HP OpenVMS System Management Utilities Reference Manual


Previous Contents Index

EXIT

Terminates the session.

Format

EXIT


Parameters

None.

Qualifiers

None.

HELP

Provides online help information for using ANALYZE/AUDIT commands.

Format

HELP [topic]


Parameter

topic

Specifies the command for which help information is to be displayed. If you omit the keyword, HELP displays a list of available help topics and prompts you for a particular keyword.

Qualifiers

None.

Example


COMMAND> HELP DISPLAY
      

The command in this example displays help information about the DISPLAY command.

LIST

Changes the criteria used to select event records. The LIST command is synonymous with the DISPLAY command.

Format

LIST


Parameters

None.

Qualifiers

See the description of the DISPLAY command.

Example


COMMAND> LIST/EVENT_TYPE=SYSUAF
COMMAND> CONTINUE
      

The first command in this example selects records that were generated as a result of a modification to the system user authorization file (SYSUAF). The second command displays the selected records.

NEXT FILE

Controls whether the current security audit log file is closed and the next log file opened. The command is useful when you supply a wildcard file specification to the ANALYZE/AUDIT command; for example *.AUDIT$JOURNAL. If there are no other audit log files to open, the audit analysis session terminates and control returns to DCL.

Format

NEXT FILE


Parameters

None.

Qualifiers

None.

NEXT RECORD

Controls whether the next audit record is displayed. The NEXT RECORD command is the default for interactive mode.

This command is synonymous with the POSITION command.


Format

NEXT RECORD


Parameters

None.

Qualifiers

None.

POSITION

Moves the full-format display forward or backward the specified number of event records.

Format

POSITION number


Parameter

number

For positive numbers, displays the record that is the specified number of records after the current record. For negative numbers, displays the record that is the specified number of records before the current record.

Qualifiers

None.

Examples

#1

COMMAND> POSITION 100
      

The command in this example moves the display forward 100 event records.

#2

COMMAND> POSITION -100
      

The command in this example moves the display back 100 event records.

SHOW

Displays information about the selection or exclusion criteria currently being used to select event records.

Format

SHOW option[,...]


Parameter

option[,...]

Displays information about selection or exclusion criteria currently being used to select records. Specify one or more of the following options:
ALL Displays all criteria being used to select event records.
EXCLUSION_CRITERIA Displays the criteria being used to exclude event records.
SELECTION_CRITERIA Displays the criteria being used to select event records.

Qualifiers

None.

Example


COMMAND> SHOW SELECTION_CRITERIA
      

The command in this example displays the selection criteria currently in use to select records.


Chapter 5
Authorize Utility

5.1 AUTHORIZE Description

The Authorize utility (AUTHORIZE) is a system management tool used to control access to the system and to allocate resources to users.

AUTHORIZE creates new records or modifies existing records in the following files:

These files store system authorization information. By default, they are owned by the system (UIC of [SYSTEM]) and are created with the following protection:


SYSUAF.DAT      S:RWED, O:RWED, G, W 
NETPROXY.DAT    S:RWED, O:RWED, G, W    
NET$PROXY.DAT   S, O, G, W            
RIGHTSLIST.DAT  S:RWED, O:RWED, G, W:         

To use AUTHORIZE, you must have write access to all three of these files (you must have an account with the user identification code (UIC) of [SYSTEM] or the SYSPRV privilege).

Note that you must have read access to the RIGHTSLIST.DAT file (or sufficient privileges) to display the rights identifiers held by other users.

Because certain images (such as MAIL and SET) require access to the system user authorization file (UAF) and are normally installed with the SYSPRV privilege, ensure that you always grant system access to SYSUAF.DAT.

When you install a new system, the software distribution kit provides the following records in the system user authorization file in SYS$SYSTEM:

On Alpha and Integrity server systems:

DEFAULT
SYSTEM

If the SYSUAF.DAT becomes corrupted or is accidentally deleted, you can use the template file SYSUAF.TEMPLATE in the SYS$SYSTEM directory to recreate the file, as follows:


$ SET DEFAULT SYS$SYSTEM
$ COPY SYSUAF.TEMPLATE SYSUAF.DAT

The file SYSUAF.TEMPLATE contains records that are identical to those defined when the system was installed.

To make an emergency backup for the system SYSUAF file, you can create a private copy of SYSUAF.DAT. To affect future logins, copy a private version of SYSUAF.DAT to the appropriate directory, as shown in the following example:


$ COPY MYSYSUAF.DAT SYS$COMMON:[SYSEXE]:SYSUAF.DAT-
_$ /PROTECTION=(S:RWED,O:RWED,G,W)

Updated Quotas for the DEFAULT and SYSTEM Accounts

In OpenVMS Version 8.2 the quotas associated with the DEFAULT and SYSTEM accounts were updated. These updated quotas are seen only on fresh installations of OpenVMS or on the creation of a new SYSUAF data file. Existing SYSUAF data files are not updated.

The updates to the DEFAULT account are as follows:
Quota Old Value New Value
ASTLM 250 300
BYTLM 64,000 128,000
ENQLM 2,000 4,000
FILLM 100 128
PGFLQUOTA 50,000 256,000
TQELM 10 100
WSDEFAULT 2000 4,096
WSQUOTA 4000 8,192

The updates to the SYSTEM account are the same as the DEFAULT account with the exception of the following two quotas:
Quota Old Value New Value
BYTLM 64,000 256,000
PGFLQUOTA 50,000 700,000

For upgraded systems with existing SYSUAF files, you might want to update the DEFAULT and SYSTEM account quotas to these new values.

5.2 AUTHORIZE Usage Summary

The Authorize utility (AUTHORIZE) is a system management tool that enables you to control access to the system and to allocate resources to users.


Format

RUN SYS$SYSTEM:AUTHORIZE


Parameters

None.

Description

To invoke AUTHORIZE, set your default device and directory to SYS$SYSTEM and enter RUN AUTHORIZE at the DCL command prompt.

At the UAF> prompt, you can enter any AUTHORIZE command described in the following section.

To exit from AUTHORIZE, enter the EXIT command at the UAF> prompt or press Ctrl/Z.

5.3 AUTHORIZE Commands

This section describes the AUTHORIZE commands and provides examples of their use. You can abbreviate any command, keyword, or qualifier as long as the abbreviation is not ambiguous. The asterisk (*) and the percent sign (%) can be used as wildcard characters to specify user names, node names, and UICs.

AUTHORIZE commands fall into the following four categories:

The following table summarizes the AUTHORIZE commands according to these categories:
Command Description
Managing System Resources and User Accounts with SYSUAF
ADD Adds a user record to the SYSUAF and corresponding identifiers to the rights database.
COPY Creates a new SYSUAF record that duplicates an existing record.
DEFAULT Modifies the default SYSUAF record.
LIST Writes reports for selected UAF records to a listing file, SYSUAF.LIS.
MODIFY Changes values in a SYSUAF user record. Qualifiers not specified in the command remain unchanged.
REMOVE Deletes a SYSUAF user record and corresponding identifiers in the rights database. The DEFAULT and SYSTEM records cannot be deleted.
RENAME Changes the user name of the SYSUAF record (and, if specified, the corresponding identifier) while retaining the characteristics of the old record.
SHOW Displays reports for selected SYSUAF records.
Managing Network Proxies with NETPROXY.DAT or NET$PROXY.DAT
ADD/PROXY Adds proxy access for the specified user.
CREATE/PROXY Creates a network proxy authorization file.
LIST/PROXY Creates a listing file of all proxy accounts and all remote users with proxy access to the accounts.
MODIFY/PROXY Modifies proxy access for the specified user.
REMOVE/PROXY Deletes proxy access for the specified user.
SHOW/PROXY Displays proxy access allowed for the specified user.
Managing Identifiers with RIGHTSLIST.DAT
ADD/IDENTIFIER Adds an identifier name to the rights database, rightslist.dat.
CREATE/RIGHTS Creates a new rights database file.
GRANT/IDENTIFIER Grants an identifier name to a UIC identifier.
LIST/IDENTIFIER Creates a listing file of identifier names and values.
LIST/RIGHTS Creates a listing file of all identifiers held by the specified user.
MODIFY/IDENTIFIER Modifies the named identifier in the rights database.
REMOVE/IDENTIFIER Removes an identifier from the rights database.
RENAME/IDENTIFIER Renames an identifier in the rights database.
REVOKE/IDENTIFIER Revokes an identifier name from a UIC identifier.
SHOW/IDENTIFIER Displays identifier names and values on the current output device.
SHOW/RIGHTS Displays on the current output device the names of all identifiers held by the specified user.
General Commands
EXIT Returns the user to DCL command level.
HELP Displays HELP text for AUTHORIZE commands.
MODIFY/SYSTEM_PASSWORD Sets the system password (equivalent to the DCL command SET PASSWORD/SYSTEM).

ADD

Adds a user record to the SYSUAF and corresponding identifiers to the rights database.

Note

ADD/IDENTIFIER and ADD/PROXY are documented as separate commands.

Format

ADD newusername


Parameter

newusername

Specifies the name of the user record to be included in the SYSUAF. The newusername parameter is a string of 1 to 12 alphanumeric characters and can contain underscores. Although dollar signs are permitted, they are usually reserved for system names.

Avoid using fully numeric user names (for example, 89560312). A fully numeric user name cannot receive a corresponding identifier because fully numeric identifiers are not permitted.


Qualifiers

/ACCESS[=(range[,...])]

/NOACCESS[=(range[,...])]

Specifies hours of access for all modes of access. The syntax for specifying the range is:

/[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])

Specify hours as integers from 0 to 23, inclusive. You can specify single hours (n) or ranges of hours (n-m). If the ending hour of a range is earlier than the starting hour, the range extends from the starting hour through midnight to the ending hour. The first set of hours after the keyword PRIMARY specifies hours on primary days; the second set of hours after the keyword SECONDARY specifies hours on secondary days. Note that hours are inclusive; that is, if you grant access during a given hour, access extends to the end of that hour.

By default, a user has full access every day. See the DCL command SET DAY in the HP OpenVMS DCL Dictionary for information about overriding the defaults for primary and secondary day types.

All the list elements are optional. Unless you specify hours for a day type, access is permitted for the entire day. By specifying an access time, you prevent access at all other times. Adding NO to the qualifier denies the user access to the system for the specified period of time. See the following examples.
/ACCESS Allows unrestricted access
/NOACCESS=SECONDARY Allows access on primary days only
/ACCESS=(9-17) Allows access from 9 A.M. to 5:59 P.M. on all days
/NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8) Disallows access between 9 A.M. to 5:59 P.M. on primary days but allows access during these hours on secondary days

To specify access hours for specific types of access, see the /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE qualifiers.

For information about the effects of login class restrictions, see the HP OpenVMS Guide to System Security.

/ACCOUNT=account-name

Specifies the default name for the account (for example, a billing name or number). The name can be a string of 1 to 8 alphanumeric characters. By default, AUTHORIZE does not assign an account name.

/ADD_IDENTIFIER (default)

/NOADD_IDENTIFIER

Adds an identifier to the rights database file, RIGHTSLIST.DAT, and also adds a user to the user authorization file, SYSUAF. The /NOADD_IDENTIFIER qualifier does not add an identifier to the RIGHTSLIST.DAT file but does, however, add a user to the SYSUAF user record file. Note that the AUTHORIZE command ADD/IDENTIFIER is quite different: it only adds an entry to the rights database file, RIGHTSLIST.DAT.

/ALGORITHM=keyword=type [=value]

Sets the password encryption algorithm for a user. The keyword VMS refers to the algorithm used in the operating system version that is running on your system, whereas a customer algorithm is one that is added through the $HASH_PASSWORD system service by a customer site, by a layered product, or by a third party. The customer algorithm is identified in $HASH_PASSWORD by an integer in the range of 128 to 255. It must correspond with the number used in the AUTHORIZE command MODIFY/ALGORITHM. By default, passwords are encrypted with the VMS algorithm for the current version of the operating system.
Keyword Function
BOTH Set the algorithm for primary and secondary passwords.
CURRENT Set the algorithm for the primary, secondary, both, or no passwords, depending on account status. CURRENT is the default value.
PRIMARY Set the algorithm for the primary password only.
SECONDARY Set the algorithm for the secondary password only.

The following table lists password encryption algorithms:
Type Definition
VMS The algorithm used in the version of the operating system that is running on your system.
CUSTOMER A numeric value in the range of 128 to 255 that identifies a customer algorithm.

The following example selects the VMS algorithm for Sontag's primary password:


UAF>  MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

If you select a site-specific algorithm, you must give a value to identify the algorithm, as follows:


UAF>  MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM=value

Specifies the AST queue limit, which is the total number of asynchronous system trap (AST) operations and scheduled wake-up requests that the user can have queued at one time. The default is 300 on Alpha and Integrity server systems.

/BATCH[=(range[,...])]

Specifies the hours of access permitted for batch jobs. For a description of the range specification, see the /ACCESS qualifier. By default, a user can submit batch jobs any time.

/BIOLM=value

Specifies a buffered I/O count limit for the BIOLM field of the UAF record. The buffered I/O count limit is the maximum number of buffered I/O operations, such as terminal I/O, that can be outstanding at one time. The default is 150 on Alpha and Integrity server systems.

/BYTLM=value

Specifies the buffered I/O byte limit for the BYTLM field of the UAF record. The buffered I/O byte limit is the maximum number of bytes of nonpaged system dynamic memory that a user's job can consume at one time. Nonpaged dynamic memory is used for operations such as I/O buffering, mailboxes, and file-access windows. The default is 128,000 on Alpha and Integrity server systems.

/CLI=cli-name

Specifies the name of the default command language interpreter (CLI) for the CLI field of the UAF record. The cli-name is a string of 1 to 31 alphanumeric characters and should be DCL, which is the default. This setting is ignored for network jobs.

/CLITABLES=filespec

Specifies user-defined CLI tables for the account. The filespec can contain 1 to 31 characters. The default is SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for network jobs to guarantee that the system-supplied command procedures used to implement network objects function properly.

/CPUTIME=time

Specifies the maximum process CPU time for the CPU field of the UAF record. The maximum process CPU time is the maximum amount of CPU time a user's process can take per session. You must specify a delta time value. For a discussion of delta time values, see the OpenVMS User's Manual. The default is 0, which means an infinite amount of time.

/DEFPRIVILEGES=([NO]privname[,...])

Specifies default privileges for the user; that is, those enabled at login time. A NO prefix removes a privilege from the user. By specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier, you can disable or enable all user privileges. The default privileges are TMPMBX and NETMBX. Privname is the name of the privilege.

/DEVICE=device-name

Specifies the name of the user's default device at login. The device-name is a string of 1 to 31 alphanumeric characters. If you omit the colon from the device-name value, AUTHORIZE appends a colon. The default device is SYS$SYSDISK.


Previous Next Contents Index