1  SUBSYSTEM_ACE

   Grants additional identifiers to a process while it is running
   the image to which the Subsystem ACE applies. Users with execute
   access to the image can access objects that are in the protected
   subsystem, such as data files and printers, but only when they
   run the subsystem images. The Subsystem ACE applies to executable
   images only.

   An example of a Subsystem ACE is as follows:

   (SUBSYSTEM, IDENTIFIER=ACCOUNTING)

   Format

     (SUBSYSTEM,[OPTIONS=attribute[+attribute...],]IDENTIFIER=identifier

     [,ATTRIBUTES=attribute[+attribute...]] [,IDENTIFIER=identifier

     [,ATTRIBUTES=attribute[+attribute...]],...])
 

2  Parameters
 

options

   Specify any of the following attributes:

   Protected    Protects the ACE against casual deletion. Protected
                ACEs can be deleted only in the following ways:

                o  By using the ACL editor

                o  By specifying the ACE explicitly when deleting it

                   Use the command SET SECURITY/ACL=(ace)/DELETE to
                   specify and delete an ACE.

                o  By deleting all ACEs, both protected and
                   unprotected

                   Use the command SET SECURITY/ACL/DELETE=ALL to
                   delete all ACEs.

                The following commands do not delete protected ACEs:

                   SET SECURITY/ACL/DELETE
                   SET SECURITY/LIKE
                   SET SECURITY/DEFAULT

   Nopropagate  Indicates that the ACE cannot be copied by
                operations that usually propagate ACEs. For example,
                the ACE cannot be copied by the SET SECURITY/LIKE or
                SET SECURITY/DEFAULT commands.
   None         Indicates that no attributes apply to an entry.
                Although you can create an ACL entry with
                OPTIONS=None, the attribute is not displayed.
                Whenever you specify additional attributes with
                the None attribute, the other attributes take
                precedence. The None attribute is equivalent to
                omitting the field.
 

identifier

   A general identifier specifying the users or groups of users who
   are allowed or denied access to an object. It is an alphanumeric
   string of 1 through 31 characters, containing at least one
   alphabetic character. It can include the letters A to Z, dollar
   signs ($),  underscores (_), and the numbers 0 to 9. For more
   information, see the OpenVMS Guide to System Security.

   A Subsystem ACE can have multiple pairs of identifiers, with
   special attributes assigned to the identifiers. A subsystem might
   require several identifiers to work properly. For example:

(SUBSYSTEM,IDENTIFIER=MAIL_SUBSYSTEM,ATTRIBUTE=NONE,IDENTIFIER=BLDG5,ATTRIBUTE=NONE)
 

attribute

   The identifier characteristics you specify when you add
   identifiers to the rights list or grant identifiers to users.
   You can specify the following attribute:

   Resource       Allows holders of the identifier to charge disk
                  space to the identifier. Used only for file
                  objects.