Files can also be protected by means of the basic access control list (BACL).
Only permanent files and work files on disks can be protected with a BACL; temporary files and tape files are not covered. A BACL lets you define any combination of access rights for each user class independently of the other classes; these combinations are then stored in the BACL.
The BACL takes effect for an object if no Guards protection has been defined for it. Password protection and the retention period remain effective.
User classes
In connection with access protection via a basic access control list, a distinction is made between three classes of users:
User class | Members |
---|---|
OWNER | The owner of an object, i.e. the user ID under which the file is cataloged, together with co-owners defined using the co-owner protection mechanism (see "Defining co-ownership (co-owners)"). |
GROUP | All user IDs in the user group to which the owner belongs, with the exception of the owner himself/herself and any co-owners; the group structure of the home pubset is checked. |
OTHERS | All other users, with the exception of the co-owners. |
Access rights
A BACL defines nine access authorizations for a file. Each of the user classes OWNER, GROUP and OTHERS can be separately assigned three access rights:
Read (R): The file may be read and copied.
Write (W): Data may be written to the file and the file may be overwritten. In contrast to the ACCESS attribute, BACL write access authorization does not automatically imply read access (data protection).
Execute (X): The file (program, procedure) may be executed.
None of these access rights subsumes any of the others.
Each of the attributes R, W, X may be set or not set. They are independent of each other and only applicable to the specified access mode. In particular, “R” does not need to be set as a prerequisite for “X”. Specifying NO-ACCESS for all user classes revokes all access rights for the owner, the owner's user group and all other user IDs.
The following tables show which values must be entered in the basic access control list for a file to achieve the same effect as the various values of the SHARE and ACCESS operands of the CATAL macro, or of the ACCESS and USER-ACCESS operands of the CREATE-FILE command.
Standard access control (CATAL macro) and the equivalent basic access control list (BACL):

ACCESS | SHARE | OWNER | GROUP | OTHERS |
---|---|---|---|---|
WRITE | NO | R W X | - - - | - - - |
WRITE | YES | R W X | R W X | R W X |
WRITE | SPECIAL | R W X | R W X | R W X |
READ | NO | R - X | - - - | - - - |
READ | YES | R - X | R - X | R - X |
READ | SPECIAL | R - X | R - X | R - X |
Standard access control (CREATE-FILE command) and the equivalent basic access control list (BACL):

ACCESS | USER-ACCESS | OWNER | GROUP | OTHERS |
---|---|---|---|---|
WRITE | OWNER-ONLY | R W X | - - - | - - - |
WRITE | ALL-USERS | R W X | R W X | R W X |
WRITE | SPECIAL | R W X | R W X | R W X |
READ | OWNER-ONLY | R - X | - - - | - - - |
READ | ALL-USERS | R - X | R - X | R - X |
READ | SPECIAL | R - X | R - X | R - X |
Evaluation of the Basic Access Control List
If the user ID requesting access is the (co-)owner of the object or belongs to systems support, the access rights stored under OWNER apply.
If the user ID belongs to the owner's user group then the access rights stored under GROUP apply.
For all other user IDs, the access rights stored under OTHERS apply.
Example
OWNER | GROUP | OTHERS |
---|---|---|
R W X | R W - | R - - |
The (co-)owner(s) of this file have read, write and execute access to the file. Members of the file owner's group have read and write access to the file. All other users have only read access to the file.
Notes
The software product SECOS must be used if the entries for all three user classes are to be evaluated (see the “SECOS” manual [8]).
User groups cannot be defined unless SECOS is being used. If SECOS is not used, existing entries in the GROUP user class are ignored and only the entries in the OWNER and OTHERS classes are evaluated.
However, with an eye to the possibility of using SECOS later on, it is a good idea to make the same entries for the GROUP user class as for the OTHERS user class.
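The evaluation rules above, the SECOS note, and the two equivalence tables, as an added executable model; this is illustration written for this page, not code from the BS2000 manuals. The data model, the function names and the `secos_active` / `guards_defined` flags are assumptions made here to make the rules runnable.

```python
from dataclasses import dataclass, field

OWNER, GROUP, OTHERS = "OWNER", "GROUP", "OTHERS"

@dataclass(frozen=True)
class Bacl:
    owner: str    # one R/W/X triple per user class, written as on the page, e.g. "R-X"
    group: str
    others: str

@dataclass
class FileEnv:
    """Constructed environment of one file (assumed model, not a BS2000 interface)."""
    file_owner: str
    co_owners: frozenset = frozenset()
    group_of: dict = field(default_factory=dict)  # user ID -> user group
    systems_support: frozenset = frozenset()
    secos_active: bool = True      # user groups exist only when SECOS is in use
    guards_defined: bool = False   # a GUARDS protection overrides the BACL

def user_class(uid, env):
    """User class under which the requesting user ID is evaluated."""
    if uid == env.file_owner or uid in env.co_owners or uid in env.systems_support:
        return OWNER
    grp = env.group_of.get(uid)
    # Without SECOS no user groups exist, so GROUP entries are never consulted.
    if env.secos_active and grp is not None and grp == env.group_of.get(env.file_owner):
        return GROUP
    return OTHERS

def effective_rights(bacl, uid, env):
    """R/W/X string that applies, or None when a GUARDS protection exists and the
    BACL is therefore not in effect (password and retention period still apply)."""
    if env.guards_defined:
        return None
    return {OWNER: bacl.owner, GROUP: bacl.group, OTHERS: bacl.others}[user_class(uid, env)]

def may(bacl, uid, env, right):
    # Rights are independent: W does not imply R, and X does not require R.
    rights = effective_rights(bacl, uid, env)
    return rights is not None and right in rights

def bacl_from_standard(access, share):
    """BACL with the same effect as CATAL ACCESS/SHARE (the CREATE-FILE
    USER-ACCESS names map onto the same rows of the tables above)."""
    share = {"OWNER-ONLY": "NO", "ALL-USERS": "YES"}.get(share, share)
    owner = "RWX" if access == "WRITE" else "R-X"
    rest = owner if share in ("YES", "SPECIAL") else "---"
    return Bacl(owner, rest, rest)
```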
Activating BACL protection
BACL protection is activated when there is a BACL entry for at least one user class.
In a Basic Access Control List, the READ, WRITE, EXECUTE access types (abbreviated to R, W and X) can be assigned for user classes as follows:
The operands BASACL, OWNERAR, GROUPAR and OTHERAR of the CATAL macro are used to set BACL protection on the macro level. Any specification of an operand without an operand value is ignored.
On the command level, BACL is activated by the BASIC-ACL operand of the CREATE-FILE(-GROUP) and MODIFY-FILE(-GROUP)-ATTRIBUTES commands.
Deactivating BACL protection
Existing BACL protection can be canceled by means of an explicit specification (in the CATAL macro or MODIFY-FILE(-GROUP)-ATTRIBUTES command). If a higher protection level (GUARDS) is activated, the protection provided via the BACL is ignored.