ALTUSER

Generated from C.65.00 /SYSADMIN/PUB/MYCICAT last modified on Sun Aug 29 15:08:37 2004

Back to Main Index


ALTUSER


     Changes the attributes currently defined for a user.  (CM)

SYNTAX


     ALTUSER username[.acctname]

              [;PASS=[password]         ]
              [;CAP=[capabilitylist]    ]
              [;MAXPRI=[subqueuename]   ]
              [;LOCATTR=[localattribute]]
              [;HOME=[homegroupname]    ]
              [;UID=[uid]]
              [;USERPASS=[{REQ}][,EXPIRED]]   (1)
                          {OPT}

              (1) The USERPASS parameter is only available if the
                  HP Security Monitor has been installed


PARAMETERS


username            The name assigned to the user within a logon
                    account.

acctname            Specifies the account in which the user is to
                    reside.  This parameter is available only to those
                    users who have System Manager (SM) capability.

password            The password to be assigned to the user.  If
                    password is omitted, any existing password is
                    removed.  If ;PASS is omitted entirely, the
                    password is unchanged.

capabilitylist      Either 1) a list of capabilities, separated by
                    commas, permitted to this user, or 2) a list of
                    additions and/or deletions to be applied to the
                    user's existing set of capabilities.  Additions
                    and deletions are specified by a "+" or "-"
                    immediately followed by the capability to add
                    or delete, separated by commas.

                    If you plan to specify "+" or "-" in the list, then
                    you must begin the list with "+" or "-".  For
                    example, CAP=+MR,-PH is legal, but CAP=MR,-PH is
                    not.

                    It is not necessary to prefix each capability you
                    are adding or deleting with "+" or "-"; the
                    occurrence of "+" or "-" indicates an action that
                    remains in effect until the indicator changes.  For
                    example, CAP=+MR,PH,-PM,DS is equivalent to
                    CAP=+MR,+PH,-PM,-DS.

                    The capabilities that a user may exercise are
                    limited by the capabilities assigned to the
                    account.  For example, suppose both the user and
                    account are assigned DS capability (allowing extra
                    data segments).  If DS capability is subsequently
                    removed from the account, the user is denied DS
                    capability even if that capability is not
                    explicitly removed from the user.

                    Each capability is denoted by a two letter mnemonic
                    as follows:

                    System Manager        =    SM
                    Account Manager       =    AM
                    Account Librarian     =    AL
                    Group Librarian       =    GL
                    Diagnostician         =    DI
                    System Supervisor     =    OP
                    Network Administrator =    NA
                    Node Manager          =    NM
                    Save Files            =    SF
                    Access to nonsharable
                      I/O devices         =    ND
                    Use Volumes           =    UV
                    Create Volumes        =    CV
                    Use Communication
                      Subsystem           =    CS
                    Programmatic Sessions =    PS
                    User Logging          =    LG
                    Process Handling      =    PH
                    Extra Data Segments   =    DS
                    Multiple RINs         =    MR
                    Privileged Mode       =    PM
                    Interactive Access    =    IA
                    Batch Access          =    BA
                    Programmatic Sessions =    PS

                    Default is SF, ND, IA, and BA.  Note that CV
                    automatically gives the user UV capability.

subqueuename        The name of the highest priority subqueue that may
                    be requested by any process of any job/session
                    initiated by the user.  This parameter is specified
                    as AS, BS, CS, DS, or ES, but cannot be greater than
                    that specified with the NEWACCT or ALTACCT
                    commands.  The subqueuename defined for the user is
                    checked against the subqueuename defined for the
                    account at logon, and the lower priority of the two
                    is used as the maximum priority restricting all
                    processes of the job/session.  Also, the priority
                    requested by the user at logon is checked against
                    the subqueuename defined for the user, and the user
                    is granted the lower of these two values.  Default
                    is CS.

CAUTION


Processes capable of executing in the AS or BS subqueues can deadlock
the system.  By assigning non-priority processes to these subqueues,
you may prevent critical system processes from executing. Exercise
extreme care when assigning processes to the AS or BS subqueue.

localattribute      Defined at the installation site, this arbitrary
                    double word bit map is used to further classify
                    users.  While it is not part of standard MPE/iX
                    security provisions, programmers may define it
                    (through the WHO intrinsic) to enhance the security
                    of their own programs.  The bit map for the user
                    local attributes must be a subset of the bit map for
                    the account local attributes.  The ALTUSER command
                    checks the local attributes of the user with those
                    of the account. Default is double word 0 (null).

homegroupname       The name of an existing group to be assigned as the
                    home group for this user.  The first user
                    established when an account is created will, by
                    default, have PUB assigned as the home group.
                    Subsequent new users will by default have no home
                    group assigned. If no home group is assigned, the
                    user must always specify an existing group when
                    logging on.

uid                 User ID to be altered for the account manager in
                    the user database.  The uid must be an unique
                    positive (non zero) 32-bit integer.

Req                 USERPASS=REQ specifies that the user must have a
                    non-blank password. It is available only if the HP
                    Security Monitor has been installed.

Opt                 USERPASS=OPT specifies that this user may or may
                    not have a password. It is available only if the
                    HP Security Monitor has been installed.

Expired             The password expires immediately. The user cannot
                    logon without selecting a new password. It is only
                    available if the HP Security Monitor has been
                    installed.


OPERATION


     The ALTUSER command allows the account manager to change
     the password, capabilities, processing subqueue, security
     checking, and home group currently defined for a user.  More
     than one of these attributes may be changed at a time, by
     entering multiple keyword parameters on a single command
     line, using the semicolon (;) delimiter.

     To change an attribute, enter the keyword and its new value.
     When an entire keyword parameter group is omitted from the
     ALTUSER command, the corresponding value for the user
     remains unchanged.  When a keyword is included, but the
     corresponding parameter is omitted (as in ;PASS=[Return]), a
     default value is assigned as follows.

     This command may be issued from a session, job, program, or
     in BREAK. Pressing [Break] has no effect on this command. You
     user must have account manager (AM) capability to use this
     command.  You must have System Manager (SM) capability to use
     specify a user in an account other than your own.

                    Default Parameters for ALTUSER

PARAMETER           DEFAULT VALUES

password            NULL password

capabilitylist      SF, ND, IA, and BA (provided these
                    capabilities have been specified for the
                    account)

subqueuename        CS

localattribute      0 (null)

homegroupname       The first user established when the account is
                    created has PUB assigned as home group.
                    Subsequent users have no group assigned as
                    home.  If a user has no home group assigned,
                    an existing group must be specified when
                    initiating a job or a session.

     When a parameter is modified with the ALTUSER command, it
     is immediately registered in the directory.  However, it
     will not affect users who are currently logged on to the
     system.  They will be affected the next time they log on to
     the same user name and account.  For this reason, you should
     warn users in advance of the intended changes.

     You should avoid changing the capabilitylist or
     homegroupname of the user MANAGER.SYS. SM capability cannot
     be taken away from MANAGER.SYS.

     ALTUSER will not allow a user with AM capability to remove AM
     from their own capability list. However, a user with AM can
     remove AM from the capability list of another AM user inside
     the same account.


EXAMPLE(S)


     Suppose an account's capabilities are AM, AL, GL, SF, ND,
     PH, DS, MR, IA, and BA.  To change the capabilitylist of the
     user JONES from IA, BA, SF, PH, DS to include Multiple RIN
     capability (MR), enter

     ALTUSER JONES;CAP=IA,BA,SF,PH,DS,MR

     To alter two attributes, password and subqueuename, for user
     JONES enter

     ALTUSER JONES;PASS=JJ;MAXPRI=DS

ADDITIONAL INFORMATION


Commands:  ALTACCT, ALTGROUP, LISTUSER, NEWACCT, NEWUSER

Manuals :  Performing System Management Tasks (32650-90004)
           Performing System Operation Tasks (32650-90137)

Back to Main Index