Saturday, March 19, 2016

Additional security considerations for FUP

General:  Background

You need both read and write access to a file in order to issue an ALTER command against it.  To rename a file, you also need purge access if you are not the super ID.

The FUP INFO command can be used to identify all Guardian files that have LICENSED, PROGID, CLEARONPURGE and/or TRUST set.  It also can display the underlying Guardian security of a file protected by Safeguard at the individual file level.

FUP is used to license SQL/MP object program files.  They cannot be licensed through SQLCI. For SQL/MP files, GIVE applies only to object files.  You must use SQLCI to give away ownership of other SQL/MP files. 

Similarly, PURGE and PURGEDATA apply only to object files and SQLCI must be used for other objects. FUP can display information about OSS files (including their security vectors and whether they are protected by OSS ACLs), SQL/MP object program files and SQL/MX files, but cannot manipulate them in any way.

Non-Safeguard-protected files:  Background

You can preserve the source file’s owner ID and Guardian security vector in the copied file if you use SAVEID or SAVEALL with FUP DUP.  The LICENSE attribute is preserved only if the PAID of the current FUP is SUPER.SUPER and the target file resides on the node where FUP is running.  The same rules apply to PROGID, except that it also is preserved if the PAID of the current FUP is the file owner.  CLEARONPURGE is transferred unconditionally.

You need to be either the owner or SUPER.SUPER to GIVE ownership of a file.  If you are not SUPER.SUPER, you also need purge access to the file.  GIVE clears PROGID.  After the GIVE you need to use SECURE to set it again; the usual rules apply.

You can use REVOKE to reset CLEARONPURGE and PROGID if you are either the file owner or SUPER.SUPER.  You must be SUPER.SUPER to revoke a file’s LICENSE attribute.

Safeguard-protected files:  Background

You need create access to the destination volume and subvolume as well as read access to the input file in order to duplicate a Safeguard-protected file.

Caution:  If you use DUP with the PURGE option but do not have create access to the target file, the original file at the target location is purged but the new version is not created.

Caution:  A file’s Safeguard protection is not automatically inherited by the target file.  It will inherit any applicable volume-level and subvolume-level ACLs on the target volume, and will not be Safeguard-protected if none apply.  You will need to use SAFECOM to restore or set Safeguard protection for the new file.

As with non-Safeguard-protected files, for FUP DUP both SAVEID and SAVEALL transfer the source file’s owner and corresponding security to the target file.
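The two background sections above give the rules for what a FUP DUP carries over to the copy.  The following Python model, added here as an illustration and not part of the original post or of FUP itself, encodes those rules as a pre-flight check so an administrator can see in advance which attributes and protections a planned DUP would drop.  It assumes the LICENSE and PROGID rules apply only when SAVEID or SAVEALL is requested (the text states them in that context), uses "XXXX" as a placeholder for the caller's default security vector, and takes as a parameter whether a volume- or subvolume-level Safeguard ACL covers the target location.

```python
from dataclasses import dataclass

SUPER_SUPER = "255,255"  # SUPER.SUPER as a Guardian group,user pair


@dataclass(frozen=True)
class GuardianFile:
    """Ownership and attribute bits of a Guardian disk file (constructed sample data)."""
    owner: str                  # "group,user"
    security: str               # RWEP vector, e.g. "NUNU"
    licensed: bool = False
    progid: bool = False
    clearonpurge: bool = False
    safeguard_protected: bool = False


def predict_dup(src, paid, save_attrs, target_local, target_acl_applies):
    """Predict the copy a FUP DUP produces and list what the copy loses.

    paid               -- process accessor ID of the FUP issuing the DUP
    save_attrs         -- True when SAVEID or SAVEALL is given
    target_local       -- True when the target is on the node running FUP
    target_acl_applies -- True when a volume/subvolume Safeguard ACL covers the
                          target location (assumption: supplied by the caller)
    """
    is_super = paid == SUPER_SUPER
    # Owner and security vector follow the source only with SAVEID/SAVEALL;
    # otherwise the copy belongs to the PAID with the default vector (placeholder).
    owner = src.owner if save_attrs else paid
    security = src.security if save_attrs else "XXXX"
    # LICENSE survives only for SUPER.SUPER duplicating onto the local node.
    licensed = bool(src.licensed and save_attrs and is_super and target_local)
    # PROGID follows the same rule and also survives when the PAID owns the file.
    progid = bool(src.progid and save_attrs
                  and ((is_super and target_local) or paid == src.owner))
    # CLEARONPURGE is transferred unconditionally.
    clearonpurge = src.clearonpurge
    # Safeguard protection is never inherited; only target-side ACLs apply.
    safeguard = target_acl_applies
    warnings = []
    if src.licensed and not licensed:
        warnings.append("LICENSE dropped on copy")
    if src.progid and not progid:
        warnings.append("PROGID dropped on copy")
    if src.safeguard_protected and not safeguard:
        warnings.append("copy is not Safeguard-protected; set protection with SAFECOM")
    return GuardianFile(owner, security, licensed, progid, clearonpurge, safeguard), warnings


if __name__ == "__main__":
    # Constructed sample: a licensed PROGID object owned by 100,1, duplicated to a
    # remote node by SUPER.SUPER with SAVEALL, landing where no Safeguard ACL applies.
    obj = GuardianFile("100,1", "NUNU", True, True, True, True)
    print(predict_dup(obj, SUPER_SUPER, True, target_local=False, target_acl_applies=False))
```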

General:  Best practices

You can set the NOPURGEUNTIL attribute to prevent a file from being purged before a specified date and time.

You can use FUP INFO to identify all of the Guardian files owned by a specific user. You can find out what processes and associated users have an Enscribe or SQL/MX file open by using the LISTOPENS command.

Caution:  PURGEDATA does not physically purge the file contents; it simply resets the end of file to zero.  This applies whether or not the file (or system) has CLEARONPURGE set.  PURGE access allows deletion of both a file and its contents, but you can effectively purge the contents of a file without PURGE access through a combination of PURGEDATA and DEALLOCATE.

Caution:  When a file with CLEARONPURGE set is purged, the disk process rewrites the contents with zeros up to the end of the last allocated extent.  The disk process has some built-in pacing for the writes, but this activity still has the potential to negatively affect application and system performance.
