Protecting Accounts

When you create a new account, you can specify a number of different types of security protection. Each account can be assigned a password and can be assigned retrieval and update codes to control access to its files. In addition, each account can be assigned a system privilege level. Finally, you can specify the amount of disk space you want the account to occupy.

User access to an account is controlled by assigning a password to it. Only those users who know the password can log on to the account. You need not assign a password to every account; Rocket recommends, however, that you do so. Accounts without passwords can be logged on to by any user of the system.

You can provide additional security control by determining what files on the system are to be accessible from the new account, and what accounts can access the files in the new account.

The ability to read some or all of the files in any account on the system can be restricted by assigning a retrieval code to both the new account and to the files to be accessed. The ability to make changes and add data to files in any account on the system can be similarly restricted by assigning update codes.

Retrieval and update rights are given to users of an account by the codes assigned in the account’s definition item in the SYSTEM file. Retrieval and update checking is controlled by the codes given to the files.

Whenever a user of an account tries to access another account or file on the system, any update and retrieval codes in the account are compared to codes assigned to the account or file the user is trying to access. If the codes match, access is allowed; if they don’t, access is denied. For more details about retrieval and update codes, see mvBase System Security in the mvBase System Administration Manual.

Setting system privilege levels allows the system administrator to restrict the accessibility of certain parts of the system for each account. mvBase has four system privilege levels. From most restrictive to least restrictive, they are: SYS0, SYS1, SYS2, and SYS3.

SYS0

Most restrictive. Users are not able to create or delete files, to clear data from files, or to update the Master Dictionary of the account.

SYS1

Users can update the Master Dictionary of their accounts and use magnetic tape commands.

SYS2

Users can use the DUMP processor and the FILE-SAVE and FILE-RESTORE processors.

SYS3

Users have unrestricted access to all levels of the system, including all files, regardless of any retrieval or update codes.

See Using the SYSPROG Account and Commands for additional information about the system privilege levels of SYS1, SYS2, or SYS3.
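
The following audit is an added example, not part of the Rocket documentation: it applies the password and privilege-level rules above to an account inventory and flags the combinations an administrator would want to review. The pipe-delimited inventory format, the account names and the finding IDs are assumptions made for this example; it does not read the SYSTEM file.

```python
from typing import NamedTuple

# Privilege levels in the order the page gives them: most to least restrictive.
LEVELS = ("SYS0", "SYS1", "SYS2", "SYS3")

class Account(NamedTuple):
    name: str
    has_password: bool
    privilege: str

# Constructed inventory. The layout is an assumption for this example,
# not the layout of the account definition item in the SYSTEM file.
SAMPLE = """\
# name|password_set|privilege
PAYROLL|yes|SYS1
DEMO|no|SYS0
OPS|no|SYS2
ADMIN2|no|SYS3
AUDIT|yes|SYS3
"""

def parse_inventory(text):
    """Parse inventory lines into Account records, rejecting malformed rows."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or fields[1] not in ("yes", "no") or fields[2] not in LEVELS:
            raise ValueError(f"line {lineno}: malformed row {line!r}")
        accounts.append(Account(fields[0], fields[1] == "yes", fields[2]))
    return accounts

def audit(acct):
    """Return finding IDs for one account, based on the rules stated above."""
    findings = []
    if not acct.has_password:
        findings.append("NO_PASSWORD")  # any user of the system can log on
        if LEVELS.index(acct.privilege) >= LEVELS.index("SYS2"):
            findings.append("OPEN_" + acct.privilege)  # open logon at SYS2 or SYS3
    if acct.privilege == "SYS3":
        findings.append("CODES_BYPASSED")  # retrieval/update codes do not restrict it
    return findings

def report(text):
    """Map each account name to its list of findings."""
    return {a.name: audit(a) for a in parse_inventory(text)}

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(f"{name:8} {', '.join(findings) or 'ok'}")
```
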

See Also

Accounts and User-IDs

Using CREATE-ACCOUNT