HP OpenVMS Guide to System Security > Chapter 13 Using Protected Subsystems
Building the Subsystem
Once managers of the subsystem have the appropriate identifiers
and access rights as described in “System Management Requirements”, they can add the necessary ACEs to a subsystem image.
Two kinds of ACEs are necessary to construct a subsystem: the application
image receives a Subsystem ACE, and the objects managed by the subsystem
receive Identifier ACEs. Therefore, building a subsystem requires
the following steps:
1. Create a Subsystem ACE containing the subsystem identifier in the ACLs
   of the application images. A Subsystem ACE has the following format:

       (SUBSYSTEM,{IDENTIFIER=identifier[,ATTRIBUTES=attributes]})

2. Grant access to the objects managed by the subsystem. You need to add
   an Identifier ACE to the ACL of the various objects belonging to the
   subsystem. Each Identifier ACE contains one of the subsystem identifiers
   in the following format:

       (IDENTIFIER=identifier, ACCESS=access-type[+...])
In the following example, the subsystem manager uses the DCL
command SET SECURITY to associate the subsystem identifier with
the images that make up the subsystem. First, the subsystem manager
adds a Subsystem ACE with the identifier MEMBERS_SUBSYSTEM to the
ACL of the application image MEMBER_LIST.EXE:

    $ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,-
    _$ ATTRIBUTES=RESOURCE) MEMBER_LIST.EXE

Then the subsystem manager adds an Identifier ACE with the
subsystem identifier MEMBERS_SUBSYSTEM to the data files managed
by the subsystem:

    $ SET SECURITY/ACL=(IDENTIFIER=MEMBERS_SUBSYSTEM,-
    _$ ACCESS=READ+WRITE) MEMBER_DATA*.DAT
The DCL command SHOW SECURITY displays the security attributes
of the files. For example:

    $ SHOW SECURITY MEMBER_LIST.EXE

    MEMBER_LIST.EXE object of class FILE
         Owner: [STAFF]
         Protection: (System: RWED, Owner: RWED, Group, World: RE)
         Access Control List:
              (SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,ATTRIBUTES=RESOURCE)

    $ SHOW SECURITY MEMBER_DATA*.DAT

    MEMBER_DATA_1.DAT object of class FILE
         Owner: MEMBERS_SUBSYSTEM
         Protection: (System: RWED, Owner: RWED, Group, World)
         Access Control List:
              (IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=READ+WRITE)

    MEMBER_DATA_2.DAT object of class FILE
         Owner: MEMBERS_SUBSYSTEM
         Protection: (System: RWED, Group, World)
         Access Control List:
              (IDENTIFIER=MEMBERS_SUBSYSTEM,ACCESS=READ+WRITE)
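As an added example that is not part of the OpenVMS documentation, the following Python audit script parses SHOW SECURITY output in the layout shown above and reports an image that lacks a Subsystem ACE for the subsystem identifier, or a data file whose Identifier ACE does not grant the expected access types. The sample output is constructed from this section's example, and the function names are my own.

```python
import re
# Constructed sample in the layout of the SHOW SECURITY output quoted above
# (one image and one data file; real output would list every matching file).
SAMPLE_OUTPUT = """\
MEMBER_LIST.EXE object of class FILE
     Owner: [STAFF]
     Protection: (System: RWED, Owner: RWED, Group, World: RE)
     Access Control List:
          (SUBSYSTEM,IDENTIFIER=MEMBERS_SUBSYSTEM,ATTRIBUTES=RESOURCE)
MEMBER_DATA_1.DAT object of class FILE
     Owner: MEMBERS_SUBSYSTEM
     Protection: (System: RWED, Owner: RWED, Group, World)
     Access Control List:
          (IDENTIFIER=MEMBERS_SUBSYSTEM, ACCESS=READ+WRITE)"""

def parse_show_security(text):
    """Map each object name to its ACE strings, with internal spaces removed."""
    objects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\S+) object of class \w+$", line)
        if m:
            current = m.group(1)
            objects[current] = []
        elif current and line.startswith("(") and line.endswith(")"):
            objects[current].append(re.sub(r"\s+", "", line))
    return objects

def parse_ace(ace):
    """'(SUBSYSTEM,IDENTIFIER=X)' -> {'SUBSYSTEM': None, 'IDENTIFIER': 'X'}"""
    pairs = (item.partition("=") for item in ace.strip("()").split(","))
    return {key.upper(): value or None for key, _, value in pairs}

def check_subsystem(text, identifier, image, data_files, access):
    """Return one message per object that lacks the ACE the subsystem needs."""
    acls = {n: [parse_ace(a) for a in aces] for n, aces in parse_show_security(text).items()}
    problems = []
    # The image must carry a Subsystem ACE naming the subsystem identifier.
    if not any("SUBSYSTEM" in a and a.get("IDENTIFIER") == identifier
               for a in acls.get(image, [])):
        problems.append(f"{image}: no Subsystem ACE for {identifier}")
    # Each data file must grant that identifier every requested access type.
    wanted = set(access.split("+"))
    for name in data_files:
        granted = set()
        for a in acls.get(name, []):
            if "SUBSYSTEM" not in a and a.get("IDENTIFIER") == identifier and a.get("ACCESS"):
                granted |= set(a["ACCESS"].split("+"))
        if not wanted <= granted:
            problems.append(f"{name}: {identifier} lacks {'+'.join(sorted(wanted - granted))}")
    return problems
```

On a live system the text would come from capturing SHOW SECURITY output to a file rather than from the constructed sample.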