HP OpenVMS Guide to System Security, Part: Security for the System Administrator, Chapter: Managing System Access

Defining Times and Conditions for System Access



The level of system access a user enjoys depends on your site requirements, that user's role in the organization, and your management of his or her account. A site with low security requirements and plenty of system resources may allow access at any time of day, whereas a site with moderate security requirements may limit logins to daytime hours and permit dialup or network connections only to a subset of users.

Using the Authorize utility, you control when and how users can access the system. Table 1, Authorize Qualifiers Controlling Login Times and Conditions, identifies the applicable qualifiers.

Table 1   Authorize Qualifiers Controlling Login Times and Conditions

Category: Time of day
  /ACCESS          By default, a user has full access every day. By specifying an access time, you prevent access at all other times. Identify hours on primary days with the keyword PRIMARY; identify hours on secondary days with the keyword SECONDARY.
  /DIALUP          Specifies hours of access permitted for dialup logins.
  /LOCAL           Specifies hours of access for interactive logins from local terminals.

Category: Days of week
  /PRIMEDAYS       Defines the primary and secondary days of the week for logging in.

Category: Mode of operation
  /BATCH           Specifies the hours of access permitted for batch jobs.
  /INTERACTIVE     Specifies the hours of access for interactive logins.
  /NETWORK         Specifies the hours of access permitted for network batch jobs.
  /REMOTE          Specifies hours during which access is permitted for interactive logins from network remote terminals (with the DCL command SET HOST).

Category: Allocation of resources
  /DEVICE          Specifies the name of the user's default device at login.
  /DIRECTORY       Specifies the name of the user's default directory at login.

Category: Validity of account
  /EXPIRATION      Specifies the expiration date and time of the account.
  /FLAGS=DISUSER   Disables the account so the user cannot log in.

Category: External authentication
  /FLAGS=EXTAUTH   Specifies that the user is externally authenticated.

Restricting Work Times

AUTHORIZE qualifiers let you restrict system use to certain days of the week and certain periods of the day. Restricting work times is useful to better balance the workload on your system. Restricting access to accounts is also an effective way of preventing unauthorized use of the system outside of normal working hours.

Define primary and secondary days of the week with the /PRIMEDAYS qualifier, or conform to the default, where primary days are Monday through Friday and secondary days are Saturday and Sunday. For example, to modify the defaults for a user who works Tuesday through Saturday, you would specify the /PRIMEDAYS qualifier as follows:

/PRIMEDAYS=(NOMONDAY,TUESDAY,WEDNESDAY,THURSDAY,FRIDAY,SATURDAY,NOSUNDAY)
Occasionally an operational change occurs that conflicts with the normal day assignments at your site, such as a holiday falling on a primary day. To override the normal day assignment, use the DCL command SET DAY, and specify the day-type interpretation you want for the current day. This requires OPER privilege. Note that this change applies to all logged-in users, as well as those who will log in during the day. If users who are currently logged in are unauthorized for the day type once it changes, they are logged out of the system at the next hour. (The job controller enforces time restrictions on an hourly basis.)

Decide which types of login access should be restricted to certain hours. The login access qualifiers are /LOCAL, /REMOTE, /DIALUP, /INTERACTIVE, /BATCH, and /NETWORK. However, if your site applies one set of primary and secondary hours for all types of logins, you can specify the /ACCESS qualifier, which applies to all modes of access.

The following example shows how to apply the /BATCH qualifier to a user's account to prevent the user from running batch jobs during normal working hours:

/NOBATCH=(PRIMARY, 9-17)
This specification permits the user to run batch jobs only during the hours of 6:00 p.m. through 8:59 a.m. on primary days, but all day on secondary days.
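The day-type and hour-range rules described in this section, modelled as an added example (constructed here, not OpenVMS or AUTHORIZE code). It evaluates a /PRIMEDAYS list and a negated hour qualifier such as /NOBATCH=(PRIMARY, 9-17) the way the text describes: a range "9-17" covers 9:00 through 17:59, the listed hours are denied, and the other day type stays unrestricted. Treating an unlisted day type as unrestricted for the positive form (/BATCH=...) is an assumption of this model, and the SET DAY override is represented by the set_day parameter.

```python
import re

DAYS = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]
# Default day types from the text: Monday-Friday primary, Saturday-Sunday secondary.
DEFAULT_PRIMEDAYS = {d: d not in ("SATURDAY", "SUNDAY") for d in DAYS}


def parse_primedays(spec):
    """'(NOMONDAY,TUESDAY,...)' -> {day: is_primary}; unnamed days keep defaults."""
    result = dict(DEFAULT_PRIMEDAYS)
    for token in re.findall(r"[A-Z]+", spec.upper()):
        negated = token.startswith("NO")
        day = token[2:] if negated else token
        if day not in DAYS:
            raise ValueError(f"unknown day keyword {token}")
        result[day] = not negated
    return result


def parse_hours(spec):
    """'(PRIMARY, 9-17, SECONDARY, 0-5)' -> {'PRIMARY': {9..17}, 'SECONDARY': {0..5}}."""
    hours = {"PRIMARY": set(), "SECONDARY": set()}
    current = None
    for token in re.findall(r"[A-Z]+|\d+-\d+|\d+", spec.upper()):
        if token in hours:
            current = token
        elif current is None:
            raise ValueError("hour range given before PRIMARY/SECONDARY keyword")
        else:
            lo, _, hi = token.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 23:
                raise ValueError(f"bad hour range {token}")
            hours[current].update(range(lo, hi + 1))  # "9-17" covers 9:00-17:59
    return hours


def day_type(weekday, primedays, set_day=None):
    """Day type for a weekday; set_day models an operator's DCL SET DAY override."""
    if set_day is not None:
        return set_day
    return "PRIMARY" if primedays[weekday] else "SECONDARY"


def access_permitted(hour_spec, negated, day_type_name, hour):
    """True if this login mode is allowed at clock hour `hour` (0-23) on that day type."""
    listed = parse_hours(hour_spec)[day_type_name]
    if negated:                               # /NOBATCH=(PRIMARY, 9-17): deny the listed hours
        return hour not in listed
    return not listed or hour in listed       # assumption: unlisted day type is unrestricted


def permitted_hours(hour_spec, negated, day_type_name):
    """Clock hours at which access is allowed, e.g. [0..8, 18..23] for the text's example."""
    return [h for h in range(24) if access_permitted(hour_spec, negated, day_type_name, h)]
```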

Restricting Modes of Operation

The following concerns might cause you to prohibit network access for some of your users:

Use the AUTHORIZE qualifier /NONETWORK to prevent specific users from having network access, as shown in the following example:

UAF> ADD JSMITH /NONETWORK, ...
Any of the AUTHORIZE access mode qualifiers (/LOCAL, /REMOTE, /DIALUP, /INTERACTIVE, /BATCH, or /NETWORK) can be negated in this manner to restrict access to the system.

Restricting Account Duration

It is good practice to set an account expiration time that matches the maximum length of time you expect the user to require access. When the expiration time arrives, the system automatically prohibits access to the account. You must still remove the UAF record and delete the user's files.

Use of the /EXPIRATION qualifier also forces you to periodically review accounts and reauthorize only those that are necessary.

To set the account expiration time, use the AUTHORIZE qualifier /EXPIRATION in the user's UAF record. For example, the following qualifier specifies that the user's account will expire on the 30th of December 2001:

/EXPIRATION=30-DEC-2001

Disabling Accounts

You may want to severely restrict the use of certain accounts. For example, you may want to disable specific accounts used only periodically, such as the SYSTEST and FIELD accounts, to limit possible misuse of these accounts. Disable the accounts with the /FLAGS=DISUSER qualifier. Temporarily enable the accounts with the /FLAGS=NODISUSER qualifier when needed.

Restricting Disk Volumes

Identify the user's default device and directory in the UAF record with the AUTHORIZE qualifiers /DEVICE and /DIRECTORY. You can limit the number of blocks available to the user on that disk (and any other disk) through the disk quota feature of the System Management utility (SYSMAN), as described in the HP OpenVMS System Management Utilities Reference Manual: A-L.

The volume protection in place on other disks controls how much access a user can obtain to the disks. The user's privileges, which can be extended or limited through the AUTHORIZE qualifier /PRIVILEGES, also influence the access available (see Giving Users Privileges).

Marking Accounts for External Authentication

Mark a user's account in the UAF record with the AUTHORIZE qualifier /FLAGS=EXTAUTH to allow the user to be externally authenticated.

See Enabling External Authentication for more information.
