[Digital logo]

OpenVMS System Manager's Manual

Previous | Contents

See Section 6.11 for a list of privileges, limits, and quotas that you can specify in the resource control and privileges fields of the UAF record.



The following example shows a typical user record for a restricted user account. Callouts describe the fields.

Username: WELCH                            Owner:  ROB WELCH   (1)
Account:  INVOICE                          UIC:    [21,51] ([INV,WELCH]) 
CLI:      DCL                              Tables: DCLTABLES   (2)
Default:  USER3:[WELCH] 
Login Flags:  Diswelcome Disnewmail                            (3)
Primary days:    Mon Tue Wed Thu Fri 
Secondary days:                     Sat Sun 
Primary   000000000011111111112222  Secondary 000000000011111111112222 
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123 
Network:  ------ No access -------            ----- Full access ------ 
Batch:    #########--------#######            ---------#########------ 
Local:    #########--------#######            ---------#########------ 
Dialup:   ----- Full access ------            ------ No access ------- 
Remote:   ----- Full access ------            ------ No access ------- 
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0 
Pwdlifetime:            30       Pwdchange:   15-APR-1996 13:58 
Last Login:            (none) (interactive),            (none) (non-interactive) 
Maxjobs:         0  Fillm:        20  Bytlm:         8192      (4)
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0 
Maxdetach:       0  BIOlm:        10  JTquota:       1024 
Prclm:           2  DIOlm:        10  WSdef:          150 
Prio:            4  ASTlm:        10  WSquo:          256 
Queprio:         4  TQElm:        10  WSextent:       512 
CPU:        (none)  Enqlm:       100  Pgflquo:      10240 
Authorized Privileges:                                         
Default Privileges: 
Identifier (6)                    Value              Attributes (7)
  PROJECT_X                        %X8001001E         RESOURCE NODYNAMIC 
  DOCU_PROC                        %X80010044         NORESOURCE NODYNAMIC 

  1. User identification fields contain information used by the system for accounting purposes and user identification.
  2. Default fields contain the default specifications for the following:
  3. Login characteristics fields impose specific login restrictions that do the following:
  4. Resource control fields control system resources by:
  5. Privileges fields specify the privileges that allow use of restricted and sensitive system functions.
  6. Identifier fields list the ACL identifiers that the user holds and that are recorded in the rights database file.
  7. Attributes fields list the characteristics specified when adding identifiers to the rights database or when granting identifiers to users.

    6.5 Preparing to Add User Accounts

    This section describes what to do before adding a user account.

    6.5.1 Choosing an Account Type

    How you set up a user account depends on the needs of the individual user. Table 6-5 lists the account types and their characteristics.

    Table 6-5 Account Types
    Account Type Characteristics
    Interactive This account has access to the system software. Work of a general nature, such as program development or text editing, is performed in this account. Usually, such an account is considered an individual account.
    Limited Access This account provides controlled login to the system and, in some cases, has only a subset of user software available. Limited-access accounts ensure that the system login command procedure (SYLOGIN.COM) and the process login command procedure (specified by the /LGICMD qualifier in the UAF), as well as any command procedures they call, are executed. (See the OpenVMS Guide to System Security for information about writing limited access account command procedures.) The two types of limited accounts are: restricted and captive.
    Restricted Used for network objects like Mail, for network proxy accounts, or for implementing user authentication systems like smart cards.
    Captive Limited by function; that is, only those who perform a particular function can use it (for example, an inventory system). Anyone whose job entails inventory control can access your system, but that person cannot access other subsystems or the base software. You might also use a captive account to run batch operations during unsupervised periods or to run applications programs with information you want to keep private.

    6.5.2 Performing Additional Tasks

    When adding a user account, you must do the following:

    1. Select a user name and password.
    2. Select a user identification code (UIC).
    3. Decide where the account's files will reside (which device and directory).
    4. Use the System Management utility (SYSMAN) to add a disk quota entry for this UIC, if disk quotas are in effect. You can do this only after you have created the user's account with the Authorize utility.
    5. Create a default directory on the appropriate volume, using the following DCL command format:
      CREATE/DIRECTORY directory-spec/OWNER_UIC=uic 
    6. Determine the security needs of the account (that is, the level of file protection, privileges, and access control).
    7. Establish any login/logout command procedures.

    These tasks are described in detail in the sections that follow. When you have completed the tasks for preparing to add a user account, you are ready to add the account by following one of the methods described in Section 6.6. Selecting a User Name and Password

    To determine a user name and password, use naming conventions that take into consideration the nature of the account. For example, some installations use the name of the person who will use the account.

    Captive accounts, on the other hand, often use a name that describes the function of the account. Thus, an interactive or restricted account for Robert Jones might have a user name of JONES, while a captive account for an inventory system might be called INV103289, which gives some indication of the function of the account but is not easy to guess. Remember to assign unique user names.

    For interactive accounts, it is best to let the person using the account control the password. Initially, provide a password that is not easy to guess. The user will be forced to change the password at first login. Only the person using the account should know the password. Encourage all users to set obscure passwords of at least eight characters and to change them frequently, or force the use of generated passwords with the /FLAGS=GENPWD and /GENERATE_PASSWORD qualifiers.

    You can use the /PWDMINIMUM and /PWDLIFETIME qualifiers with the AUTHORIZE command ADD or MODIFY to enforce timely password modifications. The following table lists the qualifiers and specific action.
    Qualifier Action
    /PWDMINIMUM Specifies the minimum password length in characters (default is 6).
    /PWDLIFETIME Specifies a delta-time value. One week before that date, the system issues a warning message to the user. On that date, the password expires if it has not been changed.
    /GENERATE_PASSWORD Invokes a password generator to generate user passwords.
    /FLAGS=GENPWD Allows you to force use of the automatic password generator when a user changes a password. Consider using the password generator for privileged accounts or whenever a user has access to sensitive data.

    For captive accounts, the degree of sensitivity of the data used by the account should determine the type of password. For example, the password for a payroll application should be obscure, while the password for a suggestions account might not even be required; it could be null (in which case users would not be prompted for the password).

    Prohibit users from changing the passwords of captive accounts. To do this, specify /FLAGS=LOCKPWD when you create the captive account. Change the password whenever you feel it might be compromised (for example, if a person using the account moves to another job).

    To change a user's password, use the following command format at the UAF> prompt:

    MODIFY user-name/PASSWORD=new_password 

    See the OpenVMS System Management Utilities Reference Manual for more information about AUTHORIZE. Assigning the User Identification Code

    Assign each account a unique user identification code (UIC). A UIC has two formats: alphanumeric and numeric.

    The alphanumeric UIC consists of a member name and, optionally, a group name separated by a comma and enclosed within brackets (for example, [DOCO,PRICE]). These identifiers might also appear as numeric characters consisting of a group identifier and a member identifier in octal (for example, [11,200]).

    Assign accounts the same group number if their owners perform similar work, access the same files frequently, or use many of the same logical names. See the OpenVMS Guide to System Security for a detailed discussion of the user identification code.


    Digital reserves UIC group 1 and groups 300--377. Adding a Disk Quota Entry

    Disk quotas limit the amount of disk space available to individual users on a particular volume. If disk quotas are in effect for a disk volume, run the System Management utility (SYSMAN) and use the DISKQUOTA command to add an entry for the new UIC as follows:

    1. Invoke SYSMAN.
    2. Define the management environment to be node LARRY.
    3. Add a disk quota entry on the volume DISK$USER for UIC [014,JONES]. The entry has a permanent quota of 2000 blocks and an overdraft of 500 blocks.
    4. Exit from the utility.



    The sum of the quota and overdraft values is the absolute maximum number of blocks allotted to the user, which in this example is 2500 blocks. For more information on SYSMAN and establishing disk quotas, see the OpenVMS System Management Utilities Reference Manual. Setting the User Default Device for an Interactive Account

    For each interactive account, create a top-level (default) directory (using the DCL command CREATE/DIRECTORY). In the directory place a login file, login file template, and/or logout file, as appropriate. The interactive user creates and maintains files and subdirectories in this directory. Make the owner of the directory the UIC for the new account. Usually, you also use the name of the account for the default directory.


    If you decided on an account name of JONES and a UIC of [014,1], you would enter the following DCL command to create a default directory for the account on the volume DISK$USER:


    The volume on which the directory is established depends on which devices you reserve for interactive accounts and how much space is available on each.

    The default file specification you provide the new account (when you run AUTHORIZE) should be the name of the device and the name of the top-level directory you used in the DCL command CREATE/DIRECTORY. Setting the User Default Device for a Captive Account

    For a captive account, whether you create a top-level directory depends on the nature of the user system. If people use files in a particular directory, make that directory the default directory specification. For example, if the inventory system uses the files DISK$DATA:[INV]STOCK1.DAT and DISK$DATA:[INV]STOCK2.DAT, make the default device specification DISK$DATA: and make the default directory specification [INV].

    6.5.3 Understanding Account Security

    The level of security that you establish for an account depends on the purpose of the account and whether it is shared with other users or groups. For an interactive user account, the default UIC-based protection is usually adequate.

    Protecting Users' Files

    The default protection for top-level directories is no world access. However, for new user directories, you might want to change the default to world execute access so that users will not have to change directory protection to allow other users read access to files in that directory.

    Users can further protect their files and subdirectories on an individual basis with the DCL command SET SECURITY.

    Using Access Control Lists (ACLs)

    In some cases, such as project accounts, you might want to set up an additional level of protection by using access control lists (ACLs). ACL-based protection provides a more refined level of security in cases where different groups or members of overlapping groups share access to an account such as a project account. ACLs offer a way to grant or deny users access to any security-relevant object.

    Section 6.9.2 describes how to set up a project account with ACL-based protection. For more information on how to set up and edit ACLs, see the OpenVMS Guide to System Security and the OpenVMS System Management Utilities Reference Manual.

    Using AUTHORIZE to Maintain the Rights Database

    The rights database (RIGHTSLIST.DAT) is a file that associates users of the system with access-controlling identifiers. When a user logs in, the system checks the rights database for the identifiers that the user holds. You use the Authorize utility (AUTHORIZE) to maintain the rights database by adding or deleting identifiers as needed.

    By allowing a group of users to hold common identifiers, you can create a group protection scheme that is more intricate than that provided by the UIC-based protection.

    Using Protected Subsystems

    Protected subsystems provide conditional access to data. In a protected subsystem, an application protected by normal access controls serves as a gatekeeper to objects belonging to the subsystem. While users are running the application, their process rights list contains identifiers giving them access to objects owned by the subsystem. As soon as users exit from the application, these identifiers and, therefore, the users' access rights to objects are taken away. For more information, see the OpenVMS Guide to System Security.

    6.6 Adding User Accounts

    The following sections explain how to use two different methods for adding user accounts:

    6.6.1 Adding a User Account with AUTHORIZE

    Once you analyze the purpose of a user account and decide which attributes and resources it requires, you can use the Authorize utility (AUTHORIZE) to create the account.

    How to Perform This Task

    1. Give yourself the SYSPRV privilege:
    2. Enter the following commands to set your default device and directory to SYS$SYSTEM and invoke AUTHORIZE:
    3. Use the AUTHORIZE command ADD to specify attributes in the UAF fields as shown in the following example:

    Choosing Qualifiers

    This section lists the qualifiers that you can use when setting up an account with AUTHORIZE. Table 6-6 lists the qualifiers under the account attribute that they affect. See Section 6.11.2 for a detailed description of each qualifier. For a complete list of AUTHORIZE qualifiers, see the OpenVMS System Management Utilities Reference Manual.

    Table 6-6 Qualifiers Used with AUTHORIZE
    Limits and Quotas¹
    Login Access Controls ³

    ¹Default values are adequate in most cases.
    ²Default values are usually adequate for accounts not running real-time processes.
    ³By default, users are allowed to log in at any hour of any day. To override the setting of a particular day, use the DCL command SET DAY. Use this command if a holiday occurs on a day that would normally be treated as a primary day and you want it treated as a secondary day. See Section 6.8 for a discussion of using these fields to restrict login times and functions.
    4Not all FLAGS fit into this category.

    6.6.2 Adding a User Account with a Command Procedure

    As an alternative to using the Authorize utility, you can use a command procedure to create user accounts. The ADDUSER.COM procedure, which is located in the SYS$EXAMPLES directory, is an example of such a procedure; it supplies prompts and several default values for creating the new account.

    You can modify ADDUSER.COM as appropriate for the needs of your system. To run ADDUSER.COM, log in to the SYSTEM account and enter the following command:


    ADDUSER.COM prompts you to enter values in a number of UAF record fields. If you press Return without specifying a value for a field, ADDUSER supplies the following default values:
    UAF Field Default Value
    User name No default; must supply
    Owner No default; must supply
    Password User name specified
    UIC group number 200
    UIC member number No default; must supply number
    Account name Optional
    Privileges TMPMBX,NETMBX
    Login directory User name specified
    Login device $DISK1
    Disk quota 1000
    Overdraft quota 100

    The UIC must be unique for the system. For example, each account in the UIC group 200 must have a unique member number. You can list the UICs currently assigned to users by entering a question mark ( ? ) after the UIC member number prompt. The account is not created until you have answered all of the questions in the procedure. The final prompt in the procedure is the following:

    Is everything satisfactory with the account [YES]?

    If you press Return, the account is created and remains in SYSUAF.DAT as specified. If you enter NO, the account is removed.


    If you press Ctrl/Y before, during, or directly after the system displays the characteristics of the account (that is, before you respond to the "satisfactory?" prompt), the account, or portions of it, will still be added.

    Make sure users log in to their accounts promptly to change the password.

    6.7 Maintaining User Accounts

    As system manager, you perform a certain number of user account maintenance tasks, such as modifying and deleting accounts. The following sections explain how to perform these tasks:
    Task Section
    Using command procedures for interactive accounts Section 6.7.1
    Modifying a user account Section 6.7.2
    Listing user accounts Section 6.7.3
    Maintaining the user environment Section 6.7.4
    Deleting a user account Section 6.7.5
    Using BACKUP to remove user files Section 6.7.6
    Disabling a user account Section 6.7.7

    6.7.1 Using Command Procedures for Interactive Accounts

    For all accounts, login command procedures contain commands commonly executed at the beginning of every user session. These commands do such tasks as the following:

    Login command procedures are useful for saving keystrokes and standardizing operations.

    In establishing login command procedures for interactive accounts, you have the following choices:
    Login Command Procedure Description
    System As system manager, you normally create and maintain a standard login command procedure in the system directory (the file is usually named SYS$MANAGER:SYLOGIN.COM). You then assign the logical name SYS$SYLOGIN to the name of the file so that whenever a user logs in, the procedure is executed.
    Individual For any or all accounts, you can specify an additional login command procedure with the /LGICMD qualifier of the AUTHORIZE commands ADD, MODIFY, or COPY. You can give the login command procedure any valid file specification. Whenever the user logs in, the additional procedure is executed after SYS$SYLOGIN.
    User-specified command file If system (and, optionally, individual) login command procedures are not implemented, the system looks for a command file called LOGIN.COM in the user's login directory as defined by the UAF (user authorization file) record device and directory fields. If the file is found, the system executes it. The user develops and maintains this command file, which should follow these conventions:
    • Device and directory names must take the default file specification for the account.
    • The file name and file type must be LOGIN.COM.

    You can provide an aid to new users by copying a login command procedure template into newly created top-level directories. However, to ensure proper ownership of the file, change the owner UIC (user identification code) of the file to that of the user. Make this change with the DCL command SET FILE/OWNER.

    Example 6-1 illustrates typical systemwide login command procedures.

    Example 6-1 Sample Systemwide SYS$MANAGER:SYLOGIN.COM Login Command Procedure

    $ V = F$VERIFY(0) 
    $ ! 
    $ SET NOCONTROL=Y         ! Do not allow Ctrl/Y to exit procedure 
    $ SET NOON 
    $ ! 
    $ !     Allow network jobs to start faster 
    $ ! 
    $ ! 
    $ !     Enable Ctrl/T handling by DCL 
    $ ! 
    $ ! 
    $ !     Define Foreign Commands For Installed Utilities 
    $ ! 
    $ USERS             ==    "SHOW USERS" 
    $ INFO              ==    "SHOW PROCESS/CONTINUOUS" 
    $ SUSPEND           ==    "SET PROCESS/SUSPEND" 
    $ RESUME            ==    "SET PROCESS/RESUME" 
    $ SETNAME           ==    "SET PROCESS/NAME" 
    $ ! 
    $ !     Define a symbol indicating whether the terminal 
    $ !     is on a dialup port 
    $ ! 
    $ TT == F$GETDVI("TT","DEVNAM")-"_" 
    $ DIALUP == ((TT .GES. "TTG0:" .AND. TT .LES. "TTG4:") - 
            .OR. (TT .GES. "TTH1:" .AND. TT .LES. "TTH4:") - 
            .OR. (TT .EQS. "TTI5:")) 
    $ ! 
    $ EXIT 

    Previous | Next | Contents | [Home] | [Comments] | [Ordering info] | [Help]


      OSSG Documentation
      22-NOV-1996 14:21:37.89

    Copyright © Digital Equipment Corporation 1996. All Rights Reserved.