For users that need to create a process based on quotas and privileges
from System User Authorization (SYSUAF) data, the following item codes
return data in a form ready to be used in a call to SYS$CREPRC:
To receive results of these item codes without authentication requires
you to use the ACMEVMS$_PREAUTHENTICATION_FLAG, which in turn requires
the IMPERSONATE privilege. No additional privilege for these item codes
is required.
ACMEVMS$_CREPRC_BASPRI
This output item code requests UAI data in a format suitable for
passing to SYS$CREPRC.
This output item code request UAI data in a format suitable for passing
to SYS$CREPRC.
ACMEVMS$_CREPRC_IMAGE
This output item code requests UAI data in a format suitable for
passing to SYS$CREPRC. The $ACM[W] client is responsible for creating a
descriptor for this string.
ACMEVMS$_CREPRC_PRCNAM
This output item code requests UAI data in a format suitable for
passing to SYS$CREPRC. The $ACM[W] client is responsible for creating a
descriptor for this string.
ACMEVMS$_CREPRC_PRVADR
This output item code requests UAI data in a format suitable for
passing to SYS$CREPRC.
ACMEVMS$_CREPRC_QUOTA
This output item code requests UAI data in a format suitable for
passing to SYS$CREPRC, regardless of what quota might be handled by
this service in the future.
ACMEVMS$_CREPRC_UIC
This output item code requests UAI data in a format suitable for
passing to SYS$CREPRC.
Generated Password Item Codes
Any generated password list is returned in the ACM Communications
Buffer, which is accessed by the context parameter. The following item
codes are used to affect this password list:
| Item Code |
Direction |
Size |
Data Provided |
|
ACMEVMS$_GENPWD_COUNT
|
Input
|
Longword
|
Unsigned
|
|
ACMEVMS$_GENPWD_MANDATORY_FLAG
|
Input
|
Longword
|
Boolean
|
|
ACMEVMS$_GENPWD_MAXLENGTH
|
Input
|
Longword
|
Unsigned
|
|
ACMEVMS$_GENPWD_MINLENGTH
|
Input
|
Longword
|
Unsigned
|
ACMEVMS$_GENPWD_COUNT
The value of this item code indicates the number of any passwords that
are generated, regardless of whether generation is due to the
UAI$V_GENPWD bit or the presence of the ACMEVMS$_GENPWD_MANDATORY_FLAG
input item code.
ACMEVMS$_GENPWD_MANDATORY_FLAG
The caller of SYS$AMCW requests password generation if this item code
is present. A value whose low bit is set indicates the caller wants to
force the use of the generated passwords, with the VMS ACME rejecting
any provided passwords that do not match a password on the list. A
value whose low bit is clear indicates that the generated password list
is just advisory, with no enforcement by the VMS ACME. However, VMS
ACME might actually enforce generated passwords anyway, depending on
the setting of the UAI$V_GENPWD bit within the UAI_FLAGS longword bit
mask.
ACMEVMS$_GENPWD_MAXLENGTH
The value of this item code indicates the maximum length of any
passwords that are generated, regardless of whether generation is due
to the UAI$V_GENPWD bit or the presence of the
ACMEVMS$_GENPWD_MANDATORY_FLAG input item code.
ACMEVMS$_GENPWD_MINLENGTH
The value of this item code indicates the minimum length of any
passwords that are generated, regardless of whether generation is due
to the UAI$V_GENPWD bit or the presence of the
ACMEVMS$_GENPWD_MANDATORY_FLAG input item code.
Backward Compatibility Item Codes
The ACME-specific item codes that provide backward compatibility are
listed in the following table:
| Item Code |
Direction |
Size |
Data Provided |
|
ACMEVMS$_LOGINOUT_CLI_FLAGS
|
Input
|
Longword
|
Boolean
|
|
ACMEVMS$_LOGINOUT_CREPRC_FLAGS
|
Input
|
Longword
|
Bit mask
|
|
ACMEVMS$_OLD_CONNECTION_FLAG
|
Input
|
Longword
|
Boolean
|
|
ACMEVMS$_OLD_DECWINDOWS_FLAG
|
Input
|
Longword
|
Boolean
|
|
ACMEVMS$_OLD_HASHED_PASSWORD_1
|
Input
|
Variable
|
String
|
|
ACMEVMS$_OLD_HASHED_PASSWORD_2
|
Input
|
Variable
|
String
|
|
ACMEVMS$_OLD_LGI_PHASE
|
Input
|
Longword
|
Code value
|
|
ACMEVMS$_OLD_LGI_STATUS
|
Input
|
Longword
|
Message code
|
|
ACMEVMS$_OLD_PROCESS_NAME
|
Input
|
Variable
|
String
|
ACMEVMS$_LOGINOUT_CLI_FLAGS
This input item code supplies the traditional LOGINOUT qualifiers to
the VMS ACME, including particularly the /LOCAL_PASSWORD and /CONNECT
qualifiers. This item is never provided on an initial call. It is only
provided in response to a dialogue step.
Use of this item code is reserved to LOGINOUT, and is enforced by the
VMS ACME to prevent spoofing.
ACMEVMS$_LOGINOUT_CREPRC_FLAGS
This input item code provides the CTL$GL_CREPRC_FLAGS longword
corresponding to the FLAGS argument used for process creation. The use
of this item code is reserved to LOGINOUT and is enforced by the VMS
ACME to prevent spoofing.
ACMEVMS$_OLD_CONNECTION_FLAG
This input item code is used by LOGINOUT to indicate to the VMS ACME
that a terminal user logging in has chosen to connect to a disconnected
process rather than proceed with a new process.
Use of this item code is reserved to LOGINOUT, and is enforced by the
VMS ACME to prevent spoofing.
ACMEVMS$_OLD_DECWINDOWS_FLAG
This input item code indicates the old DECwindows callout interface is
being used. Use of this item code is reserved to LOGINOUT, and is
enforced by the VMS ACME to prevent spoofing.
ACMEVMS$_OLD_HASHED_PASSWORD_1
This input item code specifies a primary password in an alternate form.
You can only use this item code when specifying a value of
ACMEVMS$_ARGUS for ACME$_AUTH_MECHANISM.
To use this item code, you need the IMPERSONATE privilege.
ACMEVMS$_OLD_HASHED_PASSWORD_2
This input item code specifies a secondary password in an alternate
form. You can only use this item code when specifying a value of
ACMEVMS$_ARGUS for ACME$_AUTH_MECHANISM.
To use this item code, you need the IMPERSONATE privilege.
ACMEVMS$_OLD_LGI_PHASE
This input item code specifies the phase of the latest LGI-callout. It
is used to provide processing equivalent so that when authentication is
performed inside LOGINOUT, the following actions occur:
- Allows LGI$_SKIPRELATED from an LGI-callout routine to be honored
by ACMEs.
- Allows the VMS ACME to update UAF$W_LOGFAILS and possibly
UAF$V_DISACNT even for a failure declared by an LGI-callout routine.
Use of this item code is reserved to LOGINOUT and is enforced by the
VMS ACME to prevent LGI$_SKIPRELATED spoofing. If you want to perform a
similar function, you should write an ACME.
ACMEVMS$_OLD_LGI_STATUS
This input item code specifies the status returned from the latest
LGI-callout. It is used to provide processing equivalent so that when
authentication is performed inside LOGINOUT, the following actions
occur.
- Allows LGI$_SKIPRELATED from an LGI-callout routine to be honored
by ACMEs.
- Allows the VMS ACME to update UAF$W_LOGFAILS and possibly
UAF$V_DISACNT even for a failure declared by an LGI-callout routine.
Use of this item code is reserved to LOGINOUT, enforced by the VMS ACME
to prevent LGI$_SKIPRELATED spoofing. If you want to perform a similar
function, you should write an ACME.
ACMEVMS$_OLD_PROCESS_NAME
This input item code is used by LOGINOUT to indicate to the VMS ACME
the process name after it has attempted to change the process name to
match the username.
Use of this item code is reserved to LOGINOUT, and is enforced by the
VMS ACME to prevent spoofing.
User Authorization Information (UAI) Item Codes
The VMS ACME supports the UAI codes that return SYSUAF values. SYSUAF
contents are required for authorization, initialization, and auditing.
The UAI codes are transmitted to the VMS ACME as ACME-specific codes.
For the definition of these item codes, refer to the SYS$GETUAI system
service in the HP OpenVMS System Services Reference Manual: GETUTC--Z.
When in dialogue mode and when you ask for the value in the fields, the
VMS ACME returns the value from that of the previous login, that is,
the login before the current login.
The following ACME UAI item codes are supported:
|
ACMEVMS$_UAI_ACCOUNTS
|
ACMEVMS$_UAI_NETWORK_ACCESS_P
|
|
ACMEVMS$_UAI_ACCOUNT_LIM
|
ACMEVMS$_UAI_NETWORK_ACCESS_S
|
|
ACMEVMS$_UAI_ASTLM
|
ACMEVMS$_UAI_OWNER
|
|
ACMEVMS$_UAI_AUDIT_FLAGS (*)
|
ACMEVMS$_UAI_PARENT_ID
|
|
ACMEVMS$_UAI_BATCH_ACCESS_P
|
ACMEVMS$_UAI_PASSWORD (*)
|
|
ACMEVMS$_UAI_BATCH_ACCESS_S
|
ACMEVMS$_UAI_PASSWORD2 (*)
|
|
ACMEVMS$_UAI_BIOLM
|
ACMEVMS$_UAI_PBYTLM
|
|
ACMEVMS$_UAI_BYTLM
|
ACMEVMS$_UAI_PGFLQUOTA
|
|
ACMEVMS$_UAI_CLITABLES
|
ACMEVMS$_UAI_PRCCNT
|
|
ACMEVMS$_UAI_CPUTIM
|
ACMEVMS$_UAI_PRI
|
|
ACMEVMS$_UAI_DEF_CLASS
|
ACMEVMS$_UAI_PRIMEDAYS
|
|
ACMEVMS$_UAI_DEFCLI
|
ACMEVMS$_UAI_PRIV
|
|
ACMEVMS$_UAI_DEFDEV
|
ACMEVMS$_UAI_PROXYIES
|
|
ACMEVMS$_UAI_DEFDIR
|
ACMEVMS$_UAI_PROXY_LIM
|
|
ACMEVMS$_UAI_DEF_PRIV
|
ACMEVMS$_UAI_PWD
|
|
ACMEVMS$_UAI_DFWSCNT
|
ACMEVMS$_UAI_PWD2
|
|
ACMEVMS$_UAI_DIOLM
|
ACMEVMS$_UAI_PWD_DATE
|
|
ACMEVMS$_UAI_DIALUP_ACCESS_P
|
ACMEVMS$_UAI_PWD2_DATE
|
|
ACMEVMS$_UAI_DIALUP_ACCESS_S
|
ACMEVMS$_UAI_PWD_LENGTH
|
|
ACMEVMS$_UAI_ENCRYPT
|
ACMEVMS$_UAI_PWD_LIFETIME
|
|
ACMEVMS$_UAI_ENCRYPT2
|
ACMEVMS$_UAI_QUEPRI
|
|
ACMEVMS$_UAI_ENQLM
|
ACMEVMS$_UAI_REMOTE_ACCESS_P
|
|
ACMEVMS$_UAI_EXPIRATION
|
ACMEVMS$_UAI_REMOTE_ACCESS_S
|
|
ACMEVMS$_UAI_FILLM
|
ACMEVMS$_UAI_RTYPE
|
|
ACMEVMS$_UAI_FLAGS
|
ACMEVMS$_UAI_SALT
|
|
ACMEVMS$_UAI_GRP
|
ACMEVMS$_UAI_SHRFILLM
|
|
ACMEVMS$_UAI_JTQUOTA
|
ACMEVMS$_UAI_SUB_ID
|
|
ACMEVMS$_UAI_LASTLOGIN_I
|
ACMEVMS$_UAI_TQCNT
|
|
ACMEVMS$_UAI_LASTLOGIN_N
|
ACMEVMS$_UAI_UIC
|
|
ACMEVMS$_UAI_LGICMD
|
ACMEVMS$_UAI_USER_DATA
|
|
ACMEVMS$_UAI_LOCAL_ACCESS_P
|
ACMEVMS$_UAI_USRDATOFF
|
|
ACMEVMS$_UAI_LOCAL_ACCESS_S
|
ACMEVMS$_UAI_USERNAME
|
|
ACMEVMS$_UAI_LOGFAILS
|
ACMEVMS$_UAI_USERNAME_TAG
|
|
ACMEVMS$_UAI_MAXACCTJOBS
|
ACMEVMS$_UAI_JSVERSION
|
|
ACMEVMS$_UAI_MAX_CLASS
|
ACMEVMS$_UAI_WSQUOTA
|
|
ACMEVMS$_UAI_MAXDETACH
|
|
|
ACMEVMS$_UAI_MAXJOBS
|
|
|
ACMEVMS$_UAI_MEM
|
|
|
ACMEVMS$_UAI_MIN_CLASS
|
|
* These items are defined for the following numeric calculations
purposes because the base for the ACME-specific UAI item codes is
ACMEVMS$K_UAI_BASE. ACMEVMS$K_UAI_BASE can be added to a UAI$_* code to
produce the corresponding ACMEVMS$_UAI_* code.
Class Scheduling Item Codes
The following table lists class scheduling item codes:
| Item Code |
Direction |
Size |
Data Provided |
|
ACMEVMS$_CLASS_DAYS
|
Output
|
Byte
|
Bit-mask
|
|
ACMEVMS$_CLASS_FLAGS
|
Output
|
Longword
|
Bit-mask
|
|
ACMEVMS$_CLASS_NAME
|
Output
|
Variable
|
String
|
|
ACMEVMS$_CLASS_NUMBER
|
Output
|
Word
|
Integer
|
|
ACMEVMS$_CLASS_PRIMEDAY_LIMIT
|
Output
|
24 bytes
|
Integer Array
|
|
ACMEVMS$_CLASS_SECONDAY_LIMIT
|
Output
|
24 bytes
|
Integer Array
|
ACMEVMS$_CLASS_DAYS
This item returns a 7-bit array, one for each day of the week starting
with Monday as the low-order bit.
If a given bit is set, it means the corresponding day of the week is to
be treated as a Secondary Day for purposes of class scheduling. If a
given bit is clear, the corresponding day of the week is to be treated
as a Primary Day for purposes of class scheduling. These designations
are overridden if the $GETSYI item code SYI$_DAY_OVERRIDE is set.
This data is intended primarily for LOGINOUT in setting up any class
scheduling required for a new process, although other callers of $ACM
are free to request it for their own purposes.
Data returned for this item code is 1 byte long, so a caller's buffer
should be at least that long.
ACMEVMS$_CLASS_FLAGS
This item code returns a 32-bit mask of flags used for class scheduling.
This data is intended primarily for LOGINOUT in setting up any class
scheduling required for a new process, although other callers of $ACM
are free to request it for their own purposes.
Data returned for this item code is 4 bytes long, so a caller's buffer
should be at least that long.
ACMEVMS$_CLASS_NAME
This item code returns a string indicating the Class Name for class
scheduling the VMS Username just authenticated.
This data is intended primarily for LOGINOUT in setting up any class
scheduling required for a new process, although other callers of $ACM
are free to request it for their own purposes.
Data returned for this item code is up to 16 characters long, so a
caller's buffer should be at least that long, with the number of bytes
allocated dependent on whether the ACME$M_UCS2_4 function code modifier
was specified on the call to $ACM[W].
ACMEVMS$_CLASS_NUMBER
This item code returns the Class Number for class scheduling the VMS
Username just authenticated. A Class Number of zero means no Class
applies to this VMS Username.
This data is intended primarily for LOGINOUT in setting up any class
scheduling required for a new process, although other callers of $ACM
are free to request it for their own purposes.
Data returned for this item code is 2 bytes long, so a caller's buffer
should be at least that long.
ACMEVMS$_CLASS_PRIMEDAY_LIMIT
This item code returns an array of 24 bytes, one for each hour of a
Primary Day, each containing a number from 1 to 100 indicating the
percentage of the overall system CPU time reserved for members of that
class.
This data is intended primarily for LOGINOUT in setting up any class
scheduling required for a new process, although other callers of $ACM
are free to request it for their own purposes.
Data returned for this item code is 24 bytes long, so a caller's buffer
should be at least that long.
ACMEVMS$_CLASS_SECONDAY_LIMIT
This item code returns an array of 24 bytes, one for each hour of a
Secondary Day, each containing a number from 1 to 100 indicating the
percentage of the overall system CPU time reserved for members of that
class.
This data is intended primarily for LOGINOUT in setting up any class
scheduling required for a new process, although other callers of $ACM
are free to request it for their own purposes.
Data returned for this item code is 24 bytes long, so a caller's buffer
should be at least that long.
Miscellaneous Item Codes
The following ACME-specific item codes cannot be classified into any of
the previous categories:
| Item Code |
Direction |
Size |
Data Provided |
|
ACMEVMS$_AUTOLOGIN_ALLOWED_FLAG
|
Input
|
Longword
|
Boolean
|
|
ACMEVMS$_CONFIRM_PASSWORD_1
|
Input
|
Variable
|
String
|
|
ACMEVMS$_CONFIRM_PASSWORD_2
|
Input
|
Variable
|
String
|
|
ACMEVMS$_CONFIRM_PASSWORD_SYS
|
Input
|
Variable
|
String
|
|
ACMEVMS$_NET_PROXY
|
Input
|
Variable
|
String
|
|
ACMEVMS$_PREAUTHENTICATION_FLAG
|
Input
|
Longword
|
Boolean
|
|
ACMEVMS$_REQUESTOR_PID
|
Input
|
Longword
|
Hexadecimal
|
|
ACMEVMS$_REQUESTOR_UIC
|
Input
|
Longword
|
Hexadecimal
|
|
ACMEVMS$_REQUESTOR_USERNAME
|
Input
|
Variable
|
String
|
|
ACMEVMS$_USES_SYSTEM_PASSWORD
|
Input
|
Longword
|
Boolean
|
ACMEVMS$_AUTOLOGIN_ALLOWED_FLAG
This input item code specifies that a particular access port is of a
type eligible for VMS Autologin. If the port is not specified in the
Autologin file read by the VMS ACME, then this item code has no effect.
ACMEVMS$_CONFIRM_PASSWORD_1
The VMS ACME uses this input item code as a separate verification
prompt when a new primary password is being specified. Use of a
separate dialogue step rather than the verification method built into
the Item Set definition allows some initial checking to be done for
acceptability of the proposed password before the user is asked to type
the password in again.
Some networked ACME agents are tied to network protocols that do not
allow independent checking of the acceptability of a proposed password,
so even when an item set with this item code is returned, the proposed
password could be rejected later.
This item code might be requested in a dialogue step.
ACMEVMS$_CONFIRM_PASSWORD_2
The VMS ACME uses this input item code as a separate verification
prompt when a new secondary password is being specified. Use of a
separate dialogue step rather than the verification method built into
the Item Set definition allows some initial checking to be done for
acceptability of the proposed password before the user is asked to type
the password again.
Some networked ACME agents are tied to network protocols that do not
allow independent checking of the acceptability of a proposed password,
so even when an item set with this item code is returned, the proposed
password could be rejected later. Most networked ACME agents do not
support secondary passwords, so after an item set with this item code
has been returned, rejection later is unlikely, though possible.
This item code might be requested in a dialogue step.
ACMEVMS$_CONFIRM_PASSWORD_SYS
The VMS ACME uses this input item code as a separate verification
prompt when a new system password is being specified. Use of a separate
dialogue step rather than the verification method built into the Item
Set definition allows full initial checking to be done for
acceptability of the proposed system password before the user is asked
to type the entire password in again.
This item code might be requested in a dialogue step.
ACMEVMS$_NET_PROXY
This input item code specifies the proxy user name for which a network
login is to be processed, without authentication information, just as
for a batch login or preauthenticated network login.
This item code requires the IMPERSONATE privilege.
ACMEVMS$_PREAUTHENTICATION_FLAG
This input item code specifies a login that is to be processed without
authentication information, such as for a batch login. When first
received by the VMS ACME, this item code causes the setting of the
WQE_PREAUTHENTICATED flag in the Work Queue Entry Context, which is
honored by all ACMEs.
To use this item code, you need the IMPERSONATE privilege.
ACMEVMS$_REQUESTOR_PID
This input item code specifies the Requestor Processor ID for use by
the VMS ACME in auditing and breakin detection. Combined with the codes
ACMEVMS$_REQUESTOR_UIC and ACMEVMS$_REQUESTOR_USERNAME, it is used when
the process calling $ACM is not actually the process to which the
authentication should be attributed. When first received by the VMS
ACME, the value of this item is stored in the REQUESTOR_PID longword in
the Request Context for later use. This item code is available to
support LGI-callout operations and other callers to
LGI$AUTHENTICATE_USER.
To use this item code, you need the IMPERSONATE privilege to guard
against spoofing.
ACMEVMS$_REQUESTOR_UIC
This input item code specifies the Requestor UIC for use by the VMS
ACME in auditing and breakin detection. When first received by the VMS
ACME, the value of this item is stored in the REQUESTOR_UIC longword in
the Request Context for later use. This item code is available to
support LGI-callout operations and other callers of
LGI$AUTHENTICATE_USER.
This item allows the caller of $ACM to provide an accurate value
because a call to SYS$GETJPI, based on the ACMEVMS$_REQUESTOR_PID
ACME-specific item code value, might produce inaccurate results due to
a subsequent assumption of a different persona in the requestor process.
To use this item code, you need the IMPERSONATE privilege to guard
against spoofing.
ACMEVMS$_REQUESTOR_USERNAME
This input item code specifies the Requestor Username for use by the
VMS ACME in auditing and breakin detection. When first received by the
VMS ACME, the value of this item is stored in the OWNER_USERNAME
varying string descriptor in the Request Context for later use. This
item code supports LGI-callout operations and other callers of
LGI$AUTHENTICATE_USER.
This item allows the caller of $ACM to provide an accurate value
because a call to SYS$GETJPI, based on the ACMEVMS$_REQUESTOR_PID item
code value, might produce inaccurate results due to a subsequent
assumption of a different persona in the requestor process.
To use this item code, you need the IMPERSONATE privilege to guard
against spoofing.
ACMEVMS$_USES_SYSTEM_PASSWORD
This input item code specifies that a particular access port is enabled
for use of the System Password. Other conditions, such as not having a
System Password defined, may mean that no Item Set requesting a System
Password is actually returned to the client. When first received by the
VMS ACME, the value of this item is stored in the
USES_SYSTEM_PASSWORD_FLAG boolean in the Request Context for later use.
To use this item code, you need the SECURITY privilege to guard against
password guessing.
The following table lists the output message categories specific to the
VMS ACME and their meanings:
