VMS Help  —  SET  SECURITY  Qualifiers

1    /ACL

       /ACL[=(ace[,...])]

    Identifies one or more access control list entries (ACEs) to
    add, replace, or delete. Enclose each ACE in parentheses and
    separate multiple ACEs by commas (,).  The most common type of
    entry, the Identifier ACE, has the format (IDENTIFIER=identifier,
    ACCESS=access-type(+...)). By default, SET SECURITY adds an ACE
    to the top of the ACL. This behavior changes when you include one
    of the positional qualifiers: /AFTER, /DELETE, or /REPLACE. See
    the discussion of ACL ordering in the VSI OpenVMS Guide to System
    Security.

2    /AFTER

       /AFTER=ace

    Positions all ACEs specified with the /ACL qualifier after the
    ACE named with the /AFTER qualifier.

3    /BACKUP

    Modifies the time value provided with the /BEFORE or the /SINCE
    qualifier. The /BACKUP qualifier selects files according to the
    date of their most recent backup (rather than by the creation,
    expiration, or modification date). By default, SET SECURITY
    selects files according to their creation date.

4    /BEFORE

       /BEFORE[=time]

    Selects only those files dated prior to the specified time.
    You can specify time as absolute time, as a combination of
    absolute and delta times, or as one of the following keywords:
    BOOT, LOGIN, TODAY (default), TOMORROW, or YESTERDAY. Specify
    the /CREATED or the /MODIFIED qualifier to indicate the time
    attribute to be used as the basis for selection. The /CREATED
    qualifier is the default.

    For complete information on specifying time values, see the
    OpenVMS User's Manual or the online help topic Date.

5    /BY_OWNER

       /BY_OWNER[=uic]

    Selects files whose owner's UIC matches the UIC specified. The
    default UIC is that of the current process.

6    /CLASS

       /CLASS=class-name

    Specifies the class of the object whose profile is to be
    modified. By default, the command assumes the object class is
    FILE.

7    /CONFIRM

    Controls whether SET SECURITY prompts for verification before
    performing the operation. Valid responses are YES, NO, TRUE, and
    FALSE. Answers are not case sensitive and can be abbreviated to
    one letter. To stop processing the command at any point, type
    QUIT or press Ctrl/Z. To cancel the verification procedure but to
    proceed with the command, type ALL.

8    /COPY_ATTRIBUTE

       /COPY_ATTRIBUTE=(keyword[,...])

    Specifies a subset of security elements to transfer from a source
    object to a target object. Valid keywords include the following:

    Keyword        Description

    ALL            Copy all security elements
    (default)
    ACL            Copy the access control list
    OWNER          Copy the owner
    PROTECTION     Copy the protection code

    Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier. For
    example, you can create an ACL for an object and then copy its
    ACL to new objects.

9    /CREATED

    Modifies the time value specified with the /BEFORE or the /SINCE
    qualifier. The /CREATED qualifier selects files according to the
    date they were created (rather than by the backup, expiration,
    or modification date). By default, SET SECURITY selects files
    according to their creation date.

10    /DELETE

       /DELETE[=ALL]

    Deletes ACEs according to the following rules:

    o  The expression /ACL=aces/DELETE deletes the named ACEs.

    o  The expression /ACL/DELETE deletes all unprotected ACEs.

    o  The expression /ACL/DELETE=ALL deletes all ACEs including
       protected ACEs.

    o  The expression /ACL=aces/DELETE=ALL deletes the existing ACL
       (if any) and create a new ACL with the ACEs specifies on the
       /ACL qualifier.

11    /DEFAULT

    Regenerates the security profile of a file. The default qualifier
    changes the protection code, the ACL, and the owner elements of a
    file to what it would be if the file had just been created. The
    profile is recreated according to the following rules:

    o  The protection code is propagated from the default protection
       ACE on the directory (if one exists), or else it is propagated
       from the process default.

    o  The ACL is propagated from the parent directory for those ACEs
       that have the default option.

    o  The owner is set to the owner of the parent directory.

    With subdirectory files, SET SECURITY assigns the owner,
    protection, and ACL elements of the parent directory.

    SET SECURITY does not copy any ACE on the source object if the
    ACE holds the nopropagate attribute nor does it change any ACE
    on the target object if the ACE holds the protected attribute. To
    apply new elements to all versions of the file, specify ;* in the
    object name. See the VSI OpenVMS Guide to System Security for more
    information on propagation rules.

12    /EDIT

    Invokes the access control list editor (ACL editor) and allows
    you to modify an ACL interactively. The ACL editor does not allow
    the asterisk (*)  and the percent sign (%) wildcard characters
    in an object name. You must specify the object whose ACL you are
    editing.

    The /EDIT qualifier must be the first qualifier on the command
    line; other qualifiers can include /CLASS and, if the class is
    SECURITY_CLASS, you can include the /PROFILE qualifier. Whenever
    an object does not belong to the FILE class, you also need to
    specify /CLASS.

    See the ACL editor in the VSI OpenVMS System Management Utilities
    Reference Manual for more information.

13    /EXCLUDE

       /EXCLUDE=(filespec[,...])

    Excludes the specified files from the SET SECURITY operation.
    You can include a directory, but not a device, in the file
    specification. You cannot use relative version numbers to exclude
    a specific version.

14    /EXPIRED

    Modifies the time specified with the /BEFORE or the /SINCE
    qualifier. The /EXPIRED qualifier selects files according to
    their expiration dates rather than by the backup, creation,
    or modification date. (The expiration date is set with the SET
    FILE/EXPIRATION_DATE command.) By default, files are selected
    according to their creation date.

15    /LIKE

       /LIKE=(NAME=source-object-name
     [,CLASS=source-object-class]  [,PROFILE=TEMPLATE=template-name])

    Identifies the object from which SET SECURITY should copy
    security elements. The /LIKE qualifier replaces an object's
    existing elements with those of the source object. Nopropagate
    ACEs are not transferred and protected ACEs on the target object
    are not deleted. Use the /COPY_ATTRIBUTE qualifier with the /LIKE
    qualifier to copy an object's elements. See the VSI OpenVMS Guide
    to System Security for information about the special handling of
    protected and nopropagate ACEs.

    The object class of the source object defaults to the class of
    the target object. When the /CLASS qualifier is omitted, the
    CLASS keyword defaults to FILE.

    The PROFILE keyword applies to security class objects. It
    identifies which template of the security class you want to copy
    and modify. See /PROFILE for more information.

16    /LOG

    Controls whether the SET SECURITY command displays the name of
    the object that has been modified by the command. The qualifier
    is invalid with the /EDIT qualifier.

17    /MODIFIED

    Modifies the time value specified with the /BEFORE or the /SINCE
    qualifier. The /MODIFIED qualifier selects files according to
    the dates on which they were last modified, rather than by the
    backup, creation, or expiration date. By default, files are
    selected according to their creation date.

18    /OWNER

       /OWNER=identifier

    Requires GRPPRV (group privilege) to set the owner to another
    member of the same group. Requires SYSPRV (system privilege) to
    set the owner to any user identification code (UIC) outside your
    group.

    Modifies the owner element of an object. Specify the user
    identification code (UIC) or general identifier in the standard
    format. Modifying the owner element of a file usually requires
    privileges. See the VSI OpenVMS Guide to System Security for more
    information.

19    /PROFILE

       /PROFILE=TEMPLATE[=template-name]

    Identifies which template profile of a security class object
    you want to modify. All object classes except FILE have at
    least one template profile. These template profiles define the
    basis of the profile of new objects. Use the DCL command SHOW
    SECURITY/CLASS=SECURITY_CLASS to display template names. When no
    value is given for template-name, SET SECURITY uses the template
    named DEFAULT.

    Include the /CLASS=SECURITY_CLASS qualifier to identify which
    profile you want to modify.

20    /PROTECTION

       /PROTECTION=(ownership[:access][,...])

    Cannot be used to change the protection on a file by using DECnet
    software.

    Modifies the protection code of an object. The protection code
    defines the type of access allowed to users, based on their
    relationship to the object's owner.

    Specify the ownership parameter as system (S),  owner (O), group
    (G),  or world (W).

    Access types are class specific and are shown in the following
    table. For access, use the first letter of the access name.

        Object Class         Access Types

        CAPABILITY (VAX      Use, Control
        only)
        COMMON_EVENT_FLAG_   Associate, Delete, Control
        CLUSTER
        DEVICE               Read, Write, Physical, Logical, Control
        FILE (including      Read, Write, Execute, Delete, Control
        directory file)
        GROUP_GLOBAL_        Read, Write, Execute, Control
        SECTION
        LOGICAL_NAME_TABLE   Read, Write, Create, Delete, Control
        QUEUE                Read, Submit, Manage, Delete, Control
        RESOURCE_DOMAIN      Read, Write, Lock, Control
        SECURITY_CLASS       Read, Write, Control, Logical I/O,
                             Physical I/O
        SYSTEM_GLOBAL_       Read, Write, Execute, Control
        SECTION
        VOLUME               Read, Write, Create, Delete, Control

21    /REPLACE

       /REPLACE=(ace[,...])

    Eliminates entries listed with the /ACL qualifier and adds
    entries listed with the /REPLACE qualifier. SET SECURITY inserts
    the entries listed with /REPLACE in the position of the last
    deleted ACE.

22    /SECRECY

    Reserved for use by VSI.

23    /SINCE

       /SINCE[=time]

    Selects only those files dated on or after the specified time.
    You can specify time as absolute time, as a combination of
    absolute and delta times, or as one of the following keywords:
    BOOT, JOB_LOGIN, LOGIN, TODAY (default), TOMORROW, or YESTERDAY.
    Specify the /CREATED or the /MODIFIED qualifier to indicate
    the time attribute to be used as the basis for selection. The
    /CREATED qualifier is the default.

    For complete information on specifying time values, see the
    OpenVMS User's Manual or the online help topic Date.

24    /STYLE

       /STYLE=keyword

    Specifies the file name format for display purposes.

    The valid keywords for this qualifier are CONDENSED and EXPANDED.
    Descriptions are as follows:

    Keyword     Explanation

    CONDENSED   Displays the file name representation of what is
    (default)   generated to fit into a 255-length character string.
                This file name may contain a DID or FID abbreviation
                in the file specification.
    EXPANDED    Displays the file name representation of what is
                stored on disk. This file name does not contain any
                DID or FID abbreviations.

    The keywords CONDENSED and EXPANDED are mutually exclusive. This
    qualifier specifies which file name format is displayed in the
    output message, along with the confirmation if requested.

    File errors are displayed with the CONDENSED file specification
    unless the EXPANDED keyword is specified.

    See the VSI OpenVMS System Manager's Manual, Volume 1: Essentials
    for more information.

25    /SYMLINK

       /SYMLINK=keyword

    The valid keywords for this qualifier are [NO]WILDCARD and
    [NO]ELLIPSIS. Descriptions are as follows:

    Keyword     Explanation

    WILDCARD    Indicates that symlinks are enabled during wildcard
                searches.
    NOWILDCARD  Indicates that symlinks are disabled during directory
                wildcard searches.
    ELLIPSIS    Equivalent to WILDCARD (included for command
                symmetry).
    NOELLIPSIS  Indicates that symlinks are matched for all wildcard
                fields except for ellipsis.

    If the file named in the SET SECURITY command is a symlink, the
    command operates on the symlink itself.
Close Help