HP OpenVMS Systems Documentation

Modifies an entry in the network proxy authorization file to specify a different local account as the default proxy account for the remote user or to specify no default proxy account for the remote user.

The command modifies an entry in the network proxy authorization file NET$PROXY.DAT and, to maintain compatibility with other systems, modifies an entry in NETPROXY.DAT.

Note You must modify the proxy database from a system running the current OpenVMS system.

Format

MODIFY/PROXY node::remote-user

Parameters

node

Specifies a node name. If you specify an asterisk wildcard character (*), the specified remote user on all nodes is served by the local user.

remote-user

Specifies the user name of a user at a remote node. If you specify an asterisk wildcard character, all users at the specified node are served by the local user.

For systems that are not OpenVMS systems that implement DECnet, specifies the UIC of a user at a remote node. You can specify an asterisk wildcard in the group and member fields of the UIC.

Qualifier

/DEFAULT[=local-user]
/NODEFAULT

Designates the default user name on the local node through which proxy access from the remote user is directed. If /NODEFAULT is specified, removes the default designation.

Description

Use the MODIFY/PROXY command to specify a different local account as the default proxy account for the remote user or to specify that there is no default proxy account for the remote user. Whenever you modify user entries, AUTHORIZE signals DECnet to update its volatile database. Proxy modifications take effect immediately on all nodes in a cluster that share the proxy database.

The first command in the following example grants remote user STIR::YETTA proxy access to the PROXY1 and PROXY2 local accounts. The default proxy account is PROXY1. The second command changes the default proxy account to PROXY2.

UAF> ADD/PROXY STIR::YETTA PROXY1/DEFAULT, PROXY2 . . . UAF> MODIFY/PROXY STIR::YETTA /DEFAULT=PROXY2

The next example shows the command used to remove the default proxy designation.

UAF> MODIFY/PROXY STIR::YETTA /NODEFAULT

If you remove the default proxy designation as shown in the last command, remote user STIR::YETTA must include the name of the proxy account (PROXY1 or PROXY2) in the access control string of each network operation to gain proxy access to the local system.

If no default proxy account is specified either in the network proxy database or in the access control string of the DCL command, the system attempts to perform the network operation using the default DECnet account.

Example

UAF> MODIFY/PROXY MISHA::MARCO /DEFAULT=JOHNSON
%UAF-I-NAFADDMSG, record successfully modified in NETPROXY.DAT
      

The command in this example changes the default proxy account for user MARCO on the remote node MISHA to the JOHNSON account.

Changes the systemwide password (which is different from the password for the SYSTEM user name). This command operates similarly to the DCL command SET PASSWORD/SYSTEM.

Format

MODIFY/SYSTEM_PASSWORD= system-password

Parameter

system-password

Specifies the new systemwide password.

Qualifiers

None.

Description

For a detailed description of the effects of this command, refer to the discussion of the SET PASSWORD/SYSTEM command in the OpenVMS Guide to System Security.

Example

UAF> MODIFY/SYSTEM_PASSWORD=ABRACADABRA
UAF>
      

This command changes the systemwide password to ABRACADABRA.

Deletes a SYSUAF user record and corresponding identifiers in the rights database. The DEFAULT and SYSTEM records cannot be deleted.

Format

REMOVE username

Parameter

username

Specifies the name of a user in the SYSUAF.

Qualifier

/REMOVE_IDENTIFIER (default)

/NOREMOVE_IDENTIFIER

Specifies whether the user name and account name identifiers should be removed from the rights database when a record is removed from the UAF. If two UAF records have the same UIC, the user name identifier is removed only when the second record is deleted. Similarly, the account name identifier is removed only if there are no remaining UAF records with the same group as the deleted record.

Description

If you remove a SYSUAF record for a user who also appears as a local user in the network user authorization file, every network authorization record for that user is also removed.

Example

UAF> REMOVE ROBIN
%UAF-I-REMMSG, record removed from SYSUAF.DAT
%UAF-I-RDBREMMSGU, identifier ROBIN value: [000014,000006] removed from
  RIGHTSLIST.DAT
      

The command in this example deletes the record for user ROBIN from the SYSUAF and ROBIN's UIC identifier from RIGHTSLIST.DAT.

Removes an identifier from the rights database.

Format

REMOVE/IDENTIFIER id-name

Parameter

id-name

Specifies the name of an identifier in the rights database.

Qualifiers

None.

Example

UAF> REMOVE/IDENTIFIER Q1SALES
%UAF-I-RDBREMMSGU, identifier Q1SALES value %X80010024 removed from
  RIGHTSLIST.DAT
      

The command in this example removes the identifier Q1SALES from the rights database. All of its holder records are removed with it.

Deletes network proxy access for the specified remote user.

Format

REMOVE/PROXY node::remote-user [local-user,...]

Parameters

node

Specifies the name of a network node in the network proxy authorization file.

remote-user

Specifies the user name or UIC of a user on a remote node. The asterisk wildcard character (*) is permitted in the remote-user specification.

local-user

Specifies the user name of from 1 to 16 users on the local node. If no local user is specified, proxy access to all local accounts is removed.

Qualifiers

None.

Example

UAF> REMOVE/PROXY MISHA::MARCO
%UAF-I-NAFREMMSG, proxy from MISHA::MARCO to * removed

      

The command in this example deletes the record for MISHA::MARCO from the network proxy authorization file, removing all proxy access to the local node for user MARCO on node MISHA.

Changes the user name of the SYSUAF record (and, if specified, the corresponding identifier) while retaining the characteristics of the old record.

Format

RENAME oldusername newusername

Parameters

oldusername

Specifies the current user name in the SYSUAF.

newusername

Specifies the new name for the user. It can contain 1 to 12 alphanumeric characters and underscores. Although dollar signs are permitted, they are usually reserved for system names.

Qualifiers

/GENERATE_PASSWORD[=keyword]

/NOGENERATE_PASSWORD (default)

Invokes the password generator to create user passwords. Generated passwords can consist of 1 to 10 characters. Specify one of the following keywords:

BOTH	Generate primary and secondary passwords.
CURRENT	Do whatever the DEFAULT account does (for example, generate primary, secondary, both, or no passwords). This is the default keyword.
PRIMARY	Generate primary password only.
SECONDARY	Generate secondary password only.

When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, users are forced to change their passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

/MODIFY_IDENTIFIER (default)

/NOMODIFY_IDENTIFIER

Specifies whether the identifier associated with the user is to be modified in the rights database. This qualifier applies only when you modify the UIC or user name in the UAF record. By default, the associated identifiers are modified.

/PASSWORD=(password1[,password2])

/NOPASSWORD

Specifies up to two passwords for login. Passwords can be from 0 to 32 characters in length and can include alphanumeric characters, dollar signs, and underscores. Avoid using the word password as the actual password. Use the /PASSWORD qualifier as follows:

• To set only the first password and clear the second, specify /PASSWORD=password.
• To set both the first and second password, specify /PASSWORD=(password1, password2).
• To change the first password without affecting the second, specify /PASSWORD=(password, "").
• To change the second password without affecting the first, specify /PASSWORD=("", password).
• To set both passwords to null, specify /NOPASSWORD.

When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, the user is forced to change the password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

When you create a new UAF record with the RENAME command, you must specify a password.

Description

The RENAME command renames a SYSUAF record. It changes the user name of the SYSUAF record (and, if specified, the corresponding identifier) while retaining the characteristics of the old record. Retention of these characteristics can be particularly helpful when a user's name changes.

Note that because password verification includes the user name as well as the password, an attempted login will fail when the user whose name has been changed attempts to log in with an old password. (Only null passwords can be effectively transferred from one user record to another by the RENAME command.) Make it a practice to include a new password when you use the RENAME command, and notify the user of the change. If you omit the /PASSWORD qualifier, you receive a warning message reminding you that the old password must be changed.

The user's network authorization records are automatically changed to the new name.

Examples

UAF> RENAME HAWKES KRAMERDOVE/PASSWORD=MARANNKRA
%UAF-I-PRACREN, proxies to HAWKES renamed
%UAF-I-RENMSG, user record renamed
%UAF-I-RDBMDFYMSG, identifier HAWKES modified
      

The command in this example changes the name of the account Hawkes to Kramerdove, modifies the user name identifier for the account, and renames all proxies to the account.

UAF> RENAME HAWKES KRAMERDOVE
%UAF-I-PRACREN, proxies to HAWKES renamed
%UAF-I-RENMSG, user record renamed
%UAF-W-DEFPWD, Warning: copied or renamed records must receive
  new password
%UAF-I-RDBMDFYMSG, identifier HAWKES modified
      

This example shows the warning message that the system displays if you fail to specify a new password with the RENAME command.

Renames an identifier in the rights database.

Format

RENAME/IDENTIFIER current-id-name new-id-name

Parameters

current-id-name

Specifies the name of an identifier to be renamed.

new-id-name

Specifies the new name for the identifier.

Qualifiers

None.

Description

The RENAME/IDENTIFIER command is functionally equivalent to the following AUTHORIZE command:

MODIFY/IDENTIFIER/NAME=new-id-name id-name

Example

UAF> RENAME/IDENTIFIER Q1SALES Q2SALES
%UAF-I-RDBMDFYMSG, identifier Q1SALES modified
      

The command in this example renames the identifier Q1SALES to Q2SALES.

REVOKE/IDENTIFIER

Takes an identifier away from a user.

Format

REVOKE/IDENTIFIER id-name user-spec

Parameters

id-name

Specifies the identifier name. The identifier name is a string of 1 to 31 alphanumeric characters. The name can contain underscores and dollar signs. It must contain at least one nonnumeric character.

user-spec

Specifies the UIC identifier that uniquely identifies the user on the system. This type of identifier appears in alphanumeric format, not numeric format; for example, [GROUP1,JONES].

Description

The REVOKE/IDENTIFIER command edits RIGHTSLIST.DAT, removing the user's name from the list of those who hold a given identifier. The change does not affect the process rights list of any current processes.

Example

UAF> REVOKE/IDENTIFIER INVENTORY CRAMER
%UAF-I-REVOKEMSG, identifier INVENTORY revoked from CRAMER
      

The command in this example revokes the identifier INVENTORY from the user Cramer. Cramer loses the identifier and any resources associated with it.

Note that because rights identifiers are stored in numeric format, it is not necessary to change records for users holding a renamed identifier.

Displays reports for selected UAF records on the current SYS$OUTPUT device.

Format

SHOW user-spec

Parameter

user-spec

Specifies the user name or UIC of the requested UAF record. If you omit the user-spec parameter, the UAF records of all users are listed. The asterisk (*) and percent sign (%) wildcard characters are permitted in the user name.

Qualifiers

/BRIEF

Specifies that a brief report be displayed. In the report, the Directory field displays one of the following items:

• Disuser---The account has been disabled.
• Expired---The account has expired.
• A device and directory name---The login device and directory for the account (for example, DOCD$:[SMITH]).

If you omit the /BRIEF qualifier, AUTHORIZE displays a full report.

/FULL

Specifies that a full report be displayed, including identifiers held by the user. Full reports include the details of the limits, privileges, login flags, and the command interpreter as well as the identifiers held by the user. The password is not listed.

/EXACT

Controls whether the SHOW command matches the search string exactly or treats uppercase and lowercase letters as equivalents. Enclose the specified string within quotation marks (" "). Use /EXACT with the /PAGE=SAVE and /SEARCH qualifiers.

/HIGHLIGHT[=keyword]

/NOHIGHLIGHT (default)

Identifies how to display the line that contains a string once it is found. The following keywords are valid:

BLINK
BOLD (default)
REVERSE
UNDERLINE

Use the /HIGHLIGHT qualifier with the /PAGE=SAVE and /SEARCH qualifiers.

/PAGE[=keyword]

/NOPAGE (default)

Controls the information display on a screen. The following keywords are valid:

CLEAR_SCREEN	Clear the screen before displaying the next page.
SCROLL	Display a continuous stream of information.
SAVE[= n]	Store information and enable the navigational keys listed in Table 5-1. By default, the command saves 5 pages. The maximum page width is 255 columns.

Table 5-1 Screen Control Keys

Key or Key Sequence	Action Taken When Key or Key Sequence Is Pressed
DOWN ARROW KEY	Scroll the display down one line
LEFT ARROW KEY	Scroll the display one column to the left
RIGHT ARROW KEY	Scroll the display one column to the right
UP ARROW KEY	Scroll the display up one line
Find (E1)	Search for a new string in the information being displayed
Insert Here (E2)	Move the display to the right by half a screen
Remove (E3)	Move the display to the left by half a screen
Select (E4)	Switch from 80-column displays to 132-column displays
Prev Screen (E5)	Return to the previous page
Next Screen (E6)	Display the next page
CTRL/Z	Return to the UAF> prompt
Help	Display AUTHORIZE help text
F16 (Do)	Switch from the oldest to the newest page
Ctrl/W	Refresh the display

/SEARCH=string

Used with the /PAGE=SAVE qualifier to specify a string to find in the information being displayed. You can dynamically change the search string by pressing the Find key (E1) while the information is being displayed.

/WRAP

/NOWRAP (default)

Used with the /PAGE=SAVE qualifier to limit the number of columns to the width of the screen and wrap lines that extend beyond the width of the screen to the next line.

The /NOWRAP qualifier extends lines beyond the width of the screen. Use the /PAGE=SAVE qualifier and the screen control keys listed in Table 5-1 to view the entire screen.

Description

The SHOW command produces reports on user authorization records. You can select the reports to be displayed, as follows:

• To display a single-user report, specify a user name.
• To display reports for all users in ascending sequence by user name, specify an asterisk wildcard character (*).
• To display reports for all users with a common UIC, specify the UIC. Users with the same UIC are listed in the order in which they were added to the SYSUAF.
  You can also use the asterisk wildcard character to specify all or part of the UIC, as shown in the following examples:

  Command	Description
  SHOW [14,*] /BRIEF	Displays a brief report for all users in group 14, in ascending sequence by member number.
  SHOW [*,6] /BRIEF	Displays a brief report for all users with a member number of 6.
  SHOW [*,*] /BRIEF	Displays a brief report for all users, in ascending sequence by UIC.

Examples

UAF> SHOW ROBIN
      

The command in this VAX example displays a full report for the user ROBIN. The display corresponds to the first example in the description of the ADD command. Most defaults are in effect.

Username: ROBIN Owner: JOSEPH ROBIN Account: VMS UIC: [14,6] ([INV,ROBIN]) CLI: DCL Tables: DCLTABLES Default: SYS$USER:[ROBIN] LGICMD: Login Flags: Primary days: Mon Tue Wed Thu Fri Secondary days: Sat Sun No access restrictions Expiration: (none) Pwdminimum: 6 Login Fails: 0 Pwdlifetime: (none) Pwdchange: 15-JAN-2000 14:08 Last Login: (none) (interactive), (none) (non-interactive) Maxjobs: 0 Fillm: 300 Bytlm: 32768 Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0 Maxdetach: 0 BIOlm: 40 JTquota: 4096 Prclm: 2 DIOlm: 40 WSdef: 256 Prio: 4 ASTlm: 40 WSquo: 512 Queprio: 0 TQElm: 10 WSextent: 1024 CPU: (none) Enqlm: 200 Pgflquo: 32768 Authorized Privileges: TMPMBX NETMBX Default Privileges: TMPMBX NETMBX Identifier Value Attributes CLASS_CA101 %X80010032 NORESOURCE NODYNAMIC CLASS_PY102 %X80010049 NORESOURCE NODYNAMIC

Note The quotas Pbytlm and Queprio are placeholders only.

UAF> SHOW [360,*] /BRIEF
      

The command in this example displays a brief report for every user with a group UIC of 360.

Owner Username UIC Account Privs Pri Default Directory JOHN JAMES JAMES [360,201] USER Normal 4 DOCD$:[JAMES] SUSY JONES JONES [360,203] DOC Devour 4 DOCD$:[JONES] CLIFF BROWN BROWN [360,021] DOC All 4 disuser JOY CARTER CARTER [360,005] DOCSEC Group 4 expired

UAF> SHOW WELCH
      

This command displays a full report for the restricted user WELCH. This display corresponds to the second example in the description of the ADD command.

Username: WELCH Owner: ROB WELCH Account: INV UIC: [14,51] ([14,51]) CLI: DCL Tables: DCLTABLES Default: SYS$USER:[WELCH] LGICMD: SECUREIN Login Flags: Restricted Diswelcome Disnewmail ExtAuth Primary days: Mon Tue Wed Thu Fri Secondary days: Sat Sun Primary 000000000011111111112222 Secondary 000000000011111111112222 Day Hours 012345678901234567890123 Day Hours 012345678901234567890123 Network: ----- No access ------ ##### Full access ###### Batch: #########--------####### ---------#########------ Local: #########--------####### ---------#########------ Dialup: ##### Full access ###### ----- No access ------ Remote: #########--------####### ---------#########------ Expiration: (none) Pwdminimum: 6 Login Fails: 0 Pwdlifetime: (none) Pwdchange: (pre-expired) Last Login: (none) (interactive), (none) (non-interactive) Maxjobs: 0 Fillm: 300 Bytlm: 32768 Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0 Maxdetach: 0 BIOlm: 40 JTquota: 4096 Prclm: 2 DIOlm: 40 WSdef: 256 Prio: 4 ASTlm: 40 WSquo: 512 Queprio: 4 TQElm: 10 WSextent: 1024 CPU: (none) Enqlm: 200 Pgflquo: 32768 Authorized Privileges: TMPMBX NETMBX Default Privileges: TMPMBX NETMBX

Note that WELCH is a captive user who does not receive announcements of new mail or the welcome message when logging in. His login command file, SECUREIN.COM, is presumably a captive command file that controls all of his operations. (Such a command file never exits, but performs operations for its user and logs him out when appropriate.) The CAPTIVE flag prevents WELCH from escaping control of the command file by using Ctrl/Y or other means. Furthermore, he is restricted to logging in between the hours of 5:00 P.M. and 8:59 A.M. on weekdays and 9:00 A.M. and 5:59 P.M. on weekends. Although he is allowed to use dial-up lines at all times during the week, he is not allowed to log in over the network. On weekends, he is further restricted so that he cannot dial in at any time or use the DCL command SET HOST between the hours of 6:00 P.M. and 8:59 A.M.