HP OpenVMS Systems

Content starts here

HP Advanced Server for OpenVMS
Concepts and Planning Guide

Previous Contents Index

3.10 Auditing User Actions

You can monitor the activities of users by auditing their actions and resources on your server. Auditing an action or resource causes an entry to be written to the security event log whenever that activity is performed or a resource is accessed. This helps to ensure that users are accountable for their actions.

Auditing in the Advanced Server is configured on the domain level. Every server in a domain is covered by the domain's audit policy.

You can specify that an audit entry is written to the security event log when certain actions are performed or files are accessed. An audit entry shows the action, the user, and the date and time of the action. Both successful and failed logon attempts can be audited. The audit trail shows who performed which actions on a network, and who tried to perform actions that are not permitted.

Table 3-3 lists the categories of events that you can choose to audit and which events are covered by each category. For each of the categories listed, you can choose whether to audit only successful actions in that category, failed attempts to perform actions in that category, both, or neither.

Table 3-3 Event Audit Categories
Category Events
Logon and Logoff Logon attempts, logoff attempts, and the creating and breaking of network connections to servers.
Object Access Accesses of a directory or a file that is set for auditing in File Manager; uses of a printer managed by the computer.
Privilege Use Successful uses of user or group rights, and failed attempts to use rights not assigned to users or groups.
Account Management Creation, deletion, and modification of user and group accounts.
Security Policy Changes Granting or revoking user rights to users and groups; changing the Audit policy; establishing and breaking trust relationships with other domains.
Restart 1, Shutdown 1, and System Shutdowns and restarts of the computer, the filling up of the audit log, and the discarding of audit entries if the audit log is already full.
Process Tracking 1 Starts and stops of processes on the computer.

1Applies only to the Windows NT Server.

Using ADMINISTER commands, you specify which types of security events are audited; designate which files are audited and how; set the size of the event log files; and save or clear the event logs when they become full.

Table 3-4 shows the types of directory and file accesses you can audit.

Table 3-4 Auditing Directories and Files
Directory access File access
Displaying names of files in the directory Displaying the file's data
Displaying directory attributes Displaying file attributes
Changing directory attributes Displaying the file's owner and permissions
Creating subdirectories and files Changing the file
Going to the directory's subdirectories Changing file attributes
Displaying the directory's owner and permissions Running the file
Deleting the directory Deleting the file
Changing directory permissions Changing the file's permissions
Changing directory ownership Changing the file's ownership

For more information, see your Server Administrator's Guide.

Chapter 4

By organizing users into domains and setting up trust relationships, you can manage and track the actions of users while allowing them access to the resources they need.

In addition, you can arrange users into groups. Using groups makes it easier and faster to grant multiple users access to resources. You perform only one task to grant rights or permissions to a group; those rights and permissions are then active for all current and future group members.

Another advantage to using groups is evident when a new user joins the network. For example, a new accountant is hired and a group called Accountants has permissions to all of the network resources needed by accountants. Adding the new user to the Accountants group gives the new accountant all of the permissions that are needed.


Advanced Server groups do not map in any way to OpenVMS groups.

This chapter describes the types of groups and identifies some strategies you can use to make your network simpler to administer and easier to maintain.

4.1 What Is a Group?

A group is an account containing other accounts called members. The permissions granted to a group are also granted to its members. Groups are a convenient means of granting common access and user rights to collections of user accounts.

You can use the ADMINISTER commands to create and manage user and group accounts, to grant permissions for files and directories to users and groups, and to give users and groups access to printers.

On Advanced Servers, rights are granted and restricted on the domain level; if a group has a right within a domain, its members have the right on all servers in the domain (but not on Windows NT workstation computers participating in the domain).

4.2 Types of Groups

You can group users who have similar jobs or resource needs into the following types of groups:

  • Global group --- A group that can be used in its own domain, on servers and workstations of the domain, and in trusting domains. In all of these instances, global groups can be granted rights and permissions and can become members of local groups. However, global groups can contain only user accounts from their own domains. A global group provides a way to create a set of users from inside the domain that can be used both in and out of the domain.
  • Local group --- A group that can be granted permissions and rights only for the servers of its own domain. However, it can contain user accounts and global groups both from its own domain and from trusted domains. Local groups provide a way to create sets of users from both inside and outside the domain that can be used only on servers of the domain.

Table 4-1 shows the contents of both local and global groups.

Table 4-1 Contents of Local and Global Groups
A global group contains . . . A local group contains . . .
Name (up to 20 characters) Name (up to 20 characters)
Description Description
Members' user names Members' user names or global group names; names of users and global groups from trusted domains

4.3 Global Groups

A global group is a collection of user accounts from one domain that are assembled under a single group name. A global group can contain user accounts from only one domain --- the domain in which the global group was created. After a global group is created, it is available globally; that is, it can be granted permissions and rights in its own domain as well as in any domain that trusts that domain. A global group can contain only user accounts; it cannot contain other global groups or local groups.

Figure 4-1 shows the global group Accounting, which can contain only users from the Finance domain, but which can appear in permissions lists in any domain that trusts Finance. In this example, the Accounting group can be granted permissions in the Sales domain. Likewise, the global group Planners can contain users only from the Sales domain, but the Planners group can appear in permissions lists in the Production domain.

Figure 4-1 Understanding Global Groups

4.4 Local Groups

A local group is a collection of users and global groups from one or more domains that have been assembled under a single group name. Although a local group in a domain can contain users and global groups from that domain and any domain trusted by that domain, you can grant rights and permissions to a local group only for resources located in the domain in which the local group is defined.

Local groups also can be used to classify users and give them predefined sets of rights and permissions. For example, to make an account for a print operator in a domain, you would add the account to the Print Operators local group in the domain. The account then would have all the rights and abilities required for a print operator. The use of that group is local to the servers in that domain. A local group can contain users and global groups, but it cannot contain any other local groups.

In Figure 4-2, a local group, Accounting, has been added to the Sales domain. Although Accounting can contain users and global groups from Finance (and any other domains that Sales trusts), Accounting can be assigned permissions and rights only in Sales.

Local groups also exist on Windows NT workstation computers. A local group on a workstation can contain user accounts from the workstation itself, and users and global groups from the workstation's domain and domains trusted by the workstation's domain.

Figure 4-2 Understanding Local Groups

4.5 Differences Between Global and Local Groups

The terms global group and local group indicate the scope of a group, not the contents of the group; they refer to the rights and permissions that a group can be granted. Local groups can contain global groups, but global groups cannot contain either local groups or other global groups. Although global and local groups serve similar functions, different rules apply to their creation and use.

As shown in Figure 4-2, a global group, Accounting, created in the Finance domain can:

  • Contain users from the Finance domain
  • Be used in any domain that trusts the Finance domain

A local group created in the Sales domain can:

  • Contain users and global groups from the Sales domain and any domain that the Sales domain trusts
  • Be used on servers in the Sales domain only

4.6 Using Global and Local Groups

This section discusses strategies for using global and local groups that can make your network easier to administer and maintain.

If you organize your domains so that each represents a division or department of your company, you can think of a global group as being a group of users from the same department. This group of users can be assigned permissions and rights in other domains. In this way, the global group becomes a means of exporting a group of users as a single unit to other domains in the company.

When administering an Advanced Server, you may see that a global group name is preceded by the domain name in which the global group is located. You see both the types of users that the group represents (by the group name) and the origin or location of that group (by the domain name). For example, when you view file permissions on a server in the Sales domain, if the Accounting global group in the Finance domain has permissions, they are shown as Finance\Accounting. In this way, you can positively identify a global group when it is referred to in a domain other than its own. (A global group viewed in its own domain has no domain name prefix. For example, when you view file permissions on a server in the Sales domain, global groups located in the Sales domain, such as Planners in Figure 4-2, are shown by their group names only.)

A local group can include users and global groups from other trusted domains. Therefore, it is a way to import users and global groups from other domains into a single unit for use in the local domain.

For example, suppose that a domain called Engineering has a server with a shared directory containing documents that explain the new technologies that the company is investigating. If managers in other departments (domains) are interested in seeing these documents, network administrators can provide this ability by performing the following procedure:

  1. Create global groups in the other domains (such as Marketing\Managers and Sales\Managers).
  2. In the Engineering domain, create a local group called All Managers.
  3. Put the Marketing\Managers and Sales\Managers global groups in the All Managers local group.
  4. Grant All Managers permission to read the files in the directory.

In this example, you could give permission to read the files to all the Managers global groups from the other domains and thus bypass the step of creating the local group. However, in many cases, creating the local group saves time later. For example, imagine that later on you add two new directories containing files of interest to managers. If you have not created the All Managers local group, you need to grant access for the new directories separately to all the Managers global groups, instead of to the single local group. If the All Managers local group contains many global groups rather than just the two in this example, creating it could represent a significant savings of effort.

As this example illustrates, a local group is a way of assembling global groups and assigning them permissions in one step. If another global group needs the same permissions as an existing global group, you can add the new global group to the appropriate local group to give it all the permissions it needs.

Table 4-2 summarizes the uses of global and local groups.

Table 4-2 Purposes of Global and Local Groups
Purpose Use Comments
Group users of a domain into a single unit for use in other domains Global group The global group can be put into local groups, or given permissions and rights directly, in other domains.
Need permissions and rights only in one domain Local group The local group can contain users and global groups from other domains.
Need permissions to access resources on Windows NT workstation computers Global group A domain's global groups can be given permissions on Windows NT workstation computers, but a domain's local groups cannot.
Contain other groups Local group The local group can contain global groups and individual users; no group of any type can contain other local groups.
Include users from multiple domains Local group The local group can contain users and global groups. The local group can be used only in the domain in which it is created.

4.7 Built-In Groups

The actions that a user can perform depend on the group memberships of the user's account. The Advanced Server provides several default groups that have established collections of rights and abilities. Built-in groups are Advanced Server default groups that have established rights and abilities. The Advanced Server provides both global and local types of built-in groups:

  • Built-in local groups --- Groups that contain users from multiple domains. The Advanced Server provides the following types of built-in local groups: Administrators, Users, Guests, Server Operators, Print Operators, Backup Operators, and Account Operators.
  • Built-in global groups --- Groups that put users of a domain into a single unit for use in both their own and other domains. The Advanced Server provides the following types of built-in global groups: Domain Admins, Domain Users, and Domain Guests.

The built-in groups are explained in the sections that follow.

4.7.1 Built-In Local Groups

When the Advanced Server is installed on any computer, several default built-in local groups are created. Table 4-3 lists the built-in local groups, their initial contents, and who can modify them.

Table 4-3 Built-In Local Groups
Local Group+ Initial Contents Who Can Modify
Administrators Domain Admins (global group) Administrator (user account) Administrators
Server Operators None Administrators
Account Operators None Administrators
Print Operators None Administrators
Backup Operators None Administrators
Users Domain Users (global group) Administrators, Account Operators
Guests Domain Guests (global group) Administrators, Account Operators

+You cannot delete any of these built-in local groups.

In addition to these built-in local groups, an identity called Everyone represents all known people on the network, including administrators, all types of operators, users, users from other domains, and guests. You cannot change the membership of Everyone; it always contains all users. Everyone is not actually a local group and does not appear when groups are displayed, but you can assign file permissions and rights to Everyone.

Membership in built-in local groups gives a user certain privileges.

Table 4-4 shows the rights and abilities held by each built-in local group on an Advanced Server domain. The built-in global groups of a domain are not shown in this table because built-in global groups receive their rights and abilities indirectly through their memberships in built-in local groups.

Table 4-4 Rights and Abilities of Built-In Local Groups
Right or Ability Admin-
Server Operators Account Operators Print Operators Backup Operators Every-
Users Guests
Log on locally 1 X X X X X      
Access this computer from network X         X X X
Take ownership of files X              
Manage auditing and security log X              
Change system time 1 X X            
Shut down system 1 X X X X X      
Force shutdown from a remote system 1 X X            
Back up files and directories 1 X X     X      
Restore files and directories 1 X X     X      
Right or Ability Admin-
Server Operators Account Operators Print Operators Backup Operators Every-
Users Guests
Create and manage user accounts X   X 2          
Create and manage global groups X   X 2          
Share and stop sharing directories X X            
Share and stop sharing printers X X   X        

1Applies only to the Windows NT Server.
2Account Operators cannot modify Administrators' accounts, the Domain Admins global group, or the Administrators, Server Operators, Account Operators, Print Operators, or Backup Operators local groups.

The following sections describe the built-in local groups in the Advanced Server. For information about built-in local groups on a Windows NT Server, see the Microsoft Windows NT Server Concepts and Planning Guide.

Previous Next Contents Index