The approach to implementation forms the basis for a practical default protection setting. The users themselves are the people who must decide which protection attribute default values are to apply to which files and then implement this decision in practice.
Two steps are necessary in order to define a user-specific default setting:
Define the protection attribute default values in attribute guards (guard type: DEFPATTR).
Link the defined protection attribute default values with the object names to which the protection attribute default values are to apply. This link must be established in the form of rules in guards of type DEFAULTP. Guards of this type are known as rule containers.
A further, optional step may be required if the system administration decides to specify a pubset-global default protection setting:
Define user and group IDs which can be used to complete object path names in a pubset (guard type: DEFPUID). This allows system administrators to restrict the assignment of default values to those objects which are created under the specified IDs.
This step can be omitted if it is not necessary to differentiate between the objects on the basis of a user ID in the path name.
Examples of a conceptual basis for implementation
Example 1
A user wants to define the following default protection attributes for files created under his/her user ID:
a) For all files whose names begin with ’PUBLIC.’, the USER-ACCESS attribute is to be set by default to *ALL-USERS.
b) All files whose names begin with ’SCRATCH.*’ are to be protected by default by means of a BACL.
c) All files whose names begin with ’SECRET.’ or ’SSS’ are to be protected by default by means of a guard.
Given these requirements, the user needs three attribute guards in which to define the protection attributes specified in a) to c). It is also necessary to create three rule containers. The rules in these rule containers consist of the following parts:
Name of the file or files to which the default protection attributes are to apply.
Reference to an attribute guard which contains the required default protection attributes for the named file name space.
For the system administration only, in the case of a pubset-global default protection mechanism:
Reference to a guard with a list of user or group IDs for the unique, pubset-global identification of file names.
Points a) and b) can each be described in one rule, whereas two rules are used for point c). This results in the following overview:
Example 2 (for system administration)
System administration wants to make the same pubset-global specifications as the user in example 1. However, the protection attributes in a) and b) are only to apply to files created under the user ID PUBLIC. The necessary rule containers and guards are depicted in the diagram below:
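The guard structure of examples 1 and 2, expressed as an added Python model; this is not the manual's diagram and reproduces no GUARDS command syntax. The guard names (PUBATTR, SCRATTR, SECATTR, PUBUID), the placeholder attribute values and the first-match evaluation order of the rules in a container are assumptions.

```python
from fnmatch import fnmatchcase
from dataclasses import dataclass
from typing import Optional

# Attribute guards (type DEFPATTR): the defaults from points a) to c).
# Values for b) and c) are constructed placeholders, not real BACL/guard syntax.
ATTRIBUTE_GUARDS = {
    "PUBATTR": {"USER-ACCESS": "*ALL-USERS"},
    "SCRATTR": {"BASIC-ACL": "<constructed BACL>"},
    "SECATTR": {"GUARDS": "<constructed guard reference>"},
}

# Guards with user/group IDs (type DEFPUID), used only pubset-globally.
UID_GUARDS = {"PUBUID": {"PUBLIC"}}


@dataclass(frozen=True)
class Rule:
    name_pattern: str                  # file name space, '*' as wildcard
    attribute_guard: str               # reference to a DEFPATTR guard
    uid_guard: Optional[str] = None    # reference to a DEFPUID guard, if any


# Rule containers (type DEFAULTP). Example 1: the user's own container,
# which needs no user ID reference because it covers only that user's files.
USER_RULES = (
    Rule("PUBLIC.*", "PUBATTR"),
    Rule("SCRATCH.*", "SCRATTR"),
    Rule("SECRET.*", "SECATTR"),
    Rule("SSS*", "SECATTR"),
)
# Example 2: pubset-global container; a) and b) apply only under user ID PUBLIC.
SYS_RULES = (
    Rule("PUBLIC.*", "PUBATTR", uid_guard="PUBUID"),
    Rule("SCRATCH.*", "SCRATTR", uid_guard="PUBUID"),
    Rule("SECRET.*", "SECATTR"),
    Rule("SSS*", "SECATTR"),
)


def resolve_default(rules, file_name, user_id):
    """Name of the attribute guard whose defaults apply to a new file, or
    None. Rules are checked in container order; first match wins (assumed)."""
    for rule in rules:
        if rule.uid_guard is not None and user_id not in UID_GUARDS[rule.uid_guard]:
            continue  # rule is restricted to files created under other IDs
        if fnmatchcase(file_name, rule.name_pattern):
            return rule.attribute_guard
    return None


def default_attributes(rules, file_name, user_id):
    """The default protection attributes that apply, or an empty dict."""
    guard = resolve_default(rules, file_name, user_id)
    return dict(ATTRIBUTE_GUARDS[guard]) if guard else {}
```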