John Bardessono writes: >After loading MPE/ix 5.0, I signed on as a normal user (ie with >capabilities of ia, ba, ns, sf) and tried some new commands CHDIR. > >Now any user can change from there default logon group and account to >any group and account on the system! I'll most liking lock this down >with a UDC but, what is your opinion of this. > >I prefer to keep users in there logon group/account and would prefer >to beable to ad some ACD (access control definintions) to our normal >MPE groups/accounts. It's a very common misunderstanding to associate your Current Working Directory (CWD) with your logon group, since in the past your logon group doubled as both the CWD and the logon group. The logon group is instrumental in determining what access you have to files (determining whether or not you belong to the group user (GU) class). It also is the location that your CPU and connect time account to when you log off. The CWD is a naming shortcut. It allows you to say FOO instead of FOO.GROUP.ACCOUNT. It has no bearing on security or access to a file, or the ability to create or purge a file. >From your message, it appears that you believe that allowing a user to place their CWD (via the :CHDIR command) to another group or account provides some type of additional access to the files there. Let me assure you that that is not the case! Placing your CWD into PUB.SYS (or /SYS/PUB - whichever way you prefer) makes no difference in the access that you have to files in that location. You cannot create files, purge files, read, write, or do anything else, unless you already had the ability to do that (i.e. you had SM capability). All it lets you do is say :PRINT CATALOG, rather than :PRINT CATALOG.PUB.SYS. The thing that makes this confusing is the :CHGROUP command. :CHGROUP makes it hard to see the difference between the logon group and the CWD. Whenever you do a :CHGROUP, it actually logs you off and then back on, very quickly. Check the CPU and connect times of the old group (via the :REPORT command) just after you do a :CHGROUP and you'll see that they were updated with the amount of time you spent in that group before you "moved" over to your new group. The :CHDIR command makes the difference between the CWD and logon group obvious by allowing you to shortcut your naming independently of changing your logon group. Of course, the logon group must stay within your logon account, and so the :CHGROUP command will (still) not allow you to move your logon group outside that realm. By the way, the :CHGROUP command still changes both the CWD and the logon group, so that if they were pointing to different locations before a :CHGROUP, afterwards they'd both be pointing to the same group. Another interesting thing that you noted was that you'd like to be able to place ACDs on groups and accounts. We've kicked this idea around for a long time and really like the idea. It'd allow things like "hiding" groups and accounts from curious people doing :LISTFs. The way that you could help us get to do this would be to work through SIGMPE to get this enhancement voted in. IPROF is just wrapping up now, but Interex in Toronto will be coming up! I hope I've cleared things up and not made them more confusing! Craig