HP OpenVMS Systems Documentation
OpenVMS System Management Utilities Reference Manual
When you add a new account, specify values for fields that you want to be different. Typically, changing the default values for limits1, priority, privileges, or the command interpreter is not necessary. As a result, you enter only the password, UIC, directory, owner, account, and device.
When you add a record to the UAF, create a directory for the new user. Specify the device name, directory name, and UIC in the UAF record. The following DCL command creates a directory for user ROBIN:
UAF> ADD ROBIN /PASSWORD=SP0152/UIC=[014,006] - _/DEVICE=SYS$USER/DIRECTORY=[ROBIN]/OWNER="JOSEPH ROBIN" /ACCOUNT=INV %UAF-I-ADDMSG, user record successfully added %UAF-I-RDBADDMSGU, identifier ROBIN value: [000014,000006] added to RIGHTSLIST.DAT %UAF-I-RDBADDMSGU, identifier INV value: [000014,177777] added to RIGHTSLIST.DAT
This example illustrates the typical ADD command and qualifiers. The resulting record from this command appears in the description of the SHOW command.
UAF> ADD WELCH /PASSWORD=SP0158/UIC=[014,051] - _/DEVICE=SYS$USER/DIRECTORY=[WELCH]/OWNER="ROB WELCH"/FLAGS=DISUSER - _/ACCOUNT=INV/LGICMD=SECUREIN %UAF-I-ADDMSG, user record successfully added %UAF-I-RDBADDMSGU, identifier WELCH value: [000014,000051] added to RIGHTSLIST.DAT UAF> MODIFY WELCH/FLAGS=(RESTRICTED,DISNEWMAIL,DISWELCOME,NODISUSER,EXTAUTH)- _/NODIALUP=SECONDARY/NONETWORK=PRIMARY/CLITABLES=DCLTABLES - _/NOACCESS=(PRIMARY, 9-16, SECONDARY, 18-8) %UAF-I-MDFYMSG, user records updated
The commands in this example add a record for a restricted account. Because of the number of qualifiers required, a MODIFY command is used in conjunction with the ADD command. This helps to minimize the possibility of typing errors.
In the ADD command line, setting the DISUSER flag prevents the user from logging in until all the account parameters are set up. In the MODIFY command line, the DISUSER flag is disabled (by specifying NODISUSER) to allow access to the account. The EXTAUTH flag causes the system to consider the user as authenticated by an external user name and password, not by the SYSUAF user name and password.
The record that results from these commands and an explanation of the restrictions the record imposes appear in the description of the SHOW command.
1 Note that limits are also set by system parameters. To be effective, the limits you set through AUTHORIZE must be within the minimum limits determined by the corresponding system parameters (particularly those beginning with the PQL prefix).
Adds only an identifier to the rights database. It does not add a user account.
id-nameSpecifies the name of the identifier to be added to the rights database. If you omit the name, you must specify the /USER qualifier. The identifier name is a string of 1 to 31 alphanumeric characters. The name can contain underscores and dollar signs. It must contain at least one nonnumeric character.
/ATTRIBUTES=(keyword[,...])Specifies attributes to be associated with the new identifier. The following keywords are valid:
DYNAMIC Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST. HOLDER_HIDDEN Prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves. NAME_HIDDEN Allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the identifier. NOACCESS Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the Resource or Subsystem attribute. RESOURCE Allows holders of an identifier to charge disk space to the identifier. Used only for file objects. SUBSYSTEM Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.
By default, none of these attributes is associated with the new identifier.
/USER=user-specScans the UAF record for the specified user and creates the corresponding identifier. Specify user-spec by user name or UIC. You can use the asterisk wildcard to specify multiple user names or UICs. Full use of the asterisk and percent wildcards is permitted for user names; UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard user name specification (*) creates identifiers alphabetically by user name; a wildcard UIC specification ([*,*]) creates them in numerical order by UIC.
/VALUE=value-specifierSpecifies the value to be attached to the identifier. The following formats are valid for the value-specifier:
IDENTIFIER:n An integer value in the range of 65,536 to 268,435,455. You can also specify the value in hexadecimal (precede the value with %X) or octal (precede the value with %O).
The system displays this type of identifier in hexadecimal. To differentiate general identifiers from UIC identifiers, the system adds %X80000000 to the value you specify.
UIC:uic A UIC value in standard UIC format consists of a member name and, optionally, a group name enclosed in brackets. For example, [360,031].
In numeric UICs, the group number is an octal number in the range of 1 to 37776; the member number is an octal number in the range of 0 to 177776. You can omit leading zeros when you are specifying group and member numbers.
Regardless of the UIC format you use, the system translates a UIC to a 32-bit numeric value.
Alphanumeric UICs are not allowed.
Typically, system managers add identifiers as UIC values to represent system users; the system applies identifiers in integer format to system resources.
UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY %UAF-I-RDBADDMSGU, identifier INVENTORY value: [000300,000011] added to RIGHTSLIST.DAT
The command in this example adds an identifier named INVENTORY to the rights database. By default, the identifier is not marked as a resource.
UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) - _/VALUE=IDENTIFIER:%X80011 PAYROLL %UAF-I-RDBADDMSGU, identifier PAYROLL value: %X80080011 added to RIGHTSLIST.DAT
This command adds the identifier PAYROLL and marks it as a resource. To differentiate identifiers with integer values from identifiers with UIC values, %X80000000 is added to the specified code.
Adds an entry to the network proxy authorization files, NETPROXY.DAT and NET$PROXY.DAT, and signals DECnet to update its volatile database. Proxy additions take effect immediately on all nodes in a cluster that share the proxy database.
ADD/PROXY node::remote-user local-user[,...]
nodeSpecifies a DECnet node name. If you provide a wildcard character (*), the specified remote user on all nodes is served by the account defined as local-user.
remote-userSpecifies the user name of a user at a remote node. If you specify an asterisk, all users at the specified node are served by the local user.
For systems that are not OpenVMS and that implement DECnet, specifies the UIC of a user at a remote node. You can specify a wildcard character (*) in the group and member fields of the UIC.
local-userSpecifies the user names of 1 to 16 users on the local node. If you specify an asterisk, a local-user name equal to remote-user name will be used.
/DEFAULTEstablishes the specified user name as the default proxy account. The remote user can request proxy access to an authorized account other than the default proxy account by specifying the name of the proxy account in the access control string of the network operation.
The ADD/PROXY command adds an entry to the network proxy authorization files, NETPROXY.DAT and NET$PROXY.DAT, and signals DECnet to update its volatile database. Proxy additions take effect immediately on all nodes in a cluster that share the proxy database.
You can grant a remote user access to one default proxy account and up to 15 other local accounts. To access proxy accounts other than the default proxy account, remote users specify the requested account name in an access control string. To change the default proxy account, use the AUTHORIZE command MODIFY/PROXY.
Proxy login is an effective way to avoid specifying (and, possibly, revealing) passwords in command lines. However, you must use caution in granting access to remote users. While logged in to the local system, remote users can apply the full DCL command set (with the exception of SET HOST). A remote user receives the default privileges of the local user and, therefore, becomes the owner of the local user's files when executing any DCL commands.
To avoid potential security compromises, Compaq recommends that you create proxy accounts on the local node that are less privileged than a user's normal account on the remote node. By adding an extension such as _N, you can identify the account as belonging to a remote user, while distinguishing it from a native account with the same name on the local node. For example, the following command creates a JONES_N proxy account on the local node that allows the user JONES to access the account from the remote node SAMPLE:
UAF> ADD/PROXY SAMPLE::JONES JONES_N/DEFAULT %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
For more information about creating proxy accounts, refer to the OpenVMS Guide to System Security.
UAF> ADD/PROXY SAMPLE::WALTER ROBIN/DEFAULT %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
Specifies that user WALTER on remote node SAMPLE has proxy access to user ROBIN's account on local node AXEL. Through proxy login, WALTER receives the default privileges of user ROBIN when he accesses node AXEL remotely.
UAF> ADD/PROXY MISHA::* MARCO/DEFAULT, OSCAR %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
Specifies that any user on the remote node MISHA can, by default, use the MARCO account on the local node for DECnet tasks such as remote file access. Remote users can also access the OSCAR proxy account by specifying the user name OSCAR in the access control string.
UAF> ADD/PROXY MISHA::MARCO */DEFAULT %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
Specifies that user MARCO on the remote node MISHA can use only the MARCO account on the local node for remote file access.
UAF> ADD/PROXY TAO::MARTIN MARTIN/D,SALES_READER %UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to MARTIN added %UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to SALES_READER added
Adds a proxy from TAO::MARTIN to the local accounts MARTIN (the default) and SALES_READER on a system running DECnet-Plus.
Creates a new SYSUAF record that duplicates an existing UAF record.
COPY oldusername newusername
oldusernameName of an existing user record to serve as a template for the new record.
newusernameName for the new user record. The user name is a string of 1 to 12 alphanumeric characters.
All the qualifiers listed under the ADD command apply to the COPY command.
The COPY command creates a new SYSUAF record that duplicates an existing SYSUAF record. The command requires the /PASSWORD qualifier. If you do not specify additional qualifiers to the COPY command, the fields in the record you create are the same as those in the record being copied.
For example, you could add a record for a new user named Thomas Sparrow that is identical to that of Joseph Robin (but presumably different from the default record), as follows:
UAF> COPY ROBIN SPARROW /PASSWORD=SP0152
However, to add a record for Thomas Sparrow that differs from Joseph Robin's in the UIC, directory name, password, and owner, specify the following command:
UAF> COPY ROBIN SPARROW /UIC=[200,13]/DIRECTORY=[SPARROW] - _/PASSWORD=THOMAS/OWNER="THOMAS SPARROW"
You can also use the COPY command to create a set of template records to meet the specific needs of various user groups. For example, if you have programmers, administrators, and data entry personnel working on the same system, you can create records such as PROGRAMMER, ADMINISTRATOR, and DATA_ENTRY, each tailored to the needs of a particular group. To add an account for a new user in one of these groups, copy the appropriate template record and specify a new user name, password, UIC, directory, and owner.
If you omit the /PASSWORD qualifier when you create an account, AUTHORIZE displays the following error message:
%UAF-W-DEFPWD, copied or renamed records must receive new password
To specify a password for the account, use the MODIFY command with the /PASSWORD qualifier.
UAF> COPY ROBIN SPARROW /PASSWORD=SP0152 %UAF-I-COPMSG, user record copied %UAF-E-RDBADDERRU, unable to add SPARROW value: [000014,00006] to RIGHTSLIST.DAT -SYSTEM-F-DUPIDENT, duplicate identifier
The command in this example adds a record for Thomas Sparrow that is identical, except for the password, to that of Joseph Robin. Note that because the UIC value has no change, no identifier is added to RIGHTSLIST.DAT. AUTHORIZE issues a "duplicate identifier" error message.
UAF> COPY ROBIN SPARROW /UIC=[200,13]/DIRECTORY=[SPARROW] - _/PASSWORD=THOMAS/OWNER="THOMAS SPARROW" %UAF-I-COPMSG, user record copied %UAF-I-RDBADDMSGU, identifier SPARROW value: [000200,000013] added to RIGHTSLIST.DAT
The command in this example adds a record for Thomas Sparrow that is the same as Joseph Robin's except for the UIC, directory name, password, and owner. Note that you could use a similar command to copy a template record when adding a record for a new user in a particular user group.
Creates and initializes the network proxy authorization files. The primary network proxy authorization file is NET$PROXY.DAT. The file NETPROXY.DAT is maintained for compatibility.
Do not delete NETPROXY.DAT because DECnet Phase IV and many layered products still use it.
NETPROXY.DAT is created with no records and is assigned the following protection:
NET$PROXY.DAT is created with no records and is assigned the following protection:
If NETPROXY.DAT or NET$PROXY.DAT already exist, AUTHORIZE reports the following error message:
%UAF-W-NAFAEX, NETPROXY.DAT already exists
To create a new file, you must either delete or rename the old one.
UAF> CREATE/PROXY UAF>
The command in this example creates and initializes the network proxy authorization file.
Creates and initializes the rights database, RIGHTSLIST.DAT.
RIGHTSLIST.DAT is created with no records and is assigned the following protection:
Note that the file is created only if the file does not already exist.
UAF> CREATE/RIGHTS %UAF-E-RDBCREERR, unable to create RIGHTSLIST.DAT -RMS-E-FEX, file already exists, not superseded
You can use the command in this example to create and initialize a new rights database. Note, however, that RIGHTSLIST.DAT is created automatically during the installation process. Thus, you must delete or rename the existing file before creating a new one. For more information about rights database management, refer to the OpenVMS Guide to System Security.
Modifies the SYSUAF's DEFAULT record.
See the qualifiers listed under the ADD command.
Modify the DEFAULT record when qualifiers normally assigned to a new user differ from the Compaq-supplied values. The following qualifiers correspond to fields in the default record that are commonly modified:
Qualifier Reason for Modification /CLI If the command interpreter is MCR. /DEVICE If most users have the same default device. /LGICMD When automation of initial housekeeping chores at login time is desired through a specific login command file. The system automates the execution of login command file in the following way:
- First the system checks whether the logical name SYS$SYLOGIN has been defined. If it has, the name is translated (in most cases to SYLOGIN.COM), and the named command file is executed. (This command file can call other login command files.)
- When it completes, the system makes another check:
- If the user's LGICMD field in the UAF specifies a command file, that file is executed.
- If LGICMD is blank, the user's file LOGIN.COM is executed automatically if the command interpreter is DCL. (In this case, all users must name their login command files LOGIN.COM.)
- If the command interpreter is MCR, the user's file LOGIN.CMD is executed automatically.
Thus, the login protocol generally consists of a systemwide login command file followed by a user-specific login command file.
/PRIVILEGES When users are given different privileges than those supplied by Compaq. Quota qualifiers When the default quotas are insufficient or inappropriate for mainstream work.
UAF> DEFAULT /DEVICE=SYS$USER/LGICMD=SYS$MANAGER:SECURELGN - _UAF> /PRIVILEGES=(TMPMBX,GRPNAM,GROUP) %UAF-I-MDFYMSG, user record(s) updated
The command in this example modifies the DEFAULT record, changing the default device, default login command file, and default privileges.