From:	SMTP%"\'NAVAJO::HESTERMANS\'@linus.mesaii.trw.com"  6-JUN-1995 11:59:49.15
To:	EVERHART
CC:	
Subj:	ACL primer

Date: Mon, 05 Jun 1995 16:35:05 -0700
From: "NAVAJO::HESTERMANS"@linus.mesaii.trw.com (I think, therefore I think I am... I think...)
Subject: ACL primer
To: OPEN-VMS-SIG@decus.org
Errors-to: open-vms-sig-owner@DECUS.Org
Warnings-to: open-vms-sig-owner@DECUS.Org
Message-id: <95060516350586@linus.mesaii.trw.com>
X-VMS-To: INET::"OPEN-VMS-SIG@DECUS.ORG"
X-VMS-Cc: SELF
Content-transfer-encoding: 7BIT
Comments: Send OPEN-VMS-SIG subscribe/unsubscribe requests to mailserv@DECUS.Org

Scott,

********************************************************************************
Before running any of these commands, review them on paper and make sure they
will not open your data to inappropriate access or tampering.
If you are not sure, ask for specific help.
********************************************************************************

It depends on your needs.

The basic order is:
  1) Create rights identifier(s)
  2) Grant the identifiers to the users that need them.
  3) Place an ACE (access control entry) in the ACL (access control list)
     for the files in question, and directories as appropriate.

It is easier to answer specific questions, but I will make some assumptions
and go from there.  I assume you understand UIC protections.

ACLs extend the concept of GROUP.
With simple UIC protection, you are considered a member of an object's group
if your UIC group number is the same as that of the object's owner.

 Example:  File owner is  [100,3]
           If your UIC is [  1,4]     you are SYSTEM (for example)
           If your UIC is [100,3]     you are OWNER
           If your UIC is [100,77]    you are GROUP
           If your UIC is [222,3]     you are WORLD

To create a group with members without regard to UIC, you create
a rights identifier.  Then, anyone you grant that identifier to becomes
a member of your new group.


Example 1:
     DIA3:[STUD.DAT]STUD_INFO.DAT   !  List of students with personal info.
     DIA3:[FINANCE.DAT]LEDGER.DAT   !  Accounting details
     DIA9:[FINANCE.RPT]             !  Files are owned by creators, read by many
                                    !  
       MRSROBINSON    Executive Secretary
       HOFFMAND       Accountant I
       GARFUNKLEA     Accountant I
       MRBIG          Chief Financial Officer
       PUSHYBOSS      Finance Manager

$  set default sys$system
$  run authorize
UAF> add /identifier STUDINFO_READ   ! I named them like this for ease of
UAF> add /identifier STUDINFO_UPDATE ! reading later. Could call them anything.
UAF> grant/id STUDINFO_READ   MRSROBINSON    ! I picked these usernames at
UAF> grant/id STUDINFO_READ   HOFFMAND       ! random.  They have no relation
UAF> grant/id STUDINFO_READ   GARFUNKLEA     ! to anything real or imagined.
UAF> grant/id STUDINFO_UPDATE MRBIG          ! I have no attitude problems with
UAF> grant/id STUDINFO_UPDATE PUSHYBOSS      ! managers. I never saw The Graduate.
UAF> exit
$
$! You could replace these with ACLs granting access, if you wanted to.
$  set file/protection=(W:E)  DIA3:[000000]FINANCE.DIR
$  set file/protection=(W:E)  DIA3:[FINANCE]DAT.DIR
$  set file/protection=(W:E)  DIA3:[000000]STUD.DIR
$  set file/protection=(W:E)  DIA3:[STUD]DAT.DIR
$  set file/protection=(W:E)  DIA9:[000000]FINANCE.DIR
$  set file/protection=(W)  DIA9:[FINANCE]RPT.DIR
$
$!  By only granting E access to the directories, the users must know the
$!  names of the files they want to access.  They will not be able to issue
$!  wildcard directory commands.
$
$  set acl/acl=( (id=STUDINFO_UPDATE,access=R+W ) -
                ,(id=STUDINFO_READ,  access=E   ) -
                ,(id=STUDINFO_UPDATE,options=default,access=R+W ) -
                ,(id=STUDINFO_READ,  options=default,access=R   ) ) -
     DIA3:[STUD]DAT.DIR
$
$  set acl/acl=( (id=STUDINFO_UPDATE,access=R+W ) -
                ,(id=STUDINFO_READ,  access=E   ) -
                ,(id=STUDINFO_UPDATE,options=default,access=R+W ) -
                ,(id=STUDINFO_READ,  options=default,access=R   ) ) -
     DIA3:[FINANCE]DAT.DIR
$
$!  By granting R access to this directory, the users may issue wildcard
$!  directory commands.  They can see all reports in this directory.
$
$  set acl/acl=( (id=STUDINFO_UPDATE,access=R+W ) -
                ,(id=STUDINFO_READ,  access=R   ) -
                ,(id=STUDINFO_UPDATE,options=default,access=R+W ) -
                ,(id=STUDINFO_READ,  options=default,access=R   ) ) -
     DIA9:[FINANCE]RPT.DIR
$
$! Make sure all pre-existing files get the appropriate ACLs added to them.
$  set acl/default DIA3:[FINANCE.DAT]*.DAT
$  set acl/default DIA3:[STUD.DAT]*.DAT
$  set acl/default DIA9:[FINANCE.RPT]*.*;*
$

The access granted can be any combination of R, W, E, D and C, written with
   the letters separated by plus signs (for example R+W):
   R = Read   Can open a file for read. If a directory, can DIR with wildcards.
   W = Write  Can open a file for write.  If a directory, can create new files,
              and/or new versions of files in that directory.
   E = Execute Can run an .EXE file.  If a directory, can pass through on the
               way to accessing files in that directory, or subdirectories
               as long as you know the exact file name you want.  Cannot
               do wildcard directory listings.
   D = Delete  Can delete this file.  If a directory, can delete the directory
               if it is empty.  (generally not used for directories)
   C = Control Can change the protections of this file.

--------------------------------------------------------------------------------

Users with the STUDINFO_UPDATE id will be able to create new files.
They will be owned by the user that created them, but readable by all users
with STUDINFO_READ identifier, and modifiable by those with STUDINFO_UPDATE.

--------------------------------------------------------------------------------
Users with STUDINFO_READ will be able to read any files in any of the
directories in question, regardless of who created them.

They will not be able to issue wildcard DIRECTORY commands on 
    DIA3:[FINANCE.DAT]
 or DIA3:[STUD.DAT]

They WILL be able to do wildcard DIRECTORY commands on DIA9:[FINANCE.RPT]
--------------------------------------------------------------------------------
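As an added example (my own code, not part of the post above), the following Python model applies the OpenVMS access rules described here so that an ACL like the ones in Example 1 can be checked on paper before it is set. It assumes the first matching identifier ACE decides, that a matching ACE which does not grant the request leaves only the SYSTEM and OWNER fields of the protection code in play, and it ignores privileges such as BYPASS; the usernames are from Example 1, while their UICs, the file protections and the OUTSIDER account are constructed.

```python
# Added example (not from the original post): a model of the OpenVMS access
# check for reviewing ACLs like those in Example 1 "on paper".  Assumptions:
# first matching identifier ACE decides; an ACE that denies leaves only the
# SYSTEM/OWNER protection fields in play; privileges (BYPASS etc.) ignored.
MAXSYSGROUP = 0o10   # UIC groups (octal) at or below this are SYSTEM (VMS default)

def uic_categories(user_uic, owner_uic):
    """All protection-code categories the user falls into (VMS grants access
    if ANY of them grants it, so the owner also gets GROUP and WORLD rights)."""
    cats = {"WORLD"}
    if user_uic[0] <= MAXSYSGROUP:
        cats.add("SYSTEM")
    if user_uic[0] == owner_uic[0]:
        cats.add("GROUP")
    if user_uic == owner_uic:
        cats.add("OWNER")
    return cats

def check_access(req, user_uic, held_ids, owner_uic, protection, acl):
    """Is access `req` (one letter of R, W, E, D, C) granted?"""
    for ident, access in acl:               # (identifier, "RW"-style access string)
        if ident in held_ids:
            if req in access:
                return True                 # ACL grants: done
            cats = uic_categories(user_uic, owner_uic) & {"SYSTEM", "OWNER"}
            break                           # ACL denies: group/world fields not used
    else:
        cats = uic_categories(user_uic, owner_uic)
    return any(req in protection[c] for c in cats)

# Constructed scenario from Example 1: HOFFMAND created LEDGER.DAT inside
# DIA3:[FINANCE.DAT], so the file carries the directory's default ACEs.
USERS = {   # username: (UIC as (group, member), identifiers held); values invented
    "HOFFMAND":    ((0o200, 5), {"STUDINFO_READ"}),
    "GARFUNKLEA":  ((0o200, 6), {"STUDINFO_READ"}),
    "MRSROBINSON": ((0o300, 1), {"STUDINFO_READ"}),
    "MRBIG":       ((0o300, 2), {"STUDINFO_UPDATE"}),
    "OUTSIDER":    ((0o400, 1), set()),
}
LEDGER = dict(owner=(0o200, 5),
              protection={"SYSTEM": "RWED", "OWNER": "RWED", "GROUP": "", "WORLD": ""},
              acl=[("STUDINFO_UPDATE", "RW"), ("STUDINFO_READ", "R")])
DAT_DIR = dict(owner=(0o1, 4),
               protection={"SYSTEM": "RWE", "OWNER": "RWE", "GROUP": "", "WORLD": "E"},
               acl=[("STUDINFO_UPDATE", "RW"), ("STUDINFO_READ", "E")])

def can(user, req, obj):
    uic, ids = USERS[user]
    return check_access(req, uic, ids, obj["owner"], obj["protection"], obj["acl"])
```

Note that GARFUNKLEA shares HOFFMAND's UIC group yet cannot write LEDGER.DAT: once an identifier ACE matches and denies, the GROUP field of the protection code is no longer consulted, while HOFFMAND as owner keeps the OWNER field's rights.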

If you have need of multiple users creating files owned by a common owner,
rather than individual users, ask me and I'll explain more.

Scott Hesterman
VMS and DCL Guru

