Privileges grant a user the ability to do things a typical user cannot. Privileges are required, for example, to set the system time, to examine the system security logs, or to read any file regardless of its protection.
The most basic user accounts have only the TMPMBX and NETMBX privileges, which are adequate for most ordinary purposes. Your system manager will grant additional privileges on an as-needed basis.
For reference, the full list of privileges (taken from OpenVMS VAX version V7.3) is as follows:
| Privilege | Description |
| --- | --- |
| ACNT | may suppress accounting messages |
| ALLSPOOL | may allocate spooled device |
| ALTPRI | may set any priority value |
| AUDIT | may direct audit to system security audit log |
| BUGCHK | may make bug check log entries |
| BYPASS | may bypass all object access controls |
| CMEXEC | may change mode to exec |
| CMKRNL | may change mode to kernel |
| DIAGNOSE | may diagnose devices |
| DOWNGRADE | may downgrade object secrecy |
| EXQUOTA | may exceed disk quota |
| GROUP | may affect other processes in same group |
| GRPNAM | may insert in group logical name table |
| GRPPRV | may access group objects via system protection |
| IMPERSONATE | may impersonate another user |
| IMPORT | may set classification for unlabeled object |
| LOG_IO | may do logical i/o |
| MOUNT | may execute mount acp function |
| NETMBX | may create network device |
| OPER | may perform operator functions |
| PFNMAP | may map to specific physical pages |
| PHY_IO | may do physical i/o |
| PRMCEB | may create permanent common event clusters |
| PRMGBL | may create permanent global sections |
| PRMMBX | may create permanent mailbox |
| PSWAPM | may change process swap mode |
| READALL | may read anything as the owner |
| SECURITY | may perform security administration functions |
| SETPRV | may set any privilege bit |
| SHARE | may assign channels to non-shared devices |
| SHMEM | may create/delete objects in shared memory |
| SYSGBL | may create system wide global sections |
| SYSLCK | may lock system wide resources |
| SYSNAM | may insert in system logical name table |
| SYSPRV | may access objects via system protection |
| TMPMBX | may create temporary mailbox |
| UPGRADE | may upgrade object integrity |
| VOLPRO | may override volume protection |
| WORLD | may affect other processes in the world |

Note: On older versions of OpenVMS, the IMPERSONATE privilege was called DETACH. Historically, it was used to create detached processes under the User Identification Code (introduced in the next section) of another user. Over time, the power granted by DETACH grew until a name change to IMPERSONATE was warranted.