OpenVMS System Manager's Manual

As the example shows, you can disable the Ctrl/Y function (which suspends execution of the current image and invokes the command interpreter) to force execution of the complete login command procedure whenever the user logs in. Do this with the DCL command SET NOCONTROL=Y. Before the login command procedure exits, add the DCL command that resets the Ctrl/Y function (SET CONTROL=Y).

Example 6-2 shows typical abbreviations and symbols that a user might define in a login file.

Example 6-2 Sample Login Command Procedure (LOGIN.COM) for a User Account

$ ! 
$ ! Define abbreviations for often used commands 
$ ! 
$ PU*RGE        ==     "PURGE/LOG"
$ ! 
$ ! 
$ ! Other useful abbreviations 
$ ! 
$ SHP           ==     "SHOW PROCESS/PRIVILEGES" 
$ PRI*NT        ==     "PRINT/NOTIFY" 
$ SHD           ==     "SHOW DEFAULT" 
$ UP            ==     "SET DEFAULT [-]" 
$ SP            ==     "SET PROCESS/PRIVILEGES=" 
$ SQ            ==     "SHOW QUEUE/BATCH/ALL/DEVICE" 
$ H*OME         ==     "SET DEFAULT SYS$LOGIN" 
$ SUB*MIT       ==     "SUBMIT/NOTIFY" 
$ SYS           ==     "SHOW SYSTEM" 
$ DAY           ==     "SHOW TIME" 
$ ! 
$ ! Set /LOG for all commands 
$ ! 
$ BACK*UP       ==     "BACKUP/LOG" 
$ DEL*ETE       ==     "DELETE/LOG" 
$ LIB*RARY      ==     "LIBRARY/LOG" 
$ PUR*GE        ==     "PURGE/LOG" 
$ REN*AME       ==     "RENAME/LOG" 
$ ! 
$ ! End of LOGIN.COM processing 
$ ! 
$ VN            ==     "SET TERMINAL/WIDTH=80" 
$ VW            ==     "SET TERMINAL/WIDTH=132" 
$ ! 
$ ! Symbols for network users 
$ ! 
$ SYSA          ==     "SET HOST SYSA" 
$ SYSB          ==     "SET HOST SYSB" 
$ SYSC          ==     "SET HOST SYSC" 
$ EXIT                             ! End of interactive login 
$ SET VERIFY                       ! End of batch login 

Using Logout Command Procedures

The system does not provide for automatic execution of a command procedure at logout time. However, you can supply one as follows.

How to Perform This Task

  1. Create a systemwide logout command procedure that executes whenever a user logs out. (The file is usually named SYS$MANAGER:SYLOGOUT.COM.)
  2. To ensure that this command procedure executes, include a command in SYS$MANAGER:SYLOGIN.COM that equates the most commonly used abbreviation of the LOGOUT command (often LO) to the execution of the logout command procedure.



The last line of the logout command procedure then uses an alternate form of the LOGOUT command, such as a LOGOUTNOW command. (You can create any command name you like beginning with LO.) You cannot use the same abbreviation as used for the symbol (in this case LO) because it will start the procedure again. As an alternative, you could add the following command, just above the last line:


Note that this technique works in some situations but it is not foolproof; there are many alternative ways to terminate a process.
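
The two pieces described above, sketched as an added example that is not taken from the manual: the symbol definition for SYS$MANAGER:SYLOGIN.COM and a minimal SYS$MANAGER:SYLOGOUT.COM. The message it writes is illustrative; only the file names and the LO and LOGOUTNOW forms come from the text.

```dcl
$ ! ---- Fragment added to SYS$MANAGER:SYLOGIN.COM ----
$ ! Global symbol: LO, LOG, LOGO, LOGOU and LOGOUT all run the procedure.
$ LO*GOUT :== @SYS$MANAGER:SYLOGOUT
$ !
$ ! ---- SYS$MANAGER:SYLOGOUT.COM ----
$ ! Runs only when the user types a form of LOGOUT covered by the symbol.
$ ! A process that ends any other way never reaches this file, so do not
$ ! treat it as a guaranteed audit point.
$ SET NOON                       ! a failing step must not skip the logout
$ SET NOCONTROL=Y                ! finish the procedure once it has started
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO FINISH
$ USER = F$EDIT(F$GETJPI("","USERNAME"),"TRIM")
$ TERM = F$GETJPI("","TERMINAL")
$ WRITE SYS$OUTPUT "''USER' leaving ''TERM' at ''F$TIME()'"
$FINISH:
$ ! LOGOUTNOW is longer than the LO*GOUT symbol, so DCL does not translate
$ ! it as the symbol and the procedure is not started a second time.
$ LOGOUTNOW
```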

6.7.2 Modifying a User Account

To change a user account's quotas, default directory, password, authorized privileges, or any other characteristics assigned by AUTHORIZE, use the MODIFY command. You can use the MODIFY command to change any field in an existing user account. However, a user must log out and log in again for the modifications to take effect.


  1. When a user forgets a password and cannot log in, use the AUTHORIZE command MODIFY/GENERATE_PASSWORD to reset a user password. For example, the following command generates a new password for user WELCH:

    By default, after logging in, user WELCH must change the password.
  2. Any changes that you make to a user's record will take effect after the user next logs in. For example, suppose that user JONES currently has an open file quota (FILLM) of 20. To increase user Jones' open file limit to 40, you would use the following command in AUTHORIZE:

    Any process of user JONES that is logged in at the time that you modify the user authorization file continues to have a file limit of 20. In order to have an open file limit of 40, user JONES must log out and then log in again, after you have made the modification to the user authorization file (UAF) using AUTHORIZE.

6.7.3 Listing User Accounts

Use the AUTHORIZE command LIST to create the file SYSUAF.LIS, containing a summary of all user records in the UAF. By default, the LIST command produces a brief report containing the following information from the UAF:

Use the /FULL qualifier to create a full report of all the information (except user passwords) contained within the UAF.


The following example writes a brief report of the UAF to the output file SYSUAF.LIS:

%UAF-I-LSTMSG1, writing listing file
%UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

The system displays the same messages when you use the /FULL qualifier. However, a full report is written to the output file.

6.7.4 Maintaining the User Environment

As the work requirements of your system change, you might have to do the following:

With the Authorize utility, you can perform these maintenance operations by modifying or deleting records in the UAF.

Creating Additional Default Record Templates

On systems where all users perform the same type of work, you typically use the system-supplied default record, DEFAULT, as the template for adding new user records. You might find, however, that your system supports several different user categories, each category performing a specific type of work and requiring unique record attributes. Instead of always using the system-supplied default record as a template and making numerous changes each time you add a user record, you can create additional default UAF records to serve as templates for each user category.

Before you create additional default records, you must decide the following:

How to Perform This Task

Once you define a user category and establish which record attributes are needed, you can create the default record.


  1. The following command creates a default record for a category of user that requires a special captive account:

    The command in this example uses the system-supplied default record DEFAULT to create the record DEFAULT2 and changes the LGICMD, login flags, default device, and default directory fields.
  2. You can then use the AUTHORIZE command COPY to create additional records having the same attributes as DEFAULT2. The COPY command creates a new UAF record that uses the specified default record except where you explicitly override field values.

    This example uses DEFAULT2 as a template to create a duplicate record for the user PALOOKA. Notice that only the password and UIC values are changed.

6.7.5 Deleting a User Account

The main problem in deleting an account, especially an interactive or restricted account, is deleting the files used by the account.

How to Perform This Task

The following steps are suggested:

  1. Copy (or have the outgoing user of the account copy) any files of value to the ownership of another account. Be sure to change the owner UIC of the files to match the owner UIC of the new owner. You can also use the Backup utility (BACKUP) to save the files to a backup tape or disk.
  2. Change the password and log in as a user of that account if you are working from a nonprivileged account. This avoids inadvertently deleting files that might point to other files of different ownership.
  3. Delete the account's files and directories from the deepest level up to the top level, using the following procedure:
    1. Locate and examine all subdirectories using the DCL command DIRECTORY [directory-spec...], where directory-spec is the name of the account's default directory.
    2. Delete the files in each subdirectory, and then delete the subdirectory. Note that directory files are protected against owner deletion; therefore, you must change the protection before deleting directory files.
    3. Delete the account's top-level directory. The command procedure in the next example deletes an account's files from the bottom level up. Do not, however, execute this command procedure from a privileged account.
  4. Exit from the user account and return to a privileged account. Remove the user's account, using the Authorize utility (AUTHORIZE).
    When you run AUTHORIZE to remove a user's UAF record, AUTHORIZE also removes the user's connections as a holder of identifiers in the rights database. However, if a departed user is the only remaining holder of a given identifier, remove that identifier to avoid future confusion. See the OpenVMS Guide to System Security.
  5. Remove the user's disk quota entry from the disk quota file, if one existed, with SYSMAN.
  6. Remove associated mail information by entering the MAIL command REMOVE username. (See the OpenVMS User's Manual for more information.)

The command procedure template in Example 6-3 deletes an account's files.


Do not execute this command procedure from a privileged account.

Example 6-3 Command Procedure Template for Deleting an Account's Files

$ !     DELTREE.COM - deletes a complete directory tree 
$ ! 
$ !     P1 = pathname of root of tree to delete 
$ ! 
$ !     All files and directories in the tree, including 
$ !     the named root, are deleted. 
$ ! 
$ IF P1 .NES. "" THEN GOTO 20 
$ INQUIRE P1 "Root" 
$ GOTO 10 
$ IF F$SEARCH("*.*;*") .NES. "" THEN DELETE *.*;* 
$ DIR = (F$DIRECTORY()-"]"-">")-F$PARSE("[-]",,,- 
$ DELETE [-]'DIR'.DIR;1 

6.7.6 Using BACKUP to Remove User Files

If each user has a unique UIC, you can use the Backup utility (BACKUP) to remove the user's files, even if the files are scattered throughout the directory structure. See the Backup utility section in the OpenVMS System Management Utilities Reference Manual for more information.


  1. The following is an example of a BACKUP command used to remove files:

    This BACKUP command copies and deletes only those files owned by the specified UIC on disk PUBLIC. The files are copied into a save set named PUBLICUIC.SAV on device MTA0. Note that the BACKUP/DELETE command does not delete the directory files (file type .DIR) for the account.
  2. To recover lost files, enter the ANALYZE/DISK_STRUCTURE command in the following format:

    See Section 8.12.3 for a complete description of how to recover lost files. See the OpenVMS System Management Utilities Reference Manual for information on using the Analyze/Disk_Structure utility.

6.7.7 Disabling a User Account

To disable an account without deleting it, set the disable user flag (/FLAGS=DISUSER) using AUTHORIZE. If the user is logged in, the account is disabled only after the user logs out.

6.8 Restricting the Use of Accounts

Workload schedules often dictate the days and times your system is used to perform specific operations. Depending on the nature of the work performed at your site, you might want to control when certain users are allowed to log in. Use the Authorize utility (AUTHORIZE) to place controls in the login characteristics fields of the UAF record to restrict the days and times a user can log in and to inhibit certain login functions.

The following sections describe how to perform these tasks:

Task                                                                Section
Setting day types                                                   Section 6.8.1
Restricting logins to specific times                                Section 6.8.2
Restricting login functions                                         Section 6.8.3
Using login command procedures for restricted or captive accounts   Section 6.8.4
Setting priorities for user processes                               Section 6.8.5

For a detailed description of the qualifiers used to restrict the use of accounts, see the Authorize utility section in the OpenVMS System Management Utilities Reference Manual.

6.8.1 Setting Day Types

You can restrict the use of certain accounts by defining the days of the week as either PRIMARY or SECONDARY, and then assigning login restrictions to these day types. For example, if you define the days Saturday and Sunday as SECONDARY days, then any restrictions you assign to the SECONDARY day type apply to both.

You can assign two types of login restrictions to either day type:

Restriction             Description
Time restrictions       Limits logins to specific hours of the day
Function restrictions   Limits types of login

The default user record defines the five weekdays (Monday through Friday) as PRIMARY days, and the two weekend days (Saturday and Sunday) as SECONDARY days.

The way you define days and assign restrictions depends on your site. For example, suppose that on weekdays your system supports a large number of interactive users, but on weekends it is used for certain operations that require dedicated system resources. By assigning restrictions to the SECONDARY day type, you can restrict users from accessing the system during the days defined as SECONDARY. You can change these day type definitions for any account using the following AUTHORIZE qualifier:


The /PRIMEDAYS qualifier uses a list of day names to define the PRIMARY and SECONDARY days of the week. To define a day as a SECONDARY day, use the prefix NO before the day name. Any days you omit from the list take their default value.

6.8.2 Restricting Logins to Specific Times

By default, there are no restrictions on login hours. You can specify login time restrictions using the following AUTHORIZE qualifiers:

Qualifier          Meaning
/[NO]ACCESS        Specifies access hours for all modes of logins
/[NO]DIALUP        Specifies access hours for interactive logins from dialup terminals
/[NO]INTERACTIVE   Specifies access hours for interactive logins from any terminal
/[NO]LOCAL         Specifies access hours for interactive logins from local terminals
/[NO]REMOTE        Specifies access hours for interactive logins from network remote terminals (SET HOST)

Users still logged in when the access time has expired receive the following warning message and have 2 minutes to log out before their processes are terminated by the job controller:

JBC-W-RESTRICT, UAF restricts access at this time, please log out immediately 
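
An added example, not from the manual, that applies the day-type qualifier from Section 6.8.1 and one of the hour qualifiers from this section to a single account. The user name CLERK1 and the hours are constructed for illustration.

```dcl
$ ! Constructed example: CLERK1 and the hours are placeholders.
$ ! AUTHORIZE reads its commands from the lines that follow RUN,
$ ! so all comments are kept up here.
$ !
$ !  1. /PRIMEDAYS    Monday through Friday are PRIMARY; the NO prefix
$ !                   makes Saturday and Sunday SECONDARY (the default
$ !                   definition, stated explicitly).
$ !  2. /INTERACTIVE  Interactive logins during hours 8-17 on PRIMARY
$ !                   days and 9-11 on SECONDARY days. Hours are
$ !                   inclusive, so 8-17 ends at 17:59.
$ !  3. SHOW          Display the record to confirm the result.
$ !
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
MODIFY CLERK1/PRIMEDAYS=(MONDAY,TUESDAY,WEDNESDAY,THURSDAY,FRIDAY,NOSATURDAY,NOSUNDAY)
MODIFY CLERK1/INTERACTIVE=(PRIMARY,8-17,SECONDARY,9-11)
SHOW CLERK1
EXIT
```

As with any UAF change, a process of CLERK1 that is already logged in keeps its old settings until the user logs in again.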

6.8.3 Restricting Login Functions

In addition to specifying hourly login restrictions, you can assign function restrictions to an account by using appropriate keywords with the /FLAGS qualifier in the Authorize utility. By default, there are no restrictions. Options are shown in the following table:

Keyword                    Meaning
[NO]AUDIT                  [Do not] audit all security-relevant actions.
[NO]AUTOLOGIN              [Do not] prevent access except by automatic login when automatic logins are enabled.
[NO]CAPTIVE                [Do not] prevent user from changing any defaults at login (implies DISCTLY). [Do not] deny user access to the DCL command level.
[NO]DEFCLI                 [Do not] prevent user from changing default CLI or CLI tables.
[NO]DISCTLY                [Do not] disable Ctrl/Y interrupts.
[NO]DISFORCE_PWD_CHANGE    [Do not] remove requirement that user must change an expired password at login.
[NO]DISIMAGE               [Do not] prevent user from using the RUN or MCR commands or from executing "foreign" commands.
[NO]DISMAIL                [Do not] prevent mail delivery to the user.
[NO]DISNEWMAIL             [Do not] suppress "New Mail..." announcements.
[NO]DISPWDDIC              [Do not] disable automatic screening of new passwords against a system dictionary.
[NO]DISPWDHIS              [Do not] disable automatic checking of new passwords against list of user's old passwords.
[NO]DISRECONNECT           [Do not] disable automatic reconnection to an existing process when a terminal connection has been interrupted.
[NO]DISREPORT              [Do not] disable reporting of login information (last login date, login failures, and so on).
[NO]DISUSER                [Do not] disable account completely.
[NO]DISWELCOME             [Do not] suppress "Welcome to..." login message.
[NO]GENPWD                 [Do not] require user to use generated passwords.
[NO]LOCKPWD                [Do not] prevent user from changing password.
[NO]PWD_EXPIRED            [Do not] mark password as expired.
[NO]PWD2_EXPIRED           [Do not] mark second password as expired.
[NO]RESTRICTED             [Do not] prevent user from changing any defaults at login.

6.8.4 Using Login Command Procedures for Restricted or Captive Accounts

Using the /LGICMD qualifier with the AUTHORIZE commands ADD, MODIFY, or COPY defines the login procedure for a restricted or captive account. A person logging in to such an account cannot modify the procedure with any of the login qualifiers: /CLI, /DISK, /COMMAND, /NOCOMMAND, /TABLES.

The CAPTIVE and RESTRICTED flags do the following:

Once logged in, a person using a restricted account operates from the DCL level and can access any available software.

A person using a captive account is locked into the application software where access to the DCL level is denied, provided the system manager observes the following practices:


A simple login command procedure for a captive account used for an inventory system might consist of the following commands:


The application program INVENTORY assumes control when the user logs in to the account. Assign the CAPTIVE flag to the login flags field of the captive account UAF record by specifying the AUTHORIZE qualifier /FLAGS=CAPTIVE. Section 6.7.4 shows how to use AUTHORIZE to create a UAF record for a captive account.

Example 6-4 is a command procedure for a highly secure captive account, which restricts the user to a very limited set of commands. System managers must be sure to deny the account owner any write access to the login command procedure and its directory. Note also that the security manager would use the AUTHORIZE qualifier /NOINTERACTIVE when establishing this account.

For more information about captive and restricted accounts, see the OpenVMS Guide to System Security.

Example 6-4 Sample Captive Command Procedure

$ deassign sys$input
$ previous_sysinput == f$logical("SYS$INPUT")
$ on error then goto next_command
$ on control_y then goto next_command
$ set control=(y,t)
$ !
$ ! Main loop: read one command line, validate it, dispatch on the verb
$next_command:
$ on error then goto next_command
$ on control_y then goto next_command
$ if previous_sysinput .nes. f$logical("SYS$INPUT") then deassign sys$input
$ read/end=next_command/prompt="$ " sys$command command
$ command == f$edit(command,"UPCASE,TRIM,COMPRESS")
$ if f$length(command) .eq. 0 then goto next_command
$ ! Remove all local symbols before examining the line
$ delete = "delete"
$ delete/symbol/local/all
$ ! Reject procedure invocation (@), assignments (=) and lexical functions (F$)
$ if f$locate("@",command) .ne. f$length(command) then goto illegal_command
$ if f$locate("=",command) .ne. f$length(command) then goto illegal_command
$ if f$locate("F$",command) .ne. f$length(command) then goto illegal_command
$ verb = f$element(0," ",command)
$ ! Only the verbs listed here are accepted
$ if verb .EQS. "LOGOUT" then goto do_logout
$ if verb .EQS. "HELP" then goto do_help
$ write sys$output "%CAPTIVE-W-IVVERB, unrecognized command \",verb,"\"
$ goto next_command
$illegal_command:
$ write sys$output "%CAPTIVE-W-ILLEGAL, bad characters in command line"
$ goto next_command
$do_logout:
$ logout
$ goto next_command
$do_help:
$ define sys$input sys$command
$ help
$ goto next_command

6.8.5 Setting Priorities for User Processes

A user's priority is the base priority used in scheduling the process that the system creates for the user.

On VAX systems, priorities range in value from a low of 0 to a high of 31; 0 through 15 are timesharing priorities; 16 through 31 are real-time priorities.

On Alpha systems, priorities range in value from a low of 0 to a high of 63; 0 through 15 are timesharing priorities; 16 through 63 are real-time priorities.

Processes with real-time priorities are scheduled strictly according to base priority; in other words, the executable real-time process with the highest base priority is executed first. Processes with timesharing priorities are scheduled according to a slightly different principle to promote overlapping of computation and I/O activities.

In the user's account record of the UAF, the default value of a user's priority is 4; for practical purposes, the minimum value is 0. Ensure that the priority for timesharing users remains at the default. Note that if you give some users an advantage over other users by raising their priorities, ragged performance results, because the system reacts sharply to even small base priority differences.

6.9 Setting Up Special Accounts

As system manager, you might need to set up a variety of special accounts, such as automatic login accounts, project accounts, and proxy accounts. The following sections explain how to perform these tasks:

Task                                                  Section
Setting up an automatic login account with SYSMAN     Section 6.9.1
Setting up a project account with ACL identifiers     Section 6.9.2
Creating network proxy authorization files            Section 6.9.4
Adding proxy accounts                                 Section 6.9.5
Removing proxy accounts                               Section 6.9.6
Displaying proxy accounts                             Section 6.9.7
Controlling proxy logins                              Section 6.9.8

Section 6.9.3 explains what network proxy accounts are.

6.9.1 Setting Up an Automatic Login Account with SYSMAN

The System Management utility (SYSMAN) includes the functions of the automatic login facility (ALF). Using SYSMAN ALF commands, you can set up a terminal that automatically logs in a user to a certain user name. For example, a terminal might be set up for the account INVENTORY, which automatically logs in a user to a captive account when the user presses the Return key.


  OSSG Documentation
  22-NOV-1996 14:21:39.40

Copyright © Digital Equipment Corporation 1996. All Rights Reserved.