Security File Attributes

The file attributes SECURITYMODE, GROUP, SECURITYTYPE, SECURITYUSE, SECURITYGUARD, and ALTERNATEGROUPS enable you to control access to a disk file. The following discussion provides a brief description of the functions of these attributes. For information about how to use the FILEDATA utility to obtain the security attributes associated with existing files, see Security Uses of the FILEDATA Utility.

Note: It is recommended that you do not combine usage of the SECURITYMODE or ALTERNATEGROUPS attributes with the SECURITYTYPE and SECURITYUSE attributes for any given file. Combining usage of these attributes could produce unexpected results.

SECURITYMODE Attribute

The SECURITYMODE attribute is a mask of file permission flags that are used to specify the types of access available to the

  • Owner of the file

  • Members of a specific group

  • Other users on the system

Each type of user can have Read, Write, and Execute flags set to define their access privileges. These categories enable the user to more closely control access to files.

The SECURITYTYPE and SECURITYUSE attributes can also be used to control file access. However, it is recommended that you do not combine usage of the SECURITYMODE attribute with the SECURITYUSE and SECURITYTYPE attributes. Mixing usage of these attributes can produce unexpected results. For example, changing the value of either the SECURITYMODE or SECURITYTYPE attribute can cause the value of the other attribute to change as well.

The following table shows the relationship between the SECURITYTYPE and SECURITYUSE attributes and the SECURITYMODE attribute.

| Type of Access | Owner | Group | Other Users |
| --- | --- | --- | --- |
| Public (In) | Read, Write, Execute | Read, Execute | Read, Execute |
| Public (Out) | Read, Write, Execute | Write, Execute | Write, Execute |
| Public (IO) | Read, Write, Execute | Read, Write, Execute | Read, Write, Execute |
| Public (Secured) | Read, Write, Execute | Execute | Execute |
| Private | Read, Write, Execute | No access | No access |
| Guarded | Read, Write, Execute | Controlled by guard file | Controlled by guard file |
| Controlled | Controlled by guard file | Controlled by guard file | Controlled by guard file |

ALTERNATEGROUPS Attribute

The ALTERNATEGROUPS file attribute extends the capabilities of the SECURITYMODE attribute by providing the capability to

  • Associate several group codes with a file

  • Specify a different security mode value to be applied to each associated group

The effect of each groupcode and corresponding security mode value is identical to the effect of assigning that groupcode to the file's GROUP file attribute and assigning the corresponding security mode value to the file's GROUPRWX attribute.

The ALTERNATEGROUPS attribute can be used to block access to files from specified groups by giving those groups no access rights, assuming that the people in these restricted groups are not also in groups that are given more access.

For more information about the ALTERNATEGROUPS file attribute, refer to the File Attributes Programming Reference Manual.

SECURITYTYPE Attribute

This attribute specifies who, apart from the owner, can access the file. The attribute values are as follows.

| Attribute Value | Access Granted |
| --- | --- |
| PRIVATE | Only the owner can access the file. |
| PUBLIC | Anyone who knows the usercode and family name can access the file using the full file title, (USERCODE)<file name> ON <family> or *<file name> ON <family>. |
| GUARDED | Permission is required from the guard file, identified by the SECURITYGUARD attribute, before a user other than the owner can access the file. |
| CONTROLLED | Equivalent to GUARDED, except that the guard file is examined even for access attempts by the usercode that owns the file. |

The default value of the SECURITYTYPE attribute is PRIVATE for files created by programs that run under a usercode; otherwise, the value is PUBLIC.

The SECOPT (Security Options) system command enables you to change to PRIVATE the default value of the SECURITYTYPE attribute for files created by processes without any usercode associated with them. If the SECOPT command designates NONUSERFILES = PRIVATE, by default any file created by a process running without a usercode is a private file. The SECOPT command is described in Security Configuration.

SECURITYUSE Attribute

This attribute has an effect only when the SECURITYTYPE attribute is PUBLIC and a nonprivileged user attempts to access a file not under his or her usercode directory. Under these conditions, the SECURITYUSE attribute controls the use of the file, unless the SECURITYMODE or ALTERNATEGROUPS attributes are used to specify a more specific set of access permissions.

The SECURITYUSE attribute values are IN, IO, OUT, and SECURED. The default value of the attribute is IO. SECURITYUSE does not place any restrictions on the execution of a code file. The attribute values have the following effects.

| Value | Effect |
| --- | --- |
| IN | The file can be read only. |
| IO | The file can be both read and written to. |
| OUT | The file can be written to only. |
| SECURED | The file can be neither read from nor written to, but if it is a code file, it can still be executed. |

SECURITYGUARD Attribute

If SECURITYTYPE is GUARDED or CONTROLLED, then the SECURITYGUARD attribute specifies the title of the guard file that designates the users or programs that can access the file and specifies the access rights to the guarded file those users or programs have. The guard file is created with the GUARDFILE utility.

If SECURITYGUARD is not specified for a GUARDED or CONTROLLED file or if the specified guard file cannot be found on the specified pack, then the file is treated as PRIVATE. If the SECURITYTYPE is CONTROLLED and the guard file cannot be found, even the file owner is denied access to the file, if that owner is not privileged.

To obtain the names of all the files that are guarded by a specified guard file, use the FILEDATA utility. For more information, see Security Uses of the FILEDATA Utility.

Attribute Interactions

If a user or program running under a usercode attempts to access a file under the same usercode directory or a program running without a usercode attempts to access a file under the nonusercode (*) directory, and SECURITYTYPE does not equal CONTROLLED, the value of the SECURITYUSE attribute is ignored and complete access to the file is granted.

That is, the value of the SECURITYUSE attribute of a file is ignored for the owner of the file. A nonusercoded process can be considered the owner of a nonusercoded file.

If a user or program running under a usercode attempts to access a file under a different usercode directory or a program running without a usercode attempts to access a file under a usercode directory, file access depends on the values of the SECURITYTYPE and SECURITYUSE attributes, as follows.

| Value | Result |
| --- | --- |
| PRIVATE | No access is granted regardless of the value of the SECURITYUSE attribute. |
| PUBLIC | Access is determined by the value of the SECURITYUSE attribute. |
| GUARDED or CONTROLLED | Access is determined from data in the guard file specified by SECURITYGUARD, and SECURITYUSE is ignored. |

A security error is detected when some action contrary to the permitted usage is attempted.

Execution of a code file by a user other than the owner is permitted for a public file regardless of the value of the SECURITYUSE attribute. Execution is controlled for a guarded or controlled file by the data in the guard file. The security tests are applied to the usercode the process is running under, which might not be the usercode of the code file or of the parent task.

Considerations for Using the SECURITYMODE and ALTERNATEGROUPS Attributes

The SECURITYMODE attribute can be used to more finely control file access by enabling the owner of a file to restrict access permissions or to provide shared access to a group of users without having to set up a guard file.

The SECURITYMODE attribute is a superset of both the SECURITYTYPE and SECURITYUSE attributes. The mapping between these attributes has been described previously in this section and in greater detail in the File Attributes Reference Manual.

A single method of determining file access permissions is used by the system no matter which file attributes are specified. The following table is a simplified description that applies to files that do not have the ALTERNATEGROUPS attribute set.

| If . . . | Then . . . |
| --- | --- |
| The USERCODE of the process trying to open the file matches the value for the file owner. | The owner file access permissions are granted to the process. |
| The GROUP attribute of the file is set, and either the GROUPCODE attribute of the process, or one of its supplementary groups, matches the GROUP attribute of the file. | The group file access permissions are granted to the process. |
| The process does not match any of the security attributes. | The file access permissions defined for all other users are granted to the process. |

The following table provides the full description that applies to files whether or not they have the ALTERNATEGROUPS attribute set.

| Condition | Access Permission |
| --- | --- |
| 1. The USERCODE of the process matches the OWNER attribute of the file. | The owner access rights (OWNERRWX) are granted to the process. |
| 2. Condition 1 does not apply, but (a) the GROUP or ALTERNATEGROUPS attribute of the file is set and (b) the GROUPCODE, or one of the SUPPLEMENTARYGRPS, of the process matches the GROUP or one of the ALTERNATEGROUPS of the file. | The ALTERNATEGROUPS, GROUP, and GROUPRWX attributes combine to specify the permissions to the file. A match on the GROUP attribute grants the group access rights (GROUPRWX) to the process. A match on a groupcode in the ALTERNATEGROUPS attribute grants the permissions specified for that group in the ALTERNATEGROUPS attribute. The accesses granted by all group matches are cumulative: they are merged, and the merged set is granted to the process. |
| 3. Conditions 1 and 2 do not apply. | The access rights associated with the OTHERRWX subattribute are granted. |

The normal ACTOR/DECLARER model is applied when access privileges are verified.

Note: If the file is guarded or controlled, the access permissions specified by the guard file can further restrict the privileges granted by the SECURITYMODE and ALTERNATEGROUPS attributes.
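The following Python model is added here as an illustration of the decision procedure described in this section; it is not Unisys code and does not come from the original documentation. It encodes the SECURITYTYPE/SECURITYUSE mapping table, the three ordered conditions (owner match, cumulative group match, all other users), the rule that SECURITYUSE is ignored for the owner, and the deferral to the guard file for GUARDED and CONTROLLED files. Attribute names follow the page; the data classes, the GUARD sentinel, and the sample usercodes and groupcodes are assumptions of the example.

```python
"""Model of the file-access decision described in this section.

Constructed illustration, not Unisys code: attribute names follow the page; the
data classes, the GUARD sentinel and the sample identities are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

R, W, X = "R", "W", "X"
ALL = frozenset({R, W, X})
NONE = frozenset()
GUARD = "guard file"  # sentinel: the guard file named by SECURITYGUARD decides

Rwx = FrozenSet[str]

# SECURITYUSE -> permissions for users other than the owner on a PUBLIC file.
# Execute is never restricted by SECURITYUSE.
SECURITYUSE_RWX = {
    "IN": frozenset({R, X}),
    "OUT": frozenset({W, X}),
    "IO": ALL,
    "SECURED": frozenset({X}),
}


@dataclass(frozen=True)
class FileSecurity:
    owner: str                                    # usercode that owns the file
    securitytype: str = "PRIVATE"                 # PRIVATE | PUBLIC | GUARDED | CONTROLLED
    securityuse: str = "IO"                       # IN | IO | OUT | SECURED (default IO)
    group: Optional[str] = None                   # GROUP attribute
    securitymode: Optional[Tuple[Rwx, Rwx, Rwx]] = None  # (OWNERRWX, GROUPRWX, OTHERRWX)
    alternategroups: Dict[str, Rwx] = field(default_factory=dict)  # groupcode -> RWX


@dataclass(frozen=True)
class Process:
    usercode: str
    groupcode: Optional[str] = None
    supplementarygrps: FrozenSet[str] = frozenset()


def mode_from_type_and_use(securitytype: str, securityuse: str) -> Tuple[Rwx, Rwx, Rwx]:
    """The page's mapping table for files that carry no explicit SECURITYMODE."""
    if securitytype == "PRIVATE":
        return ALL, NONE, NONE
    if securitytype == "PUBLIC":
        public = SECURITYUSE_RWX[securityuse]
        return ALL, public, public
    raise ValueError(f"{securitytype}: group/other access is decided by the guard file")


def resolve_access(f: FileSecurity, p: Process):
    """Return the RWX set granted to process p, or GUARD when the guard file decides."""
    is_owner = p.usercode == f.owner

    # GUARDED: the owner bypasses the guard file, everyone else is subject to it.
    # CONTROLLED: the guard file is consulted even for the owner. SECURITYUSE is ignored.
    if f.securitytype in ("GUARDED", "CONTROLLED"):
        if f.securitytype == "CONTROLLED" or not is_owner:
            return GUARD
        return f.securitymode[0] if f.securitymode else ALL

    owner_rwx, group_rwx, other_rwx = f.securitymode or mode_from_type_and_use(
        f.securitytype, f.securityuse)

    # Condition 1: owner match -> OWNERRWX (SECURITYUSE is ignored for the owner).
    if is_owner:
        return owner_rwx

    # Condition 2: group matches. GROUP and every matching ALTERNATEGROUPS entry
    # contribute, and the grants are merged (cumulative).
    proc_groups = set(p.supplementarygrps)
    if p.groupcode:
        proc_groups.add(p.groupcode)
    granted, matched = set(), False
    if f.group is not None and f.group in proc_groups:
        granted |= group_rwx
        matched = True
    for groupcode, rwx in f.alternategroups.items():
        if groupcode in proc_groups:
            granted |= rwx
            matched = True
    if matched:
        return frozenset(granted)

    # Condition 3: no owner or group match -> OTHERRWX.
    return other_rwx


if __name__ == "__main__":
    # Constructed scenario: a payroll file shared read-only with group PAYROLL,
    # read/execute with AUDIT, and explicitly no access for CONTRACT.
    shared = FileSecurity(owner="PAY", securitytype="PUBLIC", group="PAYROLL",
                          securitymode=(ALL, frozenset({R}), NONE),
                          alternategroups={"AUDIT": frozenset({R, X}), "CONTRACT": NONE})
    for proc in (Process("PAY"), Process("AUD", groupcode="AUDIT"),
                 Process("BOB", groupcode="CONTRACT"),
                 Process("BOB", groupcode="CONTRACT", supplementarygrps=frozenset({"PAYROLL"}))):
        print(proc.usercode, sorted(resolve_access(shared, proc)))
```

The last case in the demo is the caveat from the ALTERNATEGROUPS discussion: a group given no access in ALTERNATEGROUPS does not block a user who also belongs, through a supplementary group, to a group that is granted more, because group grants are merged rather than intersected.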

Guard Files

A guard file is an extra level of security that describes the access rights of various users and programs for access to a program, data file, or database. When a file is protected by a guard file, the system examines the access rules in the guard file to determine the access to the protected file.

A privileged user or process bypasses the guard file for a GUARDED or CONTROLLED file. The file owner bypasses the guard file for a GUARDED file. A guard file cannot be assigned to a permanent directory.

You can use the same guard file to protect more than one file. In fact, you might consider creating several guard file templates that contain groups of access rules you commonly use. This might be useful in situations requiring progressively increased access restrictions that are defined by some standard or procedure.

The analysis of the guard file is governed by a first-match rule. When the guard file is examined to determine access rights to a file it is protecting, the search stops at the first rule that matches the process or identity (or both). The rule defines the access right for the process.

Two methods are available to create and manage guard files:

  • GUARDFILE utility

  • GuardFile Wizard, which is part of the File Access Management module of Security Center.

Some of the access rights that you can specify in a guard file are read only, write only, read and write, and execute only. Special access rights protect the contents of databases.
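The first-match rule described above decides guard-file outcomes by rule order, so a broad rule placed early can make a later, more specific rule unreachable. The following Python model is added here to show that effect and a review check for it; it is not Unisys code and does not reproduce real GUARDFILE syntax. The GuardRule class, the convention that None matches any usercode or program, the assumption that no matching rule means no access, and the sample usercodes and program titles are all constructed for the example.

```python
"""First-match evaluation of guard-file access rules, with a shadowing check.

Constructed illustration, not Unisys code or real GUARDFILE syntax: the GuardRule
class, the None-means-any convention, the default of no access when nothing
matches, and the sample usercodes and program titles are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence

R, W, X = "R", "W", "X"


@dataclass(frozen=True)
class GuardRule:
    usercode: Optional[str]   # None matches any usercode
    program: Optional[str]    # None matches any program title
    rights: FrozenSet[str]    # subset of {R, W, X}; empty set = no access


def matches(rule: GuardRule, usercode: str, program: str) -> bool:
    return ((rule.usercode is None or rule.usercode == usercode)
            and (rule.program is None or rule.program == program))


def guard_decision(rules: Sequence[GuardRule], usercode: str, program: str) -> FrozenSet[str]:
    """The page's first-match rule: the search stops at the first rule that matches
    the identity, the program, or both, and that rule defines the access right.
    No matching rule is treated here as no access (assumption of this example)."""
    for rule in rules:
        if matches(rule, usercode, program):
            return rule.rights
    return frozenset()


def shadowed_rules(rules: Sequence[GuardRule]) -> List[int]:
    """Indices of rules that can never be reached, because an earlier rule matches
    every usercode/program combination the later rule would match. Worth running
    over a rule list before relying on a deny rule placed late in it."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers_user = earlier.usercode is None or earlier.usercode == later.usercode
            covers_prog = earlier.program is None or earlier.program == later.program
            if covers_user and covers_prog:
                shadowed.append(j)
                break
    return shadowed


# Constructed rule sets. Specific rules first, then the broad ones.
WELL_ORDERED = [
    GuardRule("CONTRACTOR1", None, frozenset()),                  # deny one usercode outright
    GuardRule(None, "(PAY)REPORTGEN ON DISK", frozenset({R})),    # anyone, via the report program
    GuardRule("PAYCLERK", None, frozenset({R, W})),               # the clerk, from any program
]

# Same intent, but the broad rule was placed first, so the deny is dead.
BADLY_ORDERED = [
    GuardRule(None, None, frozenset({R})),
    GuardRule("CONTRACTOR1", None, frozenset()),
    GuardRule("PAYCLERK", None, frozenset({R, W})),
]

if __name__ == "__main__":
    for name, rules in (("well ordered", WELL_ORDERED), ("badly ordered", BADLY_ORDERED)):
        decision = guard_decision(rules, "CONTRACTOR1", "(PAY)REPORTGEN ON DISK")
        print(f"{name}: CONTRACTOR1 gets {sorted(decision) or 'no access'}; "
              f"unreachable rules: {shadowed_rules(rules)}")
```

Note that in the well-ordered list PAYCLERK running the report program receives only read access, because the program rule precedes the clerk's read/write rule and the search stops there; this is the first-match behaviour at work, not an error in the rules.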