
OpenVMS System Manager's Manual



As with a file or directory, you can use UIC-based or ACL-based protection to control access to a queue.

See the OpenVMS Guide to System Security for detailed information about establishing system security.

13.6.1.1 Understanding UIC-Based Queue Protection

UIC-based protection restricts the jobs and the users who have access to a queue. Operations that apply to queues are controlled by UIC-based protection in the same way that access to other protected objects (such as files) is controlled.

When you create a queue, the queue is assigned an owner UIC and a protection code. The default owner is [SYSTEM], but you can specify another owner with the /OWNER_UIC qualifier.

The queue class provides the following default UIC-based security profile:

    System:Manage,Owner:Delete,Group:Read,World:Submit

Jobs are assigned an owner UIC equal to the UIC of the process that submitted the job, unless the job was submitted with the /USER qualifier. Each job in a queue (and each operation that is performed on a queue) is checked against the UIC of the owner, the protection of the queue, and the privileges of the requester.

All operations are checked as follows:
Operations that apply to...   Are checked against...
---------------------------   ----------------------
Jobs                          The read and delete protection specified for the queue and the owner UIC of the job.
Queues                        The submit and manage protection specified for the queue and the owner UIC of the queue.

The following table lists the types of access that the queue class supports:
Access Type   Gives you the right to...
-----------   -------------------------
Read          See the security elements of a queue or a job in a queue.
Submit        Place jobs in the queue.
Delete        Delete a job in the queue or modify the elements of a job.
Manage        Affect any job in the queue. You can start, stop, or delete a queue and
              change its status and any elements that are unrelated to security.
Control       Modify the protection elements and owner of a queue.

Note that when a process receives read or delete access through a protection code, it can operate only on its own job in the queue. However, when granted through an ACL, read and delete access allow a process to operate on all jobs in the queue.

Privileges Required

You need SYSNAM and OPER privilege to stop or start the queue manager. OPER is necessary to create and delete queues, or to change the symbiont definition.

Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:
Event Audited   Audit Occurs When...
-------------   --------------------
Access          A job is submitted to the queue and when either a job or queue is modified.
Creation        A queue is initialized.
Deletion        A process deletes a job from the queue or when the queue itself is deleted.
                (To enable auditing for queue deletions, enable auditing for manage [M]
                access to the queue.)

For more information on queue security, see the OpenVMS Guide to System Security.

13.6.1.2 Setting and Showing UIC-Based Queue Protection

Use the following commands to set and show UIC-based protection on queues:
Command
    Description

INITIALIZE/QUEUE/PROTECTION=(ownership[:access],...)
START/QUEUE/PROTECTION=(ownership[:access],...)
SET QUEUE/PROTECTION=(ownership[:access],...)
    Specifies the protection of a queue:
      • Specify the ownership parameter as system (S), owner (O), group (G), or world (W).
      • Specify the access parameter as read (R), submit (S), manage (M), or delete (D).

INITIALIZE/QUEUE/OWNER_UIC=uic
START/QUEUE/OWNER_UIC=uic
SET QUEUE/OWNER_UIC=uic
    Enables you to change the UIC of a queue. The default UIC is [1,4].

SHOW QUEUE/FULL
    Displays complete information about a queue, including the protection currently set for the queue.

SET SECURITY/CLASS=QUEUE/OWNER=uic
    Modifies the owner element of a queue. Specify the UIC in the standard format.

SET SECURITY/CLASS=QUEUE/PROTECTION=ownership[:access]
    Modifies the protection code of a queue. The protection code defines the type of access allowed to users, based on their relationship to the object's owner.

SHOW SECURITY/CLASS=QUEUE
    Shows protection currently set for objects of the queue class.

Examples

  1. The following example sets protection on a queue, and then displays full information about the queue:
    $ INITIALIZE/QUEUE/GENERIC=(SYS_QUE1,SYS_QUE2) -
    _$ /PROTECTION=(S:M,O:D,G:R,W:R) -
    _$ /OWNER_UIC=[1,8]/RETAIN=ERROR SYS_PRINT
    $ SHOW QUEUE/FULL SYS_PRINT
    Generic printer queue SYS_PRINT/GENERIC=(SYS_QUE1,SYS_QUE2) -
    _$ /OWNER=[1,8]/PROTECTION=(S:M,O:D,G:R,W:R)/RETAIN=ERROR
    
  2. The following example gives the owner manage and delete access to this queue and makes user AGBELL the owner. With manage access, the owner AGBELL can manage the queue, but cannot modify security information.
    $ SET SECURITY/CLASS=QUEUE/OWNER=[AGBELL]/PROTECTION=O:MD -
    _$ TELEPHONE_QUEUE
    $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE
    TELEPHONE_QUEUE object of class QUEUE 
         Owner: [INVENTORS,AGBELL] 
         Protection: (System: M, Owner: MD, Group: R, World: S) 
         Access Control List: <empty>
    

13.6.1.3 Understanding ACL-Based Queue Protection

In addition to UIC-based protection, you can associate access control lists (ACLs) with a queue. ACL-based protection provides a more refined level of protection when certain members of a project group require access to a queue, excluding others of the same UIC group or of other groups.

See the OpenVMS Guide to System Security for detailed information about establishing ACLs for protected objects.

13.6.1.4 Setting and Showing ACL-Based Queue Protection

Use the following commands to set and show ACL-based protection on queues:
Command
    Description

SET SECURITY/ACL=(IDENTIFIER=(identifier, -
_ACCESS=access-type)[,...])/CLASS=QUEUE
    Sets ACL protection on a queue.

SHOW QUEUE/FULL
    Shows any ACLs set on a queue.

SHOW SECURITY/CLASS=QUEUE
    Shows any ACLs set on a queue.

For more information on ACL-based security, see the OpenVMS Guide to System Security.

Examples

  1. The SET QUEUE/PROTECTION command in the following example modifies the default protection of queue SYS_QUE1 to prevent access by nonprivileged users. The SET SECURITY/ACL command then restricts access to only those members of a project group who hold the ULTRA_LITE or MINUTES identifiers. Members with the MINUTES identifier have only read and submit access to the queue. The SHOW QUEUE/FULL command displays information, including security information, about the queue.
    $ SET QUEUE/PROTECTION=(S,O,G,W) SYS_QUE1
    $ SET SECURITY/CLASS=QUEUE SYS_QUE1 -
    _$/ACL=((IDENTIFIER=ULTRA_LITE, ACCESS=READ+SUBMIT+MANAGE+DELETE), -
    _$ (IDENTIFIER=MINUTES, ACCESS=READ+SUBMIT)) 
    $ SHOW QUEUE/FULL SYS_QUE1
    Batch queue SYS_QUE1, stopped       
        /BASE_PRIORITY=4 /JOB_LIMIT=1 /OWNER=[1,4] /PROTECTION=(S,O,G,W) 
              (IDENTIFIER=ULTRA_LITE,ACCESS=READ+SUBMIT+MANAGE+DELETE) 
              (IDENTIFIER=MINUTES,ACCESS=READ+SUBMIT) 
    
  2. The following example shows how to use ACLs to restrict queue access to members of a particular project group:
    $ SET QUEUE/PROTECTION=(S,O,G,W) SYS_QUE1
    $ SET SECURITY/CLASS=QUEUE SYS_QUE1 -
    _$/ACL=((IDENTIFIER=ULTRA_LITE, ACCESS=READ+SUBMIT+MANAGE+DELETE), -
    _$ (IDENTIFIER=MINUTES, ACCESS=READ)) 
    
  3. The following example shows a queue that has only UIC-based protection, and then gives user AGBELL control access with an ACL. Control access allows user AGBELL to modify security information.
    $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE
    TELEPHONE_QUEUE object of class QUEUE 
         Owner: [INVENTORS,AGBELL] 
         Protection: (System: M, Owner: MD, Group: R, World: S) 
         Access Control List: <empty> 
    $ SET SECURITY/CLASS=QUEUE/ACL=(ID=[AGBELL],ACCESS=CONTROL) TELEPHONE_QUEUE
    $ SHOW SECURITY/CLASS=QUEUE TELEPHONE_QUEUE
    TELEPHONE_QUEUE object of class QUEUE 
         Owner: [INVENTORS,AGBELL] 
         Protection: (System: M, Owner: MD, Group: R, World: S) 
         Access Control List: 
              (IDENTIFIER=[CLASS,AGBELL],ACCESS=CONTROL)
    
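The following is an added example, not part of the manual: a Python check that reads the protection code and ACL entries from a SHOW QUEUE/FULL or SHOW SECURITY/CLASS=QUEUE display, then reports UIC-category access beyond the queue class default profile and ACL entries that grant MANAGE or CONTROL. The function names, the reporting policy, and the sample displays (constructed to mirror the examples above) are assumptions.

```python
import re

# Default UIC-based profile of the queue class, as stated in this section.
DEFAULT = {"S": {"M"}, "O": {"D"}, "G": {"R"}, "W": {"S"}}
# Assumed review policy (not from the manual): report ACL entries that grant
# these access types, because they reach every job or the security profile.
REPORTED_ACL_ACCESS = {"MANAGE", "CONTROL"}

PROT_RE = re.compile(r"PROTECTION\s*[=:]\s*\(([^)]*)\)", re.IGNORECASE)
ACE_RE = re.compile(r"\(IDENTIFIER=(\[[^\]]+\]|[^,\s)]+)\s*,\s*ACCESS=([A-Z+]+)\)")


def parse_protection(body):
    """Parse 'S:M,O:D,G:R,W:R', 'S,O,G,W' or 'System: M, Owner: MD, ...'.
    A category named without access letters grants no access."""
    prot = {cat: set() for cat in "SOGW"}
    for field in body.split(","):
        name, _, access = field.partition(":")
        cat = name.strip().upper()[:1]
        letters = set(access.strip().upper())
        if cat not in prot or not letters <= set("RSMD"):
            raise ValueError(f"unrecognized protection field: {field!r}")
        prot[cat] = letters
    return prot


def audit_queue(display):
    """Return findings for one queue's SHOW QUEUE/FULL or SHOW SECURITY display."""
    match = PROT_RE.search(display)
    if match is None:
        return [("error", "no protection code found", [])]
    findings = []
    prot = parse_protection(match.group(1))
    for cat in "SOGW":
        extra = sorted(prot[cat] - DEFAULT[cat])  # access beyond the class default
        if extra:
            findings.append(("uic", cat, extra))
    for identifier, access in ACE_RE.findall(display):
        reported = sorted(set(access.split("+")) & REPORTED_ACL_ACCESS)
        if reported:
            findings.append(("acl", identifier, reported))
    return findings


# Constructed sample displays, modelled on the examples in this section.
SHOW_QUEUE_FULL = """\
Batch queue SYS_QUE1, stopped
    /BASE_PRIORITY=4 /JOB_LIMIT=1 /OWNER=[1,4] /PROTECTION=(S,O,G,W)
          (IDENTIFIER=ULTRA_LITE,ACCESS=READ+SUBMIT+MANAGE+DELETE)
          (IDENTIFIER=MINUTES,ACCESS=READ+SUBMIT)
"""
SHOW_SECURITY = """\
TELEPHONE_QUEUE object of class QUEUE
     Owner: [INVENTORS,AGBELL]
     Protection: (System: M, Owner: MD, Group: R, World: S)
     Access Control List:
          (IDENTIFIER=[CLASS,AGBELL],ACCESS=CONTROL)
"""

if __name__ == "__main__":
    for sample in (SHOW_QUEUE_FULL, SHOW_SECURITY):
        for finding in audit_queue(sample):
            print(finding)
```

Each finding is a tuple of the source (`uic` or `acl`), the category or identifier, and the access that triggered it, so the output can be compared between runs to spot changes to a queue's security profile.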

13.6.1.5 Understanding How Privileges Affect Queues

Certain account privileges allow users to access a queue in spite of UIC-based and ACL-based protection. The following table lists these account privileges and the type of access they allow on a queue:
Privilege   Access
---------   ------
OPER        Manage and control access to all queues.
BYPASS      Manage and control access to all queues.
READALL     Read access to all jobs and to queue security information.
SYSPRV      The access specified for users with system UICs.
GRPPRV      The access specified for users with system or group UICs.

13.6.2 Using Job Retention Options

Job retention options allow users to retain a job in a queue after the job completes. System managers can use job retention options to keep information about all jobs in the queue after the jobs complete; this is helpful when tracking jobs submitted by other users.

13.6.2.1 Setting Job Retention

Users can set job retention, as can system managers. The following sections explain how each can perform this task.

User Commands

Users can request that a job be retained in a queue after the job completes by using the /RETAIN qualifier with the PRINT or SUBMIT command. For example:

    PRINT/RETAIN 
    SUBMIT/RETAIN 

System Manager Commands

By default, no job retention option is set on a queue. To specify a job retention option, use one of the following commands:

     INITIALIZE/QUEUE/RETAIN=option 
     START/QUEUE/RETAIN=option 
     SET QUEUE/RETAIN=option 

You can specify one of the following options:
Option   Description
------   -----------
ALL      Holds all jobs in the queue after execution (default).
ERROR    Holds jobs in the queue only if they complete unsuccessfully.

The following command specifies that the queue retain all jobs that complete with a status other than success:

$ SET QUEUE/RETAIN=ERROR BATCH_QUE

For example, if you need to know all batch jobs that do not complete successfully on a specific queue, set the queue to retain jobs that complete with an error status. You can then enter SHOW QUEUE to display a list of the jobs that completed unsuccessfully, including their completion status. The completion status message helps determine why a job failed. The display also includes the date and time at which a retained job completed.

The job retention option you specify on a queue overrides any job retention option requested by a user for a job in that queue. Figure 13-10 shows how job retention affects a job submitted to a generic queue.

Figure 13-10 Determining Job Retention



Whether and where a job is retained is determined by the following:

If jobs are retained in queues, periodically delete the jobs that no longer need to be retained.

13.6.2.2 Specifying Timed Job Retention

Users can specify timed job retention. For example:

$ SUBMIT/RETAIN=UNTIL=19-MAY-1996:07:31:0.0 MYFILE.DAT

This eliminates the need to delete retained jobs from queues. Encourage users who include the /RETAIN qualifier to also use timed retention.

13.6.2.3 Changing Job Retention

To change the user-specified retention policy for a job, use the /RETAIN=option qualifier with the SET ENTRY command in the following format:

SET ENTRY/RETAIN=option entry-number 

You can specify one of the following options:
Option              Description
------              -----------
ALWAYS              Holds the job in the queue regardless of the job's completion status.
DEFAULT             Holds the job in the queue as specified by the queue's retention option.
                    If no option has been set on the queue, the job is not retained.
ERROR               Holds the job in the queue only if the job completes unsuccessfully.
UNTIL=time-value    Holds the job in the queue for a specified length of time, regardless of
                    the job's completion status. This lets you retain the job in the queue only
                    as long as the job is needed and eliminates the need to delete the job from
                    the queue later. The time value you specify is interpreted first as a delta
                    time, then as a combination time, and finally as an absolute time. For
                    information about specifying time values, see the OpenVMS User's Manual.

For example, the following command retains job 172 in the queue until 3 hours after the job completes. At that time, the job will automatically be deleted from the queue.

$ SET ENTRY/RETAIN=UNTIL="+3:00" 172

To remove a job retention option from a queue, use the /NORETAIN qualifier with INITIALIZE/QUEUE, START/QUEUE, or SET QUEUE.

13.6.3 Specifying Queue Characteristics

A characteristic is any attribute of a print or batch job that is relevant to your environment. For example, characteristics for a printer could refer to the color of the ink, the type of paper, or the location of the printer. Once you define the characteristics for a queue, users can specify the characteristics they want to associate with their job when they enter the PRINT or SUBMIT command.

A print job can be processed on an execution queue if the job's characteristics are a subset of the queue's characteristics. However, if any of the characteristics associated with the job are not associated with the queue, the job remains pending until you correct the characteristic mismatch as explained in Section 13.8.2.2.

How to Perform This Task

To specify queue characteristics, perform the following steps:

  1. Create characteristics with DEFINE/CHARACTERISTIC.
  2. Assign characteristics to a queue.

Example

You manage three LN03 printers in each of the four corners of a building. A generic queue LN03$PRINT feeds execution queues for each printer. You can define the characteristics EAST, WEST, NORTH, and SOUTH.

When a user submits a print job to LN03$PRINT with the EAST characteristic, the job prints on the first idle LN03 printer in the eastern corner of the building. If the system has queues for printers on multiple floors, you can further define a characteristic for each floor, for example, FIRST, SECOND, and THIRD.

Commands for Specifying Queue Characteristic Options

Use the following commands when working with characteristics:
Command
    Description

DEFINE/CHARACTERISTIC
    Creates a characteristic and assigns a name and number.

DELETE/CHARACTERISTIC
    Deletes a characteristic.

SHOW QUEUE/CHARACTERISTICS
    Displays information about characteristics defined for the system.

INITIALIZE/QUEUE/CHARACTERISTICS
SET QUEUE/CHARACTERISTICS
START/QUEUE/CHARACTERISTICS
    Specifies one or more characteristics for processing jobs on a queue.

SHOW QUEUE/FULL
    Displays information about a queue, including any characteristics assigned to the queue.

PRINT/CHARACTERISTICS
SUBMIT/CHARACTERISTICS
SET ENTRY/CHARACTERISTICS
    Specifies the name or number of one or more characteristics to be associated with the job.

The following sections describe how to specify queue characteristics.

13.6.3.1 Defining Characteristics

No characteristics are defined by default. To define a characteristic, use the DEFINE/CHARACTERISTIC command in the following format:

DEFINE/CHARACTERISTIC characteristic-name characteristic-number 

You cannot assign more than one characteristic name to a number.

If your queue configuration requires more than one characteristic name for a single number, you can define logical names to achieve the same result.

In an OpenVMS Cluster environment, you must define the logical names on every node that requires them.


Note

If you want to define a characteristic name that is also an existing logical name, read the description of logical names in the OpenVMS User's Manual.

Example

In the following example, the characteristic name SECOND_FLOOR is assigned to characteristic number 2. The logical names SALES_FLOOR and SALES_DEPT are defined as equivalent to the characteristic name SECOND_FLOOR. As a result, the logical names SALES_FLOOR and SALES_DEPT are equivalent to the characteristic name SECOND_FLOOR and characteristic number 2. These logical names can be specified as the characteristic-name value for any /CHARACTERISTIC=characteristic-name qualifier.

$ DEFINE/CHARACTERISTIC SECOND_FLOOR 2
$ DEFINE/SYSTEM/EXECUTIVE_MODE SALES_FLOOR SECOND_FLOOR
$ DEFINE/SYSTEM/EXECUTIVE_MODE SALES_DEPT SECOND_FLOOR

13.6.3.2 Displaying Characteristics Defined on a System

To see the characteristics defined on a system, enter SHOW QUEUE/CHARACTERISTICS.

Example

$ SHOW QUEUE/CHARACTERISTICS
Characteristic name                  Number 
-------------------                  ------ 
EAST                                      1 
WEST                                      2 
NORTH                                     3 
SOUTH                                     4 

13.6.3.3 Assigning Characteristics to a Queue

No characteristics are assigned to a queue by default. To assign characteristics to a queue, include the /CHARACTERISTICS qualifier with INITIALIZE/QUEUE, START/QUEUE, or SET QUEUE.

Example

$ SET QUEUE/CHARACTERISTICS=(EAST) LN03_1

13.6.3.4 Displaying Characteristics Assigned to a Queue

To determine the characteristics defined for a queue, enter SHOW QUEUE/FULL.

Example

$ SHOW QUEUE/FULL LN03_1
Printer queue LN03_1, idle, on HERA::TTA3, mounted form DEFAULT 
  <Printer queue on node HERA for an LN03 printer> 
  /BASE_PRIORITY=4 /CHAR=(1) /DEFAULT=(FLAG=ONE,FORM=LN03$PORTRAIT 
  (stock=DEFAULT)) /LIBRARY=LN03LIBRARY Lowercase 
 /OWNER=[SYSTEM] /PROCESSOR=LATSYM /PROTECTION=(S:M,O:D,G:R,W:R) 
 /SEPARATE=(RESET=(ANSI$RESET)) 

13.6.3.5 Canceling Characteristics Assigned to a Queue

To cancel characteristics assigned to a queue, specify the /NOCHARACTERISTICS qualifier with INITIALIZE/QUEUE, START/QUEUE, or SET QUEUE.

13.6.3.6 Deleting Characteristics

To delete a characteristic definition, enter DELETE/CHARACTERISTIC. You must specify the characteristic-name with DELETE/CHARACTERISTIC.

If you know the number assigned to the characteristic but do not know the name, enter SHOW QUEUE/CHARACTERISTICS to display the names and numbers assigned to characteristics on the system.

If the system displays the following messages, a queue or job refers to the characteristic:

%DELETE-E-NOTDELETED, error deleting characteristic
-JBC-E-REFERENCED, existing references prevent deletion 

You must remove all references to the characteristic before you can delete the characteristic. For information about removing references to a characteristic, see Section 13.8.5.

13.6.4 Specifying Batch Processing Options

You can use queue options to control batch job performance and the use of system resources by processes executing batch jobs.

Use the following qualifiers with INITIALIZE/QUEUE, START/QUEUE, or SET QUEUE to set these queue options:
Qualifier                Description
---------                -----------
/JOB_LIMIT=n             Specifies the number of jobs that can execute concurrently in the queue.
/[NO]DISABLE_SWAPPING    Specifies whether the processes running jobs on the queue can be swapped
                         in and out of memory.
/CPUDEFAULT=time         Specifies the default CPU time limit for all jobs in the queue. The time
                         cannot exceed the time limit set with the /CPUMAXIMUM qualifier.
/CPUMAXIMUM=time         Specifies the maximum CPU time limit for all jobs in the queue.

Although the following qualifiers are not specific to batch queues, they are commonly used to control batch job performance and the use of system resources by batch processes:
Option              Description
------              -----------
/BASE_PRIORITY=n    Specifies the base process priority at which jobs are initiated from a batch queue.
/WSDEFAULT=n        Specifies the default working set size for jobs executed in a batch queue.
                    (For output queues, specifies the default working set size for symbiont processes.)
/WSEXTENT=n         Specifies the working set extent for jobs executed in a batch queue.
                    (For output queues, specifies the working set extent for symbiont processes.)
/WSQUOTA=n          Specifies the working set quota for jobs executed in a batch queue.
                    (For output queues, specifies the working set quota for symbiont processes.)

For more information about these limits, quotas, and priorities, see the following manuals:

By default, a process running a batch job uses values taken from the UAF record of the user submitting the job or from system parameter settings. If you specify values for any of these options, processes for jobs executed in the queue will use the values you set unless the user specifies values when the job is submitted. (A user can specify values for CPU time and for the working set options default, quota, and extent.)

A user-specified value cannot exceed the value you set for the queue. If you did not specify a value, the user-specified value cannot exceed the value specified in the associated UAF limit or system parameter.

The following sections provide guidelines for choosing values for these options:
Option                                    For More Information
------                                    --------------------
Base process priority                     Section 13.6.4.1
Job limit                                 Section 13.6.4.2
Working set default, quota, and extent    Section 13.6.4.3
CPU default and maximum                   Section 13.6.4.4
Swapping                                  Section 13.6.4.5
Options for memory-constrained systems    Section 13.6.4.6
Optimizing for the Sort/Merge utility     Section 13.6.4.7

13.6.4.1 Base Process Priority

Choose a value based on how quickly you will allow batch jobs to progress. If you choose a value equal to the system parameter value DEFPRI (typically 4), jobs in this queue will progress at the same rate as typical interactive jobs. This choice might be appropriate for systems that have an abundance of available CPU time.



  6017P040.HTM
  OSSG Documentation
  22-NOV-1996 14:22:14.72

Copyright © Digital Equipment Corporation 1996. All Rights Reserved.
