
Introduction to the OpenVMS Operating Environment

Data Security


Introduction to Data Security

SAS protects data sets, catalogs, and external files by using the normal OpenVMS access-control measures: file protection and access control lists. These access-control measures apply equally to SAS data sets, catalogs, and external files. SAS data set security measures, such as data set READ and WRITE passwords, are also available.


File Protection

File protection is a generalized way of controlling access to files, based on the relationship of the user that is accessing the file to the file owner. A typical file protection is specified as a list of user classes and their permitted operations.

File protection consists of four classes of users who can access a file:

SYSTEM

refers to a user who has a system user identification code (UIC) or SYSPRV privilege. This class is typically reserved for the system manager and operations staff.

OWNER

refers to a user who has the same UIC as the user who created the file. At most sites, each user has a unique UIC, so the OWNER is always the person who created the file.

GROUP

refers to a user who has the same group number in their UIC as the creator of the file.

WORLD

refers to any other user on the system.

Permitted operations are the following:

READ access

is required to read a file. For example, you must have READ access to a file if you intend to browse, copy, or move it.

WRITE access

is required to change the attributes of a file, including its file protection, as well as to modify data in the file.

EXECUTE access

is required to execute files such as command procedures. It does not apply to OpenVMS data files such as SAS data sets, catalogs, or external files.

DELETE access

is required to delete or move a file.

A typical file-protection specification might be the following:

(S:RWE, O:RWED, G:RE, W)

This example permits a SYSTEM user to READ, WRITE, or EXECUTE the file. The OWNER is permitted any operation on the file. Members of the same GROUP as the file's owner are permitted to READ or EXECUTE the file. All other users (WORLD) are denied access to the file.


Specifying File Protection for a Process

To specify file protection for the duration of your process (or until you change the specification), use the SET PROTECTION/DEFAULT DCL command. The /DEFAULT parameter tells OpenVMS to apply the specification to every file that you create during your OpenVMS process except those for which you explicitly specify file protection. For example, the following command specifies new protection values for files that you subsequently create:

$ SET PROTECTION=(S:RWE,O:RWED,G:RE,W)/DEFAULT


Specifying File Protection for Individual Files

To specify file protection for a particular file or set of files, use the SET PROTECTION command without the /DEFAULT parameter. For example, the following SET PROTECTION command sets new protection values for the file MYDATA.SAS7BDAT:

$ SET PROTECTION=(S:RWE,O:RWED,G:RWED,W:RE) -
_$ MYDATA.SAS7BDAT

For more information about file protection, see the OpenVMS User's Guide and HP OpenVMS Guide to System Security.
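As an added example (not part of the SAS or OpenVMS documentation), the following Python code parses the protection-mask format shown above and works out which operations a given requester gets, which is the check an auditor wants when scanning protection strings for WORLD-accessible files. It assumes UICs are (group, member) pairs in octal, that a system UIC is one whose group number is at or below MAXSYSGROUP (assumed default 8), and that OpenVMS grants an operation when any class the requester falls into permits it.

```python
CLASSES = {"S": "SYSTEM", "SYSTEM": "SYSTEM", "O": "OWNER", "OWNER": "OWNER",
           "G": "GROUP", "GROUP": "GROUP", "W": "WORLD", "WORLD": "WORLD"}
OPERATIONS = "RWED"  # READ, WRITE, EXECUTE, DELETE, in the order DCL prints them


def parse_protection(spec):
    """Parse a mask such as "(S:RWE, O:RWED, G:RE, W)" into {class: set(ops)}.

    A class given without a colon and operations ("W" above) is present with an
    empty set, i.e. explicitly denied. Unknown classes or operation letters raise.
    """
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    perms = {}
    for field in body.split(","):
        field = field.strip().upper()
        if not field:
            continue
        code, _, ops = field.partition(":")
        if code not in CLASSES or set(ops) - set(OPERATIONS):
            raise ValueError(f"bad protection field: {field!r}")
        perms[CLASSES[code]] = set(ops)
    return perms


MAXSYSGROUP = 0o10  # assumed default: UIC groups at or below this are system UICs


def requester_classes(uic, owner_uic, has_sysprv=False):
    """Return the set of classes a requester falls into; UICs are (group, member)."""
    classes = {"WORLD"}  # every user on the system is WORLD
    if has_sysprv or uic[0] <= MAXSYSGROUP:
        classes.add("SYSTEM")
    if uic == owner_uic:
        classes.add("OWNER")
    if uic[0] == owner_uic[0]:
        classes.add("GROUP")
    return classes


def effective_access(spec, uic, owner_uic, has_sysprv=False):
    """Operations the requester may perform, as a string in RWED order.

    Assumption: an operation is granted if any class the requester belongs to
    permits it. A class absent from the mask contributes nothing.
    """
    perms = parse_protection(spec)
    allowed = set()
    for cls in requester_classes(uic, owner_uic, has_sysprv):
        allowed |= perms.get(cls, set())
    return "".join(op for op in OPERATIONS if op in allowed)


def world_exposure(spec):
    """Audit helper: operations any user on the system gets from this mask."""
    world = parse_protection(spec).get("WORLD", set())
    return "".join(op for op in OPERATIONS if op in world)
```

Running `world_exposure` over the protection strings reported by DIRECTORY/PROTECTION for a SAS data library quickly shows which files are readable or writable by WORLD.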


Access Control Lists

Access control lists (ACLs) provide more specific control over who can perform operations on a file. ACLs allow each file to have a list of identifiers, which can be either UICs or keyword names that are assigned by the system manager. Only users with matching UICs or resource identifiers can perform operations on the file.

The description of ACLs is beyond the scope of this document. For more information, see HP OpenVMS Guide to System Security.
