%META:TOPICINFO{author="ChrisBartram" date="1170458305" format="1.1" version="1.1"}% %META:TOPICPARENT{name="Hp3000Security"}% ---+ HP3000 Accounting Structure The HP3000 uses a hierarchical file system (HFS), which at its low level is POSIX compliant (complete with a "/" root directory), but also has a "native" MPE filesystem superimposed on this structure. The full HFS structure was only added with the MPE/iX operating system releases; before that all that existed was the basic "native" MPE account structure. This native file system consists of (multiple) "accounts" at the root level; each account contained "groups" (directories for holding files) as well as "users". Users were assigned a "home" group, but could see and move around among the other groups within their home account. The same username could exist in more than one account, but they would not be related; user1.account1 had no relation to user1.account2 - they could have separate passwords, capabilities, and other attributes. Likewise the same group name could exist in more than one account, but would have no relation to one another. Each account was very much like it's own unique Unix system in that regard. Groups could not contain other groups; only files. Note that while there is no set limit on how MANY files can be contained in a group, there are system table limits which can impact the limit - and issues resulting from too many files in a group. See [[Hp3000GroupFileLimitIssues]] Accounts had capabilities (many more than Unix systems), and users within an account could also be assigned capabilities up to the maximum level of access the account had. Account Capabilities: * [[Hp3000SystemManagerCapability][System Manager (SM)]] * [[Hp3000AccountManagerCapability][Account Manager (AM)]] * [[Hp3000OperatorCapability][Operator (OP)]] * [[Hp3000AccountLibrarianCapability][Account Librarian (AL)]] * Group Librarian (GL) * Diagnostician (DI) * Create Volumes (CV) * Use Volumes (UV) * Logging (LG) * (PS) * (NA) * (NM) * (CS) * Non Sharable Devices (ND) * Save Files (SF) * Batch Access (BA) * Interactive Access (IA) * Privileged Mode (PM) * Multiple Rins (MR) * Data Segments (DS) * Process Handling (PH) Groups could also be assigned capabilities (and filespace and connect time limits) up to the limit of the account they resided in. Files are also assigned capabilities, as well as many specialized tags relating to the file and its contents. Items such as the file type, date last accessed, date last modified, date created, username that created the file, number of records in the file, size of each record, plus a security matrix which defines what other users can read, write, append, lock, or execute the file. -- Main.ChrisBartram - 02 Feb 2007