See Section 6.11 for a list of privileges, limits, and quotas that you can specify in the resource control and privileges fields of the UAF record.
The following example shows a typical user record for a restricted user account. Callouts describe the fields.

$ RUN SYS$SYSTEM:AUTHORIZE
UAF> SHOW WELCH

Username: WELCH                            Owner:  ROB WELCH           (1)
Account:  INVOICE                          UIC:    [21,51] ([INV,WELCH])
CLI:      DCL                              Tables: DCLTABLES           (2)
Default:  USER3:[WELCH]
LGICMD:
Login Flags:  Diswelcome Disnewmail                                    (3)
Primary days:   Mon Tue Wed Thu Fri
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ------ No access -------  ----- Full access ------
Batch:    #########--------#######  ---------#########------
Local:    #########--------#######  ---------#########------
Dialup:   ----- Full access ------  ------ No access -------
Remote:   ----- Full access ------  ------ No access -------
Expiration:            (none)       Pwdminimum:  6   Login Fails:     0
Pwdlifetime:                30      Pwdchange: 15-APR-1996 13:58
Last Login:            (none) (interactive),            (none) (non-interactive)
Maxjobs:         0  Fillm:        20  Bytlm:         8192             (4)
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:        10  JTquota:       1024
Prclm:           2  DIOlm:        10  WSdef:          150
Prio:            4  ASTlm:        10  WSquo:          256
Queprio:         4  TQElm:        10  WSextent:       512
CPU:        (none)  Enqlm:       100  Pgflquo:      10240
Authorized Privileges:                                                 (5)
  TMPMBX NETMBX
Default Privileges:
  TMPMBX NETMBX
Identifier                         Value           Attributes
  (6)                                              (7)
  PROJECT_X                        %X8001001E      RESOURCE NODYNAMIC
  DOCU_PROC                        %X80010044      NORESOURCE NODYNAMIC
This section describes what to do before adding a user account.
6.5.1 Choosing an Account Type
How you set up a user account depends on the needs of the individual user. Table 6-5 lists the account types and their characteristics.
|Interactive||This account has access to the system software. Work of a general nature, such as program development or text editing, is performed in this account. Usually, such an account is considered an individual account.|
|Limited access||This account provides controlled login to the system and, in some cases, has only a subset of user software available. Limited-access accounts ensure that the system login command procedure (SYLOGIN.COM) and the process login command procedure (specified by the /LGICMD qualifier in the UAF), as well as any command procedures they call, are executed. (See the OpenVMS Guide to System Security for information about writing limited-access account command procedures.) The two types of limited accounts are restricted and captive.|
When adding a user account, you must do the following:
These tasks are described in detail in the sections that follow. When you have completed the tasks for preparing to add a user account, you are ready to add the account by following one of the methods described in Section 6.6.
6.5.2.1 Selecting a User Name and Password
To determine a user name and password, use naming conventions that take into consideration the nature of the account. For example, some installations use the name of the person who will use the account.
Captive accounts, on the other hand, often use a name that describes the function of the account. Thus, an interactive or restricted account for Robert Jones might have a user name of JONES, while a captive account for an inventory system might be called INV103289, which gives some indication of the function of the account but is not easy to guess. Remember to assign unique user names.
For interactive accounts, it is best to let the person using the account control the password. Initially, provide a password that is not easy to guess. The user will be forced to change the password at first login. Only the person using the account should know the password. Encourage all users to set obscure passwords of at least eight characters and to change them frequently, or force the use of generated passwords with the /FLAGS=GENPWD and /GENERATE_PASSWORD qualifiers.
You can use the /PWDMINIMUM and /PWDLIFETIME qualifiers with the AUTHORIZE command ADD or MODIFY to enforce timely password changes. The following table lists the password qualifiers and the action each takes.
|Qualifier||Action|
|/PWDMINIMUM||Specifies the minimum password length in characters (default is 6).|
|/PWDLIFETIME||Specifies a delta-time value. The password expires that interval after it was last changed. One week before the expiration date, the system issues a warning message to the user; on that date, the password expires if it has not been changed.|
|/GENERATE_PASSWORD||Invokes a password generator to generate user passwords.|
|/FLAGS=GENPWD||Forces use of the automatic password generator whenever the user changes the password. Consider using the password generator for privileged accounts or whenever a user has access to sensitive data.|
For captive accounts, the degree of sensitivity of the data used by the account should determine the type of password. For example, the password for a payroll application should be obscure, while the password for a suggestions account might not even be required; it could be null (in which case users would not be prompted for the password).
Prohibit users from changing the passwords of captive accounts. To do this, specify /FLAGS=LOCKPWD when you create the captive account. Change the password whenever you feel it might be compromised (for example, if a person using the account moves to another job).
To change a user's password, use the following command format at the UAF> prompt:
See the OpenVMS System Management Utilities Reference Manual for more information about AUTHORIZE.
6.5.2.2 Assigning the User Identification Code
Assign each account a unique user identification code (UIC). A UIC has two formats: alphanumeric and numeric.
The alphanumeric UIC consists of a member name and, optionally, a group name separated by a comma and enclosed within brackets (for example, [DOCO,PRICE]). These identifiers might also appear as numeric characters consisting of a group identifier and a member identifier in octal (for example, [11,200]).
Assign accounts the same group number if their owners perform similar work, access the same files frequently, or use many of the same logical names. See the OpenVMS Guide to System Security for a detailed discussion of the user identification code.
Note: Digital reserves UIC group 1 and groups 300 through 377.
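The SHOW WELCH display above and the password, flag and UIC rules in this section lend themselves to an automated review: the text that AUTHORIZE prints can be parsed and checked against a policy. The following Python script is an added example, not code from the OpenVMS manual. It parses a constructed sample record (the WELCH record, trimmed and reflowed into the column layout SHOW uses) and reports settings a reviewer would query. The policy thresholds (eight-character minimum, baseline privileges TMPMBX and NETMBX), the reading of the reserved UIC groups as octal, the assumption that each access field is exactly 24 columns, and the login flag names Captive, Lockpwd and Genpwd as displayed by SHOW are assumptions made for the example.

```python
"""Audit an AUTHORIZE SHOW record against a simple password/privilege policy.

Added example; not part of the OpenVMS manual. Policy thresholds are
assumptions chosen for illustration, not OpenVMS defaults.
"""
import re

# Constructed sample: the WELCH record from the manual, trimmed and reflowed.
# The 24-column access fields and the "Label: value" layout are assumed to
# match what SHOW prints.
SAMPLE_RECORD = """\
Username: WELCH                            Owner:  ROB WELCH
Account:  INVOICE                          UIC:    [21,51] ([INV,WELCH])
Login Flags:  Diswelcome Disnewmail
Primary days:   Mon Tue Wed Thu Fri
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ------ No access -------  ----- Full access ------
Batch:    #########--------#######  ---------#########------
Local:    #########--------#######  ---------#########------
Dialup:   ----- Full access ------  ------ No access -------
Remote:   ----- Full access ------  ------ No access -------
Expiration:            (none)       Pwdminimum:  6   Login Fails:     0
Pwdlifetime:                30      Pwdchange: 15-APR-1996 13:58
Authorized Privileges:
  TMPMBX NETMBX
Default Privileges:
  TMPMBX NETMBX
Identifier                         Value           Attributes
  PROJECT_X                        %X8001001E      RESOURCE NODYNAMIC
  DOCU_PROC                        %X80010044      NORESOURCE NODYNAMIC
"""

RESERVED_GROUPS = {0o1} | set(range(0o300, 0o377 + 1))  # Digital-reserved UIC groups (octal)
MIN_PASSWORD_LEN = 8                                    # policy assumption
BASELINE_PRIVS = {"TMPMBX", "NETMBX"}                   # what an ordinary user holds
ACCESS_TYPES = ("Network", "Batch", "Local", "Dialup", "Remote")


def decode_hours(field):
    """Turn one 24-column access field into 24 booleans: is hour h allowed?"""
    if "Full access" in field:
        return [True] * 24
    if "No access" in field:
        return [False] * 24
    return [c == "#" for c in field]        # '#' marks an hour with access


def parse_record(text):
    """Extract the security-relevant fields of a SHOW record into a dict."""
    rec = {"access": {}, "privs": set(), "identifiers": []}
    lines = text.splitlines()
    access_re = re.compile(r"(%s):\s+(.{24})\s+(.{24})" % "|".join(ACCESS_TYPES))
    for i, line in enumerate(lines):
        if m := re.match(r"Username:\s+(\S+)", line):
            rec["username"] = m.group(1)
        if m := re.search(r"UIC:\s+\[(\d+),(\d+)\]", line):
            rec["uic"] = (int(m.group(1), 8), int(m.group(2), 8))   # printed in octal
        if m := re.match(r"Login Flags:\s*(.*)", line):
            rec["flags"] = set(m.group(1).split())
        if m := access_re.match(line):
            rec["access"][m.group(1)] = (decode_hours(m.group(2)), decode_hours(m.group(3)))
        if m := re.search(r"Pwdminimum:\s+(\d+)", line):
            rec["pwdminimum"] = int(m.group(1))
        if m := re.match(r"Pwdlifetime:\s+(\S+)", line):
            rec["pwdlifetime"] = None if m.group(1) == "(none)" else m.group(1)
        if line.startswith("Authorized Privileges:"):
            rec["privs"] = set(lines[i + 1].split())
        if m := re.match(r"\s+(\w+)\s+%X([0-9A-F]+)\s+(.*)", line):
            rec["identifiers"].append((m.group(1), int(m.group(2), 16), m.group(3).split()))
    return rec


def audit(rec):
    """Return a list of (check, detail) findings for a parsed record."""
    findings = []
    group = rec["uic"][0]
    if group in RESERVED_GROUPS:
        findings.append(("uic", "group %o is reserved by Digital" % group))
    if rec["pwdminimum"] < MIN_PASSWORD_LEN:
        findings.append(("pwdminimum", "%d < %d" % (rec["pwdminimum"], MIN_PASSWORD_LEN)))
    if rec["pwdlifetime"] is None:
        findings.append(("pwdlifetime", "passwords never expire"))
    flags = rec["flags"]
    if "Captive" in flags and "Lockpwd" not in flags:
        findings.append(("lockpwd", "captive account lets the user change its password"))
    if "Captive" not in flags and "Genpwd" not in flags:
        findings.append(("genpwd", "user-chosen passwords; consider /FLAGS=GENPWD"))
    extra = rec["privs"] - BASELINE_PRIVS
    if extra:
        findings.append(("privs", "beyond baseline: " + " ".join(sorted(extra))))
    net_primary, net_secondary = rec["access"]["Network"]
    if any(net_secondary) and not any(net_primary):
        findings.append(("network", "network logins allowed only on secondary days"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(parse_record(SAMPLE_RECORD)):
        print("%-12s %s" % (check, detail))
```

Run against the sample, the script reports the six-character minimum, the absence of GENPWD on an account with a user-chosen password, and the odd access matrix (network logins permitted on Saturday and Sunday but not on primary days), which is exactly the kind of detail that is easy to miss when reading the display by eye. To review a whole system, split the output of AUTHORIZE LIST/FULL or of SHOW * on the Username: lines and feed each record to parse_record.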
Disk quotas limit the amount of disk space available to individual users on a particular volume. If disk quotas are in effect for a disk volume, run the System Management utility (SYSMAN) and use the DISKQUOTA command to add an entry for the new UIC as follows:
$ RUN SYS$SYSTEM:SYSMAN
SYSMAN> SET ENVIRONMENT/NODE=LARRY
SYSMAN> DISKQUOTA ADD [014,JONES]/DEVICE=DISK$USER/PERMQUOTA=2000/OVERDRAFT=500
SYSMAN> EXIT

The sum of the quota and overdraft values is the absolute maximum number of blocks allotted to the user, which in this example is 2500 blocks. For more information on SYSMAN and establishing disk quotas, see the OpenVMS System Management Utilities Reference Manual.
6.5.2.3 Setting the User Default Device for an Interactive Account
For each interactive account, create a top-level (default) directory (using the DCL command CREATE/DIRECTORY). In the directory place a login file, login file template, and/or logout file, as appropriate. The interactive user creates and maintains files and subdirectories in this directory. Make the owner of the directory the UIC for the new account. Usually, you also use the name of the account for the default directory.
If you decided on an account name of JONES and a UIC of [014,1], you would enter the following DCL command to create a default directory for the account on the volume DISK$USER:
$ CREATE/DIRECTORY DISK$USER:[JONES]/OWNER_UIC=[014,1]
The volume on which the directory is established depends on which devices you reserve for interactive accounts and how much space is available on each.
The default file specification you provide the new account (when you run AUTHORIZE) should be the name of the device and the name of the top-level directory you used in the DCL command CREATE/DIRECTORY.
6.5.2.4 Setting the User Default Device for a Captive Account
For a captive account, whether you create a top-level directory depends on the nature of the user system. If people use files in a particular directory, make that directory the default directory specification. For example, if the inventory system uses the files DISK$DATA:[INV]STOCK1.DAT and DISK$DATA:[INV]STOCK2.DAT, make the default device specification DISK$DATA: and make the default directory
6.5.3 Understanding Account Security
The level of security that you establish for an account depends on the purpose of the account and whether it is shared with other users or groups. For an interactive user account, the default UIC-based protection is usually adequate.
Protecting Users' Files
The default protection for top-level directories is no world access. However, for new user directories, you might want to change the default to world execute access so that users will not have to change directory protection to allow other users read access to files in that directory.
Users can further protect their files and subdirectories on an individual basis with the DCL command SET SECURITY.
Using Access Control Lists (ACLs)
In some cases, such as project accounts, you might want to set up an additional level of protection by using access control lists (ACLs). ACL-based protection provides a more refined level of security in cases where different groups or members of overlapping groups share access to an account such as a project account. ACLs offer a way to grant or deny users access to any security-relevant object.
Section 6.9.2 describes how to set up a project account with ACL-based protection. For more information on how to set up and edit ACLs, see the OpenVMS Guide to System Security and the OpenVMS System Management Utilities Reference Manual.
Using AUTHORIZE to Maintain the Rights Database
The rights database (RIGHTSLIST.DAT) is a file that associates users of the system with access-controlling identifiers. When a user logs in, the system checks the rights database for the identifiers that the user holds. You use the Authorize utility (AUTHORIZE) to maintain the rights database by adding or deleting identifiers as needed.
By allowing a group of users to hold common identifiers, you can create a group protection scheme that is more intricate than that provided by the UIC-based protection.
Using Protected Subsystems
Protected subsystems provide conditional access to data. In a protected subsystem, an application protected by normal access controls serves as a gatekeeper to objects belonging to the subsystem. While users are running the application, their process rights list contains identifiers giving them access to objects owned by the subsystem. As soon as users exit from the application, these identifiers and, therefore, the users' access rights to objects are taken away. For more information, see the OpenVMS Guide to System Security.
6.6 Adding User Accounts
The following sections explain how to use two different methods for adding user accounts:
Once you analyze the purpose of a user account and decide which attributes and resources it requires, you can use the Authorize utility (AUTHORIZE) to create the account.
How to Perform This Task
$ SET PROCESS/PRIVILEGE=SYSPRV
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF>

UAF> ADD JONES/PASSWORD=LPB57WM/UIC=[014,1] -
_UAF> /DEVICE=DISK$USER/DIRECTORY=[JONES] -
_UAF> /LGICMD=DISK$USER:[NEWPROD]GRPLOGIN -
_UAF> /OWNER="ROBERT JONES"/ACCOUNT=DOC
This section lists the qualifiers that you can use when setting up an account with AUTHORIZE. Table 6-6 lists the qualifiers under the account attribute that they affect. See Section 6.11.2 for a detailed description of each qualifier. For a complete list of AUTHORIZE qualifiers, see the OpenVMS System Management Utilities Reference Manual.
|Limits and Quotas¹|
|Login Access Controls ³|
As an alternative to using the Authorize utility, you can use a command procedure to create user accounts. The ADDUSER.COM procedure, which is located in the SYS$EXAMPLES directory, is an example of such a procedure; it supplies prompts and several default values for creating the new account.
You can modify ADDUSER.COM as appropriate for the needs of your system. To run ADDUSER.COM, log in to the SYSTEM account and enter the following command:
ADDUSER.COM prompts you to enter values in a number of UAF record fields. If you press Return without specifying a value for a field, ADDUSER supplies the following default values:
|UAF Field||Default Value|
|User name||No default; must supply|
|Owner||No default; must supply|
|Password||User name specified|
|UIC group number||200|
|UIC member number||No default; must supply number|
|Login directory||User name specified|
The UIC must be unique for the system. For example, each account in the UIC group 200 must have a unique member number. You can list the UICs currently assigned to users by entering a question mark ( ? ) after the UIC member number prompt. The account is not created until you have answered all of the questions in the procedure. The final prompt in the procedure is the following:
Is everything satisfactory with the account [YES]?
If you press Return, the account is created and remains in SYSUAF.DAT as specified. If you enter NO, the account is removed.
Note: If you press Ctrl/Y before, during, or directly after the system displays the characteristics of the account (that is, before you respond to the "satisfactory?" prompt), the account, or portions of it, will still be added.
Make sure users log in to their accounts promptly to change the
6.7 Maintaining User Accounts
As system manager, you perform a certain number of user account maintenance tasks, such as modifying and deleting accounts. The following sections explain how to perform these tasks:
|Using command procedures for interactive accounts||Section 6.7.1|
|Modifying a user account||Section 6.7.2|
|Listing user accounts||Section 6.7.3|
|Maintaining the user environment||Section 6.7.4|
|Deleting a user account||Section 6.7.5|
|Using BACKUP to remove user files||Section 6.7.6|
|Disabling a user account||Section 6.7.7|
For all accounts, login command procedures contain commands commonly executed at the beginning of every user session. These commands do such tasks as the following:
Login command procedures are useful for saving keystrokes and standardizing operations.
In establishing login command procedures for interactive accounts, you have the following choices:
|Login Command Procedure||Description|
|System||As system manager, you normally create and maintain a standard login command procedure in the system directory (the file is usually named SYS$MANAGER:SYLOGIN.COM). You then assign the logical name SYS$SYLOGIN to the name of the file so that whenever a user logs in, the procedure is executed.|
|Individual||For any or all accounts, you can specify an additional login command procedure with the /LGICMD qualifier of the AUTHORIZE commands ADD, MODIFY, or COPY. You can give the login command procedure any valid file specification. Whenever the user logs in, the additional procedure is executed after SYS$SYLOGIN.|
|User-specified command file||After the system login command procedure (if any) has run, if no individual login command procedure was specified with /LGICMD, the system looks for a command file called LOGIN.COM in the user's login directory as defined by the UAF (user authorization file) record device and directory fields. If the file is found, the system executes it. The user develops and maintains this command file, which should follow these conventions:|
You can provide an aid to new users by copying a login command procedure template into newly created top-level directories. However, to ensure proper ownership of the file, change the owner UIC (user identification code) of the file to that of the user. Make this change with the DCL command SET FILE/OWNER.
Example 6-1 illustrates typical systemwide login command procedures.
Example 6-1 Sample Systemwide SYS$MANAGER:SYLOGIN.COM Login Command Procedure
$ V = F$VERIFY(0)
$START:
$ !
$ SET NOCONTROL=Y                ! Do not allow Ctrl/Y to exit procedure
$ SET NOON
$ !
$ ! Allow network jobs to start faster
$ !
$ IF F$MODE() .EQS. "NETWORK" THEN GOTO EXIT
$ !
$ ! Enable Ctrl/T handling by DCL
$ !
$ SET CONTROL=T
$ !
$ ! Define Foreign Commands For Installed Utilities
$ !
$ USERS == "SHOW USERS"
$ DISPLAY == "MONITOR PROCESSES/TOPCPU"
$ INFO == "SHOW PROCESS/CONTINUOUS"
$ SUSPEND == "SET PROCESS/SUSPEND"
$ RESUME == "SET PROCESS/RESUME"
$ SETNAME == "SET PROCESS/NAME"
$ !
$ ! Define a symbol indicating whether the terminal
$ ! is on a dialup port
$ !
$ TT == F$GETDVI("TT","DEVNAM")-"_"
$ DIALUP == ((TT .GES. "TTG0:" .AND. TT .LES. "TTG4:") -
             .OR. (TT .GES. "TTH1:" .AND. TT .LES. "TTH4:") -
             .OR. (TT .EQS. "TTI5:"))
$ IF DIALUP THEN SET TERMINAL/INQUIRE
$ !
$EXIT:
$ IF V THEN SET VERIFY
   .
   .
   .
$ SET CONTROL=Y
$ EXIT
6017P015.HTM OSSG Documentation 22-NOV-1996 14:21:37.89
Copyright © Digital Equipment Corporation 1996. All Rights Reserved.