Modifies the security profile of an object.
Format
SET SECURITY object-name
1 – Parameter
object-name
Specifies the name of an object, such as a file or device, whose
security profile is to be modified. An object is identified by an
object name and a class name. The default class name is FILE.
An object name of the FILE class (explicitly or implicitly
specified) can include an asterisk (*) or a percent sign (%)
wildcard character, but wildcard characters are not allowed
in any class other than FILE. SET SECURITY does not operate on
remote files and devices, alias directory entries, or directory
names in UIC format (for example, [14,5]).
The following table shows the qualifier categories for the SET
SECURITY command.
General Qualifiers: /ACL, /CLASS, /LOG, /OWNER, /PROTECTION
ACL-Modifying Qualifiers: /AFTER, /DELETE, /EDIT, /REPLACE
Security Class Qualifier: /PROFILE
File-Specific Qualifiers: /BACKUP, /BEFORE, /BY_OWNER, /CONFIRM,
/CREATED, /DEFAULT, /EXCLUDE, /EXPIRED, /MODIFIED, /SINCE, /STYLE
Transfer Qualifiers: /COPY_ATTRIBUTE, /LIKE
2 – Qualifiers
2.1 /ACL
/ACL[=(ace[,...])]
Identifies one or more access control list entries (ACEs) to
add, replace, or delete. Enclose each ACE in parentheses and
separate multiple ACEs by commas (,). The most common type of
entry, the Identifier ACE, has the format (IDENTIFIER=identifier,
ACCESS=access-type(+...)). By default, SET SECURITY adds an ACE
to the top of the ACL. This behavior changes when you include one
of the positional qualifiers: /AFTER, /DELETE, or /REPLACE. See
the discussion of ACL ordering in the VSI OpenVMS Guide to System
Security.
2.2 /AFTER
/AFTER=ace
Positions all ACEs specified with the /ACL qualifier after the
ACE named with the /AFTER qualifier.
2.3 /BACKUP
Modifies the time value provided with the /BEFORE or the /SINCE
qualifier. The /BACKUP qualifier selects files according to the
date of their most recent backup (rather than by the creation,
expiration, or modification date). By default, SET SECURITY
selects files according to their creation date.
2.4 /BEFORE
/BEFORE[=time]
Selects only those files dated prior to the specified time.
You can specify time as absolute time, as a combination of
absolute and delta times, or as one of the following keywords:
BOOT, LOGIN, TODAY (default), TOMORROW, or YESTERDAY. Specify
the /CREATED or the /MODIFIED qualifier to indicate the time
attribute to be used as the basis for selection. The /CREATED
qualifier is the default.
For complete information on specifying time values, see the
OpenVMS User's Manual or the online help topic Date.
2.5 /BY_OWNER
/BY_OWNER[=uic]
Selects files whose owner's UIC matches the UIC specified. The
default UIC is that of the current process.
2.6 /CLASS
/CLASS=class-name
Specifies the class of the object whose profile is to be
modified. By default, the command assumes the object class is
FILE.
2.7 /CONFIRM
Controls whether SET SECURITY prompts for verification before
performing the operation. Valid responses are YES, NO, TRUE, and
FALSE. Answers are not case sensitive and can be abbreviated to
one letter. To stop processing the command at any point, type
QUIT or press Ctrl/Z. To cancel the verification procedure but to
proceed with the command, type ALL.
2.8 /COPY_ATTRIBUTE
/COPY_ATTRIBUTE=(keyword[,...])
Specifies a subset of security elements to transfer from a source
object to a target object. Valid keywords include the following:
Keyword     Description
ALL         Copy all security elements (default)
ACL         Copy the access control list
OWNER       Copy the owner
PROTECTION  Copy the protection code
Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier. For
example, you can create an ACL for an object and then copy its
ACL to new objects.
2.9 /CREATED
Modifies the time value specified with the /BEFORE or the /SINCE
qualifier. The /CREATED qualifier selects files according to the
date they were created (rather than by the backup, expiration,
or modification date). By default, SET SECURITY selects files
according to their creation date.
2.10 /DELETE
/DELETE[=ALL]
Deletes ACEs according to the following rules:
o The expression /ACL=aces/DELETE deletes the named ACEs.
o The expression /ACL/DELETE deletes all unprotected ACEs.
o The expression /ACL/DELETE=ALL deletes all ACEs including
protected ACEs.
o The expression /ACL=aces/DELETE=ALL deletes the existing ACL
(if any) and creates a new ACL with the ACEs specified on the
/ACL qualifier.
2.11 /DEFAULT
Regenerates the security profile of a file. The /DEFAULT qualifier
changes the protection code, the ACL, and the owner elements of a
file to what they would be if the file had just been created. The
profile is recreated according to the following rules:
o The protection code is propagated from the default protection
ACE on the directory (if one exists), or else it is propagated
from the process default.
o The ACL is propagated from the parent directory for those ACEs
that have the default option.
o The owner is set to the owner of the parent directory.
With subdirectory files, SET SECURITY assigns the owner,
protection, and ACL elements of the parent directory.
SET SECURITY does not copy any ACE on the source object if the
ACE holds the nopropagate attribute nor does it change any ACE
on the target object if the ACE holds the protected attribute. To
apply new elements to all versions of the file, specify ;* in the
object name. See the VSI OpenVMS Guide to System Security for more
information on propagation rules.
2.12 /EDIT
Invokes the access control list editor (ACL editor) and allows
you to modify an ACL interactively. The ACL editor does not allow
the asterisk (*) and the percent sign (%) wildcard characters
in an object name. You must specify the object whose ACL you are
editing.
The /EDIT qualifier must be the first qualifier on the command
line; other qualifiers can include /CLASS and, if the class is
SECURITY_CLASS, you can include the /PROFILE qualifier. Whenever
an object does not belong to the FILE class, you also need to
specify /CLASS.
See the ACL editor in the VSI OpenVMS System Management Utilities
Reference Manual for more information.
2.13 /EXCLUDE
/EXCLUDE=(filespec[,...])
Excludes the specified files from the SET SECURITY operation.
You can include a directory, but not a device, in the file
specification. You cannot use relative version numbers to exclude
a specific version.
2.14 /EXPIRED
Modifies the time specified with the /BEFORE or the /SINCE
qualifier. The /EXPIRED qualifier selects files according to
their expiration dates rather than by the backup, creation,
or modification date. (The expiration date is set with the SET
FILE/EXPIRATION_DATE command.) By default, files are selected
according to their creation date.
2.15 /LIKE
/LIKE=(NAME=source-object-name
[,CLASS=source-object-class] [,PROFILE=TEMPLATE=template-name])
Identifies the object from which SET SECURITY should copy
security elements. The /LIKE qualifier replaces an object's
existing elements with those of the source object. Nopropagate
ACEs are not transferred and protected ACEs on the target object
are not deleted. Use the /COPY_ATTRIBUTE qualifier with the /LIKE
qualifier to copy an object's elements. See the VSI OpenVMS Guide
to System Security for information about the special handling of
protected and nopropagate ACEs.
The object class of the source object defaults to the class of
the target object. When the /CLASS qualifier is omitted, the
CLASS keyword defaults to FILE.
The PROFILE keyword applies to security class objects. It
identifies which template of the security class you want to copy
and modify. See /PROFILE for more information.
2.16 /LOG
Controls whether the SET SECURITY command displays the name of
the object that has been modified by the command. The qualifier
is invalid with the /EDIT qualifier.
2.17 /MODIFIED
Modifies the time value specified with the /BEFORE or the /SINCE
qualifier. The /MODIFIED qualifier selects files according to
the dates on which they were last modified, rather than by the
backup, creation, or expiration date. By default, files are
selected according to their creation date.
2.18 /OWNER
/OWNER=identifier
Requires GRPPRV (group privilege) to set the owner to another
member of the same group. Requires SYSPRV (system privilege) to
set the owner to any user identification code (UIC) outside your
group.
Modifies the owner element of an object. Specify the user
identification code (UIC) or general identifier in the standard
format. Modifying the owner element of a file usually requires
privileges. See the VSI OpenVMS Guide to System Security for more
information.
2.19 /PROFILE
/PROFILE=TEMPLATE[=template-name]
Identifies which template profile of a security class object
you want to modify. All object classes except FILE have at
least one template profile. These template profiles define the
basis of the profile of new objects. Use the DCL command SHOW
SECURITY/CLASS=SECURITY_CLASS to display template names. When no
value is given for template-name, SET SECURITY uses the template
named DEFAULT.
Include the /CLASS=SECURITY_CLASS qualifier to identify which
profile you want to modify.
2.20 /PROTECTION
/PROTECTION=(ownership[:access][,...])
Cannot be used to change the protection on a file by using DECnet
software.
Modifies the protection code of an object. The protection code
defines the type of access allowed to users, based on their
relationship to the object's owner.
Specify the ownership parameter as system (S), owner (O), group
(G), or world (W).
Access types are class specific and are shown in the following
table. For access, use the first letter of the access name.
Object Class                     Access Types
CAPABILITY (VAX only)            Use, Control
COMMON_EVENT_FLAG_CLUSTER        Associate, Delete, Control
DEVICE                           Read, Write, Physical, Logical, Control
FILE (including directory file)  Read, Write, Execute, Delete, Control
GROUP_GLOBAL_SECTION             Read, Write, Execute, Control
LOGICAL_NAME_TABLE               Read, Write, Create, Delete, Control
QUEUE                            Read, Submit, Manage, Delete, Control
RESOURCE_DOMAIN                  Read, Write, Lock, Control
SECURITY_CLASS                   Read, Write, Control, Logical I/O,
                                 Physical I/O
SYSTEM_GLOBAL_SECTION            Read, Write, Execute, Control
VOLUME                           Read, Write, Create, Delete, Control
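The /PROTECTION syntax and the class-specific access types above, modelled as an added example that is not part of the VSI help text: it parses a /PROTECTION value, rejects access letters the object class does not define, applies the value to a current code the way example 4 in the Examples section does (unmentioned categories keep their access), and flags Group or World access beyond read and execute. Leaving Control out of the letter table is an assumption of this model.

```python
import re

# Access types per object class, from the /PROTECTION table (first letter of each name).
# Assumption of this model: Control is not granted through a protection code letter.
ACCESS_LETTERS = {
    "FILE": "RWED",                # Read, Write, Execute, Delete
    "DEVICE": "RWPL",              # Read, Write, Physical, Logical
    "LOGICAL_NAME_TABLE": "RWCD",  # Read, Write, Create, Delete
    "VOLUME": "RWCD",              # Read, Write, Create, Delete
    "QUEUE": "RSMD",               # Read, Submit, Manage, Delete
    "RESOURCE_DOMAIN": "RWL",      # Read, Write, Lock
}
CATEGORIES = ("S", "O", "G", "W")  # System, Owner, Group, World
FIELD_RE = re.compile(r"(S(?:YSTEM)?|O(?:WNER)?|G(?:ROUP)?|W(?:ORLD)?)(?::([A-Z]*))?")

def parse_spec(spec, obj_class="FILE"):
    """Parse a /PROTECTION value such as '(S:RWCD, O:RWCD, G:R, W:R)' or '(WORLD:RE)'
    into {category_letter: set_of_access_letters}. A category given without
    ':access' denies that category all access (empty set)."""
    allowed = set(ACCESS_LETTERS[obj_class])
    code = {}
    for field in spec.strip().strip("()").split(","):
        m = FIELD_RE.fullmatch(field.strip().upper())
        if not m or m.group(1)[0] in code:
            raise ValueError(f"bad or repeated ownership field: {field!r}")
        access = set(m.group(2) or "")
        if not access <= allowed:
            raise ValueError(f"{obj_class} allows only {ACCESS_LETTERS[obj_class]}: {field!r}")
        code[m.group(1)[0]] = access
    return code

def parse_display(display):
    """Parse the compact DIRECTORY/SECURITY form '(RWED,RWED,RE,)' into the same dict."""
    return {c: set(f.strip()) for c, f in zip(CATEGORIES, display.strip().strip("()").split(","))}

def apply_protection(current, spec, obj_class="FILE"):
    """Code after SET SECURITY/PROTECTION=spec: categories the spec does not
    mention keep their current access, as in example 4 of the help text."""
    new = {c: set(v) for c, v in current.items()}
    new.update(parse_spec(spec, obj_class))
    return new

def to_display(code, obj_class="FILE"):
    """Format like DIRECTORY/SECURITY, letters in the class's canonical order."""
    order = ACCESS_LETTERS[obj_class]
    return "(" + ",".join("".join(sorted(code[c], key=order.index)) for c in CATEGORIES) + ")"

def wide_grants(code):
    """Review check: Group or World access beyond Read/Execute, e.g. world-writable files."""
    return {c: "".join(sorted(code[c] - {"R", "E"})) for c in ("G", "W") if code[c] - {"R", "E"}}
```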
2.21 /REPLACE
/REPLACE=(ace[,...])
Eliminates entries listed with the /ACL qualifier and adds
entries listed with the /REPLACE qualifier. SET SECURITY inserts
the entries listed with /REPLACE in the position of the last
deleted ACE.
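The ACL ordering rules given under /ACL, /AFTER, /DELETE and /REPLACE above, modelled in Python as an added example that is not VSI code: each ACE is reduced to identifier, access and a protected flag, and matching a command-line ACE against an existing entry by identifier and access is an assumption of the model.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    identifier: str
    access: str
    protected: bool = False      # True models an ACE that holds the protected attribute

ACE_RE = re.compile(r"\(?\s*IDENTIFIER=(\[[^\]]*\]|[^,\s)]+)\s*,\s*ACCESS=([A-Z+]+)\s*\)?")

def parse_ace(text):
    """Parse the Identifier ACE form (IDENTIFIER=identifier,ACCESS=access[+...])."""
    m = ACE_RE.fullmatch(text.strip().upper())
    if not m:
        raise ValueError(f"not an Identifier ACE: {text!r}")
    return Ace(m.group(1), m.group(2))

def _named(ace, aces):
    """A command-line ACE names an existing entry when identifier and access match (assumption)."""
    return any(ace.identifier == a.identifier and ace.access == a.access for a in aces)

def set_acl(acl, aces=(), after=None, delete=None, replace=None):
    """Return the ACL after SET SECURITY with /ACL=aces and one positional qualifier:
    after   -> /AFTER=ace      delete -> True for /DELETE, "ALL" for /DELETE=ALL
    replace -> /REPLACE=(ace,...)   (none of them: the new ACEs go to the top)."""
    acl, aces = list(acl), list(aces)
    if replace is not None:
        # /REPLACE: drop the /ACL entries and put the /REPLACE entries where the last one was
        hits = [i for i, a in enumerate(acl) if _named(a, aces)]
        if not hits:
            raise ValueError("/REPLACE: none of the /ACL entries exist in the ACL")
        kept = [a for a in acl if not _named(a, aces)]
        at = hits[-1] - (len(hits) - 1)   # slot of the last deleted entry once earlier hits are gone
        return kept[:at] + list(replace) + kept[at:]
    if delete is not None:
        if aces and delete == "ALL":
            return aces                                      # /ACL=aces/DELETE=ALL: fresh ACL
        if aces:
            return [a for a in acl if not _named(a, aces)]   # /ACL=aces/DELETE: named ACEs go
        if delete == "ALL":
            return []                                        # /ACL/DELETE=ALL: even protected ACEs go
        return [a for a in acl if a.protected]               # /ACL/DELETE: only unprotected ACEs go
    if after is not None:
        # /AFTER=ace: every /ACL entry is placed directly after the named ACE, in command-line order
        idx = next(i for i, a in enumerate(acl) if _named(a, [after])) + 1
        return acl[:idx] + aces + acl[idx:]
    return aces + acl                                        # default: new ACEs go to the top
```

With the ACL from example 1 in the Examples section, `set_acl` with `delete="ALL"` yields the CHEKOV and WU entries alone, while the same call without it keeps the VARANESE entry underneath them.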
2.22 /SECRECY
Reserved for use by VSI.
2.23 /SINCE
/SINCE[=time]
Selects only those files dated on or after the specified time.
You can specify time as absolute time, as a combination of
absolute and delta times, or as one of the following keywords:
BOOT, JOB_LOGIN, LOGIN, TODAY (default), TOMORROW, or YESTERDAY.
Specify the /CREATED or the /MODIFIED qualifier to indicate
the time attribute to be used as the basis for selection. The
/CREATED qualifier is the default.
For complete information on specifying time values, see the
OpenVMS User's Manual or the online help topic Date.
2.24 /STYLE
/STYLE=keyword
Specifies the file name format for display purposes.
The valid keywords for this qualifier are CONDENSED and EXPANDED.
Descriptions are as follows:
Keyword              Explanation
CONDENSED (default)  Displays the file name representation of what is
                     generated to fit into a 255-length character string.
                     This file name may contain a DID or FID abbreviation
                     in the file specification.
EXPANDED             Displays the file name representation of what is
                     stored on disk. This file name does not contain any
                     DID or FID abbreviations.
The keywords CONDENSED and EXPANDED are mutually exclusive. This
qualifier specifies which file name format is displayed in the
output message, along with the confirmation if requested.
File errors are displayed with the CONDENSED file specification
unless the EXPANDED keyword is specified.
See the VSI OpenVMS System Manager's Manual, Volume 1: Essentials
for more information.
2.25 /SYMLINK
/SYMLINK=keyword
The valid keywords for this qualifier are [NO]WILDCARD and
[NO]ELLIPSIS. Descriptions are as follows:
Keyword      Explanation
WILDCARD     Indicates that symlinks are enabled during wildcard
             searches.
NOWILDCARD   Indicates that symlinks are disabled during directory
             wildcard searches.
ELLIPSIS     Equivalent to WILDCARD (included for command symmetry).
NOELLIPSIS   Indicates that symlinks are matched for all wildcard
             fields except for ellipsis.
If the file named in the SET SECURITY command is a symlink, the
command operates on the symlink itself.
3 – Examples
1. $ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM]
Protection: (System: RWCD, Owner: R, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,VARANESE],ACCESS=CONTROL)
$ SET SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE -
_$ /ACL=((IDENTIFIER=CHEKOV,ACCESS=CONTROL), -
_$ (IDENTIFIER=WU,ACCESS=READ+WRITE)) -
_$ /DELETE=ALL -
_$ /PROTECTION=(S:RWCD, O:RWCD, G:R, W:R)
$ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM]
Protection: (System: RWCD, Owner: RWCD, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,CHEKOV],ACCESS=CONTROL)
(IDENTIFIER=[USER,WU],ACCESS=READ+WRITE)
This example shows how to make a straightforward change to the
security elements of an object. The first SHOW SECURITY command
displays the current settings of the LNM$GROUP logical name
table. The SET SECURITY command resets the ACL to allow control
access for user Chekov, and to allow read and write access
for user Wu. Note that without the /DELETE=ALL qualifier,
these ACEs would have been added to the existing ACL rather
than superseding it. The protection is also changed to allow
read, write, create, and delete access for the owner. The last
command displays the results of the changes.
2. $ SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM]
Protection: (System: RWCD, Owner: R, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,FERNANDEZ],ACCESS=CONTROL)
$ SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE
LNM$JOB object of class LOGICAL_NAME_TABLE
Owner: [USER,WEISS]
Protection: (System: RWCD, Owner: RWCD, Group, World)
Access Control List: <empty>
$ SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
_$ /LIKE=(NAME=LNM$GROUP, CLASS=LOGICAL_NAME_TABLE) -
_$ /COPY_ATTRIBUTES=PROTECTION
$ SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
_$ /ACL=(IDENTIFIER=FERNANDEZ, ACCESS=READ)
$ SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE
LNM$JOB object of class LOGICAL_NAME_TABLE
Owner: [USER,WEISS]
Protection: (System: RWCD, Owner: R, Group: R, World: R)
Access Control List:
(IDENTIFIER=[USER,FERNANDEZ],ACCESS=READ)
This example shows how to copy security access information
from one object to another and, at the same time, set some
elements explicitly. The first SHOW SECURITY commands display
the current settings for the LNM$GROUP and LNM$JOB logical name
tables. The SET SECURITY command copies the protection code
from the LNM$GROUP logical name table to the LNM$JOB logical
name table and adds an ACE to allow read access to another
user. The final SHOW SECURITY command shows the effect of the
changes.
3. $ SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS
SECURITY_CLASS object of class SECURITY_CLASS
Owner: [SYSTEM]
Protection: (System: RWED, Owner: RWED, Group: R, World: R)
Access Control List: <empty>
Template: DEFAULT
Owner: [SYSTEM]
Protection: (System: RWED, Owner: RWED, Group, World: RE)
Access Control List: <empty>
$ SET SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS -
_$ /PROFILE=TEMPLATE=DEFAULT -
_$ /PROTECTION=(S:RWE, O:RWE, G:RE)
$ SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS
SECURITY_CLASS object of class SECURITY_CLASS
Owner: [SYSTEM]
Protection: (System: RWED, Owner: RWED, Group: R, World: R)
Access Control List: <empty>
Template: DEFAULT
Owner: [SYSTEM]
Protection: (System: RWE, Owner: RWE, Group: RE, World: RE)
Access Control List: <empty>
This example demonstrates how to change the security elements
for the template of a security class object. The first command
shows the current settings for the SECURITY_CLASS object. The
second command changes the DEFAULT template of the SECURITY_CLASS
object such that the protection is (S:RWE, O:RWE, G:RE).
The change is shown in the display of the last command. The
world protection of RE remains unchanged.
4. $ DIRECTORY/SECURITY
Directory DKA200:[DATA]
FILE001.DAT;1 [SYSTEM] (RWED,RWED,RE,)
Total of 1 file.
$ SET SECURITY/CLASS=FILE/PROTECTION=(WORLD:RE)/LOG FILE001.DAT
%SET-I-MODIFIED, DKA200:[DATA]FILE001.DAT;1 modified
$ DIRECTORY/SECURITY
Directory DKA200:[DATA]
FILE001.DAT;1 [SYSTEM] (RWED,RWED,RE,RE)
Total of 1 file.
$
This example shows how to set UIC-based protection codes on
an object. The first DIRECTORY command displays the current
security settings on the file FILE001.DAT. The SET SECURITY
command changes the protection codes on the file to allow read
and execute access for all users. The last command displays the
results of the change.