By default, the PATHWORKS Advanced Server can support up to 10
simultaneous external authentication logon requests (signons). You can
modify this maximum to suit the server requirements, using the
Configuration Manager. For more details, see Section 7.3.4, Specifying the Maximum Number of Concurrent Signons.
3.3.13.3 Password Synchronization
The password of an externally authenticated OpenVMS user is automatically synchronized with the host mapped PATHWORKS Advanced Server domain user, regardless of the role of the PATHWORKS Advanced Server in the domain.
When a user changes the OpenVMS password using the OpenVMS command SET PASSWORD, and external authentication is set for the user, OpenVMS forwards the password change request to the PATHWORKS Advanced Server. When the password change request is successfully processed, OpenVMS updates the OpenVMS user password. If PATHWORKS Advanced Server is not running when the OpenVMS command SET PASSWORD is executed, the domain password is not changed.
When users change their passwords from their client workstations, or the server administrator changes a password with the PATHWORKS Advanced Server command SET PASSWORD, the PATHWORKS Advanced Server processes the password change as usual. The OpenVMS password is synchronized when the user next logs in to OpenVMS. All password changes are synchronized. When an OpenVMS user no longer has the external authentication flag set, the password for the OpenVMS user account is the same as the one that was last set by PATHWORKS Advanced Server.
Password synchronization may fail due to the different sets of valid characters allowed by OpenVMS and PATHWORKS Advanced Server. Keep this in mind when changing the password of an externally authenticated user.
Groups are collections of user accounts and other groups. When you add a user to a group, the user has all the rights and permissions granted to the group. This provides an easy way to grant common capabilities to sets of users. (For additional information about planning PATHWORKS Advanced Server groups, see the Advanced Server for OpenVMS Concepts and Planning Guide.)
OpenVMS system groups are unrelated to PATHWORKS Advanced Server domain groups.
You use groups to manage access to resources like directories, files, and printers. To do this, assign permissions to the resource, specifying the group names, and add the user accounts to the groups. To change the permissions for a group, add or remove the permissions on the resource for the group, rather than for each user. Or, if you need to give a user access to specific resources (for example, certain directories and files), add the user's account to the appropriate group rather than changing permissions on each individual resource. Maintaining permissions for a group is simpler than maintaining permissions for individual user accounts.
Every group is either a global group or a local group.
PATHWORKS Advanced Server creates several built-in groups automatically during installation. Built-in groups have certain access rights. To give the access rights to a user account, add the user to the appropriate group. By default, all users belong to the built-in group Domain Users.
The following table lists the built-in groups, with their group type (global or local), and their default members. These groups are described in more detail in the following sections.
Group Name | Group Type | Description | Default Members |
---|---|---|---|
Account Operators | Local | Members can administer domain user and group accounts. | None |
Administrators | Local | Members can fully administer the domain and other domains. | Administrator, Domain Admins |
Backup Operators | Local | Members can bypass file security to back up files. | None |
Domain Admins | Global | Designated administrators of the domain. | Administrator |
Domain Guests | Global | All domain guests. | Guests |
Domain Users | Global | All domain users. | Administrator, user accounts |
Guests | Local | Users granted guest access to the domain. | Domain Guests |
Print Operators | Local | Members can administer domain printers. | None |
Server Operators | Local | Members can administer domain servers. | None |
Users | Local | Ordinary users. | Domain Users |
3.4.1.1 Operators Groups
By assigning a user account to a group with operator privileges, you
give the user access to server administration functions. Being a member
of an operators group allows a user to perform the administrative tasks
shown in the following table.
A member of this group... | Can perform these tasks... |
---|---|
Account Operators | - Create, remove, and modify user accounts in the Users or Guests group.<br>- Create, remove, and modify groups.<br>- Modify logon restrictions.<br>- An Account Operator cannot change the Administrators group except to change group memberships; an Account Operator cannot add members to the Administrators group. |
Backup Operators | - Access network files for backup. |
Print Operators | - Share and stop sharing print queues.<br>- Create, remove, and modify print queues.<br>- Control print jobs.<br>- Display a list of resources shared on the server. |
Server Operators | - Share and stop sharing resources.<br>- Read and clear the error log.<br>- Close user sessions and files that users have opened.<br>- Display a list of resources shared on the server. |
As a member of the Administrators group, you can perform administrative tasks on the server to:
As a member of the Administrators group, you can manage all shared resources on the server. A file or directory resource must have explicit access permission set for the Administrators group for you to access it. However, you can take ownership of the resource and then alter permissions on the file or directory to allow Administrators access.
When you delete an account that is a member of the Administrators
group, the PATHWORKS Advanced Server checks for at least one other
active account in the Administrators group on the server. This ensures
that you never delete the last Administrators account and thus lock
yourself out from being able to administer the server.
3.4.1.3 Domain Admins Group
As a member of the Domain Admins group, you are designated as an
administrator who can manage resources and services throughout the
domain. Your rights are not restricted to a single server or OpenVMS
cluster. This is a built-in global group.
3.4.1.4 Guests Group
Members of the Guests group have the same capabilities as members of the Users group. They can use network resources (subject to the access permissions for the resources), display information about resources that servers share, and display the status of print queues. There are two reasons to place a user in the Guests group:
A user in the Guests group cannot also be a member of an Operators group. The Guests group is a local group.
3.4.1.5 Users Group
The Users group provides the default access level to all users. This
enables the user to:
To assign permissions for a resource to all user accounts on a server,
assign those permissions to the Users group. The Users group is a local
group.
3.4.2 Special Groups
In addition to built-in global and local groups, the PATHWORKS Advanced Server creates groups for special purposes. Special groups are visible with commands that display permissions on resources, such as the SHOW SHARES/FULL command, if the resources have share permissions granted to the special group.
Special groups are not included in the SHOW GROUPS display. Do not modify the properties of these special groups. You cannot delete special groups.
The special groups provided with the PATHWORKS Advanced Server include:
In the PATHWORKS (Advanced Server) environment, you add users to groups to establish the capabilities and permissions for those users. You create groups with the ADD GROUP or COPY GROUP command, change their membership or capabilities with the MODIFY GROUP command, and display groups and their capabilities and permissions with the SHOW GROUPS command. For more information on these commands, refer to the Advanced Server for OpenVMS Commands Reference Manual.
The following table summarizes how local and global groups are used.
If... | Need to access a resource on... | You put them in ... |
---|---|---|
User accounts from this domain | The servers and workstations of this domain or of other domains | A global group |
User accounts from other domains | The servers of this domain | A local group |
Global groups from this domain | The servers of this domain | A local group |
Global groups from other domains | The servers of this domain | A local group |
To set up a new user group, use the ADD GROUP command. If you do not specify the group type, the default is to add the group as a global group. To create a local group, include the /LOCAL qualifier on the command line. For example:
```
LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/DESCRIPTION="Oz local group"/LOCAL
%PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ"

LANDOFOZ\\TINMAN> SHOW GROUPS

Groups in domain "LANDOFOZ":

Group Name             Type         Description
---------------------  -----------  -------------------------------------
Account Operators      Local        Members can administer domain user and group accounts
Administrators         Local        Members can fully administer the domain
Backup Operators       Local        Members can bypass file security to back up files
DEVAS                  Global
DEVIS                  Global
Domain Admins          Global       Designated administrators of the domain
Domain Guests          Global       All domain guests
Domain Users           Global       All domain users
Guests                 Local        Users granted guest access to the domain
MONKEYS                Global       Users in the Land of Oz
MUNCHKINS              Local        Oz local group
Print Operators        Local        Members can administer domain printers
Replicator             Local        Supports file replication in a domain
Server Operators       Local        Members can administer domain servers
Users                  Local        Ordinary users

  Total of 15 groups

LANDOFOZ\\TINMAN>
```
To simplify creating a new group, you can use the COPY GROUP command to copy an existing group to the new group, with a new name, keeping the members and description from the previous group. For example, to form a new group called QUADLINGS from an existing group called MUNCHKINS, use the following command:
```
LANDOFOZ\\TINMAN> COPY GROUP MUNCHKINS QUADLINGS
%PWRK-S-GROUPCOPY, group "MUNCHKINS" copied to "QUADLINGS" in domain "LANDOFOZ"

LANDOFOZ\\TINMAN>
```
This command copies the description and group members from MUNCHKINS to the new group, QUADLINGS. You can display information about the new group using the SHOW GROUPS/FULL command. For example:
```
LANDOFOZ\\TINMAN> SHOW GROUPS QUADLINGS/FULL

Groups in domain "LANDOFOZ":

Group Name  Type    Description
----------  ------  -----------------------------
QUADLINGS   Local   Oz local group
   Members: [US]LION,[US]SCARECROW

  Total of 1 group

LANDOFOZ\\TINMAN>
```
To change the group description, use the MODIFY GROUP/DESCRIPTION
command.
3.5.3 Modifying a Group
You can change the membership or description of an existing group.
To modify a group:
Use the MODIFY GROUP command. For example:
```
LANDOFOZ\\TINMAN> MODIFY GROUP MONKEYS/ADD_MEMBERS=LION
%PWRK-S-GROUPMOD, group "MONKEYS" modified on domain "LANDOFOZ"

LANDOFOZ\\TINMAN> SHOW GROUP MONKEYS

Groups in domain "LANDOFOZ":

Group Name  Full Name  Type     Description
----------  ---------  -------  ------------------------
MONKEYS                Global   Winged monkeys
   Members: [US]LION

  Total of 1 group

LANDOFOZ\\TINMAN>
```
Deleting a group removes only that group; it does not delete user accounts or global groups that are members of the deleted group. You cannot recover a deleted group.
Internally, the PATHWORKS Advanced Server recognizes every group by its security identifier (SID), which is used when assigning permissions to a resource. If you delete a group and then create another group with the same group name, the new group does not inherit access to any resources available to the old group because the groups have different SIDs.
To delete a group:
Use the REMOVE GROUP command. For example:
```
LANDOFOZ\\TINMAN> REMOVE GROUP QUADLINGS
Each group is represented by a unique identifier which is independent of
the group name. Once this group is deleted, even creating an identically
named group in the future will not restore access to resources which
currently name this group in the access control list.
Remove group "QUADLINGS" [YES or NO] (YES) : YES
%PWRK-S-GROUPREM, group "QUADLINGS" removed from domain "LANDOFOZ"

LANDOFOZ\\TINMAN>
```
The command deletes the group QUADLINGS from the LANDOFOZ domain.
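The SID behavior described in this section, modeled as an added Python example (it is not PATHWORKS Advanced Server code): access control entries store the group's SID rather than its name, so a re-created QUADLINGS group has no access until permissions are granted again, and the old entry is left orphaned. The `Domain` class, the SID strings, and the `EMERALD_SHARE` resource are constructed for illustration.

```python
import itertools


class Domain:
    """Toy model: groups are identified by SID; ACLs store SIDs, not names."""

    def __init__(self, name):
        self.name = name
        self._rid = itertools.count(1000)  # constructed counter, never reused
        self.groups = {}                   # group name -> {"sid", "members"}
        self.acls = {}                     # resource -> {sid: permission}

    def add_group(self, group, members=()):
        sid = f"S-1-5-21-EXAMPLE-{next(self._rid)}"  # constructed SID value
        self.groups[group] = {"sid": sid, "members": set(members)}
        return sid

    def remove_group(self, group):
        # Only the group is removed; ACL entries naming its SID stay behind.
        return self.groups.pop(group)["sid"]

    def grant(self, resource, group, permission):
        sid = self.groups[group]["sid"]
        self.acls.setdefault(resource, {})[sid] = permission

    def access(self, user, resource):
        """Permissions the user holds on the resource through group SIDs."""
        sids = {g["sid"] for g in self.groups.values() if user in g["members"]}
        acl = self.acls.get(resource, {})
        return {perm for sid, perm in acl.items() if sid in sids}

    def orphaned_entries(self):
        """ACL entries whose SID no longer belongs to any existing group."""
        live = {g["sid"] for g in self.groups.values()}
        return sorted((res, sid) for res, acl in self.acls.items()
                      for sid in acl if sid not in live)


def demo():
    d = Domain("LANDOFOZ")
    old_sid = d.add_group("QUADLINGS", {"LION", "SCARECROW"})
    d.grant("EMERALD_SHARE", "QUADLINGS", "READ")
    before = d.access("LION", "EMERALD_SHARE")
    d.remove_group("QUADLINGS")
    new_sid = d.add_group("QUADLINGS", {"LION", "SCARECROW"})  # same name
    after = d.access("LION", "EMERALD_SHARE")
    orphans = d.orphaned_entries()
    d.grant("EMERALD_SHARE", "QUADLINGS", "READ")  # permissions must be re-granted
    return before, after, old_sid != new_sid, orphans, d.access("LION", "EMERALD_SHARE")


if __name__ == "__main__":
    print(demo())
```

The orphaned entry reported by `orphaned_entries()` is the kind of leftover to look for on resources after a group has been removed.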