OpenVMS restricts various resources and functions to those users with the associated privileges. The system manager can assign the appropriate privileges to each user. Some of the privileges can affect the access a user receives regardless of the access assigned by UICs and ACLs. When creating a user account, grant only those privileges consistent with both responsibility and need. By carefully constructing operational procedures, you can often minimize, or even eliminate, apparent requirements for privileges.
A user has default privileges and privileges available with SET PROC/PRIV. When granting a user a privilege with the power to disrupt the system, recommend that they turn on the privilege just long enough to accomplish a task for which it is required. This minimizes the chances of a serious system error.
The following table summarizes OpenVMS privileges a GT.M user may need.
VMS Privileges Affecting GT.M Users

| VMS PRIV | CONTROLS GT.M FACILITY | NOTES |
|---|---|---|
| ACNT | JOB command; NOACCOUNTING parameter | Disables accounting |
| ALTPRI | JOB command; PRIORITY= parameter | Permits raising the priority of the detached process |
| DETACH | JOB command; DETACH parameter | Permits creation of detached processes with other UICs |
| GROUP | $ZGETJPI() and $ZPID() of other processes | Within the group |
| GRPNAM & TMPMBX | Temporary mailbox creation | Needs both privileges |
| PRMMBX & SYSNAM | Permanent mailbox creation | Needs both privileges |
| PSWAPM | JOB command; NOSWAPPING parameter | Permits swapping of a detached process to be disabled |
| WORLD | $ZGETJPI() and $ZPID() of other processes | Allows access to all processes |
| all | $ZSETPRIV() - change specified privilege | GT.M cannot grant privileges unless they are available to the account. |

You do not need to grant privileges to GT.M users who access mailboxes created by another user.
The $Z functions affected by privileges are analogous to VMS lexical functions, and would likely be used to perform operational tasks. Refer to the previous table for the $Z functions affected.
In assigning groups and privileges, remember that MUPIP STOP requires GROUP or WORLD privilege to stop processes outside the user's UIC.
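The advice above to turn a privilege on only for the task that needs it, applied to the MUPIP STOP case, as an added DCL example that is not part of the original documentation. It assumes MUPIP is defined as a DCL command at your site, that the target process ID is passed as P1, and that WORLD is authorized for the account but not enabled by default.

```dcl
$ ! Added example: enable WORLD only around MUPIP STOP, then restore it.
$ ! P1 = ID of the process to stop (assumed to be supplied by the caller).
$ IF P1 .EQS. "" THEN EXIT 44        ! SS$_ABORT: no process ID given
$ status = 44
$ SET NOON                           ! handle failures here, do not auto-exit
$ ! F$SETPRV returns the prior state of the listed privilege (WORLD or NOWORLD)
$ prior = F$SETPRV("WORLD")
$ ON CONTROL_Y THEN GOTO restore     ! an interrupt must still drop the privilege
$ ! F$SETPRV does not signal an error when the account is not authorized
$ ! for the privilege, so confirm that WORLD is actually enabled.
$ IF .NOT. F$PRIVILEGE("WORLD")
$ THEN
$   WRITE SYS$OUTPUT "WORLD is not available to this account"
$   GOTO restore
$ ENDIF
$ MUPIP STOP 'P1'
$ status = $STATUS
$restore:
$ ! Put WORLD back exactly as it was before this procedure ran
$ prior = F$SETPRV(prior)
$ EXIT 'status'
```

Because the saved state is restored rather than unconditionally disabled, the procedure leaves an account that already had WORLD enabled unchanged.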