The level of system access a user enjoys depends
on your site requirements, that user's role in the organization,
and your management of his or her account. A site with low security
requirements and plenty of system resources may allow access at any
time of day whereas a site with moderate security requirements may
limit logins to daytime hours and permit dialup or network connections
only to a subset of users.
Using the AUTHORIZE utility, you control when
and how users can access the system. Table 7-1, “Authorize Qualifiers Controlling Login Times and Conditions”, identifies the applicable qualifiers.
Table 7-1 Authorize Qualifiers Controlling Login Times and Conditions

| Category | Qualifier | Description |
|---|---|---|
| Time of day | /ACCESS | By default, a user has full access every day. By specifying an access time, you prevent access at all other times. Identify hours on primary days with the keyword PRIMARY; identify hours on secondary days with the keyword SECONDARY. |
| | /DIALUP | Specifies hours of access permitted for dialup logins. |
| | /LOCAL | Specifies hours of access for interactive logins from local terminals. |
| Days of week | /PRIMEDAYS | Defines the primary and secondary days of the week for logging in. |
| Mode of operation | /BATCH | Specifies the hours of access permitted for batch jobs. |
| | /INTERACTIVE | Specifies the hours of access for interactive logins. |
| | /NETWORK | Specifies the hours of access permitted for network batch jobs. |
| | /REMOTE | Specifies hours during which access is permitted for interactive logins from network remote terminals (with the DCL command SET HOST). |
| Allocation of resources | /DEVICE | Specifies the name of the user's default device at login. |
| | /DIRECTORY | Specifies the name of the user's default directory at login. |
| Validity of account | /EXPIRATION | Specifies the expiration date and time of the account. |
| | /FLAGS=DISUSER | Disables the account so the user cannot log in. |
| External authentication | /FLAGS=EXTAUTH | Specifies that the user is externally authenticated. |
| | /FLAGS=VMSAUTH | Specifies that the account can use standard authentication (using SYSUAF) regardless of whether the EXTAUTH flag, which otherwise requires external authentication, is set. For more information on external authentication, see the section “Overriding External Authentication”. |
Restricting Work Times
AUTHORIZE qualifiers let you restrict system use
to certain days of the week and certain periods of the day. Restricting
work times is useful to better balance the workload on your system.
Restricting access to accounts is also an effective way of preventing
unauthorized use of the system outside of normal working hours.
Define primary and secondary days of the week
with the /PRIMEDAYS qualifier, or conform to the default where primary
days are Monday through Friday and secondary days are Saturday and
Sunday. For example, to modify the defaults for a user who works Tuesday
through Saturday, you would specify the /PRIMEDAYS qualifier as follows:
/PRIMEDAYS=(NOMONDAY,TUESDAY,WEDNESDAY,THURSDAY,FRIDAY,SATURDAY,NOSUNDAY)
Occasionally an operational change occurs that
conflicts with the normal day assignments at your site, such as a
holiday falling on a primary day. To override the normal day assignment,
use the DCL command SET DAY, and specify the day-type interpretation
you want for the current day. This requires OPER privilege. Note that
this change applies to all logged-in users, as well as those who will
log in during the day. If users who are currently logged in are unauthorized
for the day-type once it changes, they are logged out of the system
at the next hour. (The job controller enforces time restrictions on
an hourly basis.)
Decide which types of login access should be restricted
to certain hours. The login access qualifiers are: /LOCAL, /REMOTE,
/DIALUP, /INTERACTIVE, /BATCH, and /NETWORK. However, if your site
applies one set of primary and secondary hours for all types of logins,
you can specify the /ACCESS qualifier, which applies to all modes
of access.
The following example shows how to apply the /BATCH
qualifier to a user's account to disable the user from running
batch jobs during normal working hours:
This specification permits the user to run batch
jobs only during the hours of 6:00 p.m. through 8:59 a.m. on primary
days but all day on secondary days.
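The following AUTHORIZE session is an added example and is not from the original page. It applies the restrictions this section describes to one account: the account name JSMITH, the dialup hours and the holiday override are assumptions for illustration, while the batch restriction is the one described above (batch denied 9:00 through 17:59 on primary days, unrestricted on secondary days). Two points of the range syntax are worth seeing in practice: the negated form of a qualifier with a range denies only the listed hours, whereas the positive form permits only the listed hours for that day type, and a range whose end is earlier than its start wraps through midnight.

```dcl
$ ! Added example; JSMITH, the dialup hours and the holiday override are assumed.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ! Tuesday through Saturday are this user's primary days.
UAF> MODIFY JSMITH /PRIMEDAYS=(NOMONDAY,TUESDAY,WEDNESDAY,THURSDAY,FRIDAY,SATURDAY,NOSUNDAY)
UAF> ! Negated form with a range: deny batch jobs 9:00 through 17:59 on
UAF> ! primary days only. Batch therefore remains allowed 18:00 through
UAF> ! 8:59 on primary days and all day on secondary days.
UAF> MODIFY JSMITH /NOBATCH=(PRIMARY, 9-17)
UAF> ! A range whose end precedes its start wraps through midnight: this
UAF> ! denies dialup 19:00 through 6:59 on primary days and at every hour
UAF> ! on secondary days, so dialup is open only 7:00 through 18:59 on
UAF> ! primary days.
UAF> MODIFY JSMITH /NODIALUP=(PRIMARY, 19-6, SECONDARY, 0-23)
UAF> ! Verify the primary and secondary access tables in the record.
UAF> SHOW JSMITH
UAF> EXIT
$ ! A site holiday falls on a primary day: treat today as a secondary day
$ ! for all users (requires OPER). Logged-in users who are not authorized
$ ! for secondary-day access are logged out at the next hour.
$ SET DAY /SECONDARY
$ ! Return to the day type that /PRIMEDAYS assigns.
$ SET DAY /DEFAULT
```

Because the job controller checks the restrictions hourly, a user whose permitted window ends at 17:59 is not removed at 18:00 on the minute; plan the ranges with that granularity in mind and confirm the tables with SHOW rather than trusting the qualifier you typed.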
Restricting Modes of Operation
The following concerns might cause you to prohibit
network access for some of your users:
The user has data that
should be accessed only through the local node.
Penetration attempts are
more likely to occur over a network because of the increased anonymity
of the connection. (This concern is also relevant to dialup connections.)
Use the AUTHORIZE qualifier /NONETWORK to prevent
specific users from having network access, as shown in the following
example:
UAF> ADD JSMITH /NONETWORK, ...
Any of the AUTHORIZE access mode qualifiers (/LOCAL,
/REMOTE, /DIALUP, /INTERACTIVE, /BATCH, or /NETWORK) can be negated
in this manner to restrict access to the system.
Restricting Account Duration
It is good practice to set an account expiration
time that matches the maximum length of time you expect the user to
require access. When the expiration time arrives, the system automatically
prohibits access to the account. You must still remove the UAF record
and delete the user's files.
Use of the /EXPIRATION qualifier also forces you
to periodically review accounts and reauthorize only those that are
necessary.
To set the account expiration time, use the AUTHORIZE
qualifier /EXPIRATION in the user's UAF record. For example,
the following qualifier specifies that the user's account will
expire on the 30th of December 2008:
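As an added example that is not from the original page, the qualifier just described applied inside an AUTHORIZE session, followed by the review step the text recommends. The account name JSMITH and the later dates are assumptions for illustration; the expiration value is an OpenVMS absolute time, so a time of day may follow the date.

```dcl
$ ! Added example; the account name JSMITH and the dates are assumed.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ! Absolute time in dd-mmm-yyyy[:hh:mm] form. Once it passes, logins to
UAF> ! the account are refused; the UAF record and the user's files remain
UAF> ! until you remove them.
UAF> MODIFY JSMITH /EXPIRATION=30-DEC-2008
UAF> ! Include a time of day when access must end during the working day.
UAF> MODIFY JSMITH /EXPIRATION=30-DEC-2008:17:00
UAF> ! Periodic review: check the Expiration field, then reauthorize only
UAF> ! if the user still needs the account, again with a bounded date.
UAF> SHOW JSMITH
UAF> MODIFY JSMITH /EXPIRATION=30-JUN-2009
UAF> ! /NOEXPIRATION removes the limit altogether; reserve it for accounts
UAF> ! that are reviewed by some other means.
UAF> EXIT
```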
Disabling Accounts
You
may want to severely restrict the use of certain accounts. For example,
you may want to disable specific accounts used only periodically,
such as the SYSTEST and FIELD accounts, to limit possible misuse of
these accounts. Disable the accounts with the /FLAGS=DISUSER qualifier.
Temporarily enable the accounts with the /FLAGS=NODISUSER qualifier
when needed.
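An added example, not from the original page, of disabling the two periodically used accounts the text names and of enabling one of them for a bounded service window. The window and its end time are assumptions for illustration; pairing the temporary NODISUSER with an /EXPIRATION at the end of the window means the account locks itself if nobody remembers to disable it again.

```dcl
$ ! Added example; the service window and its end time are assumed.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ! A DISUSER account rejects every login attempt.
UAF> MODIFY SYSTEST /FLAGS=DISUSER
UAF> MODIFY FIELD /FLAGS=DISUSER
UAF> ! A service engineer needs FIELD this afternoon: enable it and set an
UAF> ! expiration at the end of the window as a safety net.
UAF> MODIFY FIELD /FLAGS=NODISUSER /EXPIRATION=30-DEC-2008:18:00
UAF> ! When the work is done, disable it explicitly rather than waiting
UAF> ! for the expiration, and clear the now-stale date; DISUSER alone
UAF> ! keeps the account closed.
UAF> MODIFY FIELD /FLAGS=DISUSER /NOEXPIRATION
UAF> ! Confirm that both records carry the DisUser flag.
UAF> SHOW SYSTEST
UAF> SHOW FIELD
UAF> EXIT
```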
Restricting Disk Volumes
Identify the user's default device and directory
in the UAF record with the AUTHORIZE qualifiers /DEVICE and /DIRECTORY.
You can limit the number of blocks available to the user on that disk
(and any other disk) through the disk quota feature of the System
Management utility (SYSMAN), as described in the HP OpenVMS
System Management Utilities Reference Manual: A-L.
The volume protection in place on other disks
controls how much access a user can obtain to the disks. The user's
privileges, which can be extended or limited through the AUTHORIZE
qualifier /PRIVILEGES, also influence the access available (see “Giving Users Privileges”).
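The following is an added example, not from the original page, that sets a user's default device and directory with AUTHORIZE and then limits the user's blocks on that volume with the SYSMAN disk quota feature the text refers to. The device name DISK$USERS, the UIC [200,1], the second volume DISK$DATA and the quota values are assumptions for illustration.

```dcl
$ ! Added example; DISK$USERS, DISK$DATA, the UIC [200,1] and the quota
$ ! values are assumed. Create the login directory first, owned by the
$ ! user's UIC, so the first login lands in a directory the user owns.
$ CREATE /DIRECTORY DISK$USERS:[JSMITH] /OWNER_UIC=[200,1] /PROTECTION=(S:RWE,O:RWE,G,W)
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ! Default device and directory applied at login.
UAF> MODIFY JSMITH /DEVICE=DISK$USERS /DIRECTORY=[JSMITH]
UAF> SHOW JSMITH
UAF> EXIT
$ ! Disk quotas are kept per volume and per UIC and managed from SYSMAN.
$ ! CREATE builds the quota file once per volume; ENABLE turns
$ ! enforcement on.
$ RUN SYS$SYSTEM:SYSMAN
SYSMAN> DISKQUOTA CREATE /DEVICE=DISK$USERS
SYSMAN> DISKQUOTA ENABLE /DEVICE=DISK$USERS
SYSMAN> ! Permanent quota in blocks, plus the overdraft by which the user
SYSMAN> ! may exceed it before further allocation fails.
SYSMAN> DISKQUOTA ADD [200,1] /DEVICE=DISK$USERS /PERMQUOTA=100000 /OVERDRAFT=2000
SYSMAN> DISKQUOTA SHOW [200,1] /DEVICE=DISK$USERS
SYSMAN> EXIT
$ ! Access to other volumes is governed by their volume protection; check
$ ! it before assuming a user is confined to the default device.
$ SHOW DEVICE /FULL DISK$DATA
```

The quota only bounds how much the user can allocate on a volume that has quotas enabled; it does not stop the user from reaching another disk whose volume protection or the user's privileges allow it, which is why the last command inspects the other volume.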
Marking Accounts for External Authentication
Mark a user's account in the UAF record with
the AUTHORIZE qualifier /FLAGS=EXTAUTH to allow the user to be externally
authenticated.
See “Enabling External Authentication” for more information.