Generic Profiles

Your ESM should include a generic profile query function that allows the SFS server to determine whether:
  • All files or external objects in a directory are protected by the ESM.
  • All subdirectories within a directory are protected by the ESM.

A generic profile defines a group of objects that are treated as a unit by an ESM when it protects and grants authorization to resources. For example, the ESM can give users authorized for a group of objects authorization for objects that are added to the group. If an ESM defines a group as all the files in the VMSYSU:USERX directory, then users authorized for that group (the directory) are authorized for any file added to VMSYSU:USERX.

SFS file pool servers use the generic profile query when they do operations like the CMS RELOCATE command, which moves an object, such as a directory subtree, to another directory. The server first checks whether there is a generic profile for the source directory; if there is, all subdirectories of that directory are protected. Next, the server checks whether there is a generic profile for the target directory. If there is a generic profile for the source, but not for the target, there may be a security exposure if the subtree is relocated, so the server rejects the request. (The server does a separate check for write authority to the target directory.)

The SFS server uses a generic profile query when it processes a request to erase a directory with the FILES option, to ensure that a user authorized to erase the directory is also authorized to erase every file in the directory. If a generic profile does not cover all the files in the directory, the server rejects the request, to avoid the security exposure.

The SFS server also uses a generic profile query to make the ACCESS command more efficient. When a user accesses a directory, the SFS server checks whether a generic profile covers the directory. If it does, the SFS server knows all objects within it are protected. Otherwise, the SFS server would have to call the ESM for each file, external object, or directory to determine whether the object was protected.
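The three decisions above (RELOCATE, ERASE with FILES, and ACCESS) modelled in Python, as an added illustration and not IBM's SFS or ESM code; the `EsmModel` class, its directory-naming convention (`VMSYSU:USERX.SUB`) and the function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class EsmModel:
    """Toy ESM (an assumption for illustration): `generic_profiles` holds the
    directories whose generic profile covers every file, external object and
    subdirectory beneath them, e.g. {"VMSYSU:USERX"}."""
    generic_profiles: set = field(default_factory=set)

    def generic_profile_query(self, directory: str) -> bool:
        """Answer the SFS server's query: is everything in `directory` protected?"""
        directory = directory.rstrip(".")
        return any(directory == p or directory.startswith(p + ".")
                   for p in self.generic_profiles)

def relocate_allowed(esm: EsmModel, source_dir: str, target_dir: str):
    """RELOCATE of a subtree: reject when the source is covered by a generic
    profile but the target is not, because the moved objects would lose their
    protection. (Write authority on the target is a separate check.)"""
    source_covered = esm.generic_profile_query(source_dir)
    target_covered = esm.generic_profile_query(target_dir)
    if source_covered and not target_covered:
        return False, "source subtree is protected by a generic profile, target is not"
    return True, "no generic-profile exposure"

def erase_files_allowed(esm: EsmModel, directory: str) -> bool:
    """ERASE with the FILES option: proceed only when a generic profile covers
    every file in the directory, so that erase authority on the directory
    implies erase authority on each file."""
    return esm.generic_profile_query(directory)

def objects_needing_individual_check(esm: EsmModel, directory: str, objects: list) -> list:
    """ACCESS: if a generic profile covers the directory no per-object ESM call
    is needed; otherwise every file, external object and subdirectory is checked."""
    if esm.generic_profile_query(directory):
        return []
    return list(objects)

if __name__ == "__main__":
    esm = EsmModel(generic_profiles={"VMSYSU:USERX"})   # constructed sample
    print(relocate_allowed(esm, "VMSYSU:USERX.PROJ", "VMSYSU:USERY"))
    print(erase_files_allowed(esm, "VMSYSU:USERX.PROJ"))
    print(objects_needing_individual_check(esm, "VMSYSU:USERY", ["A DATA", "B DATA"]))
```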