VMS Help  —  SET  SECURITY
    Modifies the security profile of an object.

    Format

      SET SECURITY  object-name

1  –  Parameter

 object-name

    Specifies the name of an object, such as a file or device, whose
    security profile is to be modified. An object is identified by an
    object name and a class name. The default class name is FILE.

    An object name of the FILE class (explicitly or implicitly
    specified) can include an asterisk (*)  or a percent sign (%)
    wildcard character, but wildcard characters are not allowed
    in any class other than FILE. SET SECURITY does not operate on
    remote files and devices, alias directory entries, or directory
    names in UIC format (for example, [14,5]).

    The following table shows the qualifier categories for the SET
    SECURITY command.

                 ACL-        Security   File-
    General      Modifying   Class      Specific   Transfer
    Qualifiers   Qualifiers  Qualifier  Qualifiers Qualifiers

    /ACL         /AFTER      /PROFILE   /BACKUP    /COPY_ATTRIBUTE
    /CLASS       /DELETE                /BEFORE    /LIKE
    /LOG         /EDIT                  /BY_OWNER
    /OWNER       /REPLACE               /CONFIRM
    /PROTECTION                         /CREATED
                                        /DEFAULT
                                        /EXCLUDE
                                        /EXPIRED
                                        /MODIFIED
                                        /SINCE
                                        /STYLE

2  –  Qualifiers

2.1    /ACL

       /ACL[=(ace[,...])]

    Identifies one or more access control list entries (ACEs) to
    add, replace, or delete. Enclose each ACE in parentheses and
    separate multiple ACEs by commas (,).  The most common type of
    entry, the Identifier ACE, has the format (IDENTIFIER=identifier,
    ACCESS=access-type(+...)). By default, SET SECURITY adds an ACE
    to the top of the ACL. This behavior changes when you include one
    of the positional qualifiers: /AFTER, /DELETE, or /REPLACE. See
    the discussion of ACL ordering in the VSI OpenVMS Guide to System
    Security.

2.2    /AFTER

       /AFTER=ace

    Positions all ACEs specified with the /ACL qualifier after the
    ACE named with the /AFTER qualifier.

2.3    /BACKUP

    Modifies the time value provided with the /BEFORE or the /SINCE
    qualifier. The /BACKUP qualifier selects files according to the
    date of their most recent backup (rather than by the creation,
    expiration, or modification date). By default, SET SECURITY
    selects files according to their creation date.

2.4    /BEFORE

       /BEFORE[=time]

    Selects only those files dated prior to the specified time.
    You can specify time as absolute time, as a combination of
    absolute and delta times, or as one of the following keywords:
    BOOT, LOGIN, TODAY (default), TOMORROW, or YESTERDAY. Specify
    the /CREATED or the /MODIFIED qualifier to indicate the time
    attribute to be used as the basis for selection. The /CREATED
    qualifier is the default.

    For complete information on specifying time values, see the
    OpenVMS User's Manual or the online help topic Date.

2.5    /BY_OWNER

       /BY_OWNER[=uic]

    Selects files whose owner's UIC matches the UIC specified. The
    default UIC is that of the current process.

2.6    /CLASS

       /CLASS=class-name

    Specifies the class of the object whose profile is to be
    modified. By default, the command assumes the object class is
    FILE.

2.7    /CONFIRM

    Controls whether SET SECURITY prompts for verification before
    performing the operation. Valid responses are YES, NO, TRUE, and
    FALSE. Answers are not case sensitive and can be abbreviated to
    one letter. To stop processing the command at any point, type
    QUIT or press Ctrl/Z. To cancel the verification procedure but to
    proceed with the command, type ALL.

2.8    /COPY_ATTRIBUTE

       /COPY_ATTRIBUTE=(keyword[,...])

    Specifies a subset of security elements to transfer from a source
    object to a target object. Valid keywords include the following:

    Keyword        Description

    ALL            Copy all security elements
    (default)
    ACL            Copy the access control list
    OWNER          Copy the owner
    PROTECTION     Copy the protection code

    Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier. For
    example, you can create an ACL for an object and then copy its
    ACL to new objects.

2.9    /CREATED

    Modifies the time value specified with the /BEFORE or the /SINCE
    qualifier. The /CREATED qualifier selects files according to the
    date they were created (rather than by the backup, expiration,
    or modification date). By default, SET SECURITY selects files
    according to their creation date.

2.10    /DELETE

       /DELETE[=ALL]

    Deletes ACEs according to the following rules:

    o  The expression /ACL=aces/DELETE deletes the named ACEs.

    o  The expression /ACL/DELETE deletes all unprotected ACEs.

    o  The expression /ACL/DELETE=ALL deletes all ACEs including
       protected ACEs.

    o  The expression /ACL=aces/DELETE=ALL deletes the existing ACL
       (if any) and create a new ACL with the ACEs specifies on the
       /ACL qualifier.

2.11    /DEFAULT

    Regenerates the security profile of a file. The default qualifier
    changes the protection code, the ACL, and the owner elements of a
    file to what it would be if the file had just been created. The
    profile is recreated according to the following rules:

    o  The protection code is propagated from the default protection
       ACE on the directory (if one exists), or else it is propagated
       from the process default.

    o  The ACL is propagated from the parent directory for those ACEs
       that have the default option.

    o  The owner is set to the owner of the parent directory.

    With subdirectory files, SET SECURITY assigns the owner,
    protection, and ACL elements of the parent directory.

    SET SECURITY does not copy any ACE on the source object if the
    ACE holds the nopropagate attribute nor does it change any ACE
    on the target object if the ACE holds the protected attribute. To
    apply new elements to all versions of the file, specify ;* in the
    object name. See the VSI OpenVMS Guide to System Security for more
    information on propagation rules.

2.12    /EDIT

    Invokes the access control list editor (ACL editor) and allows
    you to modify an ACL interactively. The ACL editor does not allow
    the asterisk (*)  and the percent sign (%) wildcard characters
    in an object name. You must specify the object whose ACL you are
    editing.

    The /EDIT qualifier must be the first qualifier on the command
    line; other qualifiers can include /CLASS and, if the class is
    SECURITY_CLASS, you can include the /PROFILE qualifier. Whenever
    an object does not belong to the FILE class, you also need to
    specify /CLASS.

    See the ACL editor in the VSI OpenVMS System Management Utilities
    Reference Manual for more information.

2.13    /EXCLUDE

       /EXCLUDE=(filespec[,...])

    Excludes the specified files from the SET SECURITY operation.
    You can include a directory, but not a device, in the file
    specification. You cannot use relative version numbers to exclude
    a specific version.

2.14    /EXPIRED

    Modifies the time specified with the /BEFORE or the /SINCE
    qualifier. The /EXPIRED qualifier selects files according to
    their expiration dates rather than by the backup, creation,
    or modification date. (The expiration date is set with the SET
    FILE/EXPIRATION_DATE command.) By default, files are selected
    according to their creation date.

2.15    /LIKE

       /LIKE=(NAME=source-object-name
     [,CLASS=source-object-class]  [,PROFILE=TEMPLATE=template-name])

    Identifies the object from which SET SECURITY should copy
    security elements. The /LIKE qualifier replaces an object's
    existing elements with those of the source object. Nopropagate
    ACEs are not transferred and protected ACEs on the target object
    are not deleted. Use the /COPY_ATTRIBUTE qualifier with the /LIKE
    qualifier to copy an object's elements. See the VSI OpenVMS Guide
    to System Security for information about the special handling of
    protected and nopropagate ACEs.

    The object class of the source object defaults to the class of
    the target object. When the /CLASS qualifier is omitted, the
    CLASS keyword defaults to FILE.

    The PROFILE keyword applies to security class objects. It
    identifies which template of the security class you want to copy
    and modify. See /PROFILE for more information.

2.16    /LOG

    Controls whether the SET SECURITY command displays the name of
    the object that has been modified by the command. The qualifier
    is invalid with the /EDIT qualifier.

2.17    /MODIFIED

    Modifies the time value specified with the /BEFORE or the /SINCE
    qualifier. The /MODIFIED qualifier selects files according to
    the dates on which they were last modified, rather than by the
    backup, creation, or expiration date. By default, files are
    selected according to their creation date.

2.18    /OWNER

       /OWNER=identifier

    Requires GRPPRV (group privilege) to set the owner to another
    member of the same group. Requires SYSPRV (system privilege) to
    set the owner to any user identification code (UIC) outside your
    group.

    Modifies the owner element of an object. Specify the user
    identification code (UIC) or general identifier in the standard
    format. Modifying the owner element of a file usually requires
    privileges. See the VSI OpenVMS Guide to System Security for more
    information.

2.19    /PROFILE

       /PROFILE=TEMPLATE[=template-name]

    Identifies which template profile of a security class object
    you want to modify. All object classes except FILE have at
    least one template profile. These template profiles define the
    basis of the profile of new objects. Use the DCL command SHOW
    SECURITY/CLASS=SECURITY_CLASS to display template names. When no
    value is given for template-name, SET SECURITY uses the template
    named DEFAULT.

    Include the /CLASS=SECURITY_CLASS qualifier to identify which
    profile you want to modify.

2.20    /PROTECTION

       /PROTECTION=(ownership[:access][,...])

    Cannot be used to change the protection on a file by using DECnet
    software.

    Modifies the protection code of an object. The protection code
    defines the type of access allowed to users, based on their
    relationship to the object's owner.

    Specify the ownership parameter as system (S),  owner (O), group
    (G),  or world (W).

    Access types are class specific and are shown in the following
    table. For access, use the first letter of the access name.

        Object Class         Access Types

        CAPABILITY (VAX      Use, Control
        only)
        COMMON_EVENT_FLAG_   Associate, Delete, Control
        CLUSTER
        DEVICE               Read, Write, Physical, Logical, Control
        FILE (including      Read, Write, Execute, Delete, Control
        directory file)
        GROUP_GLOBAL_        Read, Write, Execute, Control
        SECTION
        LOGICAL_NAME_TABLE   Read, Write, Create, Delete, Control
        QUEUE                Read, Submit, Manage, Delete, Control
        RESOURCE_DOMAIN      Read, Write, Lock, Control
        SECURITY_CLASS       Read, Write, Control, Logical I/O,
                             Physical I/O
        SYSTEM_GLOBAL_       Read, Write, Execute, Control
        SECTION
        VOLUME               Read, Write, Create, Delete, Control

2.21    /REPLACE

       /REPLACE=(ace[,...])

    Eliminates entries listed with the /ACL qualifier and adds
    entries listed with the /REPLACE qualifier. SET SECURITY inserts
    the entries listed with /REPLACE in the position of the last
    deleted ACE.

2.22    /SECRECY

    Reserved for use by VSI.

2.23    /SINCE

       /SINCE[=time]

    Selects only those files dated on or after the specified time.
    You can specify time as absolute time, as a combination of
    absolute and delta times, or as one of the following keywords:
    BOOT, JOB_LOGIN, LOGIN, TODAY (default), TOMORROW, or YESTERDAY.
    Specify the /CREATED or the /MODIFIED qualifier to indicate
    the time attribute to be used as the basis for selection. The
    /CREATED qualifier is the default.

    For complete information on specifying time values, see the
    OpenVMS User's Manual or the online help topic Date.

2.24    /STYLE

       /STYLE=keyword

    Specifies the file name format for display purposes.

    The valid keywords for this qualifier are CONDENSED and EXPANDED.
    Descriptions are as follows:

    Keyword     Explanation

    CONDENSED   Displays the file name representation of what is
    (default)   generated to fit into a 255-length character string.
                This file name may contain a DID or FID abbreviation
                in the file specification.
    EXPANDED    Displays the file name representation of what is
                stored on disk. This file name does not contain any
                DID or FID abbreviations.

    The keywords CONDENSED and EXPANDED are mutually exclusive. This
    qualifier specifies which file name format is displayed in the
    output message, along with the confirmation if requested.

    File errors are displayed with the CONDENSED file specification
    unless the EXPANDED keyword is specified.

    See the VSI OpenVMS System Manager's Manual, Volume 1: Essentials
    for more information.

2.25    /SYMLINK

       /SYMLINK=keyword

    The valid keywords for this qualifier are [NO]WILDCARD and
    [NO]ELLIPSIS. Descriptions are as follows:

    Keyword     Explanation

    WILDCARD    Indicates that symlinks are enabled during wildcard
                searches.
    NOWILDCARD  Indicates that symlinks are disabled during directory
                wildcard searches.
    ELLIPSIS    Equivalent to WILDCARD (included for command
                symmetry).
    NOELLIPSIS  Indicates that symlinks are matched for all wildcard
                fields except for ellipsis.

    If the file named in the SET SECURITY command is a symlink, the
    command operates on the symlink itself.

3  –  Examples

    1.$  SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE

      LNM$GROUP object of class LOGICAL_NAME_TABLE

           Owner: [SYSTEM]
           Protection: (System: RWCD, Owner: R, Group: R, World: R)
           Access Control List:
                (IDENTIFIER=[USER,VARANESE],ACCESS=CONTROL)

      $  SET SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE -
      _$      /ACL=((IDENTIFIER=CHEKOV,ACCESS=CONTROL), -
      _$            (IDENTIFIER=WU,ACCESS=READ+WRITE)) -
      _$       /DELETE=ALL -
      _$       /PROTECTION=(S:RWCD, O:RWCD, G:R, W:R)

      $  SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE

      LNM$GROUP object of class LOGICAL_NAME_TABLE

           Owner: [SYSTEM]
           Protection: (System: RWCD, Owner: RWCD, Group: R, World: R)
           Access Control List:
                (IDENTIFIER=[USER,CHEKOV],ACCESS=CONTROL)
                (IDENTIFIER=[USER,WU],ACCESS=READ+WRITE)

      This example shows how to make a straightforward change to the
      security elements of an object. The first SHOW SECURITY command
      displays the current settings of the LNM$GROUP logical name
      table. The SET SECURITY command resets the ACL to allow control
      access for user Chekov, and to allow read and write access
      for user Wu. Note that without the /DELETE=ALL qualifier,
      these ACEs would have been added to the existing ACL rather
      than superseding it. The protection is also changed to allow
      read, write, create, and delete access for the owner. The last
      command displays the results of the changes.

    2.$  SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE

      LNM$GROUP object of class LOGICAL_NAME_TABLE

           Owner: [SYSTEM]
           Protection: (System: RWCD, Owner: R, Group: R, World: R)
           Access Control List:
                (IDENTIFIER=[USER,FERNANDEZ],ACCESS=CONTROL)

      $  SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE

      LNM$JOB object of class LOGICAL_NAME_TABLE

           Owner: [USER,WEISS]
           Protection: (System: RWCD, Owner: RWCD, Group, World)
           Access Control List:  <empty>

      $  SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
      _$      /LIKE=(NAME=LNM$GROUP, CLASS=LOGICAL_NAME_TABLE) -
      _$      /COPY_ATTRIBUTES=PROTECTION
      $  SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
      _$      /ACL=(IDENTIFIER=FERNANDEZ, ACCESS=READ)

      $  SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE

      LNM$JOB object of class LOGICAL_NAME_TABLE

           Owner: [USER,WEISS]
           Protection: (System: RWCD, Owner: R, Group: R, World: R)
           Access Control List:
                (IDENTIFIER=[USER,FERNANDEZ],ACCESS=READ)

      This example shows how to copy security access information
      from one object to another and, at the same time, set some
      elements explicitly. The first SHOW SECURITY commands display
      the current settings for the LNM$GROUP and LNM$JOB logical name
      tables. The SET SECURITY command copies the protection code
      from the LNM$GROUP logical name table to the LNM$JOB logical
      name table and adds an ACE to allow read access to another
      user. The final SHOW SECURITY command shows the effect of the
      changes.

    3.$  SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS

      SECURITY_CLASS object of class SECURITY_CLASS

           Owner: [SYSTEM]
           Protection: (System: RWED, Owner: RWED, Group: R, World: R)
           Access Control List:  <empty>

        Template: DEFAULT

           Owner: [SYSTEM]
           Protection: (System: RWED, Owner: RWED, Group, World: RE)
           Access Control List:   <empty>

      $  SET SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS -
      _$      /PROFILE=TEMPLATE=DEFAULT -
      _$      /PROTECTION=(S:RWE, O:RWE, G:RE)

      $  SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS

      SECURITY_CLASS object of class SECURITY_CLASS
           Owner: [SYSTEM]
           Protection: (System: RWED, Owner: RWED, Group: R, World: R)
           Access Control List:  <empty>

        Template: DEFAULT

           Owner: [SYSTEM]
           Protection: (System: RWE, Owner: RWE, Group: RE, World: RE)
           Access Control List:  <empty>

      This example demonstrates how to change the security elements
      for the template of a security class object. The first command
      shows the current settings for the SECURITY_CLASS object. The
      second command changes the DEFAULT template of the SECURITY_
      CLASS object such that the protection is (S:RWE, O:RWE, G:RE).
      The change is shown in the display of the last command. The
      world protection of RE remains unchanged.

    4.$  DIRECTORY/SECURITY

      Directory DKA200:[DATA]

      FILE001.DAT;1        [SYSTEM]                         (RWED,RWED,RE,)

      Total of 1 file.

      $  SET SECURITY/CLASS=FILE/PROTECTION=(WORLD:RE)/LOG FILE001.DAT
      %SET-I-MODIFIED, DKA200:[DATA]FILE001.DAT;1 modified

      $  DIRECTORY/SECURITY

      Directory DKA200:[DATA]

      FILE001.DAT;1        [SYSTEM]                       (RWED,RWED,RE,RE)

      Total of 1 file.
      $

      This example shows how to set UIC-based protection codes on
      an object. The first DIRECTORY command displays the current
      security settings on the file FILE001.DAT. The SET SECURITY
      command changes the protection codes on the file to allow read
      and execute access for all users. The last command displays the
      results of the change.
Close Help