Securing Diskfiles In the Guardian Environment
In the Guardian environment, each file has an owner and a security vector. By default, the owner of the file is the userid that created it and the security vector is the owner's default security as defined in their User Record.
By default, a file owner or the owner's group manager can give their files to another user, using the FUP GIVE command, and also change the file's security vector using the FUP SECURE command.
The four file operations controlled by the security vector are:
| READ | Determines who can read or copy any kind of file or who can execute a macro or OBEY an obey file. |
| WRITE | Determines who can modify the contents of a file. |
| EXECUTE | Determines who can execute a code 100 or 700 (object file) with the TACL RUN command. |
| PURGE | Determines who can delete, rename or FUP ALTER a file. |
The security settings are always displayed in this order: READ, WRITE, EXECUTE, PURGE (RWEP).
There are seven possible values for each operation. These values reflect who is allowed to perform the operation and whether or not the operation can be performed by someone on a remote node. The value is always a single character. The values are:
| LOCAL | REMOTE (Superset of local) | |
|---|---|---|
| File Owner | O (owner) | U (user) |
| File Owner's Group | G (group) | C (community) |
| Everyone | A (all users) | N (all network users) |
| Local SUPER.SUPER only | - (hyphen) |
 |
AFILE 255,255 SOMEFILE 200,100 - - - -
| |
In Example 1, only SUPER.SUPER can READ, WRITE, EXECUTE or PURGE either of the files. Notice that it does not matter who owns the file, if the security for any or all operations is a hyphen, then only SUPER.SUPER can perform that operation on the file.
| |
AFILE 255,255 UUUU
| |
In Example 2, only a network SUPER.SUPER can READ, WRITE, EXECUTE or PURGE the file because SUPER.SUPER owns the file.
| |
AFILE 255,255 GG-G
| |
In Example 3 , only a local SUPER.SUPER can execute this file, but the rest of the local SUPER group can READ, WRITE, OR PURGE the file.
| |
AFILE 200,100 CC-U
| |
In Example 4, only a local SUPER.SUPER can EXECUTE this file, only the owner, 200,100 can PURGE, but the rest of network group 200 can READ and WRITE the file.
| |
AFILE 200,100 OOOO
| |
In Example 5, only local user 200,100 can READ, WRITE, EXECUTE or PURGE the file.
| |
AFILE 200,100 NUNU
| |
In Example 6, only network user 200,100 can WRITE or PURGE, but all network users can READ or EXECUTE the file.
| |
AFILE 200,100 CUUO
| |
In Example 7 , user 200,100 can only PURGE the file when logged on locally, but can READ, WRITE or EXECUTE the file remotely. Users in group 200 can only READ the file, whether local or remote.
The Default Program
The DEFAULT program, is used to set the following parameters for User Records:
DEFAULT VOLUME
DEFAULT SECURITY
Please refer to Managing Userids in the Guardian System in Part Three.
