RDB/VMS Relational Database Operator CHANGE_PROTECTION — VMS RDB_4.0
Changes protection for a single entry within the specified access
control list.
Example:
RDO> CHANGE PROTECTION FOR DATABASE
cont> [ADMIN,JONES]
cont> ACCESS "WRITE+MODIFY+ERASE".
Additional information available:
Format
CHANGE PROTECTION FOR ────┐
                          │
 ┌────────────────────────┘
 └────┬───> DATABASE ───────────>─────────────────┐
      ├───> RELATION ──> relation-name ───────────┤
      ├───> VIEW ──────> view-name ───────────────┤
      └───> FIELD ─> field-name IN relation-name ─┤
 ┌───────────────<────────────────────────────────┘
 └───┬───────────>───────────┬─┐
     ├──> sequence-number ───┤ │
     └┬─> identifier ───┬────┘ │
      └─────── + <──────┘      │
 ┌─────────────────────────────┘
 └──> ACCESS ──┬─> access-right ──┬──────────> .
               └───── + <─────────┘
Additional information available:
relation-name   view-name   field-name   sequence-number   identifier
access-right
relation-name
The name of the Rdb/VMS relation for which you want to change an ACL entry. A user with MODIFY rights on the relation automatically gets the same rights on all fields in the relation. However, you can restrict MODIFY rights by defining them only on specific fields you want users to be able to modify and thus remove the right from the relation entry.
view-name
The name of the view for which you want to change an ACL entry.
field-name
The name of the local field in a specified relation for which you want to change an ACL entry. Rights on a field are determined by the rights defined on the relation combined with those specified for the specific relation ACL.
sequence-number
A number that identifies the entry within the specified access control list whose protection you want to change. The default is one. If you specify a sequence number larger than the largest existing sequence number, Rdb/VMS returns an error message.
identifier
A VMS user identifier that identifies the entry within the specified
access control list whose protection you want to change. An
identifier can be any of the following:
o UIC identifier
You cannot specify more than one UIC identifier in a CHANGE
PROTECTION statement.
o General identifier
o System-defined identifier
access-right
An access right to be granted or denied to the user identified by UIC. The new version of the ACL entry you create with the CHANGE PROTECTION statement does not inherit any characteristics from the old version. When you change protection on a database element, you need to specify the entire entry, including all the access rights you want to deny. Request HELP on Access_rights to see a complete table of Rdb/VMS access rights.
More
You must have the CONTROL privilege to modify the access rights of
other users with the CHANGE PROTECTION statement.
An access control list (ACL) is attached to each database and
relation. Each list consists of entries that specify two items of
information:
o An identifier that specifies a user or set of users.
o A set of access rights. These rights specify what operations
that user or set of users can perform on the database or
relation.
The new version of the ACL entry you create with the CHANGE
PROTECTION statement does not inherit any characteristics from the
old version. When you change protection on a database element, you
need to specify the entire entry, including all the access rights you
want to deny.
When changing protection, observe the following rules:
o To change protection, you must first invoke the database that
includes the protection.
o If you specify two or more access rights, separate each by a plus
sign (+), but do not include any spaces. For example,
READ+WRITE.
o If the list of access rights exceeds one line in length, place
the list in quotation marks and use the continuation character
(hyphen). Otherwise, Rdb/VMS reads the carriage return as the
end of the list, and an error results:
cont> ACCESS "DEFINE+CHANGE+DELETE -
cont> +CONTROL+OPERATOR+ADMINISTRATOR"
Granting or revoking a privilege takes effect after the user detaches
and attaches to the database again.
You must execute the CHANGE PROTECTION statement in a read/write
transaction. If there is no active transaction and you issue this
statement, Rdb/VMS starts a read/write transaction implicitly.
Other users are allowed to be attached to the database when you issue
the CHANGE PROTECTION statement.
Examples
Example 1
You can change the protection in an access control list entry by
specifying an identifier:
RDO> CHANGE PROTECTION FOR DATABASE
cont> [GROUP1,SMITH]
cont> ACCESS NOCONTROL+NOOPERATOR+NOADMINISTRATOR.
This statement performs the following actions:
o Identifies the user whose protection you want to change. Here,
the user is identified by [GROUP1,SMITH].
o Changes the access rights to deny the user CONTROL, OPERATOR, and
ADMINISTRATOR privileges. All other privileges remain as you
defined them in the previous version of this ACL entry.
Example 2
You can identify the ACL entry by a sequence number:
RDO> CHANGE PROTECTION FOR DATABASE
cont> 4
cont> ACCESS WRITE+MODIFY+ERASE.
This statement performs the following actions:
o Identifies the entry by specifying sequence number 4. This
means that this statement will change the fourth entry in the
access control list for the database PERSONNEL.
o Changes the access rights by granting WRITE, MODIFY, and ERASE
access. All other rights remain as they were before.
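
The Format diagram and the rules listed under More can be checked mechanically when reviewing RDO scripts that alter ACL entries. The following Python parser is an added example, not part of the Rdb/VMS help text; the relation name EMPLOYEES in its sample is constructed, and treating a leading NO as a denied right is an assumption taken from Example 1.

```python
import re

# Grammar from the Format section: target, optional entry selector,
# ACCESS list, terminating period. Matching is case-insensitive.
STATEMENT = re.compile(r'''
    CHANGE\s+PROTECTION\s+FOR\s+
    (?P<target>DATABASE | RELATION\s+\S+ | VIEW\s+\S+
             | FIELD\s+\S+\s+IN\s+\S+)
    (?:\s+(?!ACCESS\b)(?P<selector>\S+))?
    \s+ACCESS\s+
    (?:"(?P<quoted>[^"]*)" | (?P<bare>[^\s".]+))
    \s*\.\s*$''', re.VERBOSE | re.IGNORECASE)

def parse_change_protection(text):
    """Parse one RDO CHANGE PROTECTION statement into its parts."""
    # Drop the interactive prompts shown in the help examples.
    body = re.sub(r'^[ \t]*(?:RDO>|cont>)[ \t]*', '', text.strip(), flags=re.M)
    m = STATEMENT.match(body)
    if not m:
        raise ValueError("not a well-formed CHANGE PROTECTION statement")
    rights = m['quoted'] if m['quoted'] is not None else m['bare']
    # A trailing hyphen continues a quoted list onto the next line.
    rights = re.sub(r'\s*-\s*\n\s*', '', rights)
    names = [r.upper() for r in rights.split('+')]
    if re.search(r'\s', rights) or not all(names):
        raise ValueError("access rights must be joined by '+' with no spaces")
    selector = m['selector'] or '1'      # sequence number defaults to one
    idents = [] if selector.isdigit() else selector.split('+')
    if sum(i.startswith('[') for i in idents) > 1:
        raise ValueError("only one UIC identifier is allowed")
    return {
        'target': ' '.join(m['target'].upper().split()),
        'sequence': int(selector) if selector.isdigit() else None,
        'identifiers': idents,
        # Assumption: a leading NO marks a denied right, as in Example 1.
        'granted': [n for n in names if n[:2] != 'NO'],
        'denied': [n[2:] for n in names if n[:2] == 'NO'],
    }

# Constructed sample: the page's multi-line ACCESS list attached to a
# hypothetical relation EMPLOYEES and the UIC from the first example.
SAMPLE = '''RDO> CHANGE PROTECTION FOR RELATION EMPLOYEES
cont> [ADMIN,JONES]
cont> ACCESS "DEFINE+CHANGE+DELETE -
cont> +CONTROL+OPERATOR+ADMINISTRATOR".'''

if __name__ == "__main__":
    print(parse_change_protection(SAMPLE))
```

An unquoted list that wraps onto a second line, or a list containing spaces, is rejected with ValueError, matching the error the rules describe.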