.ps 58,70
.ap
.p 0
.c;==========================================
.c;IMU --- Identifier Management Utility V1.0
.c;==========================================
.s
.c;by
.s
.c;G. Beau Williamson
.c;Rockwell International
.c;1200 N. Alma Rd.
.c;Richardson, TX. 75081
.c;(214) 996-5547
.s
.c;October 6, 1986
.s2
.hl 1 INTRODUCTION
IMU is a Rights Identifier Management utility program that permits
authorized, non-privileged users to "Grant" and "Revoke" certain Rights
Identifiers to/from other users via an "Authorize"-like set of commands.
For example:
.literal

     IMU> GRANT/ID identifier username

.end literal
IMU therefore allows the authorized users to manage their own generic
Rights Identifiers (such as application or project oriented identifiers)
specifically set up for them by the System Manager without needing
access to the "Authorize" utility.

Users may optionally be granted the ability to authorize other users to
grant and revoke the Rights Identifiers under their control via the ACL
editor.
.hl 1 IMU COMPONENTS
IMU is composed of the following components:
.list
.le;IMU.EXE image file.
.le;IMU Directory.
.le;Rights-ID files.
.els
.hl 2 IMU.EXE
The IMU image "IMU.EXE" is the actual IMU program and must be installed
with the "SYSPRV" privilege. IMU is activated by a "RUN SYS$SYSTEM:IMU"
command and typically has a system-wide symbol set up to invoke IMU by
typing "IMU".
.hl 2 IMU Directory
The "IMU Directory" is a special protected directory which contains the
"Rights-ID" files that specify the users authorized to manage a single
generic Rights-ID via IMU.
The IMU directory is pointed to by the System Logical name "IMU$DIR" and
normally resides under the [SYSMGR] directory with the following
protection:
.literal

Directory SYS$COMMON:[SYSMGR]

IMU.DIR               1/4      [SYSTEM,MANAGER]   (RWE,RWE,RE,E)
          (DEFAULT_PROTECTION,SYSTEM:,OWNER:RWED,GROUP:,WORLD:)

.end literal
.hl 2 Rights-ID Files
The Rights-ID files serve as the "Authorized Users List" for each Rights
Identifier to be managed by IMU. Each Rights-ID is made up of a single
empty file in the IMU directory and has a filename of the format:
.literal

     identifier.ACL

     where:  identifier is the name of the Rights Identifier.

.end literal
Each Rights-ID file contains an ACL with an ACE for each authorized user
that may manage the identifier. When a user attempts to issue a command
to the IMU program to "GRANT", "REVOKE", "LIST" or "SHOW" a Rights
Identifier, IMU checks the Rights-ID file associated with the Rights
Identifier to determine if the user is authorized to perform the
requested command.

The following table shows the functions enabled by READ, WRITE and
CONTROL access to the Rights-ID file.
.tp8
.literal

     ACCESS    MEANING
     -------   -------------------------------------------------
     READ      Permits use of IMU "LIST" and "SHOW" commands.
     WRITE     Permits use of IMU "GRANT" and "REVOKE" commands.
     CONTROL   Permits the user to edit the Rights-ID file ACL.

.end literal
.hl 1 A SAMPLE SYSTEM
Let's assume the following generic Rights Identifiers are to be managed
by certain authorized users.
.list
.le;SYSENG ####--- System Engineering
.le;PRICING ###--- Pricing Department
.le;PROGRAMMER --- Programmers
.els
Assume also that the System Manager has created the following Rights-ID
files:
.tp12
.literal

Directory SYS$COMMON:[SYSMGR.IMU]

SYSENG.ACL;1          0/0      [SYSTEM,MANAGER]   (,RWED,,)
          (IDENTIFIER=[SMITH],ACCESS=READ+WRITE+CONTROL)
          (IDENTIFIER=[DAVIS],ACCESS=READ)
PRICING.ACL;1         0/0      [SYSTEM,MANAGER]   (,RWED,,)
          (IDENTIFIER=[CARTER],ACCESS=READ+WRITE+CONTROL)
PROGRAMMERS.ACL;1     0/0      [SYSTEM,MANAGER]   (,RWED,,)
          (IDENTIFIER=[SAMPSON],ACCESS=READ+WRITE+CONTROL)
          (IDENTIFIER=[DELBERT],ACCESS=READ+WRITE)

.end literal
This means that the above Rights-ID files permit the following functions
to be performed by the following users for the indicated Rights
Identifiers.
.literal

RIGHTS       AUTHORIZED
IDENTIFIER   USER         FUNCTIONS AUTHORIZED
----------   ----------   -----------------------------------
SYSENG       SMITH        GRANT, REVOKE, LIST, SHOW, Edit_ACL
SYSENG       DAVIS        LIST, SHOW
PRICING      CARTER       GRANT, REVOKE, LIST, SHOW, Edit_ACL
PROGRAMMER   SAMPSON      GRANT, REVOKE, LIST, SHOW, Edit_ACL
PROGRAMMER   DELBERT      GRANT, REVOKE, LIST, SHOW

.end literal
Notice that users granted CONTROL access to a Rights-ID file may edit
the Rights-ID file's ACL. This enables the user to add/remove other
users to/from the list of users that may manage the Rights Identifier.
This is accomplished by adding or removing entries for those users
to/from the ACL on the Rights-ID file. For example, user "SMITH" may
invoke the ACL Editor by typing
.literal

     $ EDIT/ACL/NOJOURNAL IMU$DIR:SYSENG.ACL

.end literal
to edit the ACL on "SYSENG.ACL" and remove the entry in the ACL for user
DAVIS. This would remove the ability of user "DAVIS" to use IMU to LIST
or SHOW the Rights Identifier "SYSENG" since user "DAVIS" would no
longer have "READ" access to the "SYSENG.ACL" file. (Note that the
/NOJOURNAL qualifier is necessary to avoid error messages from the ACL
Editor since the user doesn't have write access to the IMU$DIR
directory.)
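The access model above, worked through as an added example (not part of
IMU or of the original document): a Python sketch that parses the sample
listing, derives the functions each user may perform, and reports who
holds CONTROL and can therefore add further managers. The function names
are this example's own, and the first-matching-ACE rule is standard VMS
ACL behaviour assumed here rather than stated in this document.

```python
import re

# Access-to-function mapping from the table in "Rights-ID Files".
ACCESS_TO_COMMANDS = {
    "READ": {"LIST", "SHOW"},
    "WRITE": {"GRANT", "REVOKE"},
    "CONTROL": {"EDIT_ACL"},  # not an IMU command: editing the file's ACL
}

# Listing from "A SAMPLE SYSTEM" (file names exactly as they appear there).
SAMPLE_LISTING = """
SYSENG.ACL;1          0/0  [SYSTEM,MANAGER]  (,RWED,,)
          (IDENTIFIER=[SMITH],ACCESS=READ+WRITE+CONTROL)
          (IDENTIFIER=[DAVIS],ACCESS=READ)
PRICING.ACL;1         0/0  [SYSTEM,MANAGER]  (,RWED,,)
          (IDENTIFIER=[CARTER],ACCESS=READ+WRITE+CONTROL)
PROGRAMMERS.ACL;1     0/0  [SYSTEM,MANAGER]  (,RWED,,)
          (IDENTIFIER=[SAMPSON],ACCESS=READ+WRITE+CONTROL)
          (IDENTIFIER=[DELBERT],ACCESS=READ+WRITE)
"""

FILE_RE = re.compile(r"^([A-Z0-9$_]+)\.ACL;\d+\s")
ACE_RE = re.compile(r"\(IDENTIFIER=\[?([A-Z0-9$_]+)\]?,ACCESS=([A-Z+]+)\)")

def parse_listing(text):
    """Return {rights_identifier: {user: set of access types}}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := FILE_RE.match(line)):
            current = acls.setdefault(m.group(1), {})
        elif (m := ACE_RE.match(line)) and current is not None:
            # Assumption: VMS honours the first matching ACE, so a later
            # ACE for the same user must not widen the first one.
            current.setdefault(m.group(1), set(m.group(2).split("+")))
    return acls

def allowed_commands(acls, identifier, user):
    """Functions the user may perform; an empty set means denied."""
    access = acls.get(identifier, {}).get(user, set())
    return set().union(*(ACCESS_TO_COMMANDS.get(a, set()) for a in access))

def delegators(acls):
    """(identifier, user) pairs with CONTROL, i.e. able to add managers."""
    return sorted((i, u) for i, users in acls.items()
                  for u, acc in users.items() if "CONTROL" in acc)

if __name__ == "__main__":
    acls = parse_listing(SAMPLE_LISTING)
    for ident, users in acls.items():
        for user in users:
            print(ident, user, sorted(allowed_commands(acls, ident, user)))
    print("can re-delegate:", delegators(acls))
```

The CONTROL holders it reports are the accounts to review first when
auditing who can extend the list of managers for an identifier.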
.hl 1 INSTALLING IMU
The installation of IMU is accomplished in the following basic steps:
.list
.le;Loading the IMU files to disk
.le;Building the IMU image and help library
.le;Installing the IMU image with SYSPRV
.le;Creating the IMU Directory
.els
.hl 2 Loading the IMU files
Start by creating a working directory for the installation procedure.
This directory can be deleted after the installation has been completed.
Use the BACKUP utility to copy the IMU files to the IMUTMP directory.
The actual commands used to create your temporary directory and copy the
files will differ from site to site (and depend on whether you are
copying from a VAX Sig tape) but will be something like the following:
.literal

     $ CREATE/DIRECTORY [.IMUTMP]
     $ SET DEFAULT [.IMUTMP]
     $ BACKUP $2$MUA0:IMU.BCK []

.end literal
.hl 2 Building the IMU Image and Help Library
Once the files have been copied to the temporary directory, the IMU
image and the IMU Help library must be built and copied to their target
directories. This is accomplished by executing the "IMUBUILD.COM"
command procedure as follows:
.literal

     $ @IMUBUILD

.end literal
This command procedure will result in the following IMU files being
built and copied to their respective target directories.
.literal

     SYS$SYSTEM:IMU.EXE
     SYS$HELP:IMUHELP.HLB

.end literal
.hl 2 Installing the IMU image
Because the IMU image requires the SYSPRV privilege to make changes to
the RIGHTSLIST.DAT file via System Services, it must be installed as a
known object with the "SYSPRV" privilege. The following commands will
accomplish this:
.literal

     $ INSTALL == "$INSTALL/COMMAND_MODE"
     $ INSTALL ADD/PRIV=(SYSPRV) SYS$SYSTEM:IMU

.end literal
These two lines should also be added to the System Startup command file
SYSTARTUP.COM so that IMU is installed each time the system is booted.
.hl 2 Creating the IMU Directory
The final step is to create the IMU Directory and define the System
Logical name "IMU$DIR" to point to this directory.
The recommended location of this directory is "SYS$COMMON:[SYSMGR.IMU]".
Assuming the recommended location of the IMU directory, the following
commands will create the directory and define the logical name.
.literal

     $ CREATE/DIRECTORY SYS$COMMON:[SYSMGR.IMU]
     $ SET ACL/ACL=(DEFAULT_PROTECTION,SYSTEM:,OWNER:RWED,GROUP:,WORLD:) -
           SYS$COMMON:[SYSMGR]IMU.DIR
     $ DEFINE/SYSTEM IMU$DIR SYS$COMMON:[SYSMGR.IMU]

.end literal
.hl 1 CREATING NEW RIGHTS IDENTIFIERS
Once IMU has been installed, the System Manager creates the actual
Rights Identifier and a Rights-ID file (with its associated ACL) for
each Rights Identifier that is to be managed. This may be accomplished
by the following commands.
.literal

     $ RUN SYS$SYSTEM:AUTHORIZE
     ADD/ID identifier
     EXIT
     $ SET DEFAULT IMU$DIR
     $ CREATE identifier.ACL
     ^Z
     $ EDIT/ACL identifier.ACL

.end literal
The last step in the above procedure activates the ACL editor so that
the ACL for the Rights-ID file may be created. (See the "VAX/VMS ACL
Editor Manual" for details on the use of the ACL Editor.)
.hl 1 RUNNING IMU
It is recommended that the following system-wide symbol be defined (in
SYS$SYLOGIN) to run the IMU program.
.literal

     $ IMU == "RUN SYS$SYSTEM:IMU"

.end literal
This will permit users to invoke IMU by simply typing:
.literal

     $ IMU

.end literal
When IMU is activated, it will return a prompt of "IMU>" indicating that
it is ready to receive commands.
.hl 1 IMU COMMANDS
IMU implements the following subset of "Authorize" utility commands:
.list
.le;GRANT/ID
.le;REVOKE/ID
.le;SHOW/ID
.le;LIST/ID
.le;EXIT
.le;HELP
.els
Since these IMU commands are identical to the "Authorize" utility
commands, you will find detailed documentation on these commands in the
"VAX/VMS Authorize Utility Manual".