Accesscode Grouping Mechanisms

In some situations, you might want to treat two or more users as a group using accesscodes, to grant all the members of that group common access to certain files.

Form working groups of users with accesscodes in the following ways:

  • Assign each user in the group a unique usercode and a commonly shared accesscode. The group is defined in terms of this shared accesscode. An appropriate guard file grants members access to files “owned” by the group.

  • Assign all members of the group the same usercode; each user in the group then has access to unguarded files stored under the shared usercode. The common usercode has a list of accesscodes associated with it, one accesscode for each member of the group, and these accesscodes are used to provide individual “ownership” of files.

Descriptions of how to implement each method follow.

Group Accesscode

Each user in the group has a unique usercode, and the group is defined in terms of a commonly shared accesscode. To make any file a group file—that is, one that all members of the group can access—attach to the file a guard file designating the group's shared accesscode.

For example, suppose the three users User1, User2, and User3 with usercodes USER1, USER2, and USER3, respectively, are to be a group with common access to certain files associated with a project they are working on. In the USERDATAFILE, each of the users has the same accesscode, PROJECT1, assigned to his or her individual usercode.

Assigning an Accesscode

To assign the accesscode, take the following steps:

  1. Run MAKEUSER.

  2. To assign User1 the accesscode PROJECT1, enter

    USER USER1 ACCESSCODELIST = PROJECT1;
  3. Enter the same statement for User2 and User3, changing the usercode each time, so that each of the three usercodes is assigned PROJECT1 as an accesscode.

  4. End the MAKEUSER session by entering

    END

Creating a Guard File

The next task is to create a guard file. Use the MCP File Access Management module of Security Center to create a guard file. For the procedure, see the Security Center Help.

You can also use CANDE to create a guard file by performing the following steps:

  1. Enter

    RUN $SYSTEM/GUARDFILE; FILE GUARD(TITLE=PROJECT1/GUARD/FILE)

    For this example, PROJECT1/GUARD/FILE is the file name of the guard file that is created. In general, you can enter any valid file name or file title in its place.

  2. Once SYSTEM/GUARDFILE is running, a question mark (?) prompt appears. Enter

    ACCESSCODE PROJECT1 = READWRITE;

    This statement grants any user logged on under the accesscode PROJECT1 read and write access to any file that has this guard file attached to it.

  3. To end the guard file program and display a summary of the guard file that is created, enter

    ?END

The guard file PROJECT1/GUARD/FILE must be attached to any files shared in common by the group. For example, if a file named ACCOUNTS is to be a group file, enter the following CANDE statement to attach the guard file to the file ACCOUNTS:

SECURITY ACCOUNTS GUARDED (<usercode>)PROJECT1/GUARD/FILE

When a guard file is attached, the family name of the guard file must be specified if that file is on a family that is not accessible through the family substitution designated for the user attaching the guard file. Similarly, the usercode directory of the guard file must be specified if the guard file does not belong to the user attaching it.

To attach the guard file to a different file, substitute the name of that file for ACCOUNTS.

Only the owner of a file—the person under whose usercode directory the file is saved (or a process running under that usercode)—can attach a guard file to that file.

Any user can attach any guard file to one of his or her own files, regardless of whether the guard file belongs to someone else and is a private file. This procedure enables each member of the group to add new group files by attaching the group guard file. Group members need only know the full file title of the group guard file, including usercode and family name.

Commonly Shared Usercode

This method of creating a group entity requires that all users in the group share the same usercode; therefore, each user in the group has access to unguarded files stored under the shared usercode. The common usercode has a list of accesscodes associated with it: one accesscode for each member of the group.

Each user in the group knows his or her own accesscode but not the accesscodes of the other group members. Because every member can already reach the unguarded files under the shared usercode, additional action is needed only to keep the files of an individual group member private from the rest of the group.

In cases where access to a file is to be limited to a single member of the group, take the following steps:

  1. Assign CONTROLLED to the SECURITYTYPE attribute of the file.

  2. Attach to the file a guard file that designates the accesscode of the appropriate group member as having sole access to the file.

For example, suppose the three users Johnson, Harris, and Arnold share a common usercode for the purpose of database maintenance. The following steps define a common usercode, and for each group member, associate an accesscode and accesscode password with the usercode:

  1. Run MAKEUSER.

  2. Define DATABASEMAINT as a usercode with the password MINUET by entering the following statement:

    +USER DATABASEMAINT MINPW = 1 PASSWORD = MINUET;
  3. Enter any other pertinent USERDATAFILE information for the usercode, such as the family name.

  4. Assign three accesscodes, JOHNSON, HARRIS, and ARNOLD, and associated accesscode passwords CHUCKLES, FLIPPER, and JUMP, respectively, by entering

    ACCESSCODELIST = JOHNSON/CHUCKLES, HARRIS/FLIPPER, ARNOLD/JUMP;
  5. End the MAKEUSER session by entering END.

Each user must be told his or her accesscode and accesscode password, but is not told the accesscode passwords of the other users.

When a user wants to keep a file private from the other members of the group, he or she assigns the value CONTROLLED to the SECURITYTYPE attribute of the file and attaches an appropriate guard file to the controlled file. The user can attach this guard file to each file he or she wants to keep private.

Access to a controlled file is granted according to access rights designated in the guard file attached to the controlled file. This access checking is performed for all users, including those users and processes running under the usercode that owns the file.

For example, suppose user Harris wants to keep his file STATUS/REPORT private from other members of the DATABASEMAINT group. The first task is to create an appropriate guard file. In CANDE, take the following steps:

  1. Enter

    RUN $SYSTEM/GUARDFILE; FILE GUARD(TITLE = HARRIS/PRIVATE/GUARD)

    For this example, Harris has titled the guard file that protects his files HARRIS/PRIVATE/GUARD. In general, the user could specify any valid file name or file title in its place.

  2. Once SYSTEM/GUARDFILE is running, a question mark (?) prompt appears. Harris could respond with the following statement:

    USERCODE DATABASEMAINT USING ACCESSCODE HARRIS = READWRITE;

    This entry assigns file access only to users or processes under the DATABASEMAINT usercode and the HARRIS accesscode.

    Designating the usercode as well as accesscode denies file access to users with different usercodes but with HARRIS as an accesscode.

  3. End the guard file program and display a summary of the guard file that is created by entering the following command:

    ?END

Harris can attach this guard file to any file that he wants to keep private from other users. To attach the guard file to STATUS/REPORT, Harris could use the following CANDE statement:

SECURITY STATUS/REPORT CONTROLLED (<usercode>)HARRIS/PRIVATE/GUARD
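The access decisions that both methods above depend on (a shared-accesscode guard file attached with GUARDED in the group accesscode method, and a usercode-plus-accesscode guard file attached to a CONTROLLED file in the shared usercode method) can be modelled as a small policy evaluator. The following Python is an added illustration written for this page, not MCP code and not taken from Unisys documentation. It parses only the two guard-file statement forms shown in this section; the usercode-only form, the first-matching-rule-wins behaviour and the no-match-means-deny default are assumptions of the model, and the file titles, the OTHERUC usercode and the HARRIS/LOOSE/GUARD file are constructed sample data.

```python
"""Model of how MCP guard files decide access (added illustration, not MCP code).

Statement forms parsed: the two shown in this section,
    ACCESSCODE <accesscode> = <rights>;
    USERCODE <usercode> USING ACCESSCODE <accesscode> = <rights>;
plus the usercode-only form USERCODE <usercode> = <rights>; (assumed).
Matching semantics are assumptions of the model: a rule that omits the usercode
matches any usercode, one that omits the accesscode matches any accesscode, the
first matching rule decides, and no matching rule means no access.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RIGHTS = {
    "NONE": frozenset(),
    "READ": frozenset({"READ"}),
    "WRITE": frozenset({"WRITE"}),
    "READWRITE": frozenset({"READ", "WRITE"}),
}

_STATEMENT = re.compile(
    r"^\s*(?:USERCODE\s+(?P<uc>\S+))?\s*(?:USING\s+)?"
    r"(?:ACCESSCODE\s+(?P<ac>\S+))?\s*=\s*(?P<rights>NONE|READ|WRITE|READWRITE)\s*;\s*$"
)


@dataclass(frozen=True)
class Rule:
    rights: str
    usercode: Optional[str] = None    # None: any usercode
    accesscode: Optional[str] = None  # None: any accesscode

    def matches(self, usercode: Optional[str], accesscode: Optional[str]) -> bool:
        return ((self.usercode is None or self.usercode == usercode)
                and (self.accesscode is None or self.accesscode == accesscode))


@dataclass
class GuardFile:
    title: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class MCPFile:
    title: str
    owner: str          # usercode directory the file is saved under
    securitytype: str   # PRIVATE, GUARDED or CONTROLLED
    guard: Optional[GuardFile] = None


def parse_guard_file(title: str, text: str) -> GuardFile:
    """Build a GuardFile from statements of the kind typed at SYSTEM/GUARDFILE's ? prompt."""
    rules = []
    for line in text.strip().splitlines():
        m = _STATEMENT.match(line)
        if m is None or (m["uc"] is None and m["ac"] is None):
            raise ValueError(f"unrecognised guard statement: {line!r}")
        rules.append(Rule(m["rights"], m["uc"], m["ac"]))
    return GuardFile(title, rules)


def guard_rights(guard: GuardFile, usercode: str, accesscode: Optional[str]) -> frozenset:
    for rule in guard.rules:
        if rule.matches(usercode, accesscode):
            return RIGHTS[rule.rights]
    return RIGHTS["NONE"]


def access(f: MCPFile, usercode: str, accesscode: Optional[str], want: str) -> bool:
    """True if a process logged on as (usercode, accesscode) may READ or WRITE f."""
    if f.securitytype == "CONTROLLED":
        # Guard file consulted for everyone, the owning usercode included.
        return want in guard_rights(f.guard, usercode, accesscode)
    if usercode == f.owner:
        return True     # owner keeps access to its PRIVATE and GUARDED files
    if f.securitytype == "GUARDED":
        return want in guard_rights(f.guard, usercode, accesscode)
    return False        # PRIVATE: nobody else


# Group accesscode method: USER1 owns ACCOUNTS, guarded by PROJECT1/GUARD/FILE.
PROJECT1_GUARD = parse_guard_file("(USER1)PROJECT1/GUARD/FILE",
                                  "ACCESSCODE PROJECT1 = READWRITE;")
ACCOUNTS = MCPFile("(USER1)ACCOUNTS", "USER1", "GUARDED", PROJECT1_GUARD)

# Shared usercode method: Harris keeps STATUS/REPORT private with a CONTROLLED guard.
HARRIS_GUARD = parse_guard_file("(DATABASEMAINT)HARRIS/PRIVATE/GUARD",
                                "USERCODE DATABASEMAINT USING ACCESSCODE HARRIS = READWRITE;")
STATUS_REPORT = MCPFile("(DATABASEMAINT)STATUS/REPORT", "DATABASEMAINT", "CONTROLLED", HARRIS_GUARD)

# Two weaker variants (constructed) showing what each precaution buys.
STATUS_REPORT_ONLY_GUARDED = MCPFile(STATUS_REPORT.title, "DATABASEMAINT", "GUARDED", HARRIS_GUARD)
LOOSE_GUARD = parse_guard_file("(DATABASEMAINT)HARRIS/LOOSE/GUARD", "ACCESSCODE HARRIS = READWRITE;")
STATUS_REPORT_LOOSE = MCPFile(STATUS_REPORT.title, "DATABASEMAINT", "CONTROLLED", LOOSE_GUARD)


def decisions() -> dict:
    """Access decisions for the scenarios above, keyed by a short label."""
    return {
        "USER2 with PROJECT1 writes ACCOUNTS": access(ACCOUNTS, "USER2", "PROJECT1", "WRITE"),
        "USER2 without PROJECT1 reads ACCOUNTS": access(ACCOUNTS, "USER2", None, "READ"),
        "owner USER1 reads ACCOUNTS": access(ACCOUNTS, "USER1", None, "READ"),
        "Harris reads STATUS/REPORT": access(STATUS_REPORT, "DATABASEMAINT", "HARRIS", "READ"),
        "Johnson reads STATUS/REPORT": access(STATUS_REPORT, "DATABASEMAINT", "JOHNSON", "READ"),
        "Johnson reads it if only GUARDED": access(STATUS_REPORT_ONLY_GUARDED, "DATABASEMAINT", "JOHNSON", "READ"),
        "OTHERUC with accesscode HARRIS, strict guard": access(STATUS_REPORT, "OTHERUC", "HARRIS", "READ"),
        "OTHERUC with accesscode HARRIS, loose guard": access(STATUS_REPORT_LOOSE, "OTHERUC", "HARRIS", "READ"),
    }


if __name__ == "__main__":
    for label, allowed in decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The two "weaker variant" rows are the point of the model. Leaving STATUS/REPORT as GUARDED instead of CONTROLLED lets Johnson read it, because every member of the group runs under the owning usercode DATABASEMAINT and an owner bypasses a GUARDED file's guard; only CONTROLLED forces the guard check on the owner. Naming only ACCESSCODE HARRIS in the guard file lets any other usercode that happens to have been assigned an accesscode HARRIS through, which is why Harris's guard names the usercode as well.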

Suggestions for Grouping Users

Of the three grouping methods, the GROUPCODE method (not covered in this section) is the preferred method because it provides greater security protection. This greater protection derives from the fact that usercodes and groups are unique, so the actions of any single member of the group can be audited.

The second method, the group accesscode, also relies on the unique nature of usercodes and therefore also permits auditing of every member of the group.

The third method, the commonly shared usercode, permits auditing only of the actions of the group as a whole. If one group member is acting in a way that threatens system security, it might be impossible, from auditing the system log, to pinpoint the individual.

Regardless of which method is used to permit group access to files, the FILEDATA utility enables you to keep track of which files are guarded by a specified guard file. See Security Uses of the FILEDATA Utility for a description of this feature.