Document revision date: 30 March 2001

By default, anyone with a valid network user name and password can log on to a server and connect to a share on that server. However, a user must have the requisite permissions to access the directories and files in the share. You use the SET FILE/PERMISSIONS command to set permissions on a shared directory. You may need to change access permissions if users cannot access the directories or files they need, or if unauthorized users can access them. For information on how a file or directory that does not have explicit permissions inherits the permissions, see Section 4.1.3.1, Inheritance of Directory Permissions, and Section 4.3.5.3, Inheriting Permissions.

Permissions for disk resources are stored on the disk with each resource as an OpenVMS Access Control List (ACL). Thus, resource permissions are backed up by the OpenVMS BACKUP utility.

4.3.5.3 Inheriting Permissions

As you create subdirectories and files in shared directories that have existing permissions, those permissions are automatically propagated to the new subdirectories and files. However, if you decide to share a directory that contains existing subdirectories and files, the permissions you assign to the new share are not propagated to its subdirectories and files. You can either explicitly set permissions for each subdirectory and file, or you allow their permissions to be inherited.

4.3.6 Specifying File and Directory Access Permissions

When sharing a directory on a server, you specify the name of the groups and users who can access the share, its subdirectories, and its files, and the permissions each group or user has for the share. After the share has been created, you can modify the permissions on the files and directories in the share. The following example shows how to use the SET FILE/PERMISSIONS command to modify permissions. In this example, the command specifies the access permissions for all files with the .C extension in the directory CURTAIN in share GREATOZ.

LANDOFOZ\\TINMAN> SET FILE GREATOZ\CURTAIN\*.C - _LANDOFOZ\\TINMAN> MUNCHKINS/PERMISSIONS=READ - _LANDOFOZ\\TINMAN> SCARECROW/PERMISSIONS=FULL_CONTROL %PWRK-S-FILEMOD, "GREATOZ\CURTAIN\FILE1.C" modified on server "TINMAN" %PWRK-S-FILESMODIFIED, total of 1 file modified LANDOFOZ\\TINMAN>

As a result, the following permissions are set:

• Group MUNCHKINS has READ access
• User SCARECROW has FULL access

To display directory and file permissions, use the SHOW FILES/PERMISSIONS command, specifying a share name and its path. For example, with a share called RAINBOW and a file called LOGS.TXT, you can display permissions as follows:

LANDOFOZ\\TINMAN> SHOW FILES RAINBOW\LOG.TXT /PERMISSIONS Files in: \\TINMAN\RAINBOW LOGS.TXT Permissions: Administrators Full (All) Everyone Change (RWXD) Server Operators Change (RWXD) SYSTEM Full (All) Total of 1 file LANDOFOZ\\TINMAN>

4.3.8 Using Network Permissions and OpenVMS Protections

If the Advanced Server and OpenVMS security model is enabled, and a network user attempts to access a file or directory, the access must be allowed by two security checks: network permissions, and OpenVMS file and directory protections.

4.3.8.1 OpenVMS Protections

Every file on an OpenVMS system has four protection codes:

• The OpenVMS SYSTEM UIC group (System).
• The OpenVMS owner of a file (Owner).
• The OpenVMS group that can access a file (Group). (This is the OpenVMS group to which the owner belongs.)
• The world, which means everyone else (World).

To set OpenVMS system file protections, use the OpenVMS command SET PROTECTION.

When a network user attempts to access a file, the following rules determine the way that OpenVMS system protections control the access:

• If the network user account is mapped to the OpenVMS user account that is the owner of the file, then the Owner protections apply.
• If the network user account is mapped to an OpenVMS user that is in the same UIC group as the file owner, then Group protections apply.
• If the user's UIC group is in the range of SYSTEM UIC group numbers, then the System protections apply.
• Otherwise, World protections apply.

When you assign permissions for a resource, you can also audit use of the resource. The Advanced Server can write an entry to the Security event log whenever a user accesses the resource in a certain way. The audit entry shows the resource, action performed, user who performed it, and date and time of the event.

Events that Advanced Server can audit for directory and file access include:

• Successful and failed attempts to take ownership of a file or directory
• Successful and failed attempts to access a file or directory
• Successful or failed attempts to change access permissions on a file or directory

For more information about auditing and viewing events, see Chapter 6, Monitoring Events and Troubleshooting.

4.3.10 Taking Ownership of Files or Directories

When you create a file or directory, you become its owner. By granting permissions, the owner controls how the file or directory is used. The owner can grant permission to another user to take ownership of a file or directory. Otherwise, you must be logged on as a member of the Administrators group to take ownership. Although an administrator can take ownership, an administrator cannot transfer ownership to others. This preserves security. To make sure that your files are secure, you should check their ownership regularly using the SHOW FILES/OWNER command.

4.3.10.1 Authorizing a User to Take Ownership of a File or Directory

You can specify permission to take ownership of a file or a directory using the following commands:

• SET FILE/PERMISSIONS=FILE_SPECIFIC=TAKE_OWNERSHIP
• SET FILE/PERMISSIONS=DIRECTORY_SPECIFIC=TAKE_OWNERSHIP

For example, to authorize the user SCARECROW to take ownership of a file called SIMIANS.DAT that is stored on domain LANDOFOZ in the directory \WITCH\MKEY, enter the following command:

LANDOFOZ\\TINMAN> SET FILE WITCH\MKEY\SIMIANS.DAT - _LANDOFOZ\\TINMAN>SCARECROW/PERMISSIONS=FILE_SPECIFIC=TAKE_OWNERSHIP %PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified

4.3.10.2 Taking Ownership of a File or Directory

To take ownership of a file or directory, use the TAKE FILE OWNERSHIP command as follows:

TAKE FILE OWNERSHIP UNCpath [/qualifiers])

For example, the following command takes ownership of the file called SIMIANS.DAT that is stored on domain LANDOFOZ in the directory \WITCH\MKEY:

LANDOFOZ\\TINMAN> TAKE FILE OWNERSHIP WITCH\MKEY\SIMIANS.DAT %PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified LANDOFOZ\\TINMAN>

4.3.11 Managing Shares from a Windows NT Server

You can manage shares on the Advanced Server using a Windows NT Server. When the Windows NT Server performs server administration, the Windows NT server administration tool Server Manager attempts to verify the share path locally before passing the server operation request to the Advanced Server. Any share path that does not conform to the device:\directory convention, where device: is a single letter drive letter, fails the share path verification; therefore, you cannot manage an Advanced Server share from the Windows NT Server Manager if the share path does not conform to the device:\directory convention.

The following sections describe ways to manage an Advanced Server share from the Windows NT Server.

4.3.11.1 Adding a Share from a Windows NT Server

To add an Advanced Server share using a Windows NT Server, use one of the following procedures:

• Define the OpenVMS device using the Autoshare server configuration parameter in the OpenVMS Registry. This server parameter allows you to map the OpenVMS device to a single letter DOS device. (See Section 4.2.3.2, Defining Autoshares, for more information.)
  When a device is defined as an autoshare this way, you can add the share using the Windows NT Server by specifying the share path as device:\directory, where device is the mapped device letter.
  For example, to share the directory DUA1:[SHARE1] using the device letter D, include the following in the OpenVMS Registry:

  Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\ShareParameters Value: Autoshare= DUA1=D

  
  To add this share using the Windows NT Server Manager, specify the share path as follows:

  d:\share1

• Convert the share path input string from the OpenVMS directory path by adding C:\ to the beginning of the path specification. Instead of specifying device:[share], enter device\share. The Advanced Server is designed to interpret C: correctly.
  For example, if the OpenVMS directory that you want to share is DUA1:[SHARE1], specify the share path as follows:

  C:\DUA1\SHARE1

  
  By default, the C: device is defined as PWRK$LMROOT:[000000]. To add this share, use the following path name:

  C:\SHARE1

  
  In this case, the actual OpenVMS specification is PWRK$LMROOT:[SHARE1].

To display and modify the OpenVMS share from a Windows NT Server, use the following share path:

C:\vmsdevicename\directorypath

For example, if you add a share using the ADMINISTER command ADD SHARE, and you specify $1$DUA2:[SHARE.LEVEL2] as the share path for share LEVEL2, when you display this share from the Windows NT Server Manager, the share path is displayed in the following format:

C:\$1$DUA2\SHARE\LEVEL2

4.4 Unicode and Extended Character Sets

Unicode and extended character sets provide an extensive character coding system and standard designed to support written texts of the diverse languages of the modern world, independent of the platform, application, or language. It provides applications a consistent way of encoding multilingual plain text and brings order to a chaotic state of affairs that made it difficult to exchange text files internationally.

Previous to the development of this coding system, hundreds of encoding systems existed, but none of these was extensive enough to include all possible characters --- including punctuation and other special characters, symbols, or glyphs --- in a given language. Any given computer (especially servers) needs to support many different encodings; yet whenever data is passed between different encodings or platforms, that data always runs the risk of misinterpretation. That is, two encodings might use the same number for two different characters, or use different numbers for the same character. This conflict between the encodings causes a misrepresentation of the character set.

The design of extended character sets is based on the simplicity and consistency of the ASCII encoding, but goes far beyond ASCII's limited ability to encode only the Latin alphabet. Ultimately, the design provides the capacity to encode all of the characters used for the written languages of the world. To keep character coding simple and efficient, it assigns each character a unique 16-bit value, and does not require the use of complex modes or escape codes. It provides codes for diacritics, which are modifying character marks (such as the tilde (~)) that are used in conjunction with base characters to encode accented or vocalized letters (for example, ñ).

As an overview of character sets, codes, and encoding, the simplest and most widely known example is the 7-bit ASCII character set. The character codes defined by the ASCII standard assigns positive integers or code numbers, consecutively, to an ordered set of 128 characters. The character set includes the writable letters of the English alphabet (A to Z, and a to z), the digits (0 to 9), the space character, and the punctuation and symbols found on the standard English keyboard, plus several control characters (such as linefeed (LF) and escape (ESC)). The ASCII standard specifies a character encoding in which each code number is assigned a unique 8-bit character with the same value. (Although ASCII uses 7 bits, the encoding refers to 8-bit characters because all standard computers are designed to handle 8-bit bytes.) Octets (code values or positions) 128 through 255 are not used in ASCII. Code values 0 to 31 and 127 do not correspond to printable characters. The ASCII character set is a common denominator contained in all other common character sets.

The ASCII coding had many limitations. Previous to V7.3 of the Advanced Server for OpenVMS, the only character set other than ASCII supported by the file server on OpenVMS V7.2 systems was the 8-bit ISO Latin-1 character set (ISO-8859-1). The ISO Latin-1 character set includes the ASCII characters (occupying code positions 0 to 127) plus various accented characters and other letters for writing languages of Western Europe, and some special characters (these latter groups occupy positions 160 to 255; positions 127 through 160, as well as 0 through 31, are reserved for control characters).

MS-DOS and Windows 3.1 developed language-specific character sets called code pages to expand beyond the limitations of the ASCII set. They are ordered sets of 255 characters with an 8-bit numeric index to represent each character. Language-specific code pages were developed because the sum of characters used in languages worldwide exceeds 255. All the language-specific code pages overlay the same set of 8-bit representations. For example, a specific 8-bit coding in a code page used for the English language can be used for another character in a code page used for the Cyrillic language. An application has to be set to interpret the codes in the context of the selected code page.

Each 8-bit index value or code position in a code page is called a code point or code value. Most code pages, including those of the Advanced Server, map characters 0 to 128 to the ASCII character set.

ISO 10646 is an international standard that defines thousands of characters. Unicode is a standard that defines a character set and character code compatible with ISO 10646, and also defines a character encoding. It includes coding for virtually all character sets around the world. The Unicode encoding UCS-2 presents each code number as a two-byte integer. It is the most common Unicode set in use today.

A client computer that supports Unicode, or which is configured to use a code page that is not related to a Western European language, can create files with characters in the file name that are not part of the ISO Latin-1 character set. However, any Advanced Server for OpenVMS previous to V7.3 could not store files using these file names.

The latest version of the Advanced Server for OpenVMS file server can now support certain Unicode characters or extended character sets that are foreign to the Western European languages. The characters that the Advanced Server for OpenVMS can support at any time depend on the language configured for the server. Each language is associated with one of the ISO-8859 character sets supported by the Advanced Server. Each ISO-8859 character set supports one or more languages.

You can configure any one of over 40 languages. Table 4-10 lists each configurable language and the associated client code page and ISO-8859 character set. Notice that two of these languages provide support for the Euro currency symbol:

English (USA) + Euro
Western Europe + Euro.

For an up-to-date list of languages that are officially supported by the Advanced Server, refer to the Software Product Description (SPD).

Table 4-10 Configurable Languages

	Language	Code Page	Character Set
1	Afrikaans	CP850	ISO8859-1
2	Albanian	CP852	ISO8859-2
3	Basque	CP850	ISO8859-1
4	Belarussian	CP866	ISO8859-5
5	Bulgarian	CP866	ISO8859-5
6	Catalan	CP850	ISO8859-1
7	Croatian	CP852	ISO8859-2
8	Czech	CP852	ISO8859-2
9	Danish	CP850	ISO8859-1
10	Dutch	CP850	ISO8859-1
11	English (USA)	CP437	ISO8859-1
12	English (USA) + Euro	CP437	ISO8859-1-EURO
13	English (Other)	CP850	ISO8859-1
14	Faeroese	CP850	ISO8859-1
15	Finnish	CP850	ISO8859-1
16	French	CP850	ISO8859-1
17	French (Canada MS-DOS)	CP863	ISO8859-1
18	German	CP850	ISO8859-1
19	Greek	CP737	ISO8859-7
20	Greek (IBM)	CP869	ISO8859-7
21	Hebrew	CP862	ISO8859-8
22	Hungarian	CP852	ISO8859-2
23	IBM Cyrillic	CP855	ISO8859-5
24	Icelandic	CP850	ISO8859-1
25	Icelandic (MS-DOS)	CP861	ISO8859-1
26	Indonesian	CP850	ISO8859-1
27	Italian	CP850	ISO8859-1
28	Nordic L. (MS-DOS)	CP865	ISO8859-1
29	Norwegian	CP850	ISO8859-1
30	Polish	CP852	ISO8859-2
31	Portuguese	CP850	ISO8859-1
32	Portuguese (MS-DOS)	CP860	ISO8859-1
33	Romanian	CP852	ISO8859-2
34	Russian	CP866	ISO8859-5
35	Serbian (Cyrillic)	CP866	ISO8859-5
36	Serbian (Latin)	CP852	ISO8859-2
37	Slovak	CP852	ISO8859-2
38	Slovenian	CP852	ISO8859-2
39	Spanish	CP850	ISO8859-1
40	Swedish	CP850	ISO8859-1
41	Turkish	CP857	ISO8859-9
42	Ukrainian	CP866	ISO8859-5
43	Western Europe + Euro	CP850	ISO8859-1-EURO

The langagues and their associated ISO-8859 character sets are a subset of the Unicode (UCS-2) character sets supported on OpenVMS ODS-5 disk structures. As mentioned, you configure the Advanced Server to support one, and only one, of the languages at a time.

Support of the extended character set characters makes available a broader set of characters for objects manageable by the Advanced Server, including file names, user names, group names, and file and print share names. Each character set also applies to text strings (such as descriptions) that users can specify when managing any of these objects. Windows NT-compatible Advanced Server printer description and location fields support all Unicode characters. (These characters are not supported in computer names, alias names, domain names, and trusted domain names.)

Each character set maps the 8-bit code point values (0 to 255) to 16-bit UCS-2 (Unicode) characters, and thus are much more extensive than the standard 7-bit ASCII character set.

	privacy and legal statement
6543PRO_012.HTML