QM uses the underlying operating system to manage processes, files, devices, etc. Therefore, all issues of access permissions ultimately lie with the operating system. This section gives some guidance on setting permissions within a QM system but individual application needs should be taken into account.
The QMSYS Account
The only users who should be working in the QMSYS account are system administrators. It is reasonable that these people should have write access to QMSYS. No other user ever needs to create a new item in the QMSYS directory itself. Therefore the directory can be protected so that only administrators can write to it.
System administrators need write access to all items in the QMSYS account. The following table sets out the additional access rights needed for other users.
1.Write access to $MAP is only needed by users who execute the MAP command to create a catalogue map with the default destination file name.
2.Any user who is to be allowed to create new accounts will need write access to this file. Restricting write access on this file closes a potential security risk by preventing users creating synonyms to existing accounts that might subvert application level security mechanisms.
3.If error logging is enabled (see the ERRLOG configuration parameter), all users need full access to the optional errlog file. Any user that does not have write access will not log errors.
4.This file contains standard Pick style messages. Although rare, some applications may write to this file.
5.It is possible to restrict access to individual items in the gcat subdirectory. Users need read access (not execute access) to run a compiled QMBasic program.
In general, users should have free access to all files. Taking write access away on the VOC can be used to prevent users modifying its content but beware that some applications modify the VOC as part of their normal operation.