External authentication allows the OpenVMS system manager to set up an OpenVMS user account for which login authentication is verified by the Advanced Server domain security. External authentication allows the Advanced Server to do the user authentication for both Advanced Server and OpenVMS user accounts.

External authentication is an option for users who have both OpenVMS and Advanced Server user accounts. It is not required. User host mapping provides the link between these two accounts, as described in Section 3.1.16, User Account Host Mapping.

With external authentication, users get automatic password synchronization between their OpenVMS account and their corresponding Advanced Server account. Externally authenticated users are considered to have a single password and are not subject to OpenVMS password policies, such as password expiration, password history, and minimum and maximum password length restrictions. Users are, however, subject to the Advanced Server account policy that is defined. All other OpenVMS account restrictions remain in effect, such as disabled accounts, time restrictions, and quotas. For information about setting up the system and enabling OpenVMS user accounts for external authentication, refer to the OpenVMS V7.2 Guide to System Security.

3.1.17.1 Configuring the Server Capacity for External Authentication

By default, the Advanced Server can support up to 10 simultaneous external authentication logon requests (signons). You can modify this maximum to suit the server requirements, using the Configuration Manager. For more details, see Section 7.1.4.4, Specifying the Maximum Number of Concurrent Signons.

3.1.17.2 Synchronizing Passwords

The password of an externally authenticated OpenVMS user is automatically synchronized with the host mapped Advanced Server domain user, regardless of the role of the Advanced Server in the domain.

When a user changes the OpenVMS password using the OpenVMS command SET PASSWORD, and external authentication is set for the user, OpenVMS forwards the password change request to the Advanced Server. When the password change request is successfully processed, OpenVMS updates the OpenVMS user password. If Advanced Server is not running when the OpenVMS command SET PASSWORD is executed, the domain password is not changed.

When users change their passwords from their client workstations, or the server administrator changes a password with the Advanced Server command SET PASSWORD, the Advanced Server processes the password change as usual. The OpenVMS password is synchronized when the user next logs in to OpenVMS. All password changes are synchronized. When an OpenVMS user no longer has the external authentication flag set, the password for the OpenVMS user account is the same as the one that was last set by Advanced Server.

OpenVMS accepts the user name in one of the following formats for user accounts set for external authentication:

• ASusername (network user name)
• Domainname\ASusername
• ASusername@Domainname

The form of the user name string determines the order in which OpenVMS verifies the logon:

• If ASusername is used, this name is first interpreted as an OpenVMS user name. If the user name exists and that user is not set for external authentication, the authentication is done as a standard OpenVMS login. Advanced Server authentication does not take place.
• If the domain name is included in the user name, OpenVMS activates external authentication of the user, using the name of the domain supplied:
  • If the domain name is the same as that of the local server, the local server will proceed to authenticate this request.
  • If the domain name is different from that of the local server, the software checks the data field for the server configuration parameter HostMapDomains in the OpenVMS Registry to verify whether the specified domain is in the list of those that the server's domain trusts. If the domain is listed there, the authentication request is forwarded to the specified domain for authentication.

Because external authentication depends on hostmapping information, it is important to set up user accounts and hostmapping carefully. For example, if the same user name exists in the Advanced Server and OpenVMS, but they are not the same user, external authentication may not work as you expect.

In the following examples, you have Advanced Server running on OpenVMS node VMS1 in the domain SaleOffice, with network users Smith and J_Smith and OpenVMS users Smith and V_Smith.

• You enable external authentication for both of the OpenVMS users and then specify the user host mapping as follows:

  $ ADMINISTER ADD HOSTMAP SMITH V_SMITH $ ADMINISTER ADD HOSTMAP J_SMITH SMITH

  
  When OpenVMS user Smith uses his network user name J_Smith and password to log on to VMS1, this logon will be successful, providing the password is correct.
  However, when OpenVMS user V_Smith uses her network user name Smith and password to log on to VMS1, this logon will fail because of the name space conflict between Advanced Server and OpenVMS.
  To log on, OpenVMS user V_Smith must specify her network user name, specifying the domain name (either Smith@SaleOffice or SaleOffice\Smith).

• You enable external authentication only for OpenVMS user V_Smith, specifying the following command:

  $ ADMINISTER ADD HOSTMAP SMITH V_SMITH

  
  When OpenVMS user V_Smith uses her network user name Smith to log on to VMS1, the logon will fail, because Smith will first be interpreted as an OpenVMS user name. Because the OpenVMS user name exists, and it is not enabled for external authentication, the OpenVMS authentication mechanism is used to verify the password.
  To log on, the OpenVMS user V_Smith must specify the domain name with her network user name (either Smith@SaleOffice or SaleOffice\Smith).

You can set up an OpenVMS account to be externally authenticated by a trusted domain in your network. To enable this feature, you must include the trusted domain name in the data field for the server configuration parameter HostMapDomains in the OpenVMS Registry. Refer to Section 7.2, Managing Server Configuration Parameters.

For example, if your OpenVMS system is in the SaleOffice domain, and this domain trusts the Marketing domain, set up OpenVMS user Jones to be externally authenticated by the Marketing domain as follows:

1. Use the PWRK$REGUTL utility to modify the server configuration parameter HostMapDomains to include the trusted domain name.
2. Ensure that a network user account with user name Jones exists in the Marketing Domain.
3. Enable external authentication for OpenVMS user account Jones.
4. To log on, the user must specify the user name in one of the following forms:

   Jones@Marketing Marketing\Jones

Groups are collections of user accounts and other groups. When you add a user to a group, the user has all the rights and permissions granted to the group. This provides an easy way to grant common capabilities to sets of users. (For additional information about planning Advanced Server groups, see the Advanced Server for OpenVMS Concepts and Planning Guide.)

You use groups to manage access to resources like directories, files, and printers. To do this, assign permissions to the resource, specifying the group names, and add the user accounts to the groups. To change the permissions for a group, add or remove the permissions on the resource for the group, rather than for each user. Or, if you need to give a user access to specific resources (for example, certain directories and files), add the user's account to the appropriate group rather than changing permissions on each individual resource. Maintaining permissions for a group is simpler than maintaining permissions for individual user accounts.

Every group is either a global group or a local group.

• Global groups can be used both in their own domains and in trusting domains. You can use global groups to grant rights and permissions to global users. By default, new groups are global groups. Global groups can be members of a local group.
• Local groups can be granted permissions and rights only for the servers in their domains. However, they can contain user accounts and global groups both from their domains and from trusted domains. Local groups let you create sets of users from both inside and outside the domain, to access resources in the domain where the local group is created.

Table 3-2, summarizes how local and global groups are used.

Table 3-2 Uses of Local and Global Groups

If...	Need to access a resource on...	You put them in a...
User accounts from this domain	The servers and workstations of this domain or of other domains	Global group
User accounts from other domains	The servers of this domain	Local group
Global groups from this domain	The servers of this domain	Local group
Global groups from other domains	The servers of this domain	Local group

3.2.1 Built-In Groups

Advanced Server creates several built-in groups automatically during installation. Built-in groups have certain access rights. To give the access rights to a user account, add the user to the appropriate group. By default, all users belong to the built-in group Domain Users.

Table 3-3 lists the built-in groups, with their group type (global or local), and their default members.

Table 3-3 Built-In Groups

Group Name	Group Type	Description	Default Members
Account Operators	Local	Members can administer domain user and group accounts.	None
Administrators	Local	Members can fully administer the domain and other domains.	Administrator, Domain Admins
Backup Operators	Local	Members can bypass file security to back up files.	None
Domain Admins	Global	Designated administrators of the domain.	Administrator
Domain Guests	Global	All domain guests.	Guests
Domain Users	Global	All domain users.	Administrator, user accounts
Guests	Local	Users granted guest access to the domain.	Domain Guests
Print Operators	Local	Members can administer domain printers.	None
Server Operators	Local	Members can administer domain servers.	None
Users	Local	Ordinary users.	Domain Users

3.2.2 Setting Up User Groups

To set up a new user group, use the ADD GROUP command. If you do not specify the group type, the default is to add the group as a global group. To create a local group, include the /LOCAL qualifier on the command line. For example, to add the local group MUNCHINS, enter the following command. Note that the description of the group is enclosed in quotation marks.

LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/DESCRIPTION="Oz local group"/LOCAL %PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN> SHOW GROUPS Groups in domain "LANDOFOZ": Group Name Type Description --------------------- ----------- ------------------------------------- Account Operators Local Members can administer domain user and group accounts Administrators Local Members can fully administer the domain Backup Operators Local Members can bypass file security to back up files DEVAS Global DEVIS Global Domain Admins Global Designated administrators of the domain Domain Guests Global All domain guests Domain Users Global All domain users Guests Local Users granted guest access to the domain MONKEYS Global Users in the Land of Oz MUNCHKINS Local Oz local group Print Operators Local Members can administer domain printers Replicator Local Supports file replication in a domain Server Operators Local Members can administer domain servers Users Local Ordinary users Total of 15 groups LANDOFOZ\\TINMAN>

3.2.3 Adding Users to Groups

You can add users to groups in any of the following ways:

• When you use the ADD GROUP command, include the /MEMBERS qualifier.
• When you add a new user, include the /MEMBER_OF_GROUPS qualifier. (See Section 3.1.6, Specifying Group Membership, for more information.)

Local groups can include users from domains other than the one currently being administered. To specify a user account from another domain, a trust relationship must be established that allows the domain being administered to trust the domain where the user account is defined.

To specify a user account or global group in a trusted domain, enter a domain-qualified name (domain-name\member-name), such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. If you omit a domain name, the user or group is assumed to be defined in the domain being administered.

To add members to a new group

Include the /MEMBERS qualifier on the ADD GROUP command. For example, to add a new group MUNCHKINS and specify the group members SCARECROW and STRAWMAN, enter the following command:

LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/MEMBERS=(SCARECROW,STRAWMAN) %PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN>

3.2.4 Copying Groups

To simplify creating a new group, you can use the COPY GROUP command to copy an existing group to the new group, with a new name, keeping the members and description from the previous group. For example, to form a new group called QUADLINGS from an existing group called MUNCHKINS, use the following command:

LANDOFOZ\\TINMAN> COPY GROUP MUNCHKINS QUADLINGS %PWRK-S-GROUPCOPY, group "MUNCHKINS" copied to "QUADLINGS" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>

This command copies the description and group members from MUNCHKINS to the new group, QUADLINGS. You can display information about the new group using the SHOW GROUPS/FULL command. For example:

LANDOFOZ\\TINMAN> SHOW GROUPS QUADLINGS/FULL Groups in domain "LANDOFOZ": Group Name Type Description ---------- ------ ----------------------------- QUADLINGS Local Oz local group Members: [US]LION,[US]SCARECROW Total of 1 group LANDOFOZ\\TINMAN>

To change the group description, use the MODIFY GROUP/DESCRIPTION command.

3.2.5 Modifying a Group

You can change the membership or description of an existing group.

To add a member to an existing group:

Use the MODIFY GROUP command with the /ADD_MEMBERS qualifier. For example, to add the user LION to the group MONKEYS, enter the following command:

LANDOFOZ\\TINMAN> MODIFY GROUP MONKEYS/ADD_MEMBERS=LION %PWRK-S-GROUPMOD, group "MONKEYS" modified on domain "LANDOFOZ" LANDOFOZ\\TINMAN> SHOW GROUP MONKEYS Groups in domain "LANDOFOZ": Group Name Full Name Type Description ---------- --------- ------- ------------------------ MONKEYS Global Winged monkeys Members: [US]LION Total of 1 group) LANDOFOZ\\TINMAN>

To remove a member from a group:

Use the MODIFY GROUP command with the /REMOVE_MEMBERS qualifier. For example, to remove SCARECROW from the group MUNCHKINS, enter the following command:

LANDOFOZ\\TINMAN> MODIFY GROUP MUNCHKINS/REMOVE_MEMBERS=SCARECROW %PWRK-S-GROUPMOD, group "MUNCHKINS" modified on domain "LANDOFOZ" LANDOFOZ\\TINMAN>

3.2.6 Deleting a Group

Deleting a group removes only that group; it does not delete user accounts or global groups that are members of the deleted group. You cannot recover a deleted group.

Internally, the Advanced Server recognizes every group by its security identifier (SID), which is used when assigning permissions to a resource. If you delete a group and then create another group with the same group name, the new group does not inherit access to any resources available to the old group because the groups have different SIDs.

To delete a group:

Use the REMOVE GROUP command. For example:

LANDOFOZ\\TINMAN> REMOVE GROUP QUADLINGS Each group is represented by a unique identifier which is independent of the group name. Once this group is deleted, even creating an identically named group in the future will not restore access to resources which currently name this group in the access control list. Remove "QUADLINGS" [YES or NO] (YES) : YES %PWRK-S-GROUPREM, group "QUADLINGS" removed from domain "LANDOFOZ" LANDOFOZ\\TINMAN>

The command deletes the group QUADLINGS from the LANDOFOZ domain.