Difference between revisions of "User record"
(→Accounting) |
(→Identifiers) |
||
(One intermediate revision by the same user not shown) | |||
Line 107: | Line 107: | ||
==Privileges== | ==Privileges== | ||
− | * /DEFPRIVILEGES specifies the default [[Privileges|privileges]] granted to the user. | + | * /DEFPRIVILEGES specifies the default [[Privileges|privileges]] granted to the user: those that are already enabled when the user is logged in. |
− | * /PRIVILEGES specifies the authorized [[Privileges|privileges]] granted to the user. | + | * /PRIVILEGES specifies the authorized [[Privileges|privileges]] granted to the user: those that are authorized but require to be enabled with [[SET PROCESS]]/PRIVILEGE before they can be used. |
Avoid granting default privileges unless absolutely necessary. | Avoid granting default privileges unless absolutely necessary. | ||
==Identifiers== | ==Identifiers== | ||
− | /ADD_IDENTIFIER controls whether a [[ | + | /ADD_IDENTIFIER controls whether a [[Identifier|rights identifier]] is also added to the rights database when the user record is created. Note that you can also manually create identifiers with the ADD/IDENTIFIER command. |
[[Category:User Management]] | [[Category:User Management]] |
Latest revision as of 14:43, 3 December 2019
A user record is a record in SYSUAF.DAT containing the information required to define the software context for a process and some information on the user's activity such as last login times and the number of login fails. User records can be managed with the AUTHORIZE utility.
Contents
Example
Username: TEST Owner: Account: UIC: [200,200] ([DEFAULT]) CLI: DCL Tables: DCLTABLES Default: [USER] LGICMD: Flags: PwdMix Primary days: Mon Tue Wed Thu Fri Secondary days: Sat Sun Primary 000000000011111111112222 Secondary 000000000011111111112222 Day Hours 012345678901234567890123 Day Hours 012345678901234567890123 Network: ----- No access ------ ----- No access ------ Batch: ---------##########----- ----- No access ------ Local: ---------##########----- ----- No access ------ Dialup: ----- No access ------ ----- No access ------ Remote: ---------##########----- ----- No access ------ Expiration: 31-DEC-2018 00:00 Pwdminimum: 6 Login Fails: 0 Pwdlifetime: 90 00:00 Pwdchange: 18-DEC-2018 11:48 Last Login: 18-DEC-2018 11:48 (interactive), (none) (non-interactive) Maxjobs: 0 Fillm: 128 Bytlm: 128000 Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0 Maxdetach: 0 BIOlm: 150 JTquota: 4096 Prclm: 8 DIOlm: 150 WSdef: 4096 Prio: 4 ASTlm: 300 WSquo: 8192 Queprio: 4 TQElm: 100 WSextent: 16384 CPU: (none) Enqlm: 4000 Pgflquo: 256000 Authorized Privileges: NETMBX TMPMBX Default Privileges: NETMBX TMPMBX
Fields
Most user record fields are controlled with the following qualifiers to the ADD, COPY, and MODIFY commands:
Environment
- /OWNER specifies the owner of the user record - usually the user's full name or job title.
- /CLI specifies the name of the default command language interpreter - a string of 1 to 31 alphanumeric characters. Default: DCL (does not usually need to be changed). Ignored for network processes.
- /CLITABLES specifies user-defined CLI tables for the account. The filespec can contain 1 to 31 characters. Default: SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for network jobs to guarantee that the system-supplied command procedures used to implement network objects function properly.
- /DEVICE specifies the device that holds the user's default directory. Default: SYS$SYSDISK.
- /DIRECTORY specifies the user's default directory. Default: [USER]
- /LGICMD specifies the user's personal login command procedure. The file name defaults to the device specified for /DEVICE, the directory specified for /DIRECTORY, a file name of LOGIN, and a file type of .COM (not displayed in the user record).
- /PRIORITY specifies the default base priority. Default: 4.
Access
- /PRIMEDAYS specifies primary days (usually weekdays as opposed to weekends). Access settings can be defined differently for primary and secondary days. Any day that is not primary is secondary.
- /ACCESS specifies when the user record is accessible. Examples:
- /ACCESS Allows unrestricted access (default)
- /NOACCESS=SECONDARY Allows access on primary days only
- /ACCESS=(9-17) Allows access from 9 A.M. to 5:59 P.M. on all days
- /NOACCESS=(PRIMARY,9-17, SECONDARY, 18-8) Disallows access between 9 A.M. to 5:59 P.M. on primary days but allows access during these hours on secondary days.
You can also use the following qualifiers to specify access times for different modes of access:
- /LOCAL
- /INTERACTIVE
- /BATCH
- /NETWORK
- /DIALUP
- /REMOTE
For example:
- /LOCAL=(primary,9-17) Allows access from 9 AM until 5:59 PM on primary days
- /NOREMOTE Disallows all remote access
- /EXPIRATION defines when the record expires. The value can be specified as absolute time. Default: NONE (the user record never expires).
UIC
/UIC specifies the UIC.
Accounting
/ACCOUNT specifies the account name used by the Accounting utility. If the user record is created in a new UIC group, that name is used as the name for the UIC group identifier.
Flags
Account flags control password settings, external authentication, accessibility of a user record and some user environment settings. They can be set with the /FLAGS qualifier:
MOD USER1 /FLAGS=(NODISUSER,PWDMIX)
Limits and quotas
- /ASTLM specifies the total number of asynchronous system trap operations and scheduled wake-up requests that the user can have queued at one time. Default: 300.
- /BIOLM specifies the buffered I/O count limit. Default: 150.
- /BYTLM specifies the buffered I/O byte limit. Default: 128,000.
- /DIOLM specifies the direct I/O count limit. Default: 150.
- /ENQLM specifies the lock queue limit . Default: 4000.
- /FILLM specifies the open file limit.
- /CPUTIME specifies the maximum process CPU time. A delta time value must be specified. Default: 0 (infinite).
- /JTQUOTA specifies the initial byte quota with which the jobwide logical name table is to be created.
- /MAXACCTJOBS specifies the maximum number of batch, interactive, and detached processes that can be active at one time for all users of the same account. Default: 0 (unlimited)
- /MAXDETACH specifies the maximum number of detached processes with the cited user name that can be active at one time. Default: 0 (unlimited)
- /MAXJOBS Specifies the maximum number of processes (interactive, batch, detached, and network) with the cited user name that can be active simultaneously. The first four network jobs are not counted. Default: 0 (unlimited).
- /PGFLQUOTA specifies the paging file limit. Default: 256,000 pages.
- /PRCLM specifies the subprocess limit. Default: 8.
- /SHRFILLM specifies the maximum number of shared files that the user can have open at one time. Default: 0 (unlimited)
- /TQELM specifies the total number of entries in the timer queue plus the number of temporary common event flag clusters that the user can have at one time. Default: 100
- /WSDEFAULT specifies the default working set limit.
- /WSEXTENT specifies the working set maximum.
- /WSQUOTA specifies the working set quota.
Password settings
- /GENERATE_PASSWORD defines whether the system will enforce the use of system generated passwords for this user. Default: /NOGENERATE_PASSWORD. /PASSWORD and /GENERATE_PASSWORD are mutually exclusive. Note that the OpenVMS password generator imposes the maximum length of 10 characters, so even if a higher minimum length is defined with /PWDMINIMUM, 10-character passwords will still be generated.
- /PASSWORD defines the password(s) for this user. Default: USER. Unless PWDMIX flag is set, passwords are not case-sensitive (converted to uppercase before the password is encrypted), allowed characters are all alphanumeric characters, the dollar sign ($) and the underscore (_).
- /PWDEXPIRED specifies the password is valid for only one login: the user will have to change it immediately after login or be locked out of the system.
- /PWDLIFETIME specifies the length of time a password is valid. A delta time value must be specified. Specify NONE to prevent the password from expiring.
- /PWDMINIMUM specifies the minimum password length in characters. Default: 6.
Privileges
- /DEFPRIVILEGES specifies the default privileges granted to the user: those that are already enabled when the user is logged in.
- /PRIVILEGES specifies the authorized privileges granted to the user: those that are authorized but require to be enabled with SET PROCESS/PRIVILEGE before they can be used.
Avoid granting default privileges unless absolutely necessary.
Identifiers
/ADD_IDENTIFIER controls whether a rights identifier is also added to the rights database when the user record is created. Note that you can also manually create identifiers with the ADD/IDENTIFIER command.