HP OpenVMS System Management Utilities Reference Manual

When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, users are forced to change their passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

/IDENTIFIER

Adds an identifier to the rights database, RIGHTSLIST.DAT. The ADD/IDENTIFIER command does not add a user account to the authorization file, SYSUAF.

The ADD/ADD_IDENTIFIER command, however, adds a user account to the authorization file, SYSUAF, and also adds an identifier to the rights database, RIGHTSLIST.DAT.)

/INTERACTIVE[ =(range[,...])]

/NOINTERACTIVE

Specifies the hours of access for interactive logins. For a description of the range specification, see the /ACCESS qualifier. By default, there are no access restrictions on interactive logins.

/JTQUOTA=value

Specifies the initial byte quota with which the jobwide logical name table is to be created. By default, the value is 4096 on VAX systems and 4096 on Alpha and I64 systems.

/LGICMD=filespec

Specifies the name of the default login command file. The file name defaults to the device specified for /DEVICE, the directory specified for /DIRECTORY, a file name of LOGIN, and a file type of .COM. If you select the defaults for all these values, the file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL[=(range[,...])]

Specifies hours of access for interactive logins from local terminals. For a description of the range specification, see the /ACCESS qualifier. By default, there are no access restrictions on local logins.

/MAXACCTJOBS=value

Specifies the maximum number of batch, interactive, and detached processes that can be active at one time for all users of the same account. By default, a user has a maximum of 0, which represents an unlimited number.

/MAXDETACH=value

Specifies the maximum number of detached processes with the cited user name that can be active at one time. To prevent the user from creating detached processes, specify the keyword NONE. By default, a user has a value of 0, which represents an unlimited number.

/MAXJOBS=value

Specifies the maximum number of processes (interactive, batch, detached, and network) with the cited user name that can be active simultaneously. The first four network jobs are not counted. By default, a user has a maximum value of 0, which represents an unlimited number.

/MODIFY_IDENTIFIER (default)

/NOMODIFY_IDENTIFIER

Specifies whether the identifier associated with the user is to be modified in the rights database. This qualifier applies only when you modify the UIC or user name in the UAF record. By default, the associated identifiers are modified.

/NETWORK[=(range[,...])]

Specifies hours of access for network batch jobs. For a description of how to specify the range, see the /ACCESS qualifier. By default, network logins have no access restrictions.

/OWNER=owner-name

Specifies the name of the owner of the account. You can use this name for billing purposes or similar applications. The owner name is 1 to 31 characters. No default owner name exists.

/PASSWORD=(password1[,password2])

/NOPASSWORD

Specifies up to two passwords for login. Passwords can be from 0 to 32 alphanumeric characters in length. The dollar sign ($) and underscore (_) are also permitted.

Uppercase and lowercase characters are equivalent. All lowercase characters are converted to uppercase before the password is encrypted. Avoid using the word password as the actual password.

Use the /PASSWORD qualifier as follows:

To set only the first password and clear the second, specify /PASSWORD=password.
To set both the first and second password, specify /PASSWORD=(password1, password2).
To change the first password without affecting the second, specify /PASSWORD=(password, "").
To change the second password without affecting the first, specify /PASSWORD=("", password).
To set both passwords to null, specify /NOPASSWORD.

When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, the user is forced to change the password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

/PBYTLM

This flag is reserved for HP.

/PGFLQUOTA=value

Specifies the paging file limit. This is the maximum number of pages that the person's process can use in the system paging file. By default, the value is 32768 pages on VAX systems and 256,000 pagelets on Alpha and I64 systems.

If decompressing libraries, make sure to set PGFLQUOTA to twice the size of the library.

/PRCLM=value

Specifies the subprocess creation limit. This is the maximum number of subprocesses that can exist at one time for the specified user's process. By default, the value is 2 on VAX systems and 8 on Alpha and I64 systems.

/PRIMEDAYS=([NO]day[,...])

Defines the primary and secondary days of the week for logging in. Specify the days as a list separated by commas, and enclose the list in parentheses. To specify a secondary day, prefix the day with NO (for example, NOFRIDAY). To specify a primary day, omit the NO prefix.

By default, primary days are Monday through Friday and secondary days are Saturday and Sunday. If you omit a day from the list, AUTHORIZE uses the default value. (For example, if you omit Monday from the list, AUTHORIZE defines Monday as a primary day.)

Use the primary and secondary day definitions in conjunction with such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY=value

Specifies the default base priority. The value is an integer in the range of 0 to 31 on VAX systems and 0 to 63 on Alpha and I64 systems. By default, the value is set to 4 for timesharing users.

/PRIVILEGES=([NO]privname[,...])

Specifies which privileges the user is authorized to hold, although these privileges are not necessarily enabled at login. (The /DEFPRIVILEGES qualifier determines which ones are enabled.) A NO prefix removes the privilege from the user. The keyword NOALL disables all user privileges. Many privileges have varying degrees of power and potential system impact (see the HP OpenVMS Guide to System Security for a detailed discussion). By default, a user holds TMPMBX and NETMBX privileges. Privname is the name of the privilege.

/PWDEXPIRED (default)

/NOPWDEXPIRED

Specifies the password is valid for only one login. A user must change a password immediately after login or be locked out of the system. The system warns users of password expiration. A user can either specify a new password, with the DCL command SET PASSWORD, or wait until expiration and be forced to change. By default, a user must change a password when first logging in to an account. The default is applied to the account only when the password is being modified.

/PWDLIFETIME=time (default)

/NOPWDLIFETIME

Specifies the length of time a password is valid. Specify a delta time value in the form [dddd-] [hh:mm:ss.cc]. For example, for a lifetime of 120 days, 0 hours, and 0 seconds, specify /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30 minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If a period longer than the specified time elapses before the user logs in, the system displays a warning message. The password is marked as expired.

To prevent a password from expiring, specify the time as NONE. By default, a password expires in 90 days.

/PWDMINIMUM=value

Specifies the minimum password length in characters. Note that this value is enforced only by the DCL command SET PASSWORD. It does not prevent you from entering a password shorter than the minimum length when you use AUTHORIZE to create or modify an account. By default, a password must have at least 6 characters. The value specified by the /PWDMINIMUM qualifier conflicts with the value used by the /GENERATE_PASSWORD qualifier or the DCL command SET PASSWORD/GENERATE, the operating system chooses the lesser value. The maximum value for generated passwords is 10.

/QUEPRIO=value

Reserved for future use.

/REMOTE[=(range[,...])]

Specifies hours during which access is permitted for interactive logins from network remote terminals (with the DCL command SET HOST). For a description of the range specification, see the /ACCESS qualifier. By default, remote logins have no access restrictions.

/SHRFILLM=value

Specifies the maximum number of shared files that the user can have open at one time. By default, the system assigns a value of 0, which represents an infinite number.

/TQELM

Specifies the total number of entries in the timer queue plus the number of temporary common event flag clusters that the user can have at one time. By default, a user can have 100.

/UIC=value

Specifies the user identification code (UIC). The UIC value is a group number in the range from 1 to 37776 (octal) and a member number in the range from 0 to 177776 (octal), which are separated by a comma and enclosed in brackets. HP reserves group 1 and groups 300--377 for its own use.

Each user must have a unique UIC. By default, the UIC value is [200,200].

/WSDEFAULT=value

Specifies the default working set limit. This represents the initial limit to the number of physical pages the process can use. (The user can alter the default quantity up to WSQUOTA with the DCL command SET WORKING_SET.) By default, a user has 256 pages on VAX systems and 4096 pagelets on Alpha and I64 systems.

The value cannot be greater than WSMAX. This quota value replaces smaller values of PQL_MWSDEFAULT.

/WSEXTENT=value

Specifies the working set maximum. This represents the maximum amount of physical memory allowed to the process. The system provides memory to a process beyond its working set quota only when it has excess free pages. The additional memory is recalled by the system if needed.

The value is an integer equal to or greater than WSQUOTA. By default, the value is 1024 pages on VAX systems and 16384 pagelets on Alpha and I64 systems. The value cannot be greater than WSMAX. This quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA=value

Specifies the working set quota. This is the maximum amount of physical memory a user process can lock into its working set. It also represents the maximum amount of swap space that the system reserves for this process and the maximum amount of physical memory that the system allows the process to consume if the systemwide memory demand is significant.

The value cannot be greater than the value of WSMAX and cannot exceed 8,192 pagelets on Alpha and I64 systems. This quota value replaces smaller values of PQL_MWSQUOTA.

Description

Modify the DEFAULT record when qualifiers normally assigned to a new user differ from the HP-supplied values. The following qualifiers correspond to fields in the default record that are commonly modified:

Qualifier Reason for Modification

/CLI Specifies the default Command Line Interpreter to be used for this user. (Most OpenVMS users use the DCL command interpreter.)

/DEVICE If most users have the same default login device, allows you to specify a default login device for newly-created users.
The use of a logical name is recommended.

/LGICMD Specifies the filename of a command procedure to be invoked during the login of the user.

OpenVMS first looks for a systemwide login command procedure, using the systemwide logical name SYS$SYLOGIN. If this logical name successfully translates to a valid file specification, the command interpreter invokes the resulting command procedure during login.
If the file specification does not include a file extension, the command interpreter applies a default value that is specific to that command interpreter. In the case of the DCL interpreter, the default file extension is .COM.
OpenVMS then looks for a LGICMD specification. If it finds this specification, OpenVMS invokes the command procedure.
If the LGICMD specification does not include a file extension, the current command interpreter applies a default value. In the case of the DCL interpreter, the default file extension is .COM.

You can disable or override the command procedure invocation during login by specifying qualifiers such as /NOCOMMAND or /LGICMD at the login username prompt.
Also see the CAPTIVE and RESTRICTED flags.

/PRIVILEGES When users are given different privileges than those supplied by HP.

Quota qualifiers When the default quotas are insufficient or inappropriate for mainstream work.

Qualifier	Reason for Modification
/CLI	Specifies the default Command Line Interpreter to be used for this user. (Most OpenVMS users use the DCL command interpreter.)
/DEVICE	If most users have the same default login device, allows you to specify a default login device for newly-created users. The use of a logical name is recommended.
/LGICMD	Specifies the filename of a command procedure to be invoked during the login of the user. OpenVMS first looks for a systemwide login command procedure, using the systemwide logical name SYS$SYLOGIN. If this logical name successfully translates to a valid file specification, the command interpreter invokes the resulting command procedure during login. If the file specification does not include a file extension, the command interpreter applies a default value that is specific to that command interpreter. In the case of the DCL interpreter, the default file extension is .COM. OpenVMS then looks for a LGICMD specification. If it finds this specification, OpenVMS invokes the command procedure. If the LGICMD specification does not include a file extension, the current command interpreter applies a default value. In the case of the DCL interpreter, the default file extension is .COM. You can disable or override the command procedure invocation during login by specifying qualifiers such as /NOCOMMAND or /LGICMD at the login username prompt. Also see the CAPTIVE and RESTRICTED flags.
/PRIVILEGES	When users are given different privileges than those supplied by HP.
Quota qualifiers	When the default quotas are insufficient or inappropriate for mainstream work.

Example


UAF> DEFAULT /DEVICE=SYS$USER/LGICMD=SYS$MANAGER:SECURELGN - _UAF> /PRIVILEGES=(TMPMBX,GRPNAM,GROUP) %UAF-I-MDFYMSG, user record(s) updated

The command in this example modifies the DEFAULT record, changing the default device, default login command file, and default privileges.

EXIT

Enables you to exit from AUTHORIZE and return to DCL command level. You can also return to command level by pressing Ctrl/Z.

Format

EXIT

Parameters

None.

Qualifiers

None.

GRANT/IDENTIFIER

Assigns the specified identifier to the user and documents the user as a holder of the identifier in the rights database.

Format

GRANT/IDENTIFIER id-name user-spec

Parameters

id-name
Specifies the identifier name. The identifier name is a string of 1 to 31 alphanumeric characters that can contain underscores and dollar signs. The name must contain at least one nonnumeric character.
user-spec
Specifies the UIC identifier that uniquely identifies the user on the system. This type of identifier appears in alphanumeric format. For example: [GROUP1,JONES].

Qualifier

/ATTRIBUTES=(keyword[,...])
Specifies attributes to be associated with the identifier. The following are valid keywords:

DYNAMIC Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST.

HOLDER_HIDDEN Prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves.

NAME_HIDDEN Allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the identifier.

NOACCESS Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the Resource or Subsystem attribute.

RESOURCE Allows holders of an identifier to charge disk space to the identifier. Used only for file objects.

SUBSYSTEM Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.

To remove an attribute from the identifier, add a NO prefix to the attribute keyword. For example, to remove the Resource attribute, specify /ATTRIBUTES=NORESOURCE.

Example


UAF> GRANT/IDENTIFIER INVENTORY [300,015] %UAF-I-GRANTMSG, identifier INVENTORY granted to CRAMER

The command in this example grants the identifier INVENTORY to the user named Cramer who has UIC [300,015]. Cramer becomes the holder of the identifier and any resources associated with it. The following command produces the same result:
UAF> GRANT/IDENTIFIER INVENTORY CRAMER

HELP

Displays information concerning the use of AUTHORIZE, including formats and explanations of commands, parameters, and qualifiers.

Format

HELP [keyword[,...]]

Parameter

keyword[,...]
Specifies one or more keywords that refer to the topic, command, qualifier, or parameter on which you want information from the AUTHORIZE HELP command.

Qualifiers

None.

Description

If you do not specify a keyword, HELP displays information about the topics and commands for which help is available. It then prompts you with "Topic?". You can supply a topic or a command name, or press Return. When you specify a command name and qualifiers, you get detailed information about that command. If you respond by pressing Return, you exit from help. You can also exit from help by pressing Ctrl/Z.
If the command you request accepts qualifiers, the display of the help information about the command is followed by the prompt "Subtopic?". Respond to this prompt with a qualifier name, or press Return. If you respond by pressing Return, HELP prompts with "Topic?". If you want to exit from help directly from this level, press Ctrl/Z.

Examples

#1
UAF> HELP ADD

The HELP command in this example displays information about the ADD command:

ADD Adds a user record to the SYSUAF and corresponding identifiers to the rights database. Format ADD newusername Additional information available: Parameter Qualifiers /ACCESS /ACCOUNT /ADD_IDENTIFIER /ALGORITHM /ASTLM /BATCH /BIOLM /BYTLM /CLI /CLITABLES /CPUTIME /DEFPRIVILEGES /DEVICE /DIALUP /DIOLM /DIRECTORY /ENQLM /EXPIRATION /FILLM /FLAGS /GENERATE_PASSWORD /INTERACTIVE /JTQUOTA /LGICMD /LOCAL /MAXACCTJOBS /MAXDETACH /MAXJOBS /NETWORK /OWNER /PASSWORD /PBYTLM /PGFLQUOTA /PRCLM /PRIMEDAYS /PRIORITY /PRIVILEGES /PWDEXPIRED /PWDLIFETIME /PWDMINIMUM /REMOTE /SHRFILLM /TQELM /UIC /WSDEFAULT /WSEXTENT /WSQUOTA Examples /IDENTIFIER /PROXY ADD Subtopic?

#2
UAF> HELP ADD/ACCOUNT

The command in this example displays information about the /ACCOUNT qualifier:

ADD /ACCOUNT=account-name Specifies the default name for the account (for example, a billing name or number). The name can be a string of 1 to 8 alphanumeric characters. By default, AUTHORIZE does not assign an account name.

LIST

Writes reports for selected UAF records to a listing file, SYSUAF.LIS, which is placed in the current default directory.

Note
LIST/IDENTIFIER, LIST/PROXY, and LIST/RIGHTS are documented as separate commands.

Format

LIST [user-spec]

Parameter

user-spec
Specifies the user name or UIC of the requested UAF record. Without the user-spec parameter, AUTHORIZE lists the user records of all users. The asterisk (*) and percent sign (%) wildcards are permitted in the user name.

Qualifiers

/BRIEF
Specifies that a brief report be written to SYSUAF.LIS. The /BRIEF qualifier is the default qualifier. SYSUAF.LIS is placed in the default directory.
/FULL
Specifies that a full report be written to SYSUAF.LIS, including identifiers held by the user. SYSUAF.LIS is placed in the SYS$SYSTEM directory.

Description

The LIST command creates a listing file of reports for selected UAF records. Print the listing file, SYSUAF.LIS, with the DCL command PRINT.
Specification of a user name results in a single-user report. Specification of the asterisk wildcard character following the LIST command results in reports for all users in ascending sequence by user name. Specification of a UIC results in reports for all users with that UIC. (HP recommends that you assign each user a unique UIC, but if users share a UIC, the report will show all users with that UIC.) You can use the asterisk wildcard character to specify the UIC.
The following table shows how to specify a UIC with the LIST command and use the asterisk wildcard character with the UIC specification to produce various types of reports:

Command Description

LIST [14,6] Lists a full report for the user (or users) with member number 6 in group 14.

LIST [14,*] /BRIEF Lists a brief report for all users in group 14, in ascending sequence by member number.

LIST [*,6] /BRIEF Lists a brief report for all users with a member number of 6.

LIST [*,*] /BRIEF Lists a brief report for all users, in ascending sequence by UIC.

Although you must provide separate UICs for each user, the LIST command reports users with the same UIC in the order in which they were added to the SYSUAF. Full reports list the details of the limits, privileges, login flags, and command interpreter. Brief reports do not include the limits, login flags, or command interpreter, nor do they summarize the privileges. AUTHORIZE never displays the password for an account.
See the SHOW command for examples of brief and full reports.

Command	Description
LIST [14,6]	Lists a full report for the user (or users) with member number 6 in group 14.
LIST [14,*] /BRIEF	Lists a brief report for all users in group 14, in ascending sequence by member number.
LIST [*,6] /BRIEF	Lists a brief report for all users with a member number of 6.
LIST [,] /BRIEF	Lists a brief report for all users, in ascending sequence by UIC.

Examples

#1
UAF> LIST ROBIN/FULL %UAF-I-LSTMSG1, writing listing file %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

This command lists a full report for the user record ROBIN.

#2
UAF> LIST * %UAF-I-LSTMSG1, writing listing file %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

This command results in brief reports for all users in ascending sequence by user name. Note, however, that this is the same result you would produce had you omitted the asterisk wildcard.

#3
UAF> LIST [300,*] %UAF-I-LSTMSG1, writing listing file %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

This command lists a brief report for all user records with a group UIC of 300.

Contents

Index

DYNAMIC	Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST.
HOLDER_HIDDEN	Prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves.
NAME_HIDDEN	Allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the identifier.
NOACCESS	Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the Resource or Subsystem attribute.
RESOURCE	Allows holders of an identifier to charge disk space to the identifier. Used only for file objects.
SUBSYSTEM	Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.