 |
|
| Introduction to the OpenVMS Operating Environment |
Data Security
| Introduction to Data Security |
SAS protects data sets, catalogs, and external files by using the normal OpenVMS access-control measures: file protection and access control lists. These access-control measures apply equally to SAS data sets, catalogs, and external files. SAS data set security measures, such as data set READ and WRITE passwords, are also available.
| File Protection |
File protection is a generalized way of controlling access to files, based on the relationship of the user that is accessing the file to the file owner. A typical file protection is specified as a list of user classes and their permitted operations.
File protection consists of four classes of users who can access a file:
- SYSTEM
-
refers to a user who has a system user identification code (UIC) or SYSPRV privilege. This class is typically reserved for the system manager and operations staff.
- OWNER
-
refers to a user who has the same UIC as the user who created the file. At most sites, each user has a unique UIC, so the OWNER is always the person who created the file.
- GROUP
-
refers to a user who has the same group number in their UIC as the creator of the file.
- WORLD
Permitted operations are the following:
- READ access
-
is required to read a file. For example, you must have READ access to a file if you intend to browse, copy, or move it.
- WRITE access
-
is required to change the attributes of a file, including its file protection, as well as to modify data in the file.
- EXECUTE access
-
is required to execute files such as command procedures. It does not apply to OpenVMS data files such as SAS data sets, catalogs, or external files.
- DELETE access
A typical file-protection specification might be the following:
(S:RWE, O:RWED, G:RE, W)
This example permits a SYSTEM user to READ, WRITE, or EXECUTE the file. The OWNER is permitted any operation on the file. Members of the same GROUP as the user are permitted to READ or EXECUTE the file. All other users are denied access to the file.
Specifying File Protection for a Process
To specify file protection for the duration of your process (or until you change the specification), use the SET PROTECTION/DEFAULT DCL command. The /DEFAULT parameter tells OpenVMS to apply the specification to every file that you create during your OpenVMS process except those for which you explicitly specify file protection. For example, the following command specifies new protection values for files that you subsequently create:
$ SET PROTECTION=(S:RWE,O:RWED,G:RE,W)/DEFAULT
Specifying File Protection for Individual Files
To specify file protection for a particular file or set of files, use the SET PROTECTION command without the /DEFAULT parameter. For example, the following SET PROTECTION command sets new protection values for the file MYDATA.SAS7BDAT:
$ SET PROTECTION=(S:RWE,O:RWED,G:RWED,W:RE) - _$ MYDATA.SAS7BDAT
For more information about file protection, see the OpenVMS User's Guide and HP OpenVMS Guide to System Security.
| Access Control Lists |
Access control lists (ACLs) provide more specific control over who can perform operations on a file. ACLs allow each file to have a list of identifiers, which can be either UICs or keyword names that are assigned by the system manager. Only users with matching UICs or resource identifiers can perform operations on the file.
The description of ACLs is beyond the scope of this document. For more information, see HP OpenVMS Guide to System Security.
|
|
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.