HP OpenVMS Systems Documentation

When you add a new account, specify values for fields that you want to be different. Typically, changing the default values for limits¹, priority, privileges, or the command interpreter is not necessary. As a result, you enter only the password, UIC, directory, owner, account, and device.

When you add a record to the UAF, create a directory for the new user. Specify the device name, directory name, and UIC in the UAF record. The following DCL command creates a directory for user ROBIN:

$ CREATE/DIRECTORY SYS$USER:[ROBIN] /OWNER_UIC=[ROBIN]

Examples

UAF> ADD ROBIN /PASSWORD=SP0152/UIC=[014,006] -
_/DEVICE=SYS$USER/DIRECTORY=[ROBIN]/OWNER="JOSEPH ROBIN" /ACCOUNT=INV
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier ROBIN value: [000014,000006] added to
  RIGHTSLIST.DAT
%UAF-I-RDBADDMSGU, identifier INV value: [000014,177777] added to
  RIGHTSLIST.DAT
      

This example illustrates the typical ADD command and qualifiers. The resulting record from this command appears in the description of the SHOW command.

UAF> ADD WELCH /PASSWORD=SP0158/UIC=[014,051] -
_/DEVICE=SYS$USER/DIRECTORY=[WELCH]/OWNER="ROB WELCH"/FLAGS=DISUSER -
_/ACCOUNT=INV/LGICMD=SECUREIN
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier WELCH value: [000014,000051] added to
      RIGHTSLIST.DAT
UAF> MODIFY WELCH/FLAGS=(RESTRICTED,DISNEWMAIL,DISWELCOME,NODISUSER,EXTAUTH)-
_/NODIALUP=SECONDARY/NONETWORK=PRIMARY/CLITABLES=DCLTABLES -
_/NOACCESS=(PRIMARY, 9-16, SECONDARY, 18-8)
%UAF-I-MDFYMSG, user records updated
      

The commands in this example add a record for a restricted account. Because of the number of qualifiers required, a MODIFY command is used in conjunction with the ADD command. This helps to minimize the possibility of typing errors.

In the ADD command line, setting the DISUSER flag prevents the user from logging in until all the account parameters are set up. In the MODIFY command line, the DISUSER flag is disabled (by specifying NODISUSER) to allow access to the account. The EXTAUTH flag causes the system to consider the user as authenticated by an external user name and password, not by the SYSUAF user name and password.

The record that results from these commands and an explanation of the restrictions the record imposes appear in the description of the SHOW command.

ADD/IDENTIFIER

Adds only an identifier to the rights database. It does not add a user account.

Format

ADD/IDENTIFIER [id-name]

Parameter

id-name

Specifies the name of the identifier to be added to the rights database. If you omit the name, you must specify the /USER qualifier. The identifier name is a string of 1 to 31 alphanumeric characters. The name can contain underscores and dollar signs. It must contain at least one nonnumeric character.

Qualifiers

/ATTRIBUTES=(keyword[,...])

Specifies attributes to be associated with the new identifier. The following keywords are valid:

DYNAMIC	Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST.
HOLDER_HIDDEN	Prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves.
NAME_HIDDEN	Allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the identifier.
NOACCESS	Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the Resource or Subsystem attribute.
RESOURCE	Allows holders of an identifier to charge disk space to the identifier. Used only for file objects.
SUBSYSTEM	Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.

By default, none of these attributes is associated with the new identifier.

/USER=user-spec

Scans the UAF record for the specified user and creates the corresponding identifier. Specify user-spec by user name or UIC. You can use the asterisk wildcard to specify multiple user names or UICs. Full use of the asterisk and percent wildcards is permitted for user names; UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard user name specification (*) creates identifiers alphabetically by user name; a wildcard UIC specification ([*,*]) creates them in numerical order by UIC.

/VALUE=value-specifier

Specifies the value to be attached to the identifier. The following formats are valid for the value-specifier:

IDENTIFIER:n

An integer value in the range of 65,536 to 268,435,455. You can also specify the value in hexadecimal (precede the value with %X) or octal (precede the value with %O). The system displays this type of identifier in hexadecimal. To differentiate general identifiers from UIC identifiers, the system adds %X80000000 to the value you specify.

UIC:uic

A UIC value in standard UIC format consists of a member name and, optionally, a group name enclosed in brackets. For example, [360,031]. In numeric UICs, the group number is an octal number in the range of 1 to 37776; the member number is an octal number in the range of 0 to 177776. You can omit leading zeros when you are specifying group and member numbers. Regardless of the UIC format you use, the system translates a UIC to a 32-bit numeric value. Alphanumeric UICs are not allowed.

Typically, system managers add identifiers as UIC values to represent system users; the system applies identifiers in integer format to system resources.

Examples

UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
%UAF-I-RDBADDMSGU, identifier INVENTORY value: [000300,000011] added to
RIGHTSLIST.DAT
      

The command in this example adds an identifier named INVENTORY to the rights database. By default, the identifier is not marked as a resource.

UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) -
_/VALUE=IDENTIFIER:%X80011 PAYROLL
%UAF-I-RDBADDMSGU, identifier PAYROLL value: %X80080011 added to
RIGHTSLIST.DAT
      

This command adds the identifier PAYROLL and marks it as a resource. To differentiate identifiers with integer values from identifiers with UIC values, %X80000000 is added to the specified code.

Adds an entry to the network proxy authorization files, NETPROXY.DAT and NET$PROXY.DAT, and signals DECnet to update its volatile database. Proxy additions take effect immediately on all nodes in a cluster that share the proxy database.

Format

ADD/PROXY node::remote-user local-user[,...]

Parameters

node

Specifies a DECnet node name. If you provide a wildcard character (*), the specified remote user on all nodes is served by the account defined as local-user.

remote-user

Specifies the user name of a user at a remote node. If you specify an asterisk, all users at the specified node are served by the local user.

For systems that are not OpenVMS and that implement DECnet, specifies the UIC of a user at a remote node. You can specify a wildcard character (*) in the group and member fields of the UIC.

local-user

Specifies the user names of 1 to 16 users on the local node. If you specify an asterisk, a local-user name equal to remote-user name will be used.

Positional Qualifier

/DEFAULT

Establishes the specified user name as the default proxy account. The remote user can request proxy access to an authorized account other than the default proxy account by specifying the name of the proxy account in the access control string of the network operation.

Description

The ADD/PROXY command adds an entry to the network proxy authorization files, NETPROXY.DAT and NET$PROXY.DAT, and signals DECnet to update its volatile database. Proxy additions take effect immediately on all nodes in a cluster that share the proxy database.

You can grant a remote user access to one default proxy account and up to 15 other local accounts. To access proxy accounts other than the default proxy account, remote users specify the requested account name in an access control string. To change the default proxy account, use the AUTHORIZE command MODIFY/PROXY.

Proxy login is an effective way to avoid specifying (and, possibly, revealing) passwords in command lines. However, you must use caution in granting access to remote users. While logged in to the local system, remote users can apply the full DCL command set (with the exception of SET HOST). A remote user receives the default privileges of the local user and, therefore, becomes the owner of the local user's files when executing any DCL commands.

To avoid potential security compromises, Compaq recommends that you create proxy accounts on the local node that are less privileged than a user's normal account on the remote node. By adding an extension such as _N, you can identify the account as belonging to a remote user, while distinguishing it from a native account with the same name on the local node. For example, the following command creates a JONES_N proxy account on the local node that allows the user JONES to access the account from the remote node SAMPLE:

UAF> ADD/PROXY SAMPLE::JONES JONES_N/DEFAULT %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

For more information about creating proxy accounts, refer to the OpenVMS Guide to System Security.

Examples

UAF> ADD/PROXY  SAMPLE::WALTER   ROBIN/DEFAULT
%UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
      

Specifies that user WALTER on remote node SAMPLE has proxy access to user ROBIN's account on local node AXEL. Through proxy login, WALTER receives the default privileges of user ROBIN when he accesses node AXEL remotely.

UAF> ADD/PROXY MISHA::* MARCO/DEFAULT, OSCAR
%UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
      

Specifies that any user on the remote node MISHA can, by default, use the MARCO account on the local node for DECnet tasks such as remote file access. Remote users can also access the OSCAR proxy account by specifying the user name OSCAR in the access control string.

UAF> ADD/PROXY MISHA::MARCO */DEFAULT
%UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
      

Specifies that user MARCO on the remote node MISHA can use only the MARCO account on the local node for remote file access.

UAF> ADD/PROXY TAO::MARTIN  MARTIN/D,SALES_READER
%UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to MARTIN added
%UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to SALES_READER added
      

Adds a proxy from TAO::MARTIN to the local accounts MARTIN (the default) and SALES_READER on a system running DECnet-Plus.

COPY

Creates a new SYSUAF record that duplicates an existing UAF record.

Format

COPY oldusername newusername

Parameters

oldusername

Name of an existing user record to serve as a template for the new record.

newusername

Name for the new user record. The user name is a string of 1 to 12 alphanumeric characters.

Qualifiers

All the qualifiers listed under the ADD command apply to the COPY command.

Description

The COPY command creates a new SYSUAF record that duplicates an existing SYSUAF record. The command requires the /PASSWORD qualifier. If you do not specify additional qualifiers to the COPY command, the fields in the record you create are the same as those in the record being copied.

For example, you could add a record for a new user named Thomas Sparrow that is identical to that of Joseph Robin (but presumably different from the default record), as follows:

UAF> COPY ROBIN SPARROW /PASSWORD=SP0152

However, to add a record for Thomas Sparrow that differs from Joseph Robin's in the UIC, directory name, password, and owner, specify the following command:

UAF> COPY ROBIN SPARROW /UIC=[200,13]/DIRECTORY=[SPARROW] - _/PASSWORD=THOMAS/OWNER="THOMAS SPARROW"

You can also use the COPY command to create a set of template records to meet the specific needs of various user groups. For example, if you have programmers, administrators, and data entry personnel working on the same system, you can create records such as PROGRAMMER, ADMINISTRATOR, and DATA_ENTRY, each tailored to the needs of a particular group. To add an account for a new user in one of these groups, copy the appropriate template record and specify a new user name, password, UIC, directory, and owner.

If you omit the /PASSWORD qualifier when you create an account, AUTHORIZE displays the following error message:

%UAF-W-DEFPWD, copied or renamed records must receive new password

To specify a password for the account, use the MODIFY command with the /PASSWORD qualifier.

Examples

UAF> COPY ROBIN SPARROW /PASSWORD=SP0152
%UAF-I-COPMSG, user record copied
%UAF-E-RDBADDERRU, unable to add SPARROW value: [000014,00006] to
      RIGHTSLIST.DAT   -SYSTEM-F-DUPIDENT, duplicate identifier
      

The command in this example adds a record for Thomas Sparrow that is identical, except for the password, to that of Joseph Robin. Note that because the UIC value has no change, no identifier is added to RIGHTSLIST.DAT. AUTHORIZE issues a "duplicate identifier" error message.

UAF> COPY ROBIN SPARROW /UIC=[200,13]/DIRECTORY=[SPARROW] -
_/PASSWORD=THOMAS/OWNER="THOMAS SPARROW"
%UAF-I-COPMSG, user record copied
%UAF-I-RDBADDMSGU, identifier SPARROW value: [000200,000013] added to
      RIGHTSLIST.DAT
      

The command in this example adds a record for Thomas Sparrow that is the same as Joseph Robin's except for the UIC, directory name, password, and owner. Note that you could use a similar command to copy a template record when adding a record for a new user in a particular user group.

Creates and initializes the network proxy authorization files. The primary network proxy authorization file is NET$PROXY.DAT. The file NETPROXY.DAT is maintained for compatibility.

Note Do not delete NETPROXY.DAT because DECnet Phase IV and many layered products still use it.

Format

CREATE/PROXY

Parameters

None.

Qualifiers

None.

Description

NETPROXY.DAT is created with no records and is assigned the following protection:

(S:RWED,O:RWED,G,W)

NET$PROXY.DAT is created with no records and is assigned the following protection:

(S:RWED,O,G,W)

If NETPROXY.DAT or NET$PROXY.DAT already exist, AUTHORIZE reports the following error message:

%UAF-W-NAFAEX, NETPROXY.DAT already exists

To create a new file, you must either delete or rename the old one.

Example

UAF> CREATE/PROXY
UAF>
      

The command in this example creates and initializes the network proxy authorization file.

Creates and initializes the rights database, RIGHTSLIST.DAT.

Format

CREATE/RIGHTS

Parameters

None.

Qualifiers

None.

Description

RIGHTSLIST.DAT is created with no records and is assigned the following protection:

(S:RWED,O:RWED,G:R,W:)

Note that the file is created only if the file does not already exist.

Example

UAF> CREATE/RIGHTS
%UAF-E-RDBCREERR, unable to create RIGHTSLIST.DAT
-RMS-E-FEX, file already exists, not superseded
      

You can use the command in this example to create and initialize a new rights database. Note, however, that RIGHTSLIST.DAT is created automatically during the installation process. Thus, you must delete or rename the existing file before creating a new one. For more information about rights database management, refer to the OpenVMS Guide to System Security.

DEFAULT

Modifies the SYSUAF's DEFAULT record.

Format

DEFAULT

Parameters

None.

Qualifiers

See the qualifiers listed under the ADD command.

Description

Modify the DEFAULT record when qualifiers normally assigned to a new user differ from the Compaq-supplied values. The following qualifiers correspond to fields in the default record that are commonly modified:

Qualifier	Reason for Modification
/CLI	If the command interpreter is MCR.
/DEVICE	If most users have the same default device.
/LGICMD	When automation of initial housekeeping chores at login time is desired through a specific login command file. The system automates the execution of login command file in the following way: First the system checks whether the logical name SYS$SYLOGIN has been defined. If it has, the name is translated (in most cases to SYLOGIN.COM), and the named command file is executed. (This command file can call other login command files.) When it completes, the system makes another check: If the user's LGICMD field in the UAF specifies a command file, that file is executed. If LGICMD is blank, the user's file LOGIN.COM is executed automatically if the command interpreter is DCL. (In this case, all users must name their login command files LOGIN.COM.) If the command interpreter is MCR, the user's file LOGIN.CMD is executed automatically. Thus, the login protocol generally consists of a systemwide login command file followed by a user-specific login command file.
/PRIVILEGES	When users are given different privileges than those supplied by Compaq.
Quota qualifiers	When the default quotas are insufficient or inappropriate for mainstream work.

Example

UAF> DEFAULT /DEVICE=SYS$USER/LGICMD=SYS$MANAGER:SECURELGN -
_UAF> /PRIVILEGES=(TMPMBX,GRPNAM,GROUP)
%UAF-I-MDFYMSG, user record(s) updated
      

The command in this example modifies the DEFAULT record, changing the default device, default login command file, and default privileges.