 |
HP OpenVMS System Management Utilities Reference
Manual
When you modify a password, the new password expires automatically; it
is valid only once (unless you specify /NOPWDEXPIRED). On login, the
user is forced to change the password (unless you specify
/FLAGS=DISFORCE_PWD_CHANGE).
Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually
exclusive.
/PBYTLM
This flag is reserved for HP.
/PGFLQUOTA=value
Specifies the paging file limit. This is the maximum number of pages
that the person's process can use in the system paging file. By
default, the value is 32768 pages on VAX systems and 256,000 pagelets
on Alpha and I64 systems.
If decompressing libraries, make sure to set PGFLQUOTA to twice the
size of the library.
/PRCLM=value
Specifies the subprocess creation limit. This is the maximum number of
subprocesses that can exist at one time for the specified user's
process. By default, the value is 2 on VAX systems and 8 on Alpha and
I64 systems.
/PRIMEDAYS=([NO]day[,...])
Defines the primary and secondary days of the week for logging in.
Specify the days as a list separated by commas, and enclose the list in
parentheses. To specify a secondary day, prefix the day with NO (for
example, NOFRIDAY). To specify a primary day, omit the NO prefix.
By default, primary days are Monday through Friday and secondary days
are Saturday and Sunday. If you omit a day from the list, AUTHORIZE
uses the default value. (For example, if you omit Monday from the list,
AUTHORIZE defines Monday as a primary day.)
Use the primary and secondary day definitions in conjunction with such
qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.
/PRIORITY=value
Specifies the default base priority. The value is an integer in the
range of 0 to 31 on VAX systems and 0 to 63 on Alpha and I64 systems.
By default, the value is set to 4 for timesharing users.
/PRIVILEGES=([NO]privname[,...])
Specifies which privileges the user is authorized to hold, although
these privileges are not necessarily enabled at login. (The
/DEFPRIVILEGES qualifier determines which ones are enabled.) A NO
prefix removes the privilege from the user. The keyword NOALL disables
all user privileges. Many privileges have varying degrees of power and
potential system impact (see the HP OpenVMS Guide to System Security for a detailed
discussion). By default, a user holds TMPMBX and NETMBX privileges.
Privname is the name of the privilege.
/PWDEXPIRED (default)
/NOPWDEXPIRED
Specifies the password is valid for only one login. A user must change
a password immediately after login or be locked out of the system. The
system warns users of password expiration. A user can either specify a
new password, with the DCL command SET PASSWORD, or wait until
expiration and be forced to change. By default, a user must change a
password when first logging in to an account. The default is applied to
the account only when the password is being modified.
/PWDLIFETIME=time (default)
/NOPWDLIFETIME
Specifies the length of time a password is valid. Specify a delta time
value in the form [dddd-] [hh:mm:ss.cc]. For example, for a lifetime of
120 days, 0 hours, and 0 seconds, specify /PWDLIFETIME="120-". For a
lifetime of 120 days 12 hours, 30 minutes and 30 seconds, specify
/PWDLIFETIME="120-12:30:30". If a period longer than the specified time
elapses before the user logs in, the system displays a warning message.
The password is marked as expired.
To prevent a password from expiring, specify the time as NONE. By
default, a password expires in 90 days.
/PWDMINIMUM=value
Specifies the minimum password length in characters. Note that this
value is enforced only by the DCL command SET PASSWORD. It does not
prevent you from entering a password shorter than the minimum length
when you use AUTHORIZE to create or modify an account. By default, a
password must have at least 6 characters. The value specified by the
/PWDMINIMUM qualifier conflicts with the value used by the
/GENERATE_PASSWORD qualifier or the DCL command SET PASSWORD/GENERATE,
the operating system chooses the lesser value. The maximum value for
generated passwords is 10.
/QUEPRIO=value
Reserved for future use.
/REMOTE[=(range[,...])]
Specifies hours during which access is permitted for interactive logins
from network remote terminals (with the DCL command SET HOST). For a
description of the range specification, see the /ACCESS qualifier. By
default, remote logins have no access restrictions.
/SHRFILLM=value
Specifies the maximum number of shared files that the user can have
open at one time. By default, the system assigns a value of 0, which
represents an infinite number.
/TQELM
Specifies the total number of entries in the timer queue plus the
number of temporary common event flag clusters that the user can have
at one time. By default, a user can have 100.
/UIC=value
Specifies the user identification code (UIC). The UIC value is a group
number in the range from 1 to 37776 (octal) and a member number in the
range from 0 to 177776 (octal), which are separated by a comma and
enclosed in brackets. HP reserves group 1 and groups 300--377 for its
own use.
Each user must have a unique UIC. By default, the UIC value is
[200,200].
/WSDEFAULT=value
Specifies the default working set limit. This represents the initial
limit to the number of physical pages the process can use. (The user
can alter the default quantity up to WSQUOTA with the DCL command SET
WORKING_SET.) By default, a user has 256 pages on VAX systems and 4096
pagelets on Alpha and I64 systems.
The value cannot be greater than WSMAX. This quota value replaces
smaller values of PQL_MWSDEFAULT.
/WSEXTENT=value
Specifies the working set maximum. This represents the maximum amount
of physical memory allowed to the process. The system provides memory
to a process beyond its working set quota only when it has excess free
pages. The additional memory is recalled by the system if needed.
The value is an integer equal to or greater than WSQUOTA. By default,
the value is 1024 pages on VAX systems and 16384 pagelets on Alpha and
I64 systems. The value cannot be greater than WSMAX. This quota value
replaces smaller values of PQL_MWSEXTENT.
/WSQUOTA=value
Specifies the working set quota. This is the maximum amount of physical
memory a user process can lock into its working set. It also represents
the maximum amount of swap space that the system reserves for this
process and the maximum amount of physical memory that the system
allows the process to consume if the systemwide memory demand is
significant.
The value cannot be greater than the value of WSMAX and cannot exceed
8,192 pagelets on Alpha and I64 systems. This quota value replaces
smaller values of PQL_MWSQUOTA.
Description
Modify the DEFAULT record when qualifiers normally assigned to a new
user differ from the HP-supplied values. The following qualifiers
correspond to fields in the default record that are commonly modified:
| Qualifier |
Reason for Modification |
|
/CLI
|
Specifies the default Command Line Interpreter to be used for this
user. (Most OpenVMS users use the DCL command interpreter.)
|
|
/DEVICE
|
If most users have the same default login device, allows you to specify
a default login device for newly-created users.
The use of a logical name is recommended.
|
|
/LGICMD
|
Specifies the filename of a command procedure to be invoked during the
login of the user.
- OpenVMS first looks for a systemwide login command procedure, using
the systemwide logical name SYS$SYLOGIN. If this logical name
successfully translates to a valid file specification, the command
interpreter invokes the resulting command procedure during login.
If the file specification does not include a file extension, the
command interpreter applies a default value that is specific to that
command interpreter. In the case of the DCL interpreter, the default
file extension is .COM.
- OpenVMS then looks for a LGICMD specification. If it finds this
specification, OpenVMS invokes the command procedure.
If the LGICMD specification does not include a file extension, the
current command interpreter applies a default value. In the case of the
DCL interpreter, the default file extension is .COM.
You can disable or override the command procedure invocation during
login by specifying qualifiers such as /NOCOMMAND or /LGICMD at the
login username prompt.
Also see the CAPTIVE and RESTRICTED flags.
|
|
/PRIVILEGES
|
When users are given different privileges than those supplied by HP.
|
|
Quota qualifiers
|
When the default quotas are insufficient or inappropriate for
mainstream work.
|
Example
|
UAF> DEFAULT /DEVICE=SYS$USER/LGICMD=SYS$MANAGER:SECURELGN -
_UAF> /PRIVILEGES=(TMPMBX,GRPNAM,GROUP)
%UAF-I-MDFYMSG, user record(s) updated
|
The command in this example modifies the DEFAULT record, changing the
default device, default login command file, and default privileges.
Enables you to exit from AUTHORIZE and return to DCL command level. You
can also return to command level by pressing Ctrl/Z.
Format
EXIT
Parameters
None.
Qualifiers
None.
Assigns the specified identifier to the user and documents the user as
a holder of the identifier in the rights database.
Format
GRANT/IDENTIFIER id-name user-spec
Parameters
id-name
Specifies the identifier name. The identifier name is a string of 1 to
31 alphanumeric characters that can contain underscores and dollar
signs. The name must contain at least one nonnumeric character.
user-spec
Specifies the UIC identifier that uniquely identifies the user on the
system. This type of identifier appears in alphanumeric format. For
example: [GROUP1,JONES].
Qualifier
/ATTRIBUTES=(keyword[,...])
Specifies attributes to be associated with the identifier. The
following are valid keywords:
|
DYNAMIC
|
Allows unprivileged holders of the identifier to remove and to restore
the identifier from the process rights list by using the DCL command
SET RIGHTS_LIST.
|
|
HOLDER_HIDDEN
|
Prevents people from getting a list of users who hold an identifier,
unless they own the identifier themselves.
|
|
NAME_HIDDEN
|
Allows holders of an identifier to have it translated, either from
binary to ASCII or from ASCII to binary, but prevents unauthorized
users from translating the identifier.
|
|
NOACCESS
|
Makes any access rights of the identifier null and void. If a user is
granted an identifier with the No Access attribute, that identifier has
no effect on the user's access rights to objects. This attribute is a
modifier for an identifier with the Resource or Subsystem attribute.
|
|
RESOURCE
|
Allows holders of an identifier to charge disk space to the identifier.
Used only for file objects.
|
|
SUBSYSTEM
|
Allows holders of the identifier to create and maintain protected
subsystems by assigning the Subsystem ACE to the application images in
the subsystem. Used only for file objects.
|
To remove an attribute from the identifier, add a NO prefix to the
attribute keyword. For example, to remove the Resource attribute,
specify /ATTRIBUTES=NORESOURCE.
Example
|
UAF> GRANT/IDENTIFIER INVENTORY [300,015]
%UAF-I-GRANTMSG, identifier INVENTORY granted to CRAMER
|
The command in this example grants the identifier INVENTORY to the user
named Cramer who has UIC [300,015]. Cramer becomes the holder of the
identifier and any resources associated with it. The following command
produces the same result:
UAF> GRANT/IDENTIFIER INVENTORY CRAMER
|
Displays information concerning the use of AUTHORIZE, including formats
and explanations of commands, parameters, and qualifiers.
Format
HELP [keyword[,...]]
Parameter
keyword[,...]
Specifies one or more keywords that refer to the topic, command,
qualifier, or parameter on which you want information from the
AUTHORIZE HELP command.
Qualifiers
None.
Description
If you do not specify a keyword, HELP displays information about the
topics and commands for which help is available. It then prompts you
with "Topic?". You can supply a topic or a command name, or
press Return. When you specify a command name and qualifiers, you get
detailed information about that command. If you respond by pressing
Return, you exit from help. You can also exit from help by pressing
Ctrl/Z.
If the command you request accepts qualifiers, the display of the help
information about the command is followed by the prompt
"Subtopic?". Respond to this prompt with a qualifier name, or
press Return. If you respond by pressing Return, HELP prompts with
"Topic?". If you want to exit from help directly from this
level, press Ctrl/Z.
Examples
The HELP command in this example displays information about the ADD
command:
ADD
Adds a user record to the SYSUAF and corresponding identifiers to
the rights database.
Format
ADD newusername
Additional information available:
Parameter Qualifiers
/ACCESS /ACCOUNT /ADD_IDENTIFIER /ALGORITHM /ASTLM /BATCH
/BIOLM /BYTLM /CLI /CLITABLES /CPUTIME /DEFPRIVILEGES
/DEVICE /DIALUP /DIOLM /DIRECTORY /ENQLM /EXPIRATION
/FILLM /FLAGS /GENERATE_PASSWORD /INTERACTIVE /JTQUOTA
/LGICMD /LOCAL /MAXACCTJOBS /MAXDETACH /MAXJOBS /NETWORK
/OWNER /PASSWORD /PBYTLM /PGFLQUOTA /PRCLM /PRIMEDAYS /PRIORITY
/PRIVILEGES /PWDEXPIRED /PWDLIFETIME
/PWDMINIMUM /REMOTE /SHRFILLM /TQELM /UIC
/WSDEFAULT /WSEXTENT /WSQUOTA
Examples /IDENTIFIER /PROXY
ADD Subtopic?
|
The command in this example displays information about the /ACCOUNT
qualifier:
ADD
/ACCOUNT=account-name
Specifies the default name for the account (for example, a billing
name or number). The name can be a string of 1 to 8 alphanumeric
characters. By default, AUTHORIZE does not assign an account name.
|
Writes reports for selected UAF records to a listing file, SYSUAF.LIS,
which is placed in the current default directory.
Note
LIST/IDENTIFIER, LIST/PROXY, and LIST/RIGHTS are documented as separate
commands.
|
Format
LIST [user-spec]
Parameter
user-spec
Specifies the user name or UIC of the requested UAF record. Without the
user-spec parameter, AUTHORIZE lists the user records
of all users. The asterisk (*) and percent sign (%) wildcards are
permitted in the user name.
Qualifiers
/BRIEF
Specifies that a brief report be written to SYSUAF.LIS. The /BRIEF
qualifier is the default qualifier. SYSUAF.LIS is placed in the default
directory.
/FULL
Specifies that a full report be written to SYSUAF.LIS, including
identifiers held by the user. SYSUAF.LIS is placed in the SYS$SYSTEM
directory.
Description
The LIST command creates a listing file of reports for selected UAF
records. Print the listing file, SYSUAF.LIS, with the DCL command PRINT.
Specification of a user name results in a single-user report.
Specification of the asterisk wildcard character following the LIST
command results in reports for all users in ascending sequence by user
name. Specification of a UIC results in reports for all users with that
UIC. (HP recommends that you assign each user a unique UIC, but if
users share a UIC, the report will show all users with that UIC.) You
can use the asterisk wildcard character to specify the UIC.
The following table shows how to specify a UIC with the LIST command
and use the asterisk wildcard character with the UIC specification to
produce various types of reports:
| Command |
Description |
|
LIST [14,6]
|
Lists a full report for the user (or users) with member number 6 in
group 14.
|
|
LIST [14,*] /BRIEF
|
Lists a brief report for all users in group 14, in ascending sequence
by member number.
|
|
LIST [*,6] /BRIEF
|
Lists a brief report for all users with a member number of 6.
|
|
LIST [*,*] /BRIEF
|
Lists a brief report for all users, in ascending sequence by UIC.
|
Although you must provide separate UICs for each user, the LIST command
reports users with the same UIC in the order in which they were added
to the SYSUAF. Full reports list the details of the limits, privileges,
login flags, and command interpreter. Brief reports do not include the
limits, login flags, or command interpreter, nor do they summarize the
privileges. AUTHORIZE never displays the password for an account.
See the SHOW command for examples of brief and full reports.
Examples
| #1 |
UAF> LIST ROBIN/FULL
%UAF-I-LSTMSG1, writing listing file
%UAF-I-LSTMSG2, listing file SYSUAF.LIS complete
|
This command lists a full report for the user record ROBIN.
| #2 |
UAF> LIST *
%UAF-I-LSTMSG1, writing listing file
%UAF-I-LSTMSG2, listing file SYSUAF.LIS complete
|
This command results in brief reports for all users in ascending
sequence by user name. Note, however, that this is the same result you
would produce had you omitted the asterisk wildcard.
| #3 |
UAF> LIST [300,*]
%UAF-I-LSTMSG1, writing listing file
%UAF-I-LSTMSG2, listing file SYSUAF.LIS complete
|
This command lists a brief report for all user records with a group UIC
of 300.
Creates a listing file (RIGHTSLIST.LIS) in which identifier names,
attributes, values, and holders are written.
Format
LIST/IDENTIFIER [id-name]
Parameter
id-name
Specifies an identifier name. You can specify the asterisk wildcard
character (*) to list all identifiers. If you omit the identifier name,
you must specify /USER or /VALUE.
Qualifiers
/BRIEF
Specifies a brief listing in which only the identifier name, value, and
attributes appear.
/FULL
Specifies a full listing, in which the names of the identifier's
holders are displayed along with the identifier's name, value, and
attributes. The /FULL qualifier specifies the default listing format.
/USER=user-spec
Specifies one or more users whose identifiers are to be listed. The
user-spec can be a user name or UIC. You can use the asterisk
wildcard character (*) to specify multiple user names or UICs. UICs
must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard user name
specification (*) lists identifiers alphabetically by user name; a
wildcard UIC specification ([*,*]) lists them numerically by UIC.
/VALUE=value-specifier
Specifies the value of the identifier to be listed. The following
formats are valid for the value-specifier:
|
IDENTIFIER:n
|
An integer value in the range 65,536 to 268,435,455. You can also
specify the value in hexadecimal (precede the value with %X) or octal
(precede the value with %O).
To differentiate general identifiers from UIC identifiers,
%X80000000 is added to the value you specify.
|
|
GID:n
|
GID is the POSIX group identifier. It is an integer value in the range
0 to 16,777,215 (%XFFFFFF). The system will add %XA400.0000 to the
value you specify and then enter this new value into the system
RIGHTSLIST as an identifier.
|
|
UIC:uic
|
A UIC value in the standard UIC format.
|
Description
The LIST/IDENTIFIER command creates a listing file in which identifier
names, attributes, values, and holders are displayed in various formats
depending on the qualifiers specified. Two of these formats are
illustrated in the description of the SHOW/IDENTIFIER command.
Print the listing file named RIGHTSLIST.LIS with the DCL command PRINT.
Examples
| #1 |
UAF> LIST/IDENTIFIER INVENTORY
%UAF-I-LSTMSG1, writing listing file
%UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete
|
The command in this example generates a full listing for the identifier
INVENTORY, including its value (in hexadecimal), holders, and
attributes.
| #2 |
UAF> LIST/IDENTIFIER/USER=ANDERSON
%UAF-I-LSTMSG1, writing listing file
%UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete
|
This command lists an identifier associated with the user ANDERSON,
along with its value and attributes. Note, however, that this is the
same result you would produce had you specified ANDERSON's UIC with the
following forms of the command:
UAF> LIST/IDENTIFIER/USER=[300,015]
|
UAF> LIST/IDENTIFIER/VALUE=UIC:[300,015]
|
|
