Museum

Home

Lab Overview

Retrotechnology Articles

⇒ Online Manual

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

Format

More

Examples

AFTER

POSITION

IDENTIFIER

ACCESS

relation-name

view-name

field-name

RDB/VMS Relational Database Operator DEFINE_PROTECTION — VMS RDB_3.1A

 Adds an entry to the access control list (ACL) for a database,
 relation, or field.  To define protection for a database, you must
 first invoke the database.

 Example:

      RDO>  DEFINE PROTECTION FOR DATABASE
      cont>   POSITION 3
      cont>   IDENTIFIER [25,235]
      cont>   ACCESS "READ+WRITE+MODIFY+ERASE".

Additional information available:

FormatMoreExamples

Format

 DEFINE PROTECTION FOR ────┐
                           │
      ┌──────<─────────────┘
      └────┬───> 
D

A

T

A

B

A

S

E
───────────>─────────────────┐ ├───> 
R

E

L

A

T

I

O

N
──> relation-name ───────────┤ ├───> 
V

I

E

W
──────> view-name ───────────────┤ └───> 
F

I

E

L

D
─> field-name IN relation-name ─┤ ┌───────────────<───────────────────────────────┘ └───┬───────────>──────────────────┬─┐ ├─> 
A

F

T

E

R
───> identifier ─────┤ │ └─> 
P

O

S

I

T

I

O

N
──> n ────────────┘ │ ┌───────────────<──────────────────┘ └───> 
I

D

E

N

T

I

F

I

E

R
──┬──> identifier ──┬─┐ └──<──── typebox (+) <──────┘ │ ┌────────────────────<─────────────────┘ └───> 
A

C

C

E

S

S
───┬───>─────────────────┬──────────> . └─┬─> access-right ─┬─┘ └─<────── typebox (+) <─────┘

Additional information available:

AFTERPOSITIONIDENTIFIERACCESS

relation-nameview-namefield-name

relation-name

 The name of the Rdb/VMS relation for which you want to insert an ACL
 entry.

 A user with MODIFY rights on the relation automatically gets the same
 rights on all fields in the relation.  However, you can restrict
 MODIFY rights by defining them only on specific fields you want users
 to be able to modify and thus remove the right from the relation
 entry.

view-name

 The name of the Rdb/VMS view for which you want to insert an ACL
 entry.

field-name

 The name of the local field in a specified relation for which you
 want to insert an ACL entry.

 Rights on a field are determined by the rights defined on the field
 combined with those specified for the specific relation ACL.

 Only MODIFY rights can be granted to fields.  All other rights are
 not applicable.

AFTER

 Locates the new ACL entry relative to an existing entry.  When you
 specify an identifier, Rdb/VMS searches the access control list for
 an existing entry that matches.  It then inserts the new entry after
 the existing one.  If you use the AFTER clause, you cannot use the
 POSITION clause.

POSITION

 Locates a new ACL entry relative to its position in the list.  Use an
 unsigned integer greater than zero to specify the position in the
 access control list where Rdb/VMS places a newly created entry.  If
 you use the POSITION clause, you cannot use the AFTER clause.

 When this statement executes, Rdb/VMS automatically reassigns
 sequence numbers to entries in the ACL, starting with number one.

IDENTIFIER

 Identifies the user or users for whom an entry is being added.  You
 can specify any valid VMS identifier in the identifier clause:


  o  UIC identifier

     You cannot specify more than one UIC identifier in a DEFINE
     PROTECTION statement.

  o  General identifier

  o  System-defined identifier

ACCESS

 Grants or denies access rights to the user identified in an ACL
 entry.  For more information on access rights, ask for HELP on
 Access_rights.

 Specify only those access rights that you want to grant access to.

More

 An access control list (ACL) is attached to each database and
 relation.  This list defines which users can access the database
 element and what operations each user can perform.  Thus each entry
 in the access control list consists of two items of information:


  o  An identifier that specifies a user or set of users.

  o  A set of access rights.  These rights specify what operations the
     user or users can perform on the database or relation.


 When you first create a database, Rdb/VMS creates two ACL entries,
 one for the owner of the database and one for all other users.  The
 owner is given all access rights, including CONTROL.  All other users
 are given every access right except CONTROL.  If you, the owner of
 the database, want to use the Rdb/VMS protection mechanism, your
 first step should be to set stricter protection on the database
 immediately.

 Rdb/VMS determines the rights for a user by matching the user's user
 identification code (UIC) with the identifier in each ACL entry.  The
 first time Rdb/VMS finds a match, it grants the user the rights in
 that entry.  If there is no match, Rdb/VMS grants no rights.
 Therefore, if the owner deletes the second default entry whose
 identifier is [*,*], all access is denied to all users but the owner.

 Use the DEFINE PROTECTION statement to add more entries to the list.
 When the statement executes, Rdb/VMS creates a new entry in the
 position specified.  This entry grants the specified rights to the
 user or group of users determined by the identifier.  All rights not
 specified in the statement are denied.

 For a particular user, Rdb/VMS grants an access right to a relation
 only if that right is granted in the ACL for both the database and
 the relation.  That is, a user has WRITE privilege to the EMPLOYEES
 relation only if that user has WRITE privilege to both the PERSONNEL
 database and the EMPLOYEES relation.  This means that protection at
 the database level should grant to each user or group of users all
 the privileges they may need for any relation.  You can then deny
 these privileges at the relation level.

 Granting or revoking a privilege takes effect after the user detaches
 and attaches to the database again.

 To define protection for a database, you must first invoke the
 database.  You must execute the DEFINE PROTECTION statement in a
 read/write transaction.  If you issue this statement when there is no
 active transaction, Rdb/VMS starts a read/write transaction
 implicitly.

 Other users are allowed to be attached to the database when you issue
 the DEFINE PROTECTION statement.

Examples

 Example 1

 The following example grants access rights to a single user:

 RDO>  DEFINE PROTECTION FOR DATABASE
 cont> POSITION 3
 cont> IDENTIFIER [CLERKS,DAVIES]
 cont> ACCESS "READ+WRITE+MODIFY+ERASE".

 This statement performs the following actions:

  o  Specifies the location of the entry within the access control
     list.  The new entry is in the third position and all subsequent
     entries are moved to the next higher position.

  o  Uses an identifier to designate the user who is granted access
     rights.

  o  Grants the specified access rights.  Rdb/VMS denies all other
     rights.



 Example 2

 The following example grants access rights to a group of users:

 RDO>  DEFINE PROTECTION FOR RELATION SALARY_HISTORY
 cont>      AFTER [ANALYSTS,JOHNSON]
 cont>      IDENTIFIER [ANALYSTS,*]
 cont>      ACCESS
 cont>      "READ+WRITE+MODIFY+ERASE -
 cont>      +DEFINE+CHANGE+DELETE".

 This statement performs the following actions:

  o  Names the relation SALARY_HISTORY.  The new ACL entry will be
     applied to this relation.

  o  Uses the AFTER clause to specify the location of the entry within
     the ACL.  In this case, the new ACL entry appears after the entry
     for user identifier [ANALYSTS,JOHNSON].

  o  Identifies the set of users ([ANALYSTS,*]) who are granted the
     listed access rights.  In this case, the new identifier has the
     same group identifier as the identifier that precedes it in the
     list.  This means that for user JOHNSON in group ANALYSTS,
     Rdb/VMS will grant the privileges listed in the earlier entry.
     All other users in group ANALYSTS will fall through to the entry
     identified by [ANALYSTS,*].  Rdb/VMS grants these other members
     of group PROGRAMMERS the rights listed in this statement.  In
     this way, the system gives general rights to a group and more
     specific rights to a single member of the group.



 Example 3

 The following example grants access rights on the specific field to a
 group of users:

 RDO>  DEFINE PROTECTION FOR FIELD SALARY_AMOUNT IN SALARY_HISTORY
 cont>      AFTER [MANAGERS,SMITH]
 cont>      IDENTIFIER [MANAGERS,*]
 cont>      ACCESS MODIFY.

 The following examples show how to specify the identifiers in a
 DEFINE PROTECTION statement.


 Example 4

 In this example, all users with the UIC matching [25,*] and running a
 batch job are granted the access rights listed.

 RDO>  DEFINE PROTECTION FOR DATABASE
 cont> POSITION 4
 cont> IDENTIFIER [25,*]+BATCH
 cont> ACCESS READ+DEFINE+CHANGE+DELETE.


 Example 5

 All users associated with the general identifier DATAENTRY and using
 RDO interactively are granted update access rights.

 RDO>  DEFINE PROTECTION FOR DATABASE
 cont> POSITION 5
 cont> IDENTIFIER DATAENTRY+INTERACTIVE
 cont> ACCESS READ+WRITE+MODIFY+STORE.


 Example 6

 User JONES gets the specified access rights.

 RDO> DEFINE PROTECTION FOR DATABASE
 cont> POSITION 6
 cont> IDENTIFIER [RDB,JONES]
 cont> ACCESS READ+WRITE+MODIFY+ERASE.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026