Document revision date: 19 July 1999 | |
Previous | Contents | Index |
The following sections explain how to use two different methods for adding user accounts:
Once you analyze the purpose of a user account and decide which attributes and resources it requires, you can use the Authorize utility (AUTHORIZE) to create the account.
$ SET PROCESS/PRIVILEGE=SYSPRV |
$ SET DEFAULT SYS$SYSTEM $ RUN AUTHORIZE UAF> |
UAF> ADD JONES/PASSWORD=LPB57WM/UIC=[014,1] - _UAF> /DEVICE=DISK$USER/DIRECTORY=[JONES] - _UAF> /LGICMD=DISK$USER:[NEWPROD]GRPLOGIN - _UAF> /OWNER="ROBERT JONES"/ACCOUNT=DOC |
This section lists the qualifiers that you can use when setting up an account with AUTHORIZE. Table 6-6 lists the qualifiers under the account attribute that they affect. See Section 6.11.2 for a detailed description of each qualifier. For a complete list of AUTHORIZE qualifiers, see the OpenVMS System Management Utilities Reference Manual.
Limits and Quotas1 | ||
---|---|---|
/ASTLM | /FILLM | /PRCLM |
/BIOLM | /JTQUOTA | /TQELM |
/BYTLM | /MAXACCTJOBS | /WSDEFAULT |
/CPUTIME | /MAXDETACH | /WSEXTENT |
/DIOLM | /MAXJOBS | /WSQUOTA |
/ENQLM | /PGFLQUOTA | |
Priority2 | ||
/PRIORITY | ||
Privileges | ||
/DEFPRIVILEGES | /PRIVILEGES | |
Login Access Controls 3 | ||
/ACCESS | /FLAGS 4 | /PRIMEDAYS |
/DIALUP | /INTERACTIVE | /REMOTE |
/EXPIRATION | /LOCAL |
As an alternative to using the Authorize utility, you can use a command procedure to create user accounts. The ADDUSER.COM procedure, which is located in the SYS$EXAMPLES directory, is an example of such a procedure; it supplies prompts and several default values for creating the new account.
You can modify ADDUSER.COM as appropriate for the needs of your system. To run ADDUSER.COM, log in to the SYSTEM account and enter the following command:
$ @SYS$EXAMPLES:ADDUSER.COM |
ADDUSER.COM prompts you to enter values in a number of UAF record fields. If you press Return without specifying a value for a field, ADDUSER supplies the following default values:
UAF Field | Default Value |
---|---|
User name | No default; must supply |
Owner | No default; must supply |
Password | User name specified |
UIC group number | 200 |
UIC member number | No default; must supply number |
Account name | Optional |
Privileges | TMPMBX,NETMBX |
Login directory | User name specified |
Login device | $DISK1 |
Disk quota | 1000 |
Overdraft quota | 100 |
The UIC must be unique for the system. For example, each account in the UIC group 200 must have a unique member number. You can list the UICs currently assigned to users by entering a question mark ( ? ) after the UIC member number prompt. The account is not created until you have answered all of the questions in the procedure. The procedure has the following final prompt:
Is everything satisfactory with the account [YES]? |
If you press Return, the account is created and remains in SYSUAF.DAT as specified. If you enter NO, the account is removed.
If you press Ctrl/Y before, during, or directly after the system displays the characteristics of the account (that is, before you respond to the "satisfactory?" prompt), the account, or portions of it, will still be added. |
Make sure users log in to their accounts promptly to change the
password.
6.7 Maintaining User Accounts
As system manager, you perform a certain number of user account maintenance tasks, such as modifying and deleting accounts. The following sections explain how to perform these tasks:
Task | Section |
---|---|
Using command procedures for interactive accounts | Section 6.7.1 |
Modifying a user account | Section 6.7.2 |
Listing user accounts | Section 6.7.3 |
Maintaining the user environment | Section 6.7.4 |
Deleting a user account | Section 6.7.5 |
Using BACKUP to remove user files | Section 6.7.6 |
Disabling a user account | Section 6.7.7 |
For all accounts, login command procedures contain commands commonly executed at the beginning of every user session. These commands do such tasks as the following ones:
Login command procedures are useful for saving keystrokes and standardizing operations.
In establishing login command procedures for interactive accounts, you have the following choices:
Login Command Procedure | Description |
---|---|
System | As system manager, you normally create and maintain a standard login command procedure in the system directory (the file is usually named SYS$MANAGER:SYLOGIN.COM). You then assign the logical name SYS$SYLOGIN to the name of the file so that whenever a user logs in, the procedure is executed. |
Individual | For any or all accounts, you can specify an additional login command procedure with the /LGICMD qualifier of the AUTHORIZE commands ADD, MODIFY, or COPY. You can give the login command procedure any valid file specification. Whenever the user logs in, the additional procedure is executed after SYS$SYLOGIN. |
User-specified command file |
If system (and, optionally, individual) login command procedures are
not implemented, the system looks for a command file called LOGIN.COM
in the user's login directory as defined by the UAF (user authorization
file) record device and directory fields. If the file is found, the
system executes it. The user develops and maintains this command file,
which should follow these conventions:
You can provide an aid to new users by copying a login command procedure template into newly created top-level directories. However, to ensure proper ownership of the file, change the owner UIC (user identification code) of the file to that of the user. Make this change with the DCL command SET FILE/OWNER. |
Example 6-1 illustrates typical systemwide login command procedures.
Example 6-1 Sample Systemwide SYS$MANAGER:SYLOGIN.COM Login Command Procedure |
---|
$ V = F$VERIFY(0) $START: $ ! $ SET NOCONTROL=Y ! Do not allow Ctrl/Y to exit procedure $ SET NOON $ ! $ ! Allow network jobs to start faster $ ! $ IF F$MODE() .EQS. "NETWORK" THEN GOTO EXIT $ ! $ ! Enable Ctrl/T handling by DCL $ ! $ SET CONTROL=T $ ! $ ! Define Foreign Commands For Installed Utilities $ ! $ USERS == "SHOW USERS" $ DISPLAY == "MONITOR PROCESSES/TOPCPU" $ INFO == "SHOW PROCESS/CONTINUOUS" $ SUSPEND == "SET PROCESS/SUSPEND" $ RESUME == "SET PROCESS/RESUME" $ SETNAME == "SET PROCESS/NAME" $ ! $ ! Define a symbol indicating whether the terminal $ ! is on a dialup port $ ! $ TT == F$GETDVI("TT","DEVNAM")-"_" $ DIALUP == ((TT .GES. "TTG0:" .AND. TT .LES. "TTG4:") - .OR. (TT .GES. "TTH1:" .AND. TT .LES. "TTH4:") - .OR. (TT .EQS. "TTI5:")) $ IF DIALUP THEN SET TERMINAL/INQUIRE $ ! $EXIT: $ IF V THEN SET VERIFY . . . $ SET CONTROL=Y $ EXIT |
As the example shows, you can disable the Ctrl/Y function (which suspends execution of the current image and invokes the command interpreter) to force execution of the complete login command procedure whenever the user logs in. Do this with the DCL command SET NOCONTROL=Y. Before the login command procedure exits, add the DCL command that resets the Ctrl/Y function (SET CONTROL=Y).
Example 6-2 shows typical abbreviations and symbols that a user might define in a login file.
Example 6-2 Sample Login Command Procedure (LOGIN.COM) for a User Account |
---|
$ SET NOON $ SET PROTECTION=(S=RD,O=RWED,G=R,W=R)/DEFAULT $ ! $ ! Define abbreviations for often used commands $ ! $ DIR*ECTORY == DIRECTORY/DATE/SIZE $ PU*RGE == PURGE/LOG $ DE*LETE == DELETE/LOG/CONFIRM $ ! $ ! $ ! Other useful abbreviations $ ! $ SHP == "SHOW PROCESS/PRIVILEGES" $ PRI*NT == "PRINT/NOTIFY" $ SHD == "SHOW DEFAULT" $ UP == "SET DEFAULT [-]" $ SP == "SET PROCESS/PRIVILEGES=" $ SQ == "SHOW QUEUE/BATCH/ALL/DEVICE" $ H*OME == "SET DEFAULT SYS$LOGIN" $ SUB*MIT == "SUBMIT/NOTIFY" $ SYS == "SHOW SYSTEM" $ DAY == "SHOW TIME" $ ! $ ! Set /LOG for all commands $ ! $ BACK*UP == "BACKUP/LOG" $ DEL*ETE == "DELETE/LOG" $ LIB*RARY == "LIBRARY/LOG" $ PUR*GE == "PURGE/LOG" $ REN*AME == "RENAME/LOG" $ ! $ ! End of LOGIN.COM processing $ ! $ GOTO 'F$MODE() $NETWORK: $ EXIT $INTERACTIVE: $ VN == "SET TERMINAL/WIDTH=80" $ VW == "SET TERMINAL/WIDTH=132" $ EXPERT == "SET MESSAGE/NOFACIL/NOSEVER/NOIDENT" $ NOVICE == "SET MESSAGE/FACILITY/SEVERITY/IDENTIF" $ NOVICE $ ! $ ! Symbols for network users $ ! $ SYSA == "SET HOST SYSA" $ SYSB == "SET HOST SYSB" $ SYSC == "SET HOST SYSC" $ EXIT ! End of interactive login $BATCH: $ SET VERIFY ! End of batch login $ EXIT |
Using Logout Command Procedures
The system does not provide for automatic execution of a command procedure at logout time. However, you can supply one as follows.
$ LO*GOUT:==@SYS$MANAGER:SYLOGOUT |
The last line of the logout command procedure then uses an alternate form of the LOGOUT command, such as a LOGOUTNOW command. (You can create any command name you like beginning with LO.) You cannot use the same abbreviation as used for the symbol (in this case LO) because it will start the procedure again. As an alternative, you could add the following command, just above the last line:
$ DELETE/SYMBOL/GLOBAL LOGOUT |
Note that this technique works in some situations but it is not
foolproof; there are many alternative ways to terminate a process.
6.7.2 Modifying a User Account
To change a user account's quotas, default directory, password, authorized privileges, or any other characteristics assigned by AUTHORIZE, use the MODIFY command. You can use the MODIFY command to change any field in an existing user account. However, a user must log out and log in again for the modifications to take effect.
UAF> MODIFY WELCH/GENERATE_PASSWORD |
UAF> MODIFY JONES/FILLM=40 |
Use the AUTHORIZE command LIST to create the file SYSUAF.LIS, containing a summary of all user records in the UAF. By default, the LIST command produces a brief report containing the following information from the UAF:
Use the /FULL qualifier to create a full report of all the information (except user passwords) contained within the UAF.
The following example writes a brief report of the UAF to the output file SYSUAF.LIS:
UAF> LIST %UAF-I-LSTMSG1, writing listing file %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete |
The system displays the same messages when you use the /FULL qualifier.
However, a full report is written to the output file.
6.7.4 Maintaining the User Environment
As the work requirements of your system change, you might have to perform the following tasks:
With the Authorize utility, you can perform these maintenance operations by modifying or deleting records in the UAF.
Creating Additional Default Record Templates
On systems where all users perform the same type of work, you typically use the system-supplied default record, DEFAULT, as the template for adding new user records. You might find, however, that your system supports several different user categories, each category performing a specific type of work and requiring unique record attributes. Instead of always using the system-supplied default record as a template and making numerous changes each time you add a user record, you can create additional default UAF records to serve as templates for each user category.
Before you create additional default records, you must make the following decisions:
Once you define a user category and establish which record attributes are needed, you can create the default record.
UAF> ADD DEFAULT2/LGICMD=ALT_COM_PROC/FLAGS=CAPTIVE - _UAF> /DEVICE=USER3:/DIRECTORY=[PRODUCT] |
UAF> COPY DEFAULT2 PALOOKA/PASSWORD=W7YA84MI/UIC=[360,114] |
The main problem in deleting an account, especially an interactive or restricted account, is deleting the files used by the account.
The following steps are suggested:
The command procedure template in Example 6-3 deletes an account's files.
Do not execute this command procedure from a privileged account. |
Example 6-3 Command Procedure Template for Deleting an Account's Files |
---|
$ ! DELTREE.COM - deletes a complete directory tree $ ! $ ! P1 = pathname of root of tree to delete $ ! $ ! All files and directories in the tree, including $ ! the named root, are deleted. $ ! $ IF "''DELTREE'" .EQS. "" THEN DELTREE = "@SYS$LIBRARY:DELTREE" $ ON CONTROL_Y THEN GOTO DONE $ ON WARNING THEN GOTO DONE $ DEFAULT = F$LOGICAL("SYS$DISK") + F$DIRECTORY() $10: $ IF P1 .NES. "" THEN GOTO 20 $ INQUIRE P1 "Root" $ GOTO 10 $20: $ IF F$PARSE(P1) .EQS. "" THEN OPEN FILE 'P1' $ SET DEFAULT 'P1' $LOOP: $ FILESPEC = F$SEARCH("*.DIR;1") $ IF FILESPEC .EQS. "" THEN GOTO LOOPEND $ DELTREE [.'F$PARSE(FILESPEC,,,"NAME")'] $ GOTO LOOP $LOOPEND: $ IF F$SEARCH("*.*;*") .NES. "" THEN DELETE *.*;* $ DIR = (F$DIRECTORY()-"]"-">")-F$PARSE("[-]",,,- "DIRECTORY")-"]"-">")-"."-"["-"<" $ SET PROTECTION=WORLD:RWED [-]'DIR'.DIR;1 $ DELETE [-]'DIR'.DIR;1 $DONE: $ SET DEFAULT 'DEFAULT' |
Previous | Next | Contents | Index |
privacy and legal statement | ||
6017PRO_021.HTML |