all objects. Account managers for the account matching an object's GID have
appropriate privilege. Devices are owned by system managers. The ability to manipulate
an ACD or file mask is not affected by the object access currently granted to a user.
File ACDs override file lockwords and the file access matrix. ACDs permit more precise
access control than the file access matrix by allowing access permissions to be granted to
specific users. MPE/iX allows you to specify a maximum of 40 ACD pairs for a particular
object. Since a large number of ACD pair specifications overflows the command line buffer,
you must enter large numbers of ACD specifications through an indirect file.
The ALTSEC command fails if you attempt to alter the access permissions for a permanent
disk file whose group's home volume set is not mounted.
Release 5.0 requires ACDs on the following files:
• All hierarchical directories
• All files under hierarchical directories
• All files directly under MPE/iX groups where the file GID does not match the GID of the
account and group in which the file is located. One way this occurs is if you
rename a file from an MPE group outside the account to another MPE group.
Required ACDs cannot be removed with the ALTSEC command even by users with SM or
AM capability.
File Access Matrix Examples
To view the file access matrix, use LISTFILE,4.
You have created a file named FDATA, and want to change its file access matrix access
permissions to grant write access to only yourself. Enter:
ALTSEC FDATA;ACCESS=(W:CR)
To change file access permissions for the FPROG program file to allow all group users to
execute programs, but only account and group librarian users to read or write to the file,
enter: