| Previous | Contents | Index |
Terminates the session.
EXIT
None.
None.
Provides online help information for using ANALYZE/AUDIT commands.
HELP [topic]
topic
Specifies the command for which help information is to be displayed. If you omit the keyword, HELP displays a list of available help topics and prompts you for a particular keyword.
None.
COMMAND> HELP DISPLAY
|
The command in this example displays help information about the DISPLAY command.
Changes the criteria used to select event records. The LIST command is synonymous with the DISPLAY command.
LIST
None.
See the description of the DISPLAY command.
COMMAND> LIST/EVENT_TYPE=SYSUAF
COMMAND> CONTINUE
|
The first command in this example selects records that were generated as a result of a modification to the system user authorization file (SYSUAF). The second command displays the selected records.
Controls whether the current security audit log file is closed and the next log file opened. The command is useful when you supply a wildcard file specification to the ANALYZE/AUDIT command; for example *.AUDIT$JOURNAL. If there are no other audit log files to open, the audit analysis session terminates and control returns to DCL.
NEXT FILE
None.
None.
Controls whether the next audit record is displayed. The NEXT RECORD command is the default for interactive mode.This command is synonymous with the POSITION command.
NEXT RECORD
None.
None.
Moves the full-format display forward or backward the specified number of event records.
POSITION number
number
For positive numbers, displays the record that is the specified number of records after the current record. For negative numbers, displays the record that is the specified number of records before the current record.
None.
| #1 |
|---|
COMMAND> POSITION 100
|
The command in this example moves the display forward 100 event records.
| #2 |
|---|
COMMAND> POSITION -100
|
The command in this example moves the display back 100 event records.
Displays information about the selection or exclusion criteria currently being used to select event records.
SHOW option[,...]
option[,...]
Displays information about selection or exclusion criteria currently being used to select records. Specify one or more of the following options:
ALL Displays all criteria being used to select event records. EXCLUSION_CRITERIA Displays the criteria being used to exclude event records. SELECTION_CRITERIA Displays the criteria being used to select event records.
None.
COMMAND> SHOW SELECTION_CRITERIA
|
The command in this example displays the selection criteria currently in use to select records.
The Authorize utility (AUTHORIZE) is a system management tool used to control access to the system and to allocate resources to users.
AUTHORIZE creates new records or modifies existing records in the following files:
$ DEFINE/PROCESS/EXEC SYSUAF DISK$USER:[MYPROCESSTABLE]SYSUAF.DAT |
%UAF-E-NAOFIL, unable to open SYSUAF.DAT -RMS-E-FNF, file not found Do you want to create a new file? |
$ DEFINE/PROCESS/EXEC NETPROXY DISK$USER:[MYPROCESSTABLE]NETPROXY.DAT |
$ DEFINE/PROCESS/EXEC RIGHTSLIST DISK$USER:[MYPROCESSTABLE]RIGHTSLIST.DAT |
These files store system authorization information. By default, they are owned by the system (UIC of [SYSTEM]) and are created with the following protection:
SYSUAF.DAT S:RWED, O:RWED, G, W NETPROXY.DAT S:RWED, O:RWED, G, W NET$PROXY.DAT S, O, G, W RIGHTSLIST.DAT S:RWED, O:RWED, G, W: |
To use AUTHORIZE, you must have write access to all three of these files (you must have an account with the user identification code (UIC) of [SYSTEM] or the SYSPRV privilege).
Note that you must have read access to the RIGHTSLIST.DAT file (or sufficient privileges) to display the rights identifiers held by other users.
Because certain images (such as MAIL and SET) require access to the system user authorization file (UAF) and are normally installed with the SYSPRV privilege, ensure that you always grant system access to SYSUAF.DAT.
When you install a new system, the software distribution kit provides the following records in the system user authorization file in SYS$SYSTEM:
On VAX systems:
DEFAULT
FIELD
SYSTEM
SYSTEST
SYSTEST_CLIG
On Alpha and I64 systems:
DEFAULT
SYSTEM
If the SYSUAF.DAT becomes corrupted or is accidentally deleted, you can use the template file SYSUAF.TEMPLATE in the SYS$SYSTEM directory to recreate the file, as follows:
$ SET DEFAULT SYS$SYSTEM $ COPY SYSUAF.TEMPLATE SYSUAF.DAT |
The file SYSUAF.TEMPLATE contains records that are identical to those defined when the system was installed.
To make an emergency backup for the system SYSUAF file, you can create a private copy of SYSUAF.DAT. To affect future logins, copy a private version of SYSUAF.DAT to the appropriate directory, as shown in the following example:
$ COPY MYSYSUAF.DAT SYS$COMMON:[SYSEXE]:SYSUAF.DAT- _$ /PROTECTION=(S:RWED,O:RWED,G,W) |
Updated Quotas for the DEFAULT and SYSTEM Accounts
In OpenVMS Version 8.2 the quotas associated with the DEFAULT and SYSTEM accounts were updated. These updated quotas are seen only on fresh installations of OpenVMS or on the creation of a new SYSUAF data file. Existing SYSUAF data files are not updated.
The updates to the DEFAULT account are as follows:
| Quota | Old Value | New Value |
|---|---|---|
| ASTLM | 250 | 300 |
| BYTLM | 64,000 | 128,000 |
| ENQLM | 2,000 | 4,000 |
| FILLM | 100 | 128 |
| PGFLQUOTA | 50,000 | 256,000 |
| TQELM | 10 | 100 |
| WSDEFAULT | 2000 | 4,096 |
| WSQUOTA | 4000 | 8,192 |
The updates to the SYSTEM account are the same as the DEFAULT account with the exception of the following two quotas:
| Quota | Old Value | New Value |
|---|---|---|
| BYTLM | 64,000 | 256,000 |
| PGFLQUOTA | 50,000 | 700,000 |
For upgraded systems with existing SYSUAF files, you might want to
update the DEFAULT and SYSTEM account quotas to these new values.
5.2 AUTHORIZE Usage Summary
The Authorize utility (AUTHORIZE) is a system management tool that enables you to control access to the system and to allocate resources to users.
RUN SYS$SYSTEM:AUTHORIZE
None.
To invoke AUTHORIZE, set your default device and directory to SYS$SYSTEM and enter RUN AUTHORIZE at the DCL command prompt.At the UAF> prompt, you can enter any AUTHORIZE command described in the following section.
To exit from AUTHORIZE, enter the EXIT command at the UAF> prompt or press Ctrl/Z.
This section describes the AUTHORIZE commands and provides examples of their use. You can abbreviate any command, keyword, or qualifier as long as the abbreviation is not ambiguous. The asterisk (*) and the percent sign (%) can be used as wildcard characters to specify user names, node names, and UICs.
AUTHORIZE commands fall into the following four categories:
The following table summarizes the AUTHORIZE commands according to these categories:
| Command | Description |
|---|---|
| Managing System Resources and User Accounts with SYSUAF | |
| ADD | Adds a user record to the SYSUAF and corresponding identifiers to the rights database. |
| COPY | Creates a new SYSUAF record that duplicates an existing record. |
| DEFAULT | Modifies the default SYSUAF record. |
| LIST | Writes reports for selected UAF records to a listing file, SYSUAF.LIS. |
| MODIFY | Changes values in a SYSUAF user record. Qualifiers not specified in the command remain unchanged. |
| REMOVE | Deletes a SYSUAF user record and corresponding identifiers in the rights database. The DEFAULT and SYSTEM records cannot be deleted. |
| RENAME | Changes the user name of the SYSUAF record (and, if specified, the corresponding identifier) while retaining the characteristics of the old record. |
| SHOW | Displays reports for selected SYSUAF records. |
| Managing Network Proxies with NETPROXY.DAT or NET$PROXY.DAT | |
| ADD/PROXY | Adds proxy access for the specified user. |
| CREATE/PROXY | Creates a network proxy authorization file. |
| LIST/PROXY | Creates a listing file of all proxy accounts and all remote users with proxy access to the accounts. |
| MODIFY/PROXY | Modifies proxy access for the specified user. |
| REMOVE/PROXY | Deletes proxy access for the specified user. |
| SHOW/PROXY | Displays proxy access allowed for the specified user. |
| Managing Identifiers with RIGHTSLIST.DAT | |
| ADD/IDENTIFIER | Adds an identifier name to the rights database, rightslist.dat. |
| CREATE/RIGHTS | Creates a new rights database file. |
| GRANT/IDENTIFIER | Grants an identifier name to a UIC identifier. |
| LIST/IDENTIFIER | Creates a listing file of identifier names and values. |
| LIST/RIGHTS | Creates a listing file of all identifiers held by the specified user. |
| MODIFY/IDENTIFIER | Modifies the named identifier in the rights database. |
| REMOVE/IDENTIFIER | Removes an identifier from the rights database. |
| RENAME/IDENTIFIER | Renames an identifier in the rights database. |
| REVOKE/IDENTIFIER | Revokes an identifier name from a UIC identifier. |
| SHOW/IDENTIFIER | Displays identifier names and values on the current output device. |
| SHOW/RIGHTS | Displays on the current output device the names of all identifiers held by the specified user. |
| General Commands | |
| EXIT | Returns the user to DCL command level. |
| HELP | Displays HELP text for AUTHORIZE commands. |
| MODIFY/SYSTEM_PASSWORD | Sets the system password (equivalent to the DCL command SET PASSWORD/SYSTEM). |
Adds a user record to the SYSUAF and corresponding identifiers to the rights database.
Note
ADD/IDENTIFIER and ADD/PROXY are documented as separate commands.
ADD newusername
newusername
Specifies the name of the user record to be included in the SYSUAF. The newusername parameter is a string of 1 to 12 alphanumeric characters and can contain underscores. Although dollar signs are permitted, they are usually reserved for system names.Avoid using fully numeric user names (for example, 89560312). A fully numeric user name cannot receive a corresponding identifier because fully numeric identifiers are not permitted.
/ACCESS[=(range[,...])]
/NOACCESS[=(range[,...])]
Specifies hours of access for all modes of access. The syntax for specifying the range is:
/[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])
Specify hours as integers from 0 to 23, inclusive. You can specify single hours (n) or ranges of hours (n-m). If the ending hour of a range is earlier than the starting hour, the range extends from the starting hour through midnight to the ending hour. The first set of hours after the keyword PRIMARY specifies hours on primary days; the second set of hours after the keyword SECONDARY specifies hours on secondary days. Note that hours are inclusive; that is, if you grant access during a given hour, access extends to the end of that hour.
By default, a user has full access every day. See the DCL command SET DAY in the HP OpenVMS DCL Dictionary for information about overriding the defaults for primary and secondary day types.
All the list elements are optional. Unless you specify hours for a day type, access is permitted for the entire day. By specifying an access time, you prevent access at all other times. Adding NO to the qualifier denies the user access to the system for the specified period of time. See the following examples.
/ACCESS Allows unrestricted access /NOACCESS=SECONDARY Allows access on primary days only /ACCESS=(9-17) Allows access from 9 A.M. to 5:59 P.M. on all days /NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8) Disallows access between 9 A.M. to 5:59 P.M. on primary days but allows access during these hours on secondary days To specify access hours for specific types of access, see the /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE qualifiers.
For information about the effects of login class restrictions, see the HP OpenVMS Guide to System Security.
/ACCOUNT=account-name
Specifies the default name for the account (for example, a billing name or number). The name can be a string of 1 to 8 alphanumeric characters. By default, AUTHORIZE does not assign an account name./ADD_IDENTIFIER (default)
/NOADD_IDENTIFIER
Adds an identifier to the rights database file, RIGHTSLIST.DAT, and also adds a user to the user authorization file, SYSUAF. The /NOADD_IDENTIFIER qualifier does not add an identifier to the RIGHTSLIST.DAT file but does, however, add a user to the SYSUAF user record file. Note that the AUTHORIZE command ADD/IDENTIFIER is quite different: it only adds an entry to the rights database file, RIGHTSLIST.DAT./ALGORITHM=keyword=type [=value]
Sets the password encryption algorithm for a user. The keyword VMS refers to the algorithm used in the operating system version that is running on your system, whereas a customer algorithm is one that is added through the $HASH_PASSWORD system service by a customer site, by a layered product, or by a third party. The customer algorithm is identified in $HASH_PASSWORD by an integer in the range of 128 to 255. It must correspond with the number used in the AUTHORIZE command MODIFY/ALGORITHM. By default, passwords are encrypted with the VMS algorithm for the current version of the operating system.
Keyword Function BOTH Set the algorithm for primary and secondary passwords. CURRENT Set the algorithm for the primary, secondary, both, or no passwords, depending on account status. CURRENT is the default value. PRIMARY Set the algorithm for the primary password only. SECONDARY Set the algorithm for the secondary password only. The following table lists password encryption algorithms:
Type Definition VMS The algorithm used in the version of the operating system that is running on your system. CUSTOMER A numeric value in the range of 128 to 255 that identifies a customer algorithm. The following example selects the VMS algorithm for Sontag's primary password:
UAF> MODIFY SONTAG/ALGORITHM=PRIMARY=VMSIf you select a site-specific algorithm, you must give a value to identify the algorithm, as follows:
UAF> MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128/ASTLM=value
Specifies the AST queue limit, which is the total number of asynchronous system trap (AST) operations and scheduled wake-up requests that the user can have queued at one time. The default is 40 on VAX systems and 300 on Alpha and I64 systems./BATCH[=(range[,...])]
Specifies the hours of access permitted for batch jobs. For a description of the range specification, see the /ACCESS qualifier. By default, a user can submit batch jobs any time./BIOLM=value
Specifies a buffered I/O count limit for the BIOLM field of the UAF record. The buffered I/O count limit is the maximum number of buffered I/O operations, such as terminal I/O, that can be outstanding at one time. The default is 40 on VAX systems and 150 on Alpha and I64 systems./BYTLM=value
Specifies the buffered I/O byte limit for the BYTLM field of the UAF record. The buffered I/O byte limit is the maximum number of bytes of nonpaged system dynamic memory that a user's job can consume at one time. Nonpaged dynamic memory is used for operations such as I/O buffering, mailboxes, and file-access windows. The default is 32768 on VAX systems and 128,000 on Alpha and I64 systems./CLI=cli-name
Specifies the name of the default command language interpreter (CLI) for the CLI field of the UAF record. The cli-name is a string of 1 to 31 alphanumeric characters and should be DCL, which is the default. This setting is ignored for network jobs./CLITABLES=filespec
Specifies user-defined CLI tables for the account. The filespec can contain 1 to 31 characters. The default is SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for network jobs to guarantee that the system-supplied command procedures used to implement network objects function properly./CPUTIME=time
Specifies the maximum process CPU time for the CPU field of the UAF record. The maximum process CPU time is the maximum amount of CPU time a user's process can take per session. You must specify a delta time value. For a discussion of delta time values, see the OpenVMS User's Manual. The default is 0, which means an infinite amount of time./DEFPRIVILEGES=([NO]privname[,...])
Specifies default privileges for the user; that is, those enabled at login time. A NO prefix removes a privilege from the user. By specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier, you can disable or enable all user privileges. The default privileges are TMPMBX and NETMBX. Privname is the name of the privilege./DEVICE=device-name
Specifies the name of the user's default device at login. The device-name is a string of 1 to 31 alphanumeric characters. If you omit the colon from the device-name value, AUTHORIZE appends a colon. The default device is SYS$SYSDISK.
Previous Next Contents Index