1 Files_Used
 AUTHORIZE creates new records or modifies existing records in the
 following files:

 o  System user authorization file (SYSUAF.DAT)

    You can use AUTHORIZE to assign values to various fields
    within each SYSUAF record. The values you assign identify
    the user and the user's work environment, and control use of
    system resources.

    You can redirect SYSUAF logical access by defining a logical
    in your local process logical table; for example:

    $ DEFINE/PROCESS/EXEC SYSUAF DISK$USER:[MYPROCESSTABLE]SYSUAF.DAT

    You can, if you like, define the SYSUAF logical in user mode.

    If you move the SYSUAF.DAT file, be sure the logical name
    SYSUAF is defined and points to an existing file. If AUTHORIZE
    is unable to locate the SYSUAF.DAT file, it displays the
    following error message:

    %UAF-E-NAOFIL, unable to open SYSUAF.DAT
    -RMS-E-FNF, file not found
    Do you want to create a new file?

    A response of YES results in creation of a new SYSUAF file
    containing a SYSTEM record and a DEFAULT record. These records
    are initialized with the same values set when the system was
    installed.

 o  Network proxy authorization file

    The default network proxy authorization file is NET$PROXY.DAT.
    However, AUTHORIZE maintains the file NETPROXY.DAT for
    compatibility.

    In a mixed-version cluster where systems are running OpenVMS
    Alpha or a version of OpenVMS VAX earlier than Version 6.1,
    you must make all proxy modifications on an OpenVMS VAX
    Version 6.1 or later system.

    You can redirect NETPROXY logical access by defining a logical
    in your local process logical table; for example:

    $ DEFINE/PROCESS/EXEC NETPROXY DISK$USER:[MYPROCESSTABLE]NETPROXY.DAT

 o  Rights database file (RIGHTSLIST.DAT)

    You can redirect RIGHTSLIST logical access by defining a
    logical in your local process logical table; for example:

    $ DEFINE/PROCESS/EXEC RIGHTSLIST DISK$USER:[MYPROCESSTABLE]RIGHTSLIST.DAT

 These files store system authorization information. By default,
 they are owned by the system (UIC of [SYSTEM]) and are created
 with the following protection:

    SYSUAF.DAT        S:RWED, O:RWED, G, W
    NETPROXY.DAT      S:RWED, O:RWED, G, W
    NET$PROXY.DAT     S, O, G, W
    RIGHTSLIST.DAT    S:RWED, O:RWED, G, W

 To use AUTHORIZE, you must have write access to all three
 of these files (you must have an account with the user
 identification code (UIC) of [SYSTEM] or the SYSPRV privilege).

 Note that you must have read access to the RIGHTSLIST.DAT file
 (or sufficient privileges) to display the rights identifiers held
 by other users.

 Because certain images (such as MAIL and SET) require access
 to the system user authorization file (UAF) and are normally
 installed with the SYSPRV privilege, ensure that you always grant
 system access to SYSUAF.DAT.

 When you install a new system, the software distribution kit
 provides the following records in the system user authorization
 file in SYS$SYSTEM:

    On Alpha and Integrity server systems:

    DEFAULT
    SYSTEM

 If the SYSUAF.DAT becomes corrupted or is accidentally deleted,
 you can use the template file SYSUAF.TEMPLATE in the SYS$SYSTEM
 directory to recreate the file, as follows:

    $ SET DEFAULT SYS$SYSTEM
    $ COPY SYSUAF.TEMPLATE SYSUAF.DAT

 The file SYSUAF.TEMPLATE contains records that are identical to
 those defined when the system was installed.

 To make an emergency backup for the system SYSUAF file, you
 can create a private copy of SYSUAF.DAT. To affect future
 logins, copy a private version of SYSUAF.DAT to the appropriate
 directory, as shown in the following example:

    $ COPY MYSYSUAF.DAT SYS$COMMON:[SYSEXE]SYSUAF.DAT-
    _$ /PROTECTION=(S:RWED,O:RWED,G,W)

 Updated Quotas for the DEFAULT and SYSTEM Accounts

 In OpenVMS Version 8.2 the quotas associated with the DEFAULT and
 SYSTEM accounts were updated.
 These updated quotas are seen only
 on fresh installations of OpenVMS or on the creation of a new
 SYSUAF data file. Existing SYSUAF data files are not updated.

 The updates to the DEFAULT account are as follows:

    Quota        Old Value    New Value

    ASTLM        250          300
    BYTLM        64,000       128,000
    ENQLM        2,000        4,000
    FILLM        100          128
    PGFLQUOTA    50,000       256,000
    TQELM        10           100
    WSDEFAULT    2000         4,096
    WSQUOTA      4000         8,192

 The updates to the SYSTEM account are the same as the DEFAULT
 account with the exception of the following two quotas:

    Quota        Old Value    New Value

    BYTLM        64,000       256,000
    PGFLQUOTA    50,000       700,000

 For upgraded systems with existing SYSUAF files, you might want
 to update the DEFAULT and SYSTEM account quotas to these new
 values.

1 Command_Summary

    Command              Description

    Managing System Resources and User Accounts with SYSUAF

    ADD                  Adds a user record to the SYSUAF and
                         corresponding identifiers to the rights
                         database.
    COPY                 Creates a new SYSUAF record that
                         duplicates an existing record.
    DEFAULT              Modifies the default SYSUAF record.
    LIST                 Writes reports for selected UAF records to
                         a listing file, SYSUAF.LIS.
    MODIFY               Changes values in a SYSUAF user record.
                         Qualifiers not specified in the command
                         remain unchanged.
    REMOVE               Deletes a SYSUAF user record and
                         corresponding identifiers in the rights
                         database. The DEFAULT and SYSTEM records
                         cannot be deleted.
    RENAME               Changes the user name of the SYSUAF record
                         (and, if specified, the corresponding
                         identifier) while retaining the
                         characteristics of the old record.
    SHOW                 Displays reports for selected SYSUAF
                         records.

    Managing Network Proxies with NETPROXY.DAT or NET$PROXY.DAT

    ADD/PROXY            Adds proxy access for the specified user.
    CREATE/PROXY         Creates a network proxy authorization file.
    LIST/PROXY           Creates a listing file of all proxy
                         accounts and all remote users with proxy
                         access to the accounts.
    MODIFY/PROXY         Modifies proxy access for the specified user.
    REMOVE/PROXY         Deletes proxy access for the specified user.
    SHOW/PROXY           Displays proxy access allowed for the
                         specified user.

    Managing Identifiers with RIGHTSLIST.DAT

    ADD/IDENTIFIER       Adds an identifier name to the rights
                         database, rightslist.dat.
    CREATE/RIGHTS        Creates a new rights database file.
    GRANT/IDENTIFIER     Grants an identifier name to a UIC
                         identifier.
    LIST/IDENTIFIER      Creates a listing file of identifier names
                         and values.
    LIST/RIGHTS          Creates a listing file of all identifiers
                         held by the specified user.
    MODIFY/IDENTIFIER    Modifies the named identifier in the
                         rights database.
    REMOVE/IDENTIFIER    Removes an identifier from the rights
                         database.
    RENAME/IDENTIFIER    Renames an identifier in the rights
                         database.
    REVOKE/IDENTIFIER    Revokes an identifier name from a UIC
                         identifier.
    SHOW/IDENTIFIER      Displays identifier names and values on
                         the current output device.
    SHOW/RIGHTS          Displays on the current output device
                         the names of all identifiers held by the
                         specified user.

    General Commands

    EXIT                 Returns the user to DCL command level.
    HELP                 Displays HELP text for AUTHORIZE commands.
    MODIFY/SYSTEM_PASSWORD
                         Sets the system password (equivalent to
                         the DCL command SET PASSWORD/SYSTEM).

1 ADD
 Adds a user record to the SYSUAF and corresponding identifiers to
 the rights database.

 In the list of "Additional information available" in online help,
 the first group of qualifiers is used to add user information to
 the authorization (UAF) file.

 Following this list, after "Examples," are two more qualifiers:

 o  /IDENTIFIER - used to add identifiers to the rights database
    (but does not affect the authorization file)

 o  /PROXY - used to add proxies to the proxy database (but does not
    affect the authorization file)

 These qualifiers use different parameters than other ADD
 commands.

 Format

   ADD  newusername

2 Parameter

newusername

 Specifies the name of the user record to be included in the
 SYSUAF. The newusername parameter is a string of 1 to 12
 alphanumeric characters and can contain underscores.
 Although
 dollar signs are permitted, they are usually reserved for system
 names.

 Avoid using fully numeric user names (for example, 89560312). A
 fully numeric user name cannot receive a corresponding identifier
 because fully numeric identifiers are not permitted.

2 Qualifiers

/ACCESS

    /ACCESS[=(range[,...])]
    /NOACCESS[=(range[,...])]

 Specifies hours of access for all modes of access. The syntax for
 specifying the range is:

 UAF> /[NO]ACCESS=([PRIMARY],[n-m],[n],[,...],[SECONDARY],[n-m],[n],[,...])

 Specify hours as integers from 0 to 23, inclusive. You can
 specify single hours (n) or ranges of hours (n-m). If the ending
 hour of a range is earlier than the starting hour, the range
 extends from the starting hour through midnight to the ending
 hour. The first set of hours after the keyword PRIMARY specifies
 hours on primary days; the second set of hours after the keyword
 SECONDARY specifies hours on secondary days. Note that hours
 are inclusive; that is, if you grant access during a given hour,
 access extends to the end of that hour.

 By default, a user has full access every day. See the DCL command
 SET DAY in the VSI OpenVMS DCL Dictionary for information about
 overriding the defaults for primary and secondary day types.

 All the list elements are optional. Unless you specify hours for
 a day type, access is permitted for the entire day. By specifying
 an access time, you prevent access at all other times. Adding
 NO to the qualifier denies the user access to the system for the
 specified period of time. See the following examples.

    /ACCESS                Allows unrestricted access

    /NOACCESS=SECONDARY    Allows access on primary days only

    /ACCESS=(9-17)         Allows access from 9 A.M. to 5:59 P.M. on
                           all days

    /NOACCESS=(PRIMARY,    Disallows access between 9 A.M. and 5:59
    9-17, SECONDARY,       P.M. on primary days but allows access
    18-8)                  during these hours on secondary days

 To specify access hours for specific types of access, see the
 /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE
 qualifiers.

 For information about the effects of login class restrictions,
 see the VSI OpenVMS Guide to System Security.

/ACCOUNT

    /ACCOUNT=account-name

 Specifies the default name for the account (for example, a
 billing name or number). The name can be a string of 1 to 8
 alphanumeric characters. By default, AUTHORIZE does not assign
 an account name.

/ADD_IDENTIFIER

    /ADD_IDENTIFIER (default)
    /NOADD_IDENTIFIER

 Adds an identifier to the rights database file, RIGHTSLIST.DAT,
 and also adds a user to the user authorization file, SYSUAF. The
 /NOADD_IDENTIFIER qualifier does not add an identifier to the
 RIGHTSLIST.DAT file but does, however, add a user to the SYSUAF
 user record file. Note that the AUTHORIZE command ADD/IDENTIFIER
 is quite different: it only adds an entry to the rights database
 file, RIGHTSLIST.DAT.

/ALGORITHM

    /ALGORITHM=keyword=type [=value]

 Sets the password encryption algorithm for a user. The keyword
 VMS refers to the algorithm used in the operating system version
 that is running on your system, whereas a customer algorithm is
 one that is added through the $HASH_PASSWORD system service by
 a customer site, by a layered product, or by a third party. The
 customer algorithm is identified in $HASH_PASSWORD by an integer
 in the range of 128 to 255. It must correspond with the number
 used in the AUTHORIZE command MODIFY/ALGORITHM. By default,
 passwords are encrypted with the VMS algorithm for the current
 version of the operating system.

    Keyword      Function

    BOTH         Set the algorithm for primary and secondary
                 passwords.
    CURRENT      Set the algorithm for the primary, secondary, both,
                 or no passwords, depending on account status. CURRENT
                 is the default value.
    PRIMARY      Set the algorithm for the primary password only.
    SECONDARY    Set the algorithm for the secondary password only.

 The following table lists password encryption algorithms:

    Type         Definition

    VMS          The algorithm used in the version of the operating
                 system that is running on your system.
    CUSTOMER     A numeric value in the range of 128 to 255 that
                 identifies a customer algorithm.

 The following example selects the VMS algorithm for Sontag's
 primary password:

 UAF>  MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

 If you select a site-specific algorithm, you must give a value to
 identify the algorithm, as follows:

 UAF>  MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM

    /ASTLM=value

 Specifies the AST queue limit, which is the total number of
 asynchronous system trap (AST) operations and scheduled wake-up
 requests that the user can have queued at one time. The default
 is 300 on Alpha and Integrity server systems.

/BATCH

    /BATCH[=(range[,...])]

 Specifies the hours of access permitted for batch jobs. For
 a description of the range specification, see the /ACCESS
 qualifier. By default, a user can submit batch jobs any time.

/BIOLM

    /BIOLM=value

 Specifies a buffered I/O count limit for the BIOLM field of
 the UAF record. The buffered I/O count limit is the maximum
 number of buffered I/O operations, such as terminal I/O, that
 can be outstanding at one time. The default is 150 on Alpha and
 Integrity server systems.

/BYTLM

    /BYTLM=value

 Specifies the buffered I/O byte limit for the BYTLM field of the
 UAF record. The buffered I/O byte limit is the maximum number
 of bytes of nonpaged system dynamic memory that a user's job
 can consume at one time. Nonpaged dynamic memory is used for
 operations such as I/O buffering, mailboxes, and file-access
 windows. The default is 128,000 on Alpha and Integrity server
 systems.

/CLI

    /CLI=cli-name

 Specifies the name of the default command language interpreter
 (CLI) for the CLI field of the UAF record. The cli-name is a
 string of 1 to 31 alphanumeric characters and should be DCL,
 which is the default. This setting is ignored for network jobs.

/CLITABLES

    /CLITABLES=filespec

 Specifies user-defined CLI tables for the account. The
 filespec can contain 1 to 31 characters. The default is
 SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for
 network jobs to guarantee that the system-supplied command
 procedures used to implement network objects function properly.

/CPUTIME

    /CPUTIME=time

 Specifies the maximum process CPU time for the CPU field of the
 UAF record. The maximum process CPU time is the maximum amount of
 CPU time a user's process can take per session. You must specify
 a delta time value. For a discussion of delta time values, see
 the OpenVMS User's Manual. The default is 0, which means an
 infinite amount of time.

/DEFPRIVILEGES

    /DEFPRIVILEGES=([NO]privname[,...])

 Specifies default privileges for the user; that is, those enabled
 at login time. A NO prefix removes a privilege from the user. By
 specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier,
 you can disable or enable all user privileges. The default
 privileges are TMPMBX and NETMBX. Privname is the name of the
 privilege.

/DEVICE

    /DEVICE=device-name

 Specifies the name of the user's default device at login. The
 device-name is a string of 1 to 31 alphanumeric characters. If
 you omit the colon from the device-name value, AUTHORIZE appends
 a colon. The default device is SYS$SYSDISK.

 If you specify a logical name as the device-name (for example,
 DISK1: for DUA1:), you must make an entry for the logical name in
 the LNM$SYSTEM_TABLE in executive mode by using the DCL command
 DEFINE/SYSTEM/EXEC.

/DIALUP

    /DIALUP[=(range[,...])]

 Specifies hours of access permitted for dialup logins. For
 a description of the range specification, see the /ACCESS
 qualifier. The default is full access.

/DIOLM

    /DIOLM=value

 Specifies the direct I/O count limit for the DIOLM field of the
 UAF record.
 The direct I/O count limit is the maximum number
 of direct I/O operations (usually disk) that can be outstanding
 at one time. The default is 150 on Alpha and Integrity server
 systems.

/DIRECTORY

    /DIRECTORY=directory-name

 Specifies the default directory name for the DIRECTORY field of
 the UAF record. The directory-name can be 1 to 39 alphanumeric
 characters. If you do not enclose the directory name in brackets,
 AUTHORIZE adds the brackets for you. The default directory name
 is [USER].

/ENQLM

    /ENQLM=value

 Specifies the lock queue limit for the ENQLM field of the UAF
 record. The lock queue limit is the maximum number of locks that
 can be queued by the user at one time. The default is 4000 on
 Alpha and Integrity server systems.

/EXPIRATION

    /EXPIRATION=time (default)
    /NOEXPIRATION

 Specifies the expiration date and time of the account. The
 /NOEXPIRATION qualifier removes the expiration date on the
 account. If you do not specify an expiration time when you add
 a new account, AUTHORIZE copies the expiration time from the
 DEFAULT account. (The expiration time on the DEFAULT account is
 "none" by default.)

/FILLM

    /FILLM=value

 Specifies the open file limit for the FILLM field of the UAF
 record. The open file limit is the maximum number of files that
 can be open at one time, including active network logical links.
 The default is 128 on Alpha and Integrity server systems.

/FLAGS

    /FLAGS=([NO]option[,...])

 Specifies login flags for the user. The prefix NO clears the
 flag. The options are as follows:

    AUDIT          Enables or disables mandatory security auditing for
                   a specific user. By default, the system does not
                   audit the activities of specific users (NOAUDIT).

    AUTOLOGIN      Restricts the user to the automatic login mechanism
                   when logging in to an account. When set, the flag
                   disables login by any terminal that requires entry
                   of a user name and password. The default is to
                   require a user name and password (NOAUTOLOGIN).

    CAPTIVE        Prevents the user from changing any defaults at
                   login, for example, /CLI or /LGICMD. It prevents
                   the user from escaping the captive login command
                   procedure specified by the /LGICMD qualifier
                   and gaining access to the DCL command level. See
                   "Guidelines for Captive Command Procedures" in the
                   VSI OpenVMS Guide to System Security.

                   The CAPTIVE flag also establishes an environment
                   where Ctrl/Y interrupts are initially turned off;
                   however, command procedures can still turn on Ctrl/Y
                   interrupts with the DCL command SET CONTROL=Y. By
                   default, an account is not captive (NOCAPTIVE).

    DEFCLI         Restricts the user to the default command
                   interpreter by prohibiting the use of the /CLI
                   qualifier at login. By default, a user can choose
                   a CLI (NODEFCLI).

    DISCTLY        Establishes an environment where Ctrl/Y interrupts
                   are initially turned off and are invalid until a
                   SET CONTROL=Y is encountered. This could happen in
                   SYLOGIN.COM or in a procedure called by SYLOGIN.COM.
                   Once a SET CONTROL=Y is executed (which requires
                   no privilege), a user can enter a Ctrl/Y and reach
                   the DCL prompt ($). If the intent of DISCTLY is
                   to force execution of the login command files,
                   then SYLOGIN.COM should issue the DCL command
                   SET CONTROL=Y to turn on Ctrl/Y interrupts before
                   exiting. By default, Ctrl/Y is enabled (NODISCTLY).

    DISFORCE_PWD_CHANGE
                   Removes the requirement that a user must change an
                   expired password at login. By default, a person can
                   use an expired password only once
                   (NODISFORCE_PWD_CHANGE) and then is forced to change
                   the password after logging in. If the user does not
                   select a new password, the user is locked out of
                   the system.

                   To use this feature, set a password expiration date
                   with the /PWDLIFETIME qualifier.

    DISIMAGE       Prevents the user from executing RUN and foreign
                   commands. By default, a user can execute RUN and
                   foreign commands (NODISIMAGE).

    DISMAIL        Disables mail delivery to the user.
                   By default, mail delivery is enabled (NODISMAIL).

    DISNEWMAIL     Suppresses announcements of new mail at login.
                   By default, the system announces new mail
                   (NODISNEWMAIL).

    DISPWDDIC      Disables automatic screening of new passwords
                   against a system dictionary. By default, passwords
                   are automatically screened (NODISPWDDIC).

    DISPWDHIS      Disables automatic checking of new passwords against
                   a list of the user's old passwords. By default, the
                   system screens new passwords (NODISPWDHIS).

    DISPWDSYNCH    Suppresses synchronization of the external password
                   for this account. See bit 9 in the SECURITY_POLICY
                   system parameter for systemwide password
                   synchronization control.

    DISRECONNECT   Disables automatic reconnection to an existing
                   process when a terminal connection has been
                   interrupted. By default, automatic reconnection
                   is enabled (NODISRECONNECT).

    DISREPORT      Suppresses reports of the last login time, login
                   failures, and other security reports. By default,
                   login information is displayed (NODISREPORT).

    DISUSER        Disables the account so the user cannot log in.
                   For example, the DEFAULT account is disabled. By
                   default, an account is enabled (NODISUSER).

    DISWELCOME     Suppresses the welcome message (an informational
                   message displayed during a local login). This
                   message usually indicates the version number of
                   the operating system that is running and the name of
                   the node on which the user is logged in. By default,
                   a system login message appears (NODISWELCOME).

    EXTAUTH        Considers user to be authenticated by an external
                   user name and password, not by the SYSUAF user name
                   and password. (The system still uses the SYSUAF
                   record to check a user's login restrictions and
                   quotas and to create the user's process profile.)

    GENPWD         Restricts the user to generated passwords.
                   By default, users choose their own passwords
                   (NOGENPWD).

    LOCKPWD        Prevents the user from changing the password for
                   the account.
                   By default, users can change their
                   passwords (NOLOCKPWD).

    PWD_EXPIRED    Marks a password as expired. The user cannot log in
                   if this flag is set. The LOGINOUT.EXE image sets the
                   flag when both of the following conditions exist: a
                   user logs in with the DISFORCE_PWD_CHANGE flag set,
                   and the user's password expires. A system manager
                   can clear this flag. By default, passwords are not
                   expired after login (NOPWD_EXPIRED).

    PWD2_EXPIRED   Marks a secondary password as expired. Users cannot
                   log in if this flag is set. The LOGINOUT.EXE image
                   sets the flag when both of the following conditions
                   exist: a user logs in with the DISFORCE_PWD_CHANGE
                   flag set, and the user's password expires. A system
                   manager can clear this flag. By default, passwords
                   are not set to expire after login (NOPWD2_EXPIRED).

    PWDMIX         Enables case-sensitive and extended-character
                   passwords.

                   After PWDMIX is specified, you can then use mixed-
                   case and extended characters in passwords. Be aware
                   that before the PWDMIX flag is enabled, the system
                   stores passwords in all upper-case. Therefore, until
                   you change passwords, you must enter your pre-PWDMIX
                   passwords in upper-case.

                   To change the password after PWDMIX is enabled:

                   o  You (the user) can use the DCL command SET
                      PASSWORD, specifying the new mixed-case password
                      (omitting quotation marks).

                   o  You (the system manager) can use the AUTHORIZE
                      command MODIFY/PASSWORD, and enclose the user's
                      new mixed-case password in quotation marks " ".

    RESTRICTED     Prevents the user from changing any defaults at
                   login (for example, by specifying /LGICMD) and
                   prohibits user specification of a CLI with the
                   /CLI qualifier. The RESTRICTED flag establishes
                   an environment where Ctrl/Y interrupts are initially
                   turned off; however, command procedures can still
                   turn on Ctrl/Y interrupts with the DCL command SET
                   CONTROL=Y. Typically, this flag is used to prevent
                   an applications user from having unrestricted access
                   to the CLI.
                   By default, a user can change defaults
                   (NORESTRICTED).

    VMSAUTH        Allows account to use standard (SYSUAF)
                   authentication when the EXTAUTH flag would otherwise
                   require external authentication. This depends on the
                   application. An application specifies the VMS domain
                   of interpretation when calling SYS$ACM to request
                   standard VMS authentication for a user account that
                   normally uses external authentication.

/GENERATE_PASSWORD

    /GENERATE_PASSWORD[=keyword]
    /NOGENERATE_PASSWORD (default)

 Invokes the password generator to create user passwords.
 Generated passwords can consist of 1 to 10 characters. Specify
 one of the following keywords:

    BOTH         Generate primary and secondary passwords.
    CURRENT      Do whatever the DEFAULT account does (for example,
                 generate primary, secondary, both, or no passwords).
                 This is the default keyword.
    PRIMARY      Generate primary password only.
    SECONDARY    Generate secondary password only.

 When you modify a password, the new password expires
 automatically; it is valid only once (unless you specify
 /NOPWDEXPIRED). On login, users are forced to change their
 passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

 Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
 mutually exclusive.

!/IDENTIFIER
! Adds an identifier to the rights database, RIGHTSLIST.DAT.
! The ADD/IDENTIFIER command does not add a user account to the
! authorization file, SYSUAF.
! The ADD/ADD_IDENTIFIER command, however, adds a user account to
! the authorization file, SYSUAF, and also adds an identifier to
! the rights database, RIGHTSLIST.DAT.

/INTERACTIVE

    /INTERACTIVE[=(range[,...])]
    /NOINTERACTIVE

 Specifies the hours of access for interactive logins. For
 a description of the range specification, see the /ACCESS
 qualifier. By default, there are no access restrictions on
 interactive logins.

/JTQUOTA

    /JTQUOTA=value

 Specifies the initial byte quota with which the jobwide logical
 name table is to be created.
 By default, the value is 4096 on
 Alpha and Integrity server systems.

/LGICMD

    /LGICMD=filespec

 Specifies the name of the default login command file. The file
 name defaults to the device specified for /DEVICE, the directory
 specified for /DIRECTORY, a file name of LOGIN, and a file type
 of .COM. If you select the defaults for all these values, the
 file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL

    /LOCAL[=(range[,...])]

 Specifies hours of access for interactive logins from local
 terminals. For a description of the range specification, see the
 /ACCESS qualifier. By default, there are no access restrictions
 on local logins.

/MAXACCTJOBS

    /MAXACCTJOBS=value

 Specifies the maximum number of batch, interactive, and detached
 processes that can be active at one time for all users of the
 same account. By default, a user has a maximum of 0, which
 represents an unlimited number.

/MAXDETACH

    /MAXDETACH=value

 Specifies the maximum number of detached processes with the cited
 user name that can be active at one time. To prevent the user
 from creating detached processes, specify the keyword NONE. By
 default, a user has a value of 0, which represents an unlimited
 number.

/MAXJOBS

    /MAXJOBS=value

 Specifies the maximum number of processes (interactive, batch,
 detached, and network) with the cited user name that can be
 active simultaneously. The first four network jobs are not
 counted. By default, a user has a maximum value of 0, which
 represents an unlimited number.

/NETWORK

    /NETWORK[=(range[,...])]

 Specifies hours of access for network batch jobs. For a
 description of how to specify the range, see the /ACCESS
 qualifier. By default, network logins have no access
 restrictions.

/OWNER

    /OWNER=owner-name

 Specifies the name of the owner of the account. You can use this
 name for billing purposes or similar applications. The owner name
 is 1 to 31 characters. No default owner name exists.

/PASSWORD

    /PASSWORD=(password1[,password2])
    /NOPASSWORD

 Specifies up to two passwords for login. Passwords can be from 0
 to 32 alphanumeric characters in length. The dollar sign ($) and
 underscore (_) are also permitted.

 Uppercase and lowercase characters are equivalent. All lowercase
 characters are converted to uppercase before the password is
 encrypted. Avoid using the word password as the actual password.

 Use the /PASSWORD qualifier as follows:

 o  To set only the first password and clear the second, specify
    /PASSWORD=password.

 o  To set both the first and second password, specify
    /PASSWORD=(password1, password2).

 o  To change the first password without affecting the second,
    specify /PASSWORD=(password, "").

 o  To change the second password without affecting the first,
    specify /PASSWORD=("", password).

 o  To set both passwords to null, specify /NOPASSWORD.

 When you modify a password, the new password expires
 automatically; it is valid only once (unless you specify
 /NOPWDEXPIRED). On login, the user is forced to change the
 password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

 Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
 mutually exclusive.

 By default, the ADD command assigns the password USER. When you
 create a new UAF record with the COPY or RENAME command, you must
 specify a password. Avoid using the word password as the actual
 password.

/PBYTLM

 This flag is reserved for VSI.

/PGFLQUOTA

    /PGFLQUOTA=value

 Specifies the paging file limit. This is the maximum number of
 pages that the person's process can use in the system paging
 file. By default, the value is 256,000 pagelets on Alpha and
 Integrity server systems.

 If decompressing libraries, make sure to set PGFLQUOTA to twice
 the size of the library.

/PRCLM

    /PRCLM=value

 Specifies the subprocess creation limit. This is the maximum
 number of subprocesses that can exist at one time for the
 specified user's process.
 By default, the value is 8 on Alpha
 and Integrity server systems.

/PRIMEDAYS

    /PRIMEDAYS=([NO]day[,...])

 Defines the primary and secondary days of the week for logging
 in. Specify the days as a list separated by commas, and enclose
 the list in parentheses. To specify a secondary day, prefix the
 day with NO (for example, NOFRIDAY). To specify a primary day,
 omit the NO prefix.

 By default, primary days are Monday through Friday and secondary
 days are Saturday and Sunday. If you omit a day from the list,
 AUTHORIZE uses the default value. (For example, if you omit
 Monday from the list, AUTHORIZE defines Monday as a primary day.)

 Use the primary and secondary day definitions in conjunction with
 such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY

    /PRIORITY=value

 Specifies the default base priority. The value is an integer in
 the range of 0 to 63 on Alpha and Integrity server systems. By
 default, the value is set to 4 for timesharing users.

/PRIVILEGES

    /PRIVILEGES=([NO]privname[,...])

 Specifies which privileges the user is authorized to hold,
 although these privileges are not necessarily enabled at login.
 (The /DEFPRIVILEGES qualifier determines which ones are enabled.)
 A NO prefix removes the privilege from the user. The keyword
 NOALL disables all user privileges. Many privileges have varying
 degrees of power and potential system impact (see the VSI OpenVMS
 Guide to System Security for a detailed discussion). By default,
 a user holds TMPMBX and NETMBX privileges. Privname is the name
 of the privilege.

/PWDEXPIRED

    /PWDEXPIRED (default)
    /NOPWDEXPIRED

 Specifies the password is valid for only one login. A user must
 change a password immediately after login or be locked out of the
 system. The system warns users of password expiration. A user can
 either specify a new password, with the DCL command SET PASSWORD,
 or wait until expiration and be forced to change.
 By default, a
 user must change a password when first logging in to an account.
 The default is applied to the account only when the password is
 being modified.

/PWDLIFETIME

    /PWDLIFETIME=time (default)
    /NOPWDLIFETIME

 Specifies the length of time a password is valid. Specify a
 delta time value in the form [dddd-] [hh:mm:ss.cc]. For example,
 for a lifetime of 120 days, 0 hours, and 0 seconds, specify
 /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30
 minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If
 a period longer than the specified time elapses before the user
 logs in, the system displays a warning message. The password is
 marked as expired.

 To prevent a password from expiring, specify the time as NONE. By
 default, a password expires in 90 days.

/PWDMINIMUM

    /PWDMINIMUM=value

 Specifies the minimum password length in characters. Note that
 this value is enforced only by the DCL command SET PASSWORD. It
 does not prevent you from entering a password shorter than the
 minimum length when you use AUTHORIZE to create or modify an
 account. By default, a password must have at least 6 characters.
 If the value specified by the /PWDMINIMUM qualifier conflicts with
 the value used by the /GENERATE_PASSWORD qualifier or the DCL
 command SET PASSWORD/GENERATE, the operating system chooses the
 lesser value. The maximum value for generated passwords is 10.

/QUEPRIO

    /QUEPRIO=value

 Reserved for future use.

/REMOTE

    /REMOTE[=(range[,...])]

 Specifies hours during which access is permitted for interactive
 logins from network remote terminals (with the DCL command SET
 HOST). For a description of the range specification, see the
 /ACCESS qualifier. By default, remote logins have no access
 restrictions.

/SHRFILLM

    /SHRFILLM=value

 Specifies the maximum number of shared files that the user can
 have open at one time.
   By default, the system assigns a value of 0, which represents an infinite number.

/TQELM

   Specifies the total number of entries in the timer queue plus the number of temporary common event flag clusters that the user can have at one time. By default, a user can have 100.

/UIC

      /UIC=value

   Specifies the user identification code (UIC). The UIC value is a group number in the range from 1 to 37776 (octal) and a member number in the range from 0 to 177776 (octal), which are separated by a comma and enclosed in brackets. VSI reserves group 1 and groups 300-377 for its own use.

   Each user must have a unique UIC. By default, the UIC value is [200,200].

/WSDEFAULT

      /WSDEFAULT=value

   Specifies the default working set limit. This represents the initial limit to the number of physical pages the process can use. (The user can alter the default quantity up to WSQUOTA with the DCL command SET WORKING_SET.) By default, a user has 4096 pagelets on Alpha and Integrity server systems.

   The value cannot be greater than WSMAX. This quota value replaces smaller values of PQL_MWSDEFAULT.

/WSEXTENT

      /WSEXTENT=value

   Specifies the working set maximum. This represents the maximum amount of physical memory allowed to the process. The system provides memory to a process beyond its working set quota only when it has excess free pages. The additional memory is recalled by the system if needed.

   The value is an integer equal to or greater than WSQUOTA. By default, the value is 16384 pagelets on Alpha and Integrity server systems. The value cannot be greater than WSMAX. This quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA

      /WSQUOTA=value

   Specifies the working set quota. This is the maximum amount of physical memory a user process can lock into its working set. It also represents the maximum amount of swap space that the system
   reserves for this process and the maximum amount of physical memory that the system allows the process to consume if the systemwide memory demand is significant.

   The value cannot be greater than the value of WSMAX and cannot exceed 8,192 pagelets on Alpha and Integrity server systems. This quota value replaces smaller values of PQL_MWSQUOTA.

2 Examples

   1.UAF> ADD ROBIN /PASSWORD=SP0152/UIC=[014,006] -
     _/DEVICE=SYS$USER/DIRECTORY=[ROBIN]/OWNER="JOSEPH ROBIN" /ACCOUNT=INV
     %UAF-I-ADDMSG, user record successfully added
     %UAF-I-RDBADDMSGU, identifier ROBIN value: [000014,000006] added to RIGHTSLIST.DAT
     %UAF-I-RDBADDMSGU, identifier INV value: [000014,177777] added to RIGHTSLIST.DAT

     This example illustrates the typical ADD command and qualifiers. The resulting record from this command appears in the description of the SHOW command.

   2.UAF> ADD WELCH /PASSWORD=SP0158/UIC=[014,051] -
     _/DEVICE=SYS$USER/DIRECTORY=[WELCH]/OWNER="ROB WELCH"/FLAGS=DISUSER -
     _/ACCOUNT=INV/LGICMD=SECUREIN
     %UAF-I-ADDMSG, user record successfully added
     %UAF-I-RDBADDMSGU, identifier WELCH value: [000014,000051] added to RIGHTSLIST.DAT
     UAF> MODIFY WELCH/FLAGS=(RESTRICTED,DISNEWMAIL,DISWELCOME, -
     _NODISUSER,EXTAUTH)/NODIALUP=SECONDARY/NONETWORK=PRIMARY -
     /CLITABLES=DCLTABLES/NOACCESS=(PRIMARY, 9-16, SECONDARY, 18-8)
     %UAF-I-MDFYMSG, user records updated

     The commands in this example add a record for a restricted account. Because of the number of qualifiers required, a MODIFY command is used in conjunction with the ADD command. This helps to minimize the possibility of typing errors.

     In the ADD command line, setting the DISUSER flag prevents the user from logging in until all the account parameters are set up. In the MODIFY command line, the DISUSER flag is disabled (by specifying NODISUSER) to allow access to the account.
     The EXTAUTH flag causes the system to consider the user as authenticated by an external user name and password, not by the SYSUAF user name and password.

     The record that results from these commands and an explanation of the restrictions the record imposes appear in the description of the SHOW command.

2 /IDENTIFIER

! Adds only an identifier to the rights database. It does not add a
! user account.

   Adds an identifier to the rights database, RIGHTSLIST.DAT. The ADD/IDENTIFIER command does not add a user account to the authorization file, SYSUAF.

   The ADD/ADD_IDENTIFIER command, however, adds a user account to the authorization file, SYSUAF, and also adds an identifier to the rights database, RIGHTSLIST.DAT.

   Format

      ADD/IDENTIFIER [id-name]

3 Parameter

id-name

   Specifies the name of the identifier to be added to the rights database. If you omit the name, you must specify the /USER qualifier. The identifier name is a string of 1 to 32 alphanumeric characters. The name can contain underscores and dollar signs. It must contain at least one nonnumeric character.

3 Qualifiers

/ATTRIBUTES

      /ATTRIBUTES=(keyword[,...])

   Specifies attributes to be associated with the new identifier. The following keywords are valid:

   DYNAMIC              Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST.
   HOLDER_HIDDEN        Prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves.
   NAME_HIDDEN          Allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the identifier.
   NOACCESS             Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects.
                        This attribute is a modifier for an identifier with the Resource or Subsystem attribute.
   RESOURCE             Allows holders of an identifier to charge disk space to the identifier. Used only for file objects.
   SUBSYSTEM            Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.

   By default, none of these attributes is associated with the new identifier.

/USER

      /USER=user-spec

   Scans the UAF record for the specified user and creates the corresponding identifier. Specify user-spec by user name or UIC. You can use the asterisk wildcard to specify multiple user names or UICs. Full use of the asterisk and percent wildcards is permitted for user names; UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard user name specification (*) creates identifiers alphabetically by user name; a wildcard UIC specification ([*,*]) creates them in numerical order by UIC.

/VALUE

      /VALUE=value-specifier

   Specifies the value to be attached to the identifier. The following formats are valid for the value-specifier:

   IDENTIFIER:n         An integer value in the range of 65,536 to 268,435,455. You can also specify the value in hexadecimal (precede the value with %X) or octal (precede the value with %O).
                        The system displays this type of identifier in hexadecimal. To differentiate general identifiers from UIC identifiers, the system adds %X80000000 to the value you specify.
   GID:n                GID is the POSIX group identifier. It is an integer value in the range 0 to 16,777,215 (%XFFFFFF). The system will add %XA400.0000 to the value you specify and then enter this new value into the system RIGHTSLIST as an identifier.
   UIC:uic              A UIC value in standard UIC format consists of a member name and, optionally, a group name enclosed in brackets. For example, [360,031].
                        In numeric UICs, the group number is an octal number in the range of 1 to 37776; the member
                        number is an octal number in the range of 0 to 177776. You can omit leading zeros when you are specifying group and member numbers.
                        Regardless of the UIC format you use, the system translates a UIC to a 32-bit numeric value.
                        Alphanumeric UICs are not allowed.

   Typically, system managers add identifiers as UIC values to represent system users; the system applies identifiers in integer format to system resources.

3 Examples

   1.UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
     %UAF-I-RDBADDMSGU, identifier INVENTORY value: [000300,000011] added to RIGHTSLIST.DAT

     The command in this example adds an identifier named INVENTORY to the rights database. By default, the identifier is not marked as a resource.

   2.UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) -
     _/VALUE=IDENTIFIER:%X80011 PAYROLL
     %UAF-I-RDBADDMSGU, identifier PAYROLL value: %X80080011 added to RIGHTSLIST.DAT

     This command adds the identifier PAYROLL and marks it as a resource. To differentiate identifiers with integer values from identifiers with UIC values, %X80000000 is added to the specified code.

2 /PROXY

   Adds an entry to the network proxy authorization files, NETPROXY.DAT and NET$PROXY.DAT, and signals DECnet to update its volatile database. Proxy additions take effect immediately on all nodes in a cluster that share the proxy database.

   Format

      ADD/PROXY node::remote-user local-user[,...]

3 Parameters

node

   Specifies a DECnet node name. If you provide a wildcard character (*), the specified remote user on all nodes is served by the account defined as local-user.

remote-user

   Specifies the user name of a user at a remote node. If you specify an asterisk, all users at the specified node are served by the local user.

   For systems that are not OpenVMS and that implement DECnet, specifies the UIC of a user at a remote node. You can specify a wildcard character (*) in the group and member fields of the UIC.

local-user

   Specifies the user names of 1 to 16 users on the local node.
   If you specify an asterisk, a local-user name equal to remote-user name will be used.

3 Positional_Quals.

/DEFAULT

   Establishes the specified user name as the default proxy account. The remote user can request proxy access to an authorized account other than the default proxy account by specifying the name of the proxy account in the access control string of the network operation.

3 Examples

   1.UAF> ADD/PROXY SAMPLE::WALTER ROBIN/DEFAULT
     %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

     Specifies that user WALTER on remote node SAMPLE has proxy access to user ROBIN's account on local node AXEL. Through proxy login, WALTER receives the default privileges of user ROBIN when he accesses node AXEL remotely.

   2.UAF> ADD/PROXY MISHA::* MARCO/DEFAULT, OSCAR
     %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

     Specifies that any user on the remote node MISHA can, by default, use the MARCO account on the local node for DECnet tasks such as remote file access. Remote users can also access the OSCAR proxy account by specifying the user name OSCAR in the access control string.

   3.UAF> ADD/PROXY MISHA::MARCO */DEFAULT
     %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

     Specifies that user MARCO on the remote node MISHA can use only the MARCO account on the local node for remote file access.

   4.UAF> ADD/PROXY TAO::MARTIN MARTIN/D,SALES_READER
     %UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to MARTIN added
     %UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to SALES_READER added

     Adds a proxy from TAO::MARTIN to the local accounts MARTIN (the default) and SALES_READER on a system running DECnet-Plus.

1 COPY

   Creates a new SYSUAF record that duplicates an existing UAF record.

   Format

      COPY oldusername newusername

2 Parameters

oldusername

   Name of an existing user record to serve as a template for the new record.

newusername

   Name for the new user record. The user name is a string of 1 to 12 alphanumeric characters.
2 Qualifiers

/ACCESS

      /ACCESS[=(range[,...])]
      /NOACCESS[=(range[,...])]

   Specifies hours of access for all modes of access. The syntax for specifying the range is:

      UAF> /[NO]ACCESS=([PRIMARY],[n-m],[n],[,...],[SECONDARY],[n-m],[n],[,...])

   Specify hours as integers from 0 to 23, inclusive. You can specify single hours (n) or ranges of hours (n-m). If the ending hour of a range is earlier than the starting hour, the range extends from the starting hour through midnight to the ending hour. The first set of hours after the keyword PRIMARY specifies hours on primary days; the second set of hours after the keyword SECONDARY specifies hours on secondary days. Note that hours are inclusive; that is, if you grant access during a given hour, access extends to the end of that hour.

   By default, a user has full access every day. See the DCL command SET DAY in the VSI OpenVMS DCL Dictionary for information about overriding the defaults for primary and secondary day types.

   All the list elements are optional. Unless you specify hours for a day type, access is permitted for the entire day. By specifying an access time, you prevent access at all other times. Adding NO to the qualifier denies the user access to the system for the specified period of time. See the following examples.

   /ACCESS                                       Allows unrestricted access
   /NOACCESS=SECONDARY                           Allows access on primary days only
   /ACCESS=(9-17)                                Allows access from 9 A.M. to 5:59 P.M. on all days
   /NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8)    Disallows access between 9 A.M. to 5:59 P.M. on primary days but allows access during these hours on secondary days

   To specify access hours for specific types of access, see the /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE qualifiers.

   For information about the effects of login class restrictions, see the VSI OpenVMS Guide to System Security.

/ACCOUNT

      /ACCOUNT=account-name

   Specifies the default name for the account (for example, a billing name or number).
The name can be a string of 1 to 8A alphanumeric characters. By default, AUTHORIZE does not assign an account name. /ADD_IDENTIFIER /ADD_IDENTIFIER (default) /NOADD_IDENTIFIERC! Adds an identifier to the rights database file, RIGHTSLIST.DAT,D! and also adds a user to the user authorization file, SYSUAF. TheA! /NOADD_IDENTIFIER qualifier does not add an identifier to theC! RIGHTSLIST.DAT file but does, however, add a user to t rhe SYSUAFD! user record file. Note that the AUTHORIZE command ADD/IDENTIFIERD! is quite different: it only adds an entry to the rights database! file, RIGHTSLIST.DAT. ? Creates an entry (user name and account name) in the rightsC database file, rightslist.dat. Also (because this is part of anB ADD command), adds a record to the authorization file, SYSUAF.9 The /NOADD_IDENTIFIER does not create an entry in theE rightslist.dat database; however, because this is ans ADD command,= a user record is added to the authorization file, SYSUAF.D The AUTHORIZE command ADD/IDENTIFIER is quite different: it only5 adds a record to the AUTHORIZE database UAF file. /ALGORITHM& /ALGORITHM=keyword=type [=value]A Sets the password encryption algorithm for a user. The keywordC VMS refers to the algorithm used in the operating system versionB that is running on your system, whereas a customer algorithm isA one that is added through the t $HASH_PASSWORD system service byB a customer site, by a layered product, or by a third party. TheC customer algorithm is identified in $HASH_PASSWORD by an integerA in the range of 128 to 255. It must correspond with the number> used in the AUTHORIZE command MODIFY/ALGORITHM. By default,A passwords are encrypted with the VMS algorithm for the current# version of the operating system. Keyword Function: BOTH Set the algorithm for primary and secondary u passwords.B CURRENT Set the algorithm for the primary, secondary, both,D or no passwords, depending on account status. CURRENT$ is the default value.? 
   PRIMARY              Set the algorithm for the primary password only.
   SECONDARY            Set the algorithm for the secondary password only.

   The following table lists password encryption algorithms:

   Type                 Definition
   VMS                  The algorithm used in the version of the operating system that is running on your system.
   CUSTOMER             A numeric value in the range of 128 to 255 that identifies a customer algorithm.

   The following example selects the VMS algorithm for Sontag's primary password:

      UAF> MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

   If you select a site-specific algorithm, you must give a value to identify the algorithm, as follows:

      UAF> MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM

      /ASTLM=value

   Specifies the AST queue limit, which is the total number of asynchronous system trap (AST) operations and scheduled wake-up requests that the user can have queued at one time. The default is 300 on Alpha and Integrity server systems.

/BATCH

      /BATCH[=(range[,...])]

   Specifies the hours of access permitted for batch jobs. For a description of the range specification, see the /ACCESS qualifier. By default, a user can submit batch jobs any time.

/BIOLM

      /BIOLM=value

   Specifies a buffered I/O count limit for the BIOLM field of the UAF record. The buffered I/O count limit is the maximum number of buffered I/O operations, such as terminal I/O, that can be outstanding at one time. The default is 150 on Alpha and Integrity server systems.

/BYTLM

      /BYTLM=value

   Specifies the buffered I/O byte limit for the BYTLM field of the UAF record. The buffered I/O byte limit is the maximum number of bytes of nonpaged system dynamic memory that a user's job can consume at one time. Nonpaged dynamic memory is used for operations such as I/O buffering, mailboxes, and file-access windows. The default is 128,000 on Alpha and Integrity server systems.

/CLI

      /CLI=cli-name

   Specifies the name of the default command language interpreter (CLI) for the CLI field of the UAF record. The cli-name is a
   string of 1 to 31 alphanumeric characters and should be DCL, which is the default. This setting is ignored for network jobs.

/CLITABLES

      /CLITABLES=filespec

   Specifies user-defined CLI tables for the account. The filespec can contain 1 to 31 characters. The default is SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for network jobs to guarantee that the system-supplied command procedures used to implement network objects function properly.

/CPUTIME

      /CPUTIME=time

   Specifies the maximum process CPU time for the CPU field of the UAF record. The maximum process CPU time is the maximum amount of CPU time a user's process can take per session. You must specify a delta time value. For a discussion of delta time values, see the OpenVMS User's Manual. The default is 0, which means an infinite amount of time.

/DEFPRIVILEGES

      /DEFPRIVILEGES=([NO]privname[,...])

   Specifies default privileges for the user; that is, those enabled at login time. A NO prefix removes a privilege from the user. By specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier, you can disable or enable all user privileges. The default privileges are TMPMBX and NETMBX. Privname is the name of the privilege.

/DEVICE

      /DEVICE=device-name

   Specifies the name of the user's default device at login. The device-name is a string of 1 to 31 alphanumeric characters. If you omit the colon from the device-name value, AUTHORIZE appends a colon. The default device is SYS$SYSDISK.

   If you specify a logical name as the device-name (for example, DISK1: for DUA1:), you must make an entry for the logical name in the LNM$SYSTEM_TABLE in executive mode by using the DCL command DEFINE/SYSTEM/EXEC.

/DIALUP

      /DIALUP[=(range[,...])]

   Specifies hours of access permitted for dialup logins. For a description of the range specification, see the /ACCESS qualifier. The default is full access.

/DIOLM

      /DIOLM=value

   Specifies the direct I/O count limit for the DIOLM field of the UAF record.
   The direct I/O count limit is the maximum number of direct I/O operations (usually disk) that can be outstanding at one time. The default is 150 on Alpha and Integrity server systems.

/DIRECTORY

      /DIRECTORY=directory-name

   Specifies the default directory name for the DIRECTORY field of the UAF record. The directory-name can be 1 to 39 alphanumeric characters. If you do not enclose the directory name in brackets, AUTHORIZE adds the brackets for you. The default directory name is [USER].

/ENQLM

      /ENQLM=value

   Specifies the lock queue limit for the ENQLM field of the UAF record. The lock queue limit is the maximum number of locks that can be queued by the user at one time. The default is 4000 on Alpha and Integrity server systems.

/EXPIRATION

      /EXPIRATION=time (default)
      /NOEXPIRATION

   Specifies the expiration date and time of the account. The /NOEXPIRATION qualifier removes the expiration date on the account. If you do not specify an expiration time when you add a new account, AUTHORIZE copies the expiration time from the DEFAULT account. (The expiration time on the DEFAULT account is "none" by default.)

/FILLM

      /FILLM=value

   Specifies the open file limit for the FILLM field of the UAF record. The open file limit is the maximum number of files that can be open at one time, including active network logical links. The default is 128 on Alpha and Integrity server systems.

/FLAGS

      /FLAGS=([NO]option[,...])

   Specifies login flags for the user. The prefix NO clears the flag. The options are as follows:

   AUDIT                Enables or disables mandatory security auditing for a specific user. By default, the system does not audit the activities of specific users (NOAUDIT).
   AUTOLOGIN            Restricts the user to the automatic login mechanism when logging in to an account. When set, the flag disables login by any terminal that requires entry of a user name and password. The default is to require a user name and password (NOAUTOLOGIN).
   CAPTIVE              Prevents the user from changing any defaults at login, for example, /CLI or /LGICMD. It prevents the user from escaping the captive login command procedure specified by the /LGICMD qualifier and gaining access to the DCL command level. See "Guidelines for Captive Command Procedures" in the VSI OpenVMS Guide to System Security.
                        The CAPTIVE flag also establishes an environment where Ctrl/Y interrupts are initially turned off; however, command procedures can still turn on Ctrl/Y interrupts with the DCL command SET CONTROL=Y. By default, an account is not captive (NOCAPTIVE).
   DEFCLI               Restricts the user to the default command interpreter by prohibiting the use of the /CLI qualifier at login. By default, a user can choose a CLI (NODEFCLI).
   DISCTLY              Establishes an environment where Ctrl/Y interrupts are initially turned off and are invalid until a SET CONTROL=Y is encountered. This could happen in SYLOGIN.COM or in a procedure called by SYLOGIN.COM. Once a SET CONTROL=Y is executed (which requires no privilege), a user can enter a Ctrl/Y and reach the DCL prompt ($). If the intent of DISCTLY is to force execution of the login command files, then SYLOGIN.COM should issue the DCL command SET CONTROL=Y to turn on Ctrl/Y interrupts before exiting. By default, Ctrl/Y is enabled (NODISCTLY).
   DISFORCE_PWD_CHANGE  Removes the requirement that a user must change an expired password at login. By default, a person can use an expired password only once (NODISFORCE_PWD_CHANGE) and then is forced to change the password after logging in. If the user does not select a new password, the user is locked out of the system.
                        To use this feature, set a password expiration date with the /PWDLIFETIME qualifier.
   DISIMAGE             Prevents the user from executing RUN and foreign commands. By default, a user can execute RUN and foreign commands (NODISIMAGE).
   DISMAIL              Disables mail delivery to the user.
                        By default, mail delivery is enabled (NODISMAIL).
   DISNEWMAIL           Suppresses announcements of new mail at login. By default, the system announces new mail (NODISNEWMAIL).
   DISPWDDIC            Disables automatic screening of new passwords against a system dictionary. By default, passwords are automatically screened (NODISPWDDIC).
   DISPWDHIS            Disables automatic checking of new passwords against a list of the user's old passwords. By default, the system screens new passwords (NODISPWDHIS).
   DISPWDSYNCH          Suppresses synchronization of the external password for this account. See bit 9 in the SECURITY_POLICY system parameter for systemwide password synchronization control.
   DISRECONNECT         Disables automatic reconnection to an existing process when a terminal connection has been interrupted. By default, automatic reconnection is enabled (NODISRECONNECT).
   DISREPORT            Suppresses reports of the last login time, login failures, and other security reports. By default, login information is displayed (NODISREPORT).
   DISUSER              Disables the account so the user cannot log in. For example, the DEFAULT account is disabled. By default, an account is enabled (NODISUSER).
   DISWELCOME           Suppresses the welcome message (an informational message displayed during a local login). This message usually indicates the version number of the operating system that is running and the name of the node on which the user is logged in. By default, a system login message appears (NODISWELCOME).
   EXTAUTH              Considers user to be authenticated by an external user name and password, not by the SYSUAF user name and password. (The system still uses the SYSUAF record to check a user's login restrictions and quotas and to create the user's process profile.)
   GENPWD               Restricts the user to generated passwords. By default, users choose their own passwords (NOGENPWD).
   LOCKPWD              Prevents the user from changing the password for the account.
                        By default, users can change their passwords (NOLOCKPWD).
   PWD_EXPIRED          Marks a password as expired. The user cannot log in if this flag is set. The LOGINOUT.EXE image sets the flag when both of the following conditions exist: a user logs in with the DISFORCE_PWD_CHANGE flag set, and the user's password expires. A system manager can clear this flag. By default, passwords are not expired after login (NOPWD_EXPIRED).
   PWD2_EXPIRED         Marks a secondary password as expired. Users cannot log in if this flag is set. The LOGINOUT.EXE image sets the flag when both of the following conditions exist: a user logs in with the DISFORCE_PWD_CHANGE flag set, and the user's password expires. A system manager can clear this flag. By default, passwords are not set to expire after login (NOPWD2_EXPIRED).
   PWDMIX               Enables case-sensitive and extended-character passwords.
                        After PWDMIX is specified, you can then use mixed-case and extended characters in passwords. Be aware that before the PWDMIX flag is enabled, the system stores passwords in all upper-case. Therefore, until you change passwords, you must enter your pre-PWDMIX passwords in upper-case.
                        To change the password after PWDMIX is enabled:
                        o  You (the user) can use the DCL command SET PASSWORD, specifying the new mixed-case password (omitting quotation marks).
                        o  You (the system manager) can use the AUTHORIZE command MODIFY/PASSWORD, and enclose the user's new mixed-case password in quotation marks " ".
   RESTRICTED           Prevents the user from changing any defaults at login (for example, by specifying /LGICMD) and prohibits user specification of a CLI with the /CLI qualifier. The RESTRICTED flag establishes an environment where Ctrl/Y interrupts are initially turned off; however, command procedures can still turn on Ctrl/Y interrupts with the DCL command SET CONTROL=Y. Typically, this flag is used to prevent an applications user from having unrestricted access to the CLI.
                        By default, a user can change defaults (NORESTRICTED).
   VMSAUTH              Allows account to use standard (SYSUAF) authentication when the EXTAUTH flag would otherwise require external authentication. This depends on the application. An application specifies the VMS domain of interpretation when calling SYS$ACM to request standard VMS authentication for a user account that normally uses external authentication.

/GENERATE_PASSWORD

      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

   Invokes the password generator to create user passwords. Generated passwords can consist of 1 to 10 characters. Specify one of the following keywords:

   BOTH                 Generate primary and secondary passwords.
   CURRENT              Do whatever the DEFAULT account does (for example, generate primary, secondary, both, or no passwords). This is the default keyword.
   PRIMARY              Generate primary password only.
   SECONDARY            Generate secondary password only.

   When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, users are forced to change their passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

!/IDENTIFIER
! Adds an identifier to the rights database, RIGHTSLIST.DAT.
! The ADD/IDENTIFIER command does not add a user account to the
! authorization file, SYSUAF.
! The ADD/ADD_IDENTIFIER command, however, adds a user account to
! the authorization file, SYSUAF, and also adds an identifier to
! the rights database, RIGHTSLIST.DAT.

/INTERACTIVE

      /INTERACTIVE[=(range[,...])]
      /NOINTERACTIVE

   Specifies the hours of access for interactive logins. For a description of the range specification, see the /ACCESS qualifier. By default, there are no access restrictions on interactive logins.

/JTQUOTA

      /JTQUOTA=value

   Specifies the initial byte quota with which the jobwide logical name table is to be created.
   By default, the value is 4096 on Alpha and Integrity server systems.

/LGICMD

      /LGICMD=filespec

   Specifies the name of the default login command file. The file name defaults to the device specified for /DEVICE, the directory specified for /DIRECTORY, a file name of LOGIN, and a file type of .COM. If you select the defaults for all these values, the file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL

      /LOCAL[=(range[,...])]

   Specifies hours of access for interactive logins from local terminals. For a description of the range specification, see the /ACCESS qualifier. By default, there are no access restrictions on local logins.

/MAXACCTJOBS

      /MAXACCTJOBS=value

   Specifies the maximum number of batch, interactive, and detached processes that can be active at one time for all users of the same account. By default, a user has a maximum of 0, which represents an unlimited number.

/MAXDETACH

      /MAXDETACH=value

   Specifies the maximum number of detached processes with the cited user name that can be active at one time. To prevent the user from creating detached processes, specify the keyword NONE. By default, a user has a value of 0, which represents an unlimited number.

/MAXJOBS

      /MAXJOBS=value

   Specifies the maximum number of processes (interactive, batch, detached, and network) with the cited user name that can be active simultaneously. The first four network jobs are not counted. By default, a user has a maximum value of 0, which represents an unlimited number.

/NETWORK

      /NETWORK[=(range[,...])]

   Specifies hours of access for network batch jobs. For a description of how to specify the range, see the /ACCESS qualifier. By default, network logins have no access restrictions.

/OWNER

      /OWNER=owner-name

   Specifies the name of the owner of the account. You can use this name for billing purposes or similar applications. The owner name is 1 to 31 characters. No default owner name exists.
/PASSWORD

      /PASSWORD=(password1[,password2])
      /NOPASSWORD

   Specifies up to two passwords for login. Passwords can be from 0 to 32 alphanumeric characters in length. The dollar sign ($) and underscore (_) are also permitted.

   Uppercase and lowercase characters are equivalent. All lowercase characters are converted to uppercase before the password is encrypted. Avoid using the word password as the actual password.

   Use the /PASSWORD qualifier as follows:

   o  To set only the first password and clear the second, specify /PASSWORD=password.
   o  To set both the first and second password, specify /PASSWORD=(password1, password2).
   o  To change the first password without affecting the second, specify /PASSWORD=(password, "").
   o  To change the second password without affecting the first, specify /PASSWORD=("", password).
   o  To set both passwords to null, specify /NOPASSWORD.

   When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, the user is forced to change the password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

   When you create a new UAF record with the COPY command, you must specify a password.

/PBYTLM

   This flag is reserved for VSI.

/PGFLQUOTA

      /PGFLQUOTA=value

   Specifies the paging file limit. This is the maximum number of pages that the person's process can use in the system paging file. By default, the value is 256,000 pagelets on Alpha and Integrity server systems.

   If decompressing libraries, make sure to set PGFLQUOTA to twice the size of the library.

/PRCLM

      /PRCLM=value

   Specifies the subprocess creation limit. This is the maximum number of subprocesses that can exist at one time for the specified user's process. By default, the value is 8 on Alpha and Integrity server systems.

/PRIMEDAYS

      /PRIMEDAYS=([NO]day[,...])

   Defines the primary and secondary days of the week for logging in.
   Specify the days as a list separated by commas, and enclose
   the list in parentheses. To specify a secondary day, prefix the
   day with NO (for example, NOFRIDAY). To specify a primary day,
   omit the NO prefix.

   By default, primary days are Monday through Friday and secondary
   days are Saturday and Sunday. If you omit a day from the list,
   AUTHORIZE uses the default value. (For example, if you omit
   Monday from the list, AUTHORIZE defines Monday as a primary day.)

   Use the primary and secondary day definitions in conjunction with
   such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY
      /PRIORITY=value

   Specifies the default base priority. The value is an integer in
   the range of 0 to 63 on Alpha and Integrity server systems. By
   default, the value is set to 4 for timesharing users.

/PRIVILEGES
      /PRIVILEGES=([NO]privname[,...])

   Specifies which privileges the user is authorized to hold,
   although these privileges are not necessarily enabled at login.
   (The /DEFPRIVILEGES qualifier determines which ones are enabled.)
   A NO prefix removes the privilege from the user. The keyword
   NOALL disables all user privileges. Many privileges have varying
   degrees of power and potential system impact (see the VSI OpenVMS
   Guide to System Security for a detailed discussion). By default,
   a user holds TMPMBX and NETMBX privileges. Privname is the name
   of the privilege.

/PWDEXPIRED
      /PWDEXPIRED (default)
      /NOPWDEXPIRED

   Specifies the password is valid for only one login. A user must
   change a password immediately after login or be locked out of the
   system. The system warns users of password expiration. A user can
   either specify a new password, with the DCL command SET PASSWORD,
   or wait until expiration and be forced to change. By default, a
   user must change a password when first logging in to an account.
   The default is applied to the account only when the password is
   being modified.

/PWDLIFETIME
      /PWDLIFETIME=time (default)
      /NOPWDLIFETIME

   Specifies the length of time a password is valid. Specify a
   delta time value in the form [dddd-] [hh:mm:ss.cc]. For example,
   for a lifetime of 120 days, 0 hours, and 0 seconds, specify
   /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30
   minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If
   a period longer than the specified time elapses before the user
   logs in, the system displays a warning message. The password is
   marked as expired.

   To prevent a password from expiring, specify the time as NONE. By
   default, a password expires in 90 days.

/PWDMINIMUM
      /PWDMINIMUM=value

   Specifies the minimum password length in characters. Note that
   this value is enforced only by the DCL command SET PASSWORD. It
   does not prevent you from entering a password shorter than the
   minimum length when you use AUTHORIZE to create or modify an
   account. By default, a password must have at least 6 characters.
   If the value specified by the /PWDMINIMUM qualifier conflicts with
   the value used by the /GENERATE_PASSWORD qualifier or the DCL
   command SET PASSWORD/GENERATE, the operating system chooses the
   lesser value. The maximum value for generated passwords is 10.

/QUEPRIO
      /QUEPRIO=value

   Reserved for future use.

/REMOTE
      /REMOTE[=(range[,...])]

   Specifies hours during which access is permitted for interactive
   logins from network remote terminals (with the DCL command SET
   HOST). For a description of the range specification, see the
   /ACCESS qualifier. By default, remote logins have no access
   restrictions.

/SHRFILLM
      /SHRFILLM=value

   Specifies the maximum number of shared files that the user can
   have open at one time. By default, the system assigns a value of
   0, which represents an infinite number.

/TQELM

   Specifies the total number of entries in the timer queue plus the
   number of temporary common event flag clusters that the user can
   have at one time. By default, a user can have 100.

/UIC
      /UIC=value

   Specifies the user identification code (UIC). The UIC value is
   a group number in the range from 1 to 37776 (octal) and a member
   number in the range from 0 to 177776 (octal), which are separated
   by a comma and enclosed in brackets. VSI reserves group 1 and
   groups 300-377 for its own use.

   Each user must have a unique UIC. By default, the UIC value is
   [200,200].

/WSDEFAULT
      /WSDEFAULT=value

   Specifies the default working set limit. This represents the
   initial limit to the number of physical pages the process can
   use. (The user can alter the default quantity up to WSQUOTA with
   the DCL command SET WORKING_SET.) By default, a user has 4096
   pagelets on Alpha and Integrity server systems.

   The value cannot be greater than WSMAX. This quota value replaces
   smaller values of PQL_MWSDEFAULT.

/WSEXTENT
      /WSEXTENT=value

   Specifies the working set maximum. This represents the maximum
   amount of physical memory allowed to the process. The system
   provides memory to a process beyond its working set quota only
   when it has excess free pages. The additional memory is recalled
   by the system if needed.

   The value is an integer equal to or greater than WSQUOTA. By
   default, the value is 16384 pagelets on Alpha and Integrity
   server systems. The value cannot be greater than WSMAX. This
   quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA
      /WSQUOTA=value

   Specifies the working set quota. This is the maximum amount of
   physical memory a user process can lock into its working set. It
   also represents the maximum amount of swap space that the system
   reserves for this process and the maximum amount of physical
   memory that the system allows the process to consume if the
   systemwide memory demand is significant.

   The value cannot be greater than the value of WSMAX and cannot
   exceed 8,192 pagelets on Alpha and Integrity server systems. This
   quota value replaces smaller values of PQL_MWSQUOTA.

2 Examples

   1.UAF> COPY ROBIN SPARROW /PASSWORD=SP0152
     %UAF-I-COPMSG, user record copied
     %UAF-E-RDBADDERRU, unable to add SPARROW value: [000014,00006] to
     RIGHTSLIST.DAT
     -SYSTEM-F-DUPIDENT, duplicate identifier

     The command in this example adds a record for Thomas Sparrow
     that is identical, except for the password, to that of Joseph
     Robin. Note that because the UIC value has no change, no
     identifier is added to RIGHTSLIST.DAT. AUTHORIZE issues a
     "duplicate identifier" error message.

   2.UAF> COPY ROBIN SPARROW /UIC=[200,13]/DIRECTORY=[SPARROW] -
     _/PASSWORD=THOMAS/OWNER="THOMAS SPARROW"
     %UAF-I-COPMSG, user record copied
     %UAF-I-RDBADDMSGU, identifier SPARROW value: [000200,000013] added to
     RIGHTSLIST.DAT

     The command in this example adds a record for Thomas Sparrow
     that is the same as Joseph Robin's except for the UIC,
     directory name, password, and owner. Note that you could use a
     similar command to copy a template record when adding a record
     for a new user in a particular user group.

1 CREATE
2 /PROXY

   Creates and initializes the network proxy authorization files.
   The primary network proxy authorization file is NET$PROXY.DAT.
   The file NETPROXY.DAT is maintained for compatibility.

                                  NOTE

      Do not delete NETPROXY.DAT because DECnet Phase IV and many
      layered products still use it.

   Format

     CREATE/PROXY

3 Example

   UAF> CREATE/PROXY
   UAF>

   The command in this example creates and initializes the network
   proxy authorization file.

2 /RIGHTS

   Creates and initializes the rights database, RIGHTSLIST.DAT.

   Format

     CREATE/RIGHTS

3 Example

   UAF> CREATE/RIGHTS
   %UAF-E-RDBCREERR, unable to create RIGHTSLIST.DAT
   -RMS-E-FEX, file already exists, not superseded

   You can use the command in this example to create and
   initialize a new rights database. Note, however, that
   RIGHTSLIST.DAT is created automatically during the installation
   process. Thus, you must delete or rename the existing file
   before creating a new one.
   For more information about rights database management, see the
   VSI OpenVMS Guide to System Security.

1 DEFAULT

   Modifies the SYSUAF's DEFAULT record.

   Format

     DEFAULT

2 Qualifiers

/ACCESS
      /ACCESS[=(range[,...])]
      /NOACCESS[=(range[,...])]

   Specifies hours of access for all modes of access. The syntax for
   specifying the range is:

   UAF> /[NO]ACCESS=([PRIMARY],[n-m],[n],[,...],[SECONDARY],[n-m],[n],[,...])

   Specify hours as integers from 0 to 23, inclusive. You can
   specify single hours (n) or ranges of hours (n-m). If the ending
   hour of a range is earlier than the starting hour, the range
   extends from the starting hour through midnight to the ending
   hour. The first set of hours after the keyword PRIMARY specifies
   hours on primary days; the second set of hours after the keyword
   SECONDARY specifies hours on secondary days. Note that hours
   are inclusive; that is, if you grant access during a given hour,
   access extends to the end of that hour.

   By default, a user has full access every day. See the DCL command
   SET DAY in the VSI OpenVMS DCL Dictionary for information about
   overriding the defaults for primary and secondary day types.

   All the list elements are optional. Unless you specify hours for
   a day type, access is permitted for the entire day. By specifying
   an access time, you prevent access at all other times. Adding
   NO to the qualifier denies the user access to the system for the
   specified period of time. See the following examples.

   /ACCESS               Allows unrestricted access
   /NOACCESS=SECONDARY   Allows access on primary days only
   /ACCESS=(9-17)        Allows access from 9 A.M. to 5:59 P.M. on
                         all days
   /NOACCESS=(PRIMARY,   Disallows access between 9 A.M. and 5:59
   9-17, SECONDARY,      P.M. on primary days but allows access
   18-8)                 during these hours on secondary days

   To specify access hours for specific types of access, see the
   /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE
   qualifiers.

   For information about the effects of login class restrictions,
   see the VSI OpenVMS Guide to System Security.

/ACCOUNT
      /ACCOUNT=account-name

   Specifies the default name for the account (for example, a
   billing name or number). The name can be a string of 1 to 8
   alphanumeric characters. By default, AUTHORIZE does not assign
   an account name.

/ALGORITHM
      /ALGORITHM=keyword=type [=value]

   Sets the password encryption algorithm for a user. The keyword
   VMS refers to the algorithm used in the operating system version
   that is running on your system, whereas a customer algorithm is
   one that is added through the $HASH_PASSWORD system service by
   a customer site, by a layered product, or by a third party. The
   customer algorithm is identified in $HASH_PASSWORD by an integer
   in the range of 128 to 255. It must correspond with the number
   used in the AUTHORIZE command MODIFY/ALGORITHM. By default,
   passwords are encrypted with the VMS algorithm for the current
   version of the operating system.

   Keyword     Function

   BOTH        Set the algorithm for primary and secondary passwords.
   CURRENT     Set the algorithm for the primary, secondary, both,
               or no passwords, depending on account status. CURRENT
               is the default value.
   PRIMARY     Set the algorithm for the primary password only.
   SECONDARY   Set the algorithm for the secondary password only.

   The following table lists password encryption algorithms:

   Type        Definition

   VMS         The algorithm used in the version of the operating
               system that is running on your system.
   CUSTOMER    A numeric value in the range of 128 to 255 that
               identifies a customer algorithm.

   The following example selects the VMS algorithm for Sontag's
   primary password:

   UAF> MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

   If you select a site-specific algorithm, you must give a value to
   identify the algorithm, as follows:

   UAF> MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM
      /ASTLM=value

   Specifies the AST queue limit, which is the total number of
   asynchronous system trap (AST) operations and scheduled wake-up
   requests that the user can have queued at one time. The default
   is 300 on Alpha and Integrity server systems.

/BATCH
      /BATCH[=(range[,...])]

   Specifies the hours of access permitted for batch jobs. For
   a description of the range specification, see the /ACCESS
   qualifier. By default, a user can submit batch jobs any time.

/BIOLM
      /BIOLM=value

   Specifies a buffered I/O count limit for the BIOLM field of
   the UAF record. The buffered I/O count limit is the maximum
   number of buffered I/O operations, such as terminal I/O, that
   can be outstanding at one time. The default is 150 on Alpha and
   Integrity server systems.

/BYTLM
      /BYTLM=value

   Specifies the buffered I/O byte limit for the BYTLM field of the
   UAF record. The buffered I/O byte limit is the maximum number
   of bytes of nonpaged system dynamic memory that a user's job
   can consume at one time. Nonpaged dynamic memory is used for
   operations such as I/O buffering, mailboxes, and file-access
   windows. The default is 128,000 on Alpha and Integrity server
   systems.

/CLI
      /CLI=cli-name

   Specifies the name of the default command language interpreter
   (CLI) for the CLI field of the UAF record. The cli-name is a
   string of 1 to 31 alphanumeric characters and should be DCL,
   which is the default. This setting is ignored for network jobs.

/CLITABLES
      /CLITABLES=filespec

   Specifies user-defined CLI tables for the account. The
   filespec can contain 1 to 31 characters. The default is
   SYS$LIBRARY:DCLTABLES.
   Note that this setting is ignored for network jobs to guarantee
   that the system-supplied command procedures used to implement
   network objects function properly.

/CPUTIME
      /CPUTIME=time

   Specifies the maximum process CPU time for the CPU field of the
   UAF record. The maximum process CPU time is the maximum amount of
   CPU time a user's process can take per session. You must specify
   a delta time value. For a discussion of delta time values, see
   the OpenVMS User's Manual. The default is 0, which means an
   infinite amount of time.

/DEFPRIVILEGES
      /DEFPRIVILEGES=([NO]privname[,...])

   Specifies default privileges for the user; that is, those enabled
   at login time. A NO prefix removes a privilege from the user. By
   specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier,
   you can disable or enable all user privileges. The default
   privileges are TMPMBX and NETMBX. Privname is the name of the
   privilege.

/DEVICE
      /DEVICE=device-name

   Specifies the name of the user's default device at login. The
   device-name is a string of 1 to 31 alphanumeric characters. If
   you omit the colon from the device-name value, AUTHORIZE appends
   a colon. The default device is SYS$SYSDISK.

   If you specify a logical name as the device-name (for example,
   DISK1: for DUA1:), you must make an entry for the logical name in
   the LNM$SYSTEM_TABLE in executive mode by using the DCL command
   DEFINE/SYSTEM/EXEC.

/DIALUP
      /DIALUP[=(range[,...])]

   Specifies hours of access permitted for dialup logins. For
   a description of the range specification, see the /ACCESS
   qualifier. The default is full access.

/DIOLM
      /DIOLM=value

   Specifies the direct I/O count limit for the DIOLM field of the
   UAF record. The direct I/O count limit is the maximum number
   of direct I/O operations (usually disk) that can be outstanding
   at one time. The default is 150 on Alpha and Integrity server
   systems.

/DIRECTORY
      /DIRECTORY=directory-name

   Specifies the default directory name for the DIRECTORY field of
   the UAF record.
   The directory-name can be 1 to 39 alphanumeric
   characters. If you do not enclose the directory name in brackets,
   AUTHORIZE adds the brackets for you. The default directory name
   is [USER].

/ENQLM
      /ENQLM=value

   Specifies the lock queue limit for the ENQLM field of the UAF
   record. The lock queue limit is the maximum number of locks that
   can be queued by the user at one time. The default is 4000 on
   Alpha and Integrity server systems.

/EXPIRATION
      /EXPIRATION=time (default)
      /NOEXPIRATION

   Specifies the expiration date and time of the account. The
   /NOEXPIRATION qualifier removes the expiration date on the
   account. If you do not specify an expiration time when you add
   a new account, AUTHORIZE copies the expiration time from the
   DEFAULT account. (The expiration time on the DEFAULT account is
   "none" by default.)

/FILLM
      /FILLM=value

   Specifies the open file limit for the FILLM field of the UAF
   record. The open file limit is the maximum number of files that
   can be open at one time, including active network logical links.
   The default is 128 on Alpha and Integrity server systems.

/FLAGS
      /FLAGS=([NO]option[,...])

   Specifies login flags for the user. The prefix NO clears the
   flag. The options are as follows:

   AUDIT        Enables or disables mandatory security auditing for
                a specific user. By default, the system does not
                audit the activities of specific users (NOAUDIT).

   AUTOLOGIN    Restricts the user to the automatic login mechanism
                when logging in to an account. When set, the flag
                disables login by any terminal that requires entry
                of a user name and password. The default is to
                require a user name and password (NOAUTOLOGIN).

   CAPTIVE      Prevents the user from changing any defaults at
                login, for example, /CLI or /LGICMD. It prevents
                the user from escaping the captive login command
                procedure specified by the /LGICMD qualifier
                and gaining access to the DCL command level.
                See "Guidelines for Captive Command Procedures" in
                the VSI OpenVMS Guide to System Security.

                The CAPTIVE flag also establishes an environment
                where Ctrl/Y interrupts are initially turned off;
                however, command procedures can still turn on Ctrl/Y
                interrupts with the DCL command SET CONTROL=Y. By
                default, an account is not captive (NOCAPTIVE).

   DEFCLI       Restricts the user to the default command
                interpreter by prohibiting the use of the /CLI
                qualifier at login. By default, a user can choose
                a CLI (NODEFCLI).

   DISCTLY      Establishes an environment where Ctrl/Y interrupts
                are initially turned off and are invalid until a
                SET CONTROL=Y is encountered. This could happen in
                SYLOGIN.COM or in a procedure called by SYLOGIN.COM.
                Once a SET CONTROL=Y is executed (which requires
                no privilege), a user can enter a Ctrl/Y and reach
                the DCL prompt ($). If the intent of DISCTLY is
                to force execution of the login command files,
                then SYLOGIN.COM should issue the DCL command
                SET CONTROL=Y to turn on Ctrl/Y interrupts before
                exiting. By default, Ctrl/Y is enabled (NODISCTLY).

   DISFORCE_PWD_CHANGE
                Removes the requirement that a user must change an
                expired password at login. By default, a person can
                use an expired password only once
                (NODISFORCE_PWD_CHANGE) and then is forced to change
                the password after logging in. If the user does not
                select a new password, the user is locked out of the
                system.

                To use this feature, set a password expiration date
                with the /PWDLIFETIME qualifier.

   DISIMAGE     Prevents the user from executing RUN and foreign
                commands. By default, a user can execute RUN and
                foreign commands (NODISIMAGE).

   DISMAIL      Disables mail delivery to the user. By default, mail
                delivery is enabled (NODISMAIL).

   DISNEWMAIL   Suppresses announcements of new mail at login.
                By default, the system announces new mail
                (NODISNEWMAIL).

   DISPWDDIC    Disables automatic screening of new passwords
                against a system dictionary.
                By default, passwords are automatically screened
                (NODISPWDDIC).

   DISPWDHIS    Disables automatic checking of new passwords against
                a list of the user's old passwords. By default, the
                system screens new passwords (NODISPWDHIS).

   DISPWDSYNCH  Suppresses synchronization of the external password
                for this account. See bit 9 in the SECURITY_POLICY
                system parameter for systemwide password
                synchronization control.

   DISRECONNECT Disables automatic reconnection to an existing
                process when a terminal connection has been
                interrupted. By default, automatic reconnection
                is enabled (NODISRECONNECT).

   DISREPORT    Suppresses reports of the last login time, login
                failures, and other security reports. By default,
                login information is displayed (NODISREPORT).

   DISUSER      Disables the account so the user cannot log in.
                For example, the DEFAULT account is disabled. By
                default, an account is enabled (NODISUSER).

   DISWELCOME   Suppresses the welcome message (an informational
                message displayed during a local log in). This
                message usually indicates the version number of
                the operating system that is running and the name of
                the node on which the user is logged in. By default,
                a system login message appears (NODISWELCOME).

   EXTAUTH      Considers user to be authenticated by an external
                user name and password, not by the SYSUAF user name
                and password. (The system still uses the SYSUAF
                record to check a user's login restrictions and
                quotas and to create the user's process profile.)

   GENPWD       Restricts the user to generated passwords.
                By default, users choose their own passwords
                (NOGENPWD).

   LOCKPWD      Prevents the user from changing the password for
                the account. By default, users can change their
                passwords (NOLOCKPWD).

   PWD_EXPIRED  Marks a password as expired. The user cannot log in
                if this flag is set. The LOGINOUT.EXE image sets the
                flag when both of the following conditions exist: a
                user logs in with the DISFORCE_PWD_CHANGE flag set,
                and the user's password expires.
                A system manager can clear this flag. By default,
                passwords are not expired after login
                (NOPWD_EXPIRED).

   PWD2_EXPIRED Marks a secondary password as expired. Users cannot
                log in if this flag is set. The LOGINOUT.EXE image
                sets the flag when both of the following conditions
                exist: a user logs in with the DISFORCE_PWD_CHANGE
                flag set, and the user's password expires. A system
                manager can clear this flag. By default, passwords
                are not set to expire after login (NOPWD2_EXPIRED).

   PWDMIX       Enables case-sensitive and extended-character
                passwords.

                After PWDMIX is specified, you can then use mixed-
                case and extended characters in passwords. Be aware
                that before the PWDMIX flag is enabled, the system
                stores passwords in all upper-case. Therefore, until
                you change passwords, you must enter your pre-PWDMIX
                passwords in upper-case.

                To change the password after PWDMIX is enabled:

                o  You (the user) can use the DCL command SET
                   PASSWORD, specifying the new mixed-case password
                   (omitting quotation marks).

                o  You (the system manager) can use the AUTHORIZE
                   command MODIFY/PASSWORD, and enclose the user's
                   new mixed-case password in quotation marks " ".

   RESTRICTED   Prevents the user from changing any defaults at
                login (for example, by specifying /LGICMD) and
                prohibits user specification of a CLI with the
                /CLI qualifier. The RESTRICTED flag establishes
                an environment where Ctrl/Y interrupts are initially
                turned off; however, command procedures can still
                turn on Ctrl/Y interrupts with the DCL command SET
                CONTROL=Y. Typically, this flag is used to prevent
                an applications user from having unrestricted access
                to the CLI. By default, a user can change defaults
                (NORESTRICTED).

   VMSAUTH      Allows account to use standard (SYSUAF)
                authentication when the EXTAUTH flag would otherwise
                require external authentication. This depends on the
                application.
                An application specifies the VMS domain
                of interpretation when calling SYS$ACM to request
                standard VMS authentication for a user account that
                normally uses external authentication.

/GENERATE_PASSWORD
      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

   Invokes the password generator to create user passwords.
   Generated passwords can consist of 1 to 10 characters. Specify
   one of the following keywords:

   BOTH        Generate primary and secondary passwords.
   CURRENT     Do whatever the DEFAULT account does (for example,
               generate primary, secondary, both, or no passwords).
               This is the default keyword.
   PRIMARY     Generate primary password only.
   SECONDARY   Generate secondary password only.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, users are forced to change their
   passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

!/IDENTIFIER
! Adds an identifier to the rights database, RIGHTSLIST.DAT.
! The ADD/IDENTIFIER command does not add a user account to the
! authorization file, SYSUAF.
! The ADD/ADD_IDENTIFIER command, however, adds a user account to
! the authorization file, SYSUAF, and also adds an identifier to
! the rights database, RIGHTSLIST.DAT.

/INTERACTIVE
      /INTERACTIVE[=(range[,...])]
      /NOINTERACTIVE

   Specifies the hours of access for interactive logins. For
   a description of the range specification, see the /ACCESS
   qualifier. By default, there are no access restrictions on
   interactive logins.

/JTQUOTA
      /JTQUOTA=value

   Specifies the initial byte quota with which the jobwide logical
   name table is to be created. By default, the value is 4096 on
   Alpha and Integrity server systems.

/LGICMD
      /LGICMD=filespec

   Specifies the name of the default login command file.
   The file name defaults to the device specified for /DEVICE, the
   directory specified for /DIRECTORY, a file name of LOGIN, and a
   file type of .COM. If you select the defaults for all these
   values, the file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL
      /LOCAL[=(range[,...])]

   Specifies hours of access for interactive logins from local
   terminals. For a description of the range specification, see the
   /ACCESS qualifier. By default, there are no access restrictions
   on local logins.

/MAXACCTJOBS
      /MAXACCTJOBS=value

   Specifies the maximum number of batch, interactive, and detached
   processes that can be active at one time for all users of the
   same account. By default, a user has a maximum of 0, which
   represents an unlimited number.

/MAXDETACH
      /MAXDETACH=value

   Specifies the maximum number of detached processes with the cited
   user name that can be active at one time. To prevent the user
   from creating detached processes, specify the keyword NONE. By
   default, a user has a value of 0, which represents an unlimited
   number.

/MAXJOBS
      /MAXJOBS=value

   Specifies the maximum number of processes (interactive, batch,
   detached, and network) with the cited user name that can be
   active simultaneously. The first four network jobs are not
   counted. By default, a user has a maximum value of 0, which
   represents an unlimited number.

/MODIFY_IDENTIFIER
      /MODIFY_IDENTIFIER (default)
      /NOMODIFY_IDENTIFIER

   Specifies whether the identifier associated with the user is
   to be modified in the rights database. This qualifier applies
   only when you modify the UIC or user name in the UAF record. By
   default, the associated identifiers are modified.

/NETWORK
      /NETWORK[=(range[,...])]

   Specifies hours of access for network batch jobs. For a
   description of how to specify the range, see the /ACCESS
   qualifier. By default, network logins have no access
   restrictions.

/OWNER
      /OWNER=owner-name

   Specifies the name of the owner of the account.
   You can use this name for billing purposes or similar
   applications. The owner name is 1 to 31 characters. No default
   owner name exists.

/PASSWORD
      /PASSWORD=(password1[,password2])
      /NOPASSWORD

   Specifies up to two passwords for login. Passwords can be from 0
   to 32 alphanumeric characters in length. The dollar sign ($) and
   underscore (_) are also permitted.

   Uppercase and lowercase characters are equivalent. All lowercase
   characters are converted to uppercase before the password is
   encrypted. Avoid using the word password as the actual password.

   Use the /PASSWORD qualifier as follows:

   o  To set only the first password and clear the second, specify
      /PASSWORD=password.

   o  To set both the first and second password, specify
      /PASSWORD=(password1, password2).

   o  To change the first password without affecting the second,
      specify /PASSWORD=(password, "").

   o  To change the second password without affecting the first,
      specify /PASSWORD=("", password).

   o  To set both passwords to null, specify /NOPASSWORD.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, the user is forced to change the
   password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

/PBYTLM

   This flag is reserved for VSI.

/PGFLQUOTA
      /PGFLQUOTA=value

   Specifies the paging file limit. This is the maximum number of
   pages that the person's process can use in the system paging
   file. By default, the value is 256,000 pagelets on Alpha and
   Integrity server systems.

   If decompressing libraries, make sure to set PGFLQUOTA to twice
   the size of the library.

/PRCLM
      /PRCLM=value

   Specifies the subprocess creation limit. This is the maximum
   number of subprocesses that can exist at one time for the
   specified user's process. By default, the value is 8 on Alpha
   and Integrity server systems.

/PRIMEDAYS
      /PRIMEDAYS=([NO]day[,...])

   Defines the primary and secondary days of the week for logging
   in. Specify the days as a list separated by commas, and enclose
   the list in parentheses. To specify a secondary day, prefix the
   day with NO (for example, NOFRIDAY). To specify a primary day,
   omit the NO prefix.

   By default, primary days are Monday through Friday and secondary
   days are Saturday and Sunday. If you omit a day from the list,
   AUTHORIZE uses the default value. (For example, if you omit
   Monday from the list, AUTHORIZE defines Monday as a primary day.)

   Use the primary and secondary day definitions in conjunction with
   such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY
      /PRIORITY=value

   Specifies the default base priority. The value is an integer in
   the range of 0 to 63 on Alpha and Integrity server systems. By
   default, the value is set to 4 for timesharing users.

/PRIVILEGES
      /PRIVILEGES=([NO]privname[,...])

   Specifies which privileges the user is authorized to hold,
   although these privileges are not necessarily enabled at login.
   (The /DEFPRIVILEGES qualifier determines which ones are enabled.)
   A NO prefix removes the privilege from the user. The keyword
   NOALL disables all user privileges. Many privileges have varying
   degrees of power and potential system impact (see the VSI OpenVMS
   Guide to System Security for a detailed discussion). By default,
   a user holds TMPMBX and NETMBX privileges. Privname is the name
   of the privilege.

/PWDEXPIRED
      /PWDEXPIRED (default)
      /NOPWDEXPIRED

   Specifies the password is valid for only one login. A user must
   change a password immediately after login or be locked out of the
   system. The system warns users of password expiration. A user can
   either specify a new password, with the DCL command SET PASSWORD,
   or wait until expiration and be forced to change.
   By default, a user must change a password when first logging in
   to an account. The default is applied to the account only when
   the password is being modified.

/PWDLIFETIME
      /PWDLIFETIME=time (default)
      /NOPWDLIFETIME

   Specifies the length of time a password is valid. Specify a
   delta time value in the form [dddd-] [hh:mm:ss.cc]. For example,
   for a lifetime of 120 days, 0 hours, and 0 seconds, specify
   /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30
   minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If
   a period longer than the specified time elapses before the user
   logs in, the system displays a warning message. The password is
   marked as expired.

   To prevent a password from expiring, specify the time as NONE. By
   default, a password expires in 90 days.

/PWDMINIMUM
      /PWDMINIMUM=value

   Specifies the minimum password length in characters. Note that
   this value is enforced only by the DCL command SET PASSWORD. It
   does not prevent you from entering a password shorter than the
   minimum length when you use AUTHORIZE to create or modify an
   account. By default, a password must have at least 6 characters.
   If the value specified by the /PWDMINIMUM qualifier conflicts with
   the value used by the /GENERATE_PASSWORD qualifier or the DCL
   command SET PASSWORD/GENERATE, the operating system chooses the
   lesser value. The maximum value for generated passwords is 10.

/QUEPRIO
      /QUEPRIO=value

   Reserved for future use.

/REMOTE
      /REMOTE[=(range[,...])]

   Specifies hours during which access is permitted for interactive
   logins from network remote terminals (with the DCL command SET
   HOST). For a description of the range specification, see the
   /ACCESS qualifier. By default, remote logins have no access
   restrictions.

/SHRFILLM
      /SHRFILLM=value

   Specifies the maximum number of shared files that the user can
   have open at one time. By default, the system assigns a value of
   0, which represents an infinite number.
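
The hour-range rules described for /ACCESS (and reused by /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE) can be checked offline before a restriction is applied to an account. The following Python sketch is an added example, not part of AUTHORIZE or the VSI documentation; its function names are hypothetical, and it assumes a record that starts with full access and that a qualifier given without a value covers every hour of both day types.

```python
import re

ALL_HOURS = frozenset(range(24))
DAY_TYPES = ("PRIMARY", "SECONDARY")


def expand_range(token):
    """Expand 'n' or 'n-m' into the set of hours it covers (inclusive)."""
    m = re.fullmatch(r"(\d{1,2})(?:-(\d{1,2}))?", token)
    if not m:
        raise ValueError(f"not an hour or hour range: {token!r}")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) is not None else start
    if start > 23 or end > 23:
        raise ValueError(f"hours must be 0 to 23: {token!r}")
    if end >= start:
        return set(range(start, end + 1))
    # Ending hour earlier than starting hour: wrap through midnight.
    return set(range(start, 24)) | set(range(0, end + 1))


def parse_access(qualifier):
    """Return {'PRIMARY': allowed_hours, 'SECONDARY': allowed_hours}."""
    text = re.sub(r"\s+", "", qualifier).upper()
    m = re.fullmatch(r"/(NO)?ACCESS(?:=(.+))?", text)
    if not m:
        raise ValueError(f"not an /[NO]ACCESS qualifier: {qualifier!r}")
    deny = m.group(1) is not None
    body = m.group(2)
    # Assumption: with no value, the qualifier covers both day types.
    if body is None:
        tokens = list(DAY_TYPES)
    else:
        tokens = [t for t in body.strip("()").split(",") if t]

    named = {d: None for d in DAY_TYPES}  # None = day type never mentioned
    target = DAY_TYPES                    # hours before a keyword: all days
    for tok in tokens:
        if tok in named:
            target = (tok,)
            if named[tok] is None:
                named[tok] = set()
        else:
            hours = expand_range(tok)
            for day in target:
                named[day] = (named[day] or set()) | hours

    allowed = {}
    for day, hours in named.items():
        if hours is None:
            # No hours given for this day type: the entire day is permitted.
            allowed[day] = set(ALL_HOURS)
            continue
        hours = hours or set(ALL_HOURS)   # keyword alone means the whole day
        allowed[day] = set(ALL_HOURS - hours) if deny else set(hours)
    return allowed


def windows(hours):
    """Render allowed hours as clock windows; an hour n runs to n:59."""
    out, run = [], []
    for h in sorted(hours):
        if run and h != run[-1] + 1:
            out.append(f"{run[0]:02d}:00-{run[-1]:02d}:59")
            run = []
        run.append(h)
    if run:
        out.append(f"{run[0]:02d}:00-{run[-1]:02d}:59")
    return out


if __name__ == "__main__":
    # The four qualifier examples listed under /ACCESS.
    for q in ("/ACCESS", "/NOACCESS=SECONDARY", "/ACCESS=(9-17)",
              "/NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8)"):
        result = parse_access(q)
        print(q)
        for day in DAY_TYPES:
            print(f"  {day:<9} {windows(result[day]) or 'no access'}")
```

Because hours are inclusive, a restriction written as 9-17 still admits logins until 17:59, which is the detail most often missed when reviewing access windows.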
/TQELMD

   Specifies the total number of entries in the timer queue plus the
   number of temporary common event flag clusters that the user can
   have at one time. By default, a user can have 100.

/UIC

      /UIC=value

   Specifies the user identification code (UIC). The UIC value is
   a group number in the range from 1 to 37776 (octal) and a member
   number in the range from 0 to 177776 (octal), which are separated
   by a comma and enclosed in brackets. VSI reserves group 1 and
   groups 300-377 for its own use.

   Each user must have a unique UIC. By default, the UIC value is
   [200,200].

/WSDEFAULT

      /WSDEFAULT=value

   Specifies the default working set limit. This represents the
   initial limit to the number of physical pages the process can
   use. (The user can alter the default quantity up to WSQUOTA with
   the DCL command SET WORKING_SET.) By default, a user has 4096
   pagelets on Alpha and Integrity server systems.

   The value cannot be greater than WSMAX. This quota value replaces
   smaller values of PQL_MWSDEFAULT.

/WSEXTENT

      /WSEXTENT=value

   Specifies the working set maximum. This represents the maximum
   amount of physical memory allowed to the process. The system
   provides memory to a process beyond its working set quota only
   when it has excess free pages. The additional memory is recalled
   by the system if needed.

   The value is an integer equal to or greater than WSQUOTA. By
   default, the value is 16384 pagelets on Alpha and Integrity
   server systems. The value cannot be greater than WSMAX. This
   quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA

      /WSQUOTA=value

   Specifies the working set quota. This is the maximum amount of
   physical memory a user process can lock into its working set. It
   also represents the maximum amount of swap space that the system
   reserves for this process and the maximum amount of physical
   memory that the system allows the process to consume if the
   systemwide memory demand is significant.

   The value cannot be greater than the value of WSMAX and cannot
   exceed 8,192 pagelets on Alpha and Integrity server systems. This
   quota value replaces smaller values of PQL_MWSQUOTA.

2 Description

   Modify the DEFAULT record when qualifiers normally assigned to
   a new user differ from the VSI-supplied values. The following
   qualifiers correspond to fields in the default record that are
   commonly modified:

   Qualifier    Reason for Modification

   /CLI         Specifies the default Command Line Interpreter to be
                used for this user. (Most OpenVMS users use the DCL
                command interpreter.)

   /DEVICE      If most users have the same default login device,
                allows you to specify a default login device for
                newly-created users.

                The use of a logical name is recommended.

   /LGICMD      Specifies the filename of a command procedure to be
                invoked during the login of the user.

                1. OpenVMS first looks for a systemwide login command
                   procedure, using the systemwide logical name
                   SYS$SYLOGIN. If this logical name successfully
                   translates to a valid file specification, the
                   command interpreter invokes the resulting command
                   procedure during login.

                   If the file specification does not include a
                   file extension, the command interpreter applies
                   a default value that is specific to that command
                   interpreter. In the case of the DCL interpreter,
                   the default file extension is .COM.

                2. OpenVMS then looks for a LGICMD specification. If
                   it finds this specification, OpenVMS invokes the
                   command procedure.

                   If the LGICMD specification does not include a
                   file extension, the current command interpreter
                   applies a default value. In the case of the DCL
                   interpreter, the default file extension is .COM.

                You can disable or override the command procedure
                invocation during login by specifying qualifiers
                such as /NOCOMMAND or /LGICMD at the login username
                prompt.

                Also see the CAPTIVE and RESTRICTED flags.

   /PRIVILEGES  When users are given different privileges than those
                supplied by VSI.

   Quota        When the default quotas are insufficient or
   qualifiers   inappropriate for mainstream work.

2 Example

   UAF> DEFAULT /DEVICE=SYS$USER/LGICMD=SYS$MANAGER:SECURELGN -
   _UAF> /PRIVILEGES=(TMPMBX,GRPNAM,GROUP)
   %UAF-I-MDFYMSG, user record(s) updated

   The command in this example modifies the DEFAULT record,
   changing the default device, default login command file, and
   default privileges.

1 EXIT

   Enables you to exit from AUTHORIZE and return to DCL command
   level. You can also return to command level by pressing Ctrl/Z.

   Format

     EXIT

1 GRANT

2 /IDENTIFIER

   Assigns the specified identifier to the user and documents the
   user as a holder of the identifier in the rights database.

   Format

     GRANT/IDENTIFIER  id-name user-spec

3 Parameters

id-name

   Specifies the identifier name. The identifier name is a string
   of 1 to 31 alphanumeric characters that can contain underscores
   and dollar signs. The name must contain at least one nonnumeric
   character.

user-spec

   Specifies the UIC identifier that uniquely identifies the user
   on the system. This type of identifier appears in alphanumeric
   format. For example: [GROUP1,JONES].

3 Qualifier

/ATTRIBUTES

      /ATTRIBUTES=(keyword[,...])

   Specifies attributes to be associated with the identifier.
   The following are valid keywords:

   DYNAMIC        Allows unprivileged holders of the identifier to
                  remove and to restore the identifier from the
                  process rights list by using the DCL command SET
                  RIGHTS_LIST.

   HOLDER_HIDDEN  Prevents people from getting a list of users who
                  hold an identifier, unless they own the identifier
                  themselves.

   NAME_HIDDEN    Allows holders of an identifier to have it
                  translated, either from binary to ASCII or from
                  ASCII to binary, but prevents unauthorized users
                  from translating the identifier.

   NOACCESS       Makes any access rights of the identifier null
                  and void. If a user is granted an identifier with
                  the No Access attribute, that identifier has no
                  effect on the user's access rights to objects. This
                  attribute is a modifier for an identifier with the
                  Resource or Subsystem attribute.

   RESOURCE       Allows holders of an identifier to charge disk
                  space to the identifier. Used only for file
                  objects.

   SUBSYSTEM      Allows holders of the identifier to create and
                  maintain protected subsystems by assigning the
                  Subsystem ACE to the application images in the
                  subsystem. Used only for file objects.

   To remove an attribute from the identifier, add a NO prefix
   to the attribute keyword. For example, to remove the Resource
   attribute, specify /ATTRIBUTES=NORESOURCE.

3 Example

   UAF> GRANT/IDENTIFIER INVENTORY [300,015]
   %UAF-I-GRANTMSG, identifier INVENTORY granted to CRAMER

   The command in this example grants the identifier INVENTORY to
   the user named Cramer who has UIC [300,015]. Cramer becomes the
   holder of the identifier and any resources associated with it.
   The following command produces the same result:

   UAF> GRANT/IDENTIFIER INVENTORY CRAMER

1 LIST

   Writes reports for selected UAF records to a listing file,
   SYSUAF.LIS, which is placed in the current default directory.

   In the list of "Additional information available" in online help,
   the first group of qualifiers determines whether a /BRIEF or
   /FULL report is to be written to SYSUAF.LIS.
   Following these qualifiers, after "Examples," are additional
   qualifiers, some of which have their own parameters and
   qualifiers:

   o  /IDENTIFIER - creates the listing file RIGHTSLIST.LIS

   o  /PROXY - creates a listing file from the network database file,
      NET$PROXY.DAT

   o  /RIGHTS - lists identifiers held

   Format

     LIST  [user-spec]

2 Parameter

user-spec

   Specifies the user name or UIC of the requested UAF record.
   Without the user-spec parameter, AUTHORIZE lists the user records
   of all users. The asterisk (*) and percent sign (%) wildcards are
   permitted in the user name.

2 Qualifiers

/BRIEF

   Specifies that a brief report be written to SYSUAF.LIS. The
   /BRIEF qualifier is the default qualifier. SYSUAF.LIS is placed
   in the default directory.

/FULL

   Specifies that a full report be written to SYSUAF.LIS, including
   identifiers held by the user. SYSUAF.LIS is placed in the
   SYS$SYSTEM directory.

   The LIST command creates a listing file of reports for selected
   UAF records. Print the listing file, SYSUAF.LIS, with the DCL
   command PRINT.

   Specification of a user name results in a single-user report.
   Specification of the asterisk wildcard character following
   the LIST command results in reports for all users in ascending
   sequence by user name. Specification of a UIC results in reports
   for all users with that UIC. (VSI recommends that you assign each
   user a unique UIC, but if users share a UIC, the report will
   show all users with that UIC.) You can use the asterisk wildcard
   character to specify the UIC.

   The following table shows how to specify a UIC with the LIST
   command and use the asterisk wildcard character with the UIC
   specification to produce various types of reports:

   Command              Description

   LIST [14,6]          Lists a full report for the user (or users)
                        with member number 6 in group 14.

   LIST [14,*] /BRIEF   Lists a brief report for all users in group
                        14, in ascending sequence by member number.
   LIST [*,6] /BRIEF    Lists a brief report for all users with a
                        member number of 6.

   LIST [*,*] /BRIEF    Lists a brief report for all users, in
                        ascending sequence by UIC.

   Although you must provide separate UICs for each user, the LIST
   command reports users with the same UIC in the order in which
   they were added to the SYSUAF. Full reports list the details of
   the limits, privileges, login flags, and command interpreter.
   Brief reports do not include the limits, login flags, or command
   interpreter, nor do they summarize the privileges. AUTHORIZE
   never displays the password for an account.

   See the SHOW command for examples of brief and full reports.

2 Examples

   1. UAF> LIST ROBIN/FULL
      %UAF-I-LSTMSG1, writing listing file
      %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

      This command lists a full report for the user record ROBIN.

   2. UAF> LIST *
      %UAF-I-LSTMSG1, writing listing file
      %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

      This command results in brief reports for all users in
      ascending sequence by user name. Note, however, that this is
      the same result you would produce had you omitted the asterisk
      wildcard.

   3. UAF> LIST [300,*]
      %UAF-I-LSTMSG1, writing listing file
      %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

      This command lists a brief report for all user records with a
      group UIC of 300.

2 /IDENTIFIER
! Exit the file and check it into Help as UAFHELP.HLP. This help is
! internal utility help that gets checked into the [UAF] facility.

   Creates a listing file (RIGHTSLIST.LIS) in which identifier
   names, attributes, values, and holders are written.

   Format

     LIST/IDENTIFIER  [id-name]

3 Parameter

id-name

   Specifies an identifier name. You can specify the asterisk
   wildcard character (*) to list all identifiers. If you omit the
   identifier name, you must specify /USER or /VALUE.

3 Qualifiers

/BRIEF

   Specifies a brief listing in which only the identifier name,
   value, and attributes appear.
/FULL

   Specifies a full listing, in which the names of the identifier's
   holders are displayed along with the identifier's name, value,
   and attributes. The /FULL qualifier specifies the default listing
   format.

/USER

      /USER=user-spec

   Specifies one or more users whose identifiers are to be listed.
   The user-spec can be a user name or UIC. You can use the
   asterisk wildcard character (*) to specify multiple user names
   or UICs. UICs must be in the form [*,*], [n,*], [*,n], or
   [n,n]. A wildcard user name specification (*) lists identifiers
   alphabetically by user name; a wildcard UIC specification ([*,*])
   lists them numerically by UIC.

/VALUE

      /VALUE=value-specifier

   Specifies the value of the identifier to be listed. The following
   formats are valid for the value-specifier:

   IDENTIFIER:n   An integer value in the range 65,536 to
                  268,435,455. You can also specify the value
                  in hexadecimal (precede the value with %X) or
                  octal (precede the value with %O).

                  To differentiate general identifiers from UIC
                  identifiers, %X80000000 is added to the value you
                  specify.

   GID:n          GID is the POSIX group identifier. It is an
                  integer value in the range 0 to 16,777,215
                  (%XFFFFFF). The system will add %XA400.0000
                  to the value you specify and then enter this
                  new value into the system RIGHTSLIST as an
                  identifier.

   UIC:uic        A UIC value in the standard UIC format.

3 Examples

   1. UAF> LIST/IDENTIFIER INVENTORY
      %UAF-I-LSTMSG1, writing listing file
      %UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete

      The command in this example generates a full listing for the
      identifier INVENTORY, including its value (in hexadecimal),
      holders, and attributes.

   2. UAF> LIST/IDENTIFIER/USER=ANDERSON
      %UAF-I-LSTMSG1, writing listing file
      %UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete

      This command lists an identifier associated with the user
      ANDERSON, along with its value and attributes.
      Note, however, that this is the same result you would produce
      had you specified ANDERSON's UIC with the following forms of
      the command:

      UAF> LIST/IDENTIFIER/USER=[300,015]

      UAF> LIST/IDENTIFIER/VALUE=UIC:[300,015]

2 /PROXY

   Creates a listing file of the network proxy database entries from
   the network database file NET$PROXY.DAT.

   Format

     LIST/PROXY

3 Qualifiers

/OLD

   Directs AUTHORIZE to display information from the NETPROXY.DAT
   file rather than from the default file NET$PROXY.DAT.

   If someone modifies the proxy database on a cluster node that
   is not running the current OpenVMS VAX system, then you can use
   the /OLD qualifier to list the contents of the old database:
   NETPROXY.DAT.

3 Example

   UAF> LIST/PROXY/OLD
   %UAF-I-LSTMSG1, writing listing file
   %UAF-I-NETLSTMSG, listing file NETPROXY.LIS complete

   The command in this example creates a listing file of all the
   entries in the network proxy database NETPROXY.DAT.

2 /RIGHTS

   Lists identifiers held by the specified identifier or, if /USER
   is specified, all identifiers held by the specified users.

   Format

     LIST/RIGHTS  [id-name]

3 Parameter

id-name

   Specifies the name of the identifier associated with the user.
   If you omit the identifier name, you must specify the /USER
   qualifier.

3 Qualifier

/USER

      /USER=user-spec

   Specifies a user whose identifiers are to be listed. The
   user-spec can be a user name or UIC. You can use the asterisk
   wildcard character (*) to specify multiple UICs or all user names.
   UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard
   user name specification (*) or wildcard UIC specification
   ([*,*]) lists all identifiers held by users. The wildcard user
   name specification lists holders' user names alphabetically; the
   wildcard UIC specification lists them in the numerical order of
   their UICs.
3 Example

   UAF> LIST/RIGHTS PAYROLL
   %UAF-I-LSTMSG1, writing listing file
   %UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete

   The command in this example lists identifiers held by PAYROLL,
   providing PAYROLL is the name of a UIC format identifier.

1 MODIFY

   Changes values in a SYSUAF user record. Qualifiers not specified
   in the command remain unchanged.

   In the list of "Additional information available" in online
   help, the first group of qualifiers is used to modify user
   information in the authorization (UAF) file. Below this list,
   after "Examples," are three more qualifiers, some of which have
   their own parameters and qualifiers:

   o  /IDENTIFIER - modifies an identifier name, its associated value,
      or its attributes in the rights database.

   o  /PROXY - modifies an entry in the network proxy authorization
      file.

   o  /SYSTEM_PASSWORD - modifies the systemwide password.

   These qualifiers use different parameters than other MODIFY
   commands.

   Format

     MODIFY  username /qualifier[,...]

2 Parameter

username

   Specifies the name of a user in the SYSUAF. The asterisk (*) and
   percent sign (%) wildcard characters are permitted in the user
   name. When you specify a single asterisk for the user name, you
   modify the records of all users.

2 Qualifiers

/ACCESS

      /ACCESS[=(range[,...])]
      /NOACCESS[=(range[,...])]

   Specifies hours of access for all modes of access. The syntax for
   specifying the range is:

   UAF> /[NO]ACCESS=([PRIMARY],[n-m],[n],[,...],[SECONDARY],[n-m],[n],[,...])

   Specify hours as integers from 0 to 23, inclusive. You can
   specify single hours (n) or ranges of hours (n-m). If the ending
   hour of a range is earlier than the starting hour, the range
   extends from the starting hour through midnight to the ending
   hour. The first set of hours after the keyword PRIMARY specifies
   hours on primary days; the second set of hours after the keyword
   SECONDARY specifies hours on secondary days.
   Note that hours are inclusive; that is, if you grant access
   during a given hour, access extends to the end of that hour.

   By default, a user has full access every day. See the DCL command
   SET DAY in the VSI OpenVMS DCL Dictionary for information about
   overriding the defaults for primary and secondary day types.

   All the list elements are optional. Unless you specify hours for
   a day type, access is permitted for the entire day. By specifying
   an access time, you prevent access at all other times. Adding
   NO to the qualifier denies the user access to the system for the
   specified period of time. See the following examples.

   /ACCESS               Allows unrestricted access

   /NOACCESS=SECONDARY   Allows access on primary days only

   /ACCESS=(9-17)        Allows access from 9 A.M. to 5:59 P.M. on
                         all days

   /NOACCESS=(PRIMARY,   Disallows access between 9 A.M. to 5:59
   9-17, SECONDARY,      P.M. on primary days but allows access
   18-8)                 during these hours on secondary days

   To specify access hours for specific types of access, see the
   /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE
   qualifiers.

   For information about the effects of login class restrictions,
   see the VSI OpenVMS Guide to System Security.

/ACCOUNT

      /ACCOUNT=account-name

   Specifies the default name for the account (for example, a
   billing name or number). The name can be a string of 1 to 8
   alphanumeric characters. By default, AUTHORIZE does not assign
   an account name.

/ALGORITHM

      /ALGORITHM=keyword=type [=value]

   Sets the password encryption algorithm for a user. The keyword
   VMS refers to the algorithm used in the operating system version
   that is running on your system, whereas a customer algorithm is
   one that is added through the $HASH_PASSWORD system service by
   a customer site, by a layered product, or by a third party. The
   customer algorithm is identified in $HASH_PASSWORD by an integer
   in the range of 128 to 255. It must correspond with the number
   used in the AUTHORIZE command MODIFY/ALGORITHM.
   By default, passwords are encrypted with the VMS algorithm for
   the current version of the operating system.

   Keyword     Function

   BOTH        Set the algorithm for primary and secondary
               passwords.

   CURRENT     Set the algorithm for the primary, secondary, both,
               or no passwords, depending on account status. CURRENT
               is the default value.

   PRIMARY     Set the algorithm for the primary password only.

   SECONDARY   Set the algorithm for the secondary password only.

   The following table lists password encryption algorithms:

   Type        Definition

   VMS         The algorithm used in the version of the operating
               system that is running on your system.

   CUSTOMER    A numeric value in the range of 128 to 255 that
               identifies a customer algorithm.

   The following example selects the VMS algorithm for Sontag's
   primary password:

   UAF>  MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

   If you select a site-specific algorithm, you must give a value to
   identify the algorithm, as follows:

   UAF>  MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM

      /ASTLM=value

   Specifies the AST queue limit, which is the total number of
   asynchronous system trap (AST) operations and scheduled wake-up
   requests that the user can have queued at one time. The default
   is 300 on Alpha and Integrity server systems.

/BATCH

      /BATCH[=(range[,...])]

   Specifies the hours of access permitted for batch jobs. For
   a description of the range specification, see the /ACCESS
   qualifier. By default, a user can submit batch jobs any time.

/BIOLM

      /BIOLM=value

   Specifies a buffered I/O count limit for the BIOLM field of
   the UAF record. The buffered I/O count limit is the maximum
   number of buffered I/O operations, such as terminal I/O, that
   can be outstanding at one time. The default is 150 on Alpha and
   Integrity server systems.

/BYTLM

      /BYTLM=value

   Specifies the buffered I/O byte limit for the BYTLM field of the
   UAF record. The buffered I/O byte limit is the maximum number
   of bytes of nonpaged system dynamic memory that a user's job
   can consume at one time.
   Nonpaged dynamic memory is used for operations such as I/O
   buffering, mailboxes, and file-access windows. The default is
   128,000 on Alpha and Integrity server systems.

/CLI

      /CLI=cli-name

   Specifies the name of the default command language interpreter
   (CLI) for the CLI field of the UAF record. The cli-name is a
   string of 1 to 31 alphanumeric characters and should be DCL,
   which is the default. This setting is ignored for network jobs.

/CLITABLES

      /CLITABLES=filespec

   Specifies user-defined CLI tables for the account. The
   filespec can contain 1 to 31 characters. The default is
   SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for
   network jobs to guarantee that the system-supplied command
   procedures used to implement network objects function properly.

/CPUTIME

      /CPUTIME=time

   Specifies the maximum process CPU time for the CPU field of the
   UAF record. The maximum process CPU time is the maximum amount of
   CPU time a user's process can take per session. You must specify
   a delta time value. For a discussion of delta time values, see
   the OpenVMS User's Manual. The default is 0, which means an
   infinite amount of time.

/DEFPRIVILEGES

      /DEFPRIVILEGES=([NO]privname[,...])

   Specifies default privileges for the user; that is, those enabled
   at login time. A NO prefix removes a privilege from the user. By
   specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier,
   you can disable or enable all user privileges. The default
   privileges are TMPMBX and NETMBX. Privname is the name of the
   privilege.

/DEVICE

      /DEVICE=device-name

   Specifies the name of the user's default device at login. The
   device-name is a string of 1 to 31 alphanumeric characters. If
   you omit the colon from the device-name value, AUTHORIZE appends
   a colon.
   The default device is SYS$SYSDISK.

   If you specify a logical name as the device-name (for example,
   DISK1: for DUA1:), you must make an entry for the logical name in
   the LNM$SYSTEM_TABLE in executive mode by using the DCL command
   DEFINE/SYSTEM/EXEC.

/DIALUP

      /DIALUP[=(range[,...])]

   Specifies hours of access permitted for dialup logins. For
   a description of the range specification, see the /ACCESS
   qualifier. The default is full access.

/DIOLM

      /DIOLM=value

   Specifies the direct I/O count limit for the DIOLM field of the
   UAF record. The direct I/O count limit is the maximum number
   of direct I/O operations (usually disk) that can be outstanding
   at one time. The default is 150 on Alpha and Integrity server
   systems.

/DIRECTORY

      /DIRECTORY=directory-name

   Specifies the default directory name for the DIRECTORY field of
   the UAF record. The directory-name can be 1 to 39 alphanumeric
   characters. If you do not enclose the directory name in brackets,
   AUTHORIZE adds the brackets for you. The default directory name
   is [USER].

/ENQLM

      /ENQLM=value

   Specifies the lock queue limit for the ENQLM field of the UAF
   record. The lock queue limit is the maximum number of locks that
   can be queued by the user at one time. The default is 4000 on
   Alpha and Integrity server systems.

/EXPIRATION

      /EXPIRATION=time (default)
      /NOEXPIRATION

   Specifies the expiration date and time of the account. The
   /NOEXPIRATION qualifier removes the expiration date on the
   account. If you do not specify an expiration time when you add
   a new account, AUTHORIZE copies the expiration time from the
   DEFAULT account. (The expiration time on the DEFAULT account is
   "none" by default.)

/FILLM

      /FILLM=value

   Specifies the open file limit for the FILLM field of the UAF
   record. The open file limit is the maximum number of files that
   can be open at one time, including active network logical links.
   The default is 128 on Alpha and Integrity server systems.

/FLAGS

      /FLAGS=([NO]option[,...])
   Specifies login flags for the user. The prefix NO clears the
   flag. The options are as follows:

   AUDIT         Enables or disables mandatory security auditing for
                 a specific user. By default, the system does not
                 audit the activities of specific users (NOAUDIT).

   AUTOLOGIN     Restricts the user to the automatic login mechanism
                 when logging in to an account. When set, the flag
                 disables login by any terminal that requires entry
                 of a user name and password. The default is to
                 require a user name and password (NOAUTOLOGIN).

   CAPTIVE       Prevents the user from changing any defaults at
                 login, for example, /CLI or /LGICMD. It prevents
                 the user from escaping the captive login command
                 procedure specified by the /LGICMD qualifier
                 and gaining access to the DCL command level. See
                 "Guidelines for Captive Command Procedures" in the
                 VSI OpenVMS Guide to System Security.

                 The CAPTIVE flag also establishes an environment
                 where Ctrl/Y interrupts are initially turned off;
                 however, command procedures can still turn on Ctrl/Y
                 interrupts with the DCL command SET CONTROL=Y. By
                 default, an account is not captive (NOCAPTIVE).

   DEFCLI        Restricts the user to the default command
                 interpreter by prohibiting the use of the /CLI
                 qualifier at login. By default, a user can choose
                 a CLI (NODEFCLI).

   DISCTLY       Establishes an environment where Ctrl/Y interrupts
                 are initially turned off and are invalid until a
                 SET CONTROL=Y is encountered. This could happen in
                 SYLOGIN.COM or in a procedure called by SYLOGIN.COM.
                 Once a SET CONTROL=Y is executed (which requires
                 no privilege), a user can enter a Ctrl/Y and reach
                 the DCL prompt ($). If the intent of DISCTLY is
                 to force execution of the login command files,
                 then SYLOGIN.COM should issue the DCL command
                 SET CONTROL=Y to turn on Ctrl/Y interrupts before
                 exiting. By default, Ctrl/Y is enabled (NODISCTLY).

   DISFORCE_PWD_CHANGE
                 Removes the requirement that a user must change an
                 expired password at login.
                 By default, a person can use an expired password
                 only once (NODISFORCE_PWD_CHANGE) and then is forced
                 to change the password after logging in. If the user
                 does not select a new password, the user is locked
                 out of the system.

                 To use this feature, set a password expiration date
                 with the /PWDLIFETIME qualifier.

   DISIMAGE      Prevents the user from executing RUN and foreign
                 commands. By default, a user can execute RUN and
                 foreign commands (NODISIMAGE).

   DISMAIL       Disables mail delivery to the user. By default, mail
                 delivery is enabled (NODISMAIL).

   DISNEWMAIL    Suppresses announcements of new mail at login.
                 By default, the system announces new mail
                 (NODISNEWMAIL).

   DISPWDDIC     Disables automatic screening of new passwords
                 against a system dictionary. By default, passwords
                 are automatically screened (NODISPWDDIC).

   DISPWDHIS     Disables automatic checking of new passwords against
                 a list of the user's old passwords. By default, the
                 system screens new passwords (NODISPWDHIS).

   DISPWDSYNCH   Suppresses synchronization of the external password
                 for this account. See bit 9 in the SECURITY_POLICY
                 system parameter for systemwide password
                 synchronization control.

   DISRECONNECT  Disables automatic reconnection to an existing
                 process when a terminal connection has been
                 interrupted. By default, automatic reconnection
                 is enabled (NODISRECONNECT).

   DISREPORT     Suppresses reports of the last login time, login
                 failures, and other security reports. By default,
                 login information is displayed (NODISREPORT).

   DISUSER       Disables the account so the user cannot log in.
                 For example, the DEFAULT account is disabled. By
                 default, an account is enabled (NODISUSER).

   DISWELCOME    Suppresses the welcome message (an informational
                 message displayed during a local login). This
                 message usually indicates the version number of
                 the operating system that is running and the name of
                 the node on which the user is logged in. By default,
By default,> a system login message appears (NODISWELCOME).A EXTAUTH Considers user t ,o be authenticated by an externalC user name and password, not by the SYSUAF user name? and password. (The system still uses the SYSUAF? record to check a user's login restrictions andA quotas and to create the user's process profile.): GENPWD Restricts the user to generated passwords.< By default, users choose their own passwords (NOGENPWD).@ LOCKPWD Prevents the user from chang -ing the password for? the account. By default, users can change their& passwords (NOLOCKPWD).C PWD_EXPIRED Marks a password as expired. The user cannot log inD if this flag is set. The LOGINOUT.EXE image sets theC flag when both of the following conditions exist: aC user logs in with the DISFORCE_PWD_CHANGE flag set,A and the user's password expires. A system managerB can clear th .is flag. By default, passwords are not4 expired after login (NOPWD_EXPIRED).C PWD2_ Marks a secondary password as expired. Users cannotB EXPIRED log in if this flag is set. The LOGINOUT.EXE imageC sets the flag when both of the following conditionsB exist: a user logs in with the DISFORCE_PWD_CHANGEC flag set, and the user's password expires. A systemB manager can clear this flag. By default, passwor /dsC are not set to expire after login (NOPWD2_EXPIRED).= PWDMIX Enables case-sensitive and extended-character passwords.B After PWDMIX is specified, you can then use mixed-C case and extended characters in passwords. Be awareB that before the PWDMIX flag is enabled, the systemD stores passwords in all upper-case. Therefore, untilD you change passwords, you must enter your pr 0e-PWDMIX( passwords in upper-case.? To change the password after PWDMIX is enabled:= o You (the user) can use the DCL command SETC PASSWORD, specifying the new mixed-case password. (omitting quotation marks).A o You (the system manager) can use the AUTHORIZEB command MODIFY/PASSWORD, and enclose the user'sB new mixed-case password in quotation marks " 1".? 
   RESTRICTED    Prevents the user from changing any defaults at
                 login (for example, by specifying /LGICMD) and
                 prohibits user specification of a CLI with the
                 /CLI qualifier. The RESTRICTED flag establishes
                 an environment where Ctrl/Y interrupts are initially
                 turned off; however, command procedures can still
                 turn on Ctrl/Y interrupts with the DCL command SET
                 CONTROL=Y. Typically, this flag is used to prevent
                 an applications user from having unrestricted access
                 to the CLI. By default, a user can change defaults
                 (NORESTRICTED).

   VMSAUTH       Allows account to use standard (SYSUAF)
                 authentication when the EXTAUTH flag would otherwise
                 require external authentication. This depends on the
                 application. An application specifies the VMS domain
                 of interpretation when calling SYS$ACM to request
                 standard VMS authentication for a user account that
                 normally uses external authentication.

/GENERATE_PASSWORD

      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

   Invokes the password generator to create user passwords.
   Generated passwords can consist of 1 to 10 characters. Specify
   one of the following keywords:

   BOTH        Generate primary and secondary passwords.

   CURRENT     Do whatever the DEFAULT account does (for example,
               generate primary, secondary, both, or no passwords).
               This is the default keyword.

   PRIMARY     Generate primary password only.

   SECONDARY   Generate secondary password only.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, users are forced to change their
   passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

!/IDENTIFIER
! Adds an identifier to the rights database, RIGHTSLIST.DAT.
! The ADD/IDENTIFIER command does not add a user account to the
! authorization file, SYSUAF.
! The ADD/ADD_IDENTIFIER command, however, adds a user account to
!   the authorization file, SYSUAF, and also adds an identifier to
!   the rights database, RIGHTSLIST.DAT.

/INTERACTIVE

      /INTERACTIVE[=(range[,...])]
      /NOINTERACTIVE

   Specifies the hours of access for interactive logins. For
   a description of the range specification, see the /ACCESS
   qualifier. By default, there are no access restrictions on
   interactive logins.

/JTQUOTA

      /JTQUOTA=value

   Specifies the initial byte quota with which the jobwide logical
   name table is to be created. By default, the value is 4096 on
   Alpha and Integrity server systems.

/LGICMD

      /LGICMD=filespec

   Specifies the name of the default login command file. The file
   name defaults to the device specified for /DEVICE, the directory
   specified for /DIRECTORY, a file name of LOGIN, and a file type
   of .COM. If you select the defaults for all these values, the
   file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL

      /LOCAL[=(range[,...])]

   Specifies hours of access for interactive logins from local
   terminals. For a description of the range specification, see the
   /ACCESS qualifier. By default, there are no access restrictions
   on local logins.

/MAXACCTJOBS

      /MAXACCTJOBS=value

   Specifies the maximum number of batch, interactive, and detached
   processes that can be active at one time for all users of the
   same account. By default, a user has a maximum of 0, which
   represents an unlimited number.

/MAXDETACH

      /MAXDETACH=value

   Specifies the maximum number of detached processes with the cited
   user name that can be active at one time. To prevent the user
   from creating detached processes, specify the keyword NONE. By
   default, a user has a value of 0, which represents an unlimited
   number.

/MAXJOBS

      /MAXJOBS=value

   Specifies the maximum number of processes (interactive, batch,
   detached, and network) with the cited user name that can be
   active simultaneously. The first four network jobs are not
   counted. By default, a user has a maximum value of 0, which
   represents an unlimited number.

/MODIFY_IDENTIFIER

      /MODIFY_IDENTIFIER (default)
      /NOMODIFY_IDENTIFIER

   Specifies whether the identifier associated with the user is
   to be modified in the rights database. This qualifier applies
   only when you modify the UIC or user name in the UAF record. By
   default, the associated identifiers are modified.

/NETWORK

      /NETWORK[=(range[,...])]

   Specifies hours of access for network batch jobs. For a
   description of how to specify the range, see the /ACCESS
   qualifier. By default, network logins have no access
   restrictions.

/OWNER

      /OWNER=owner-name

   Specifies the name of the owner of the account. You can use this
   name for billing purposes or similar applications. The owner name
   is 1 to 31 characters. No default owner name exists.

/PASSWORD

      /PASSWORD=(password1[,password2])
      /NOPASSWORD

   Specifies up to two passwords for login. Passwords can be from 0
   to 32 alphanumeric characters in length. The dollar sign ($) and
   underscore (_) are also permitted.

   Uppercase and lowercase characters are equivalent. All lowercase
   characters are converted to uppercase before the password is
   encrypted. Avoid using the word password as the actual password.

   Use the /PASSWORD qualifier as follows:

   o  To set only the first password and clear the second, specify
      /PASSWORD=password.

   o  To set both the first and second password, specify
      /PASSWORD=(password1, password2).

   o  To change the first password without affecting the second,
      specify /PASSWORD=(password, "").

   o  To change the second password without affecting the first,
      specify /PASSWORD=("", password).

   o  To set both passwords to null, specify /NOPASSWORD.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, the user is forced to change the
   password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

/PBYTLM

   This flag is reserved for VSI.

/PGFLQUOTA

      /PGFLQUOTA=value

   Specifies the paging file limit. This is the maximum number of
   pages that the person's process can use in the system paging
   file. By default, the value is 256,000 pagelets on Alpha and
   Integrity server systems.

   If decompressing libraries, make sure to set PGFLQUOTA to twice
   the size of the library.

/PRCLM

      /PRCLM=value

   Specifies the subprocess creation limit. This is the maximum
   number of subprocesses that can exist at one time for the
   specified user's process. By default, the value is 8 on Alpha
   and Integrity server systems.

/PRIMEDAYS

      /PRIMEDAYS=([NO]day[,...])

   Defines the primary and secondary days of the week for logging
   in. Specify the days as a list separated by commas, and enclose
   the list in parentheses. To specify a secondary day, prefix the
   day with NO (for example, NOFRIDAY). To specify a primary day,
   omit the NO prefix.

   By default, primary days are Monday through Friday and secondary
   days are Saturday and Sunday. If you omit a day from the list,
   AUTHORIZE uses the default value. (For example, if you omit
   Monday from the list, AUTHORIZE defines Monday as a primary day.)

   Use the primary and secondary day definitions in conjunction with
   such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY

      /PRIORITY=value

   Specifies the default base priority. The value is an integer in
   the range of 0 to 63 on Alpha and Integrity server systems. By
   default, the value is set to 4 for timesharing users.

/PRIVILEGES

      /PRIVILEGES=([NO]privname[,...])

   Specifies which privileges the user is authorized to hold,
   although these privileges are not necessarily enabled at login.
   (The /DEFPRIVILEGES qualifier determines which ones are enabled.)
   A NO prefix removes the privilege from the user. The keyword
   NOALL disables all user privileges. Many privileges have varying
   degrees of power and potential system impact (see the VSI OpenVMS
   Guide to System Security for a detailed discussion).
   By default, a user holds TMPMBX and NETMBX privileges. Privname
   is the name of the privilege.

/PWDEXPIRED

      /PWDEXPIRED (default)
      /NOPWDEXPIRED

   Specifies the password is valid for only one login. A user must
   change a password immediately after login or be locked out of the
   system. The system warns users of password expiration. A user can
   either specify a new password, with the DCL command SET PASSWORD,
   or wait until expiration and be forced to change. By default, a
   user must change a password when first logging in to an account.
   The default is applied to the account only when the password is
   being modified.

/PWDLIFETIME

      /PWDLIFETIME=time (default)
      /NOPWDLIFETIME

   Specifies the length of time a password is valid. Specify a
   delta time value in the form [dddd-] [hh:mm:ss.cc]. For example,
   for a lifetime of 120 days, 0 hours, and 0 seconds, specify
   /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30
   minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If
   a period longer than the specified time elapses before the user
   logs in, the system displays a warning message. The password is
   marked as expired.

   To prevent a password from expiring, specify the time as NONE. By
   default, a password expires in 90 days.

/PWDMINIMUM

      /PWDMINIMUM=value

   Specifies the minimum password length in characters. Note that
   this value is enforced only by the DCL command SET PASSWORD. It
   does not prevent you from entering a password shorter than the
   minimum length when you use AUTHORIZE to create or modify an
   account. By default, a password must have at least 6 characters.

   If the value specified by the /PWDMINIMUM qualifier conflicts
   with the value used by the /GENERATE_PASSWORD qualifier or the DCL
   command SET PASSWORD/GENERATE, the operating system chooses the
   lesser value. The maximum value for generated passwords is 10.

/QUEPRIO

      /QUEPRIO=value

   Reserved for future use.

/REMOTE

      /REMOTE[=(range[,...])]

   Specifies hours during which access is permitted for interactive
   logins from network remote terminals (with the DCL command SET
   HOST). For a description of the range specification, see the
   /ACCESS qualifier. By default, remote logins have no access
   restrictions.

/SHRFILLM

      /SHRFILLM=value

   Specifies the maximum number of shared files that the user can
   have open at one time. By default, the system assigns a value of
   0, which represents an infinite number.

/TQELM

   Specifies the total number of entries in the timer queue plus the
   number of temporary common event flag clusters that the user can
   have at one time. By default, a user can have 100.

/UIC

      /UIC=value

   Specifies the user identification code (UIC). The UIC value is
   a group number in the range from 1 to 37776 (octal) and a member
   number in the range from 0 to 177776 (octal), which are separated
   by a comma and enclosed in brackets. VSI reserves group 1 and
   groups 300-377 for its own use.

   Each user must have a unique UIC. By default, the UIC value is
   [200,200].

/WSDEFAULT

      /WSDEFAULT=value

   Specifies the default working set limit. This represents the
   initial limit to the number of physical pages the process can
   use. (The user can alter the default quantity up to WSQUOTA with
   the DCL command SET WORKING_SET.) By default, a user has 4096
   pagelets on Alpha and Integrity server systems.

   The value cannot be greater than WSMAX. This quota value replaces
   smaller values of PQL_MWSDEFAULT.

/WSEXTENT

      /WSEXTENT=value

   Specifies the working set maximum. This represents the maximum
   amount of physical memory allowed to the process. The system
   provides memory to a process beyond its working set quota only
   when it has excess free pages. The additional memory is recalled
   by the system if needed.

   The value is an integer equal to or greater than WSQUOTA. By
   default, the value is 16384 pagelets on Alpha and Integrity
   server systems. The value cannot be greater than WSMAX.
   This quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA

      /WSQUOTA=value

   Specifies the working set quota. This is the maximum amount of
   physical memory a user process can lock into its working set. It
   also represents the maximum amount of swap space that the system
   reserves for this process and the maximum amount of physical
   memory that the system allows the process to consume if the
   systemwide memory demand is significant.

   The value cannot be greater than the value of WSMAX and cannot
   exceed 8,192 pagelets on Alpha and Integrity server systems. This
   quota value replaces smaller values of PQL_MWSQUOTA.

2 Examples

   1. UAF> MODIFY ROBIN /PASSWORD=SP0172
      %UAF-I-MDFYMSG, user record(s) updated

      The command in this example changes the password for user ROBIN
      without altering any other values in the record.

   2. UAF> MODIFY ROBIN/FLAGS=RESTRICTED
      %UAF-I-MDFYMSG, user record(s) updated

      The command in this example modifies the UAF record for user
      ROBIN by adding the login flag RESTRICTED.

2 /IDENTIFIER

   Modifies an identifier name, its associated value, or its
   attributes in the rights database.

   Format

     MODIFY/IDENTIFIER  id-name

3 Parameter

id-name

   Specifies the name of an identifier to be modified.

3 Qualifiers

/ATTRIBUTES

      /ATTRIBUTES=(keyword[,...])

   Specifies attributes to be associated with the modified
   identifier. The following keywords are valid:

   DYNAMIC        Allows unprivileged holders of the identifier to
                  remove and to restore the identifier from the
                  process rights list by using the DCL command SET
                  RIGHTS_LIST.

   HOLDER_HIDDEN  Prevents people from getting a list of users who
                  hold an identifier, unless they own the identifier
                  themselves.

   NAME_HIDDEN    Allows holders of an identifier to have it
                  translated, either from binary to ASCII or from
                  ASCII to binary, but prevents unauthorized users
                  from translating the identifier.

   NOACCESS       Makes any access rights of the identifier null
                  and void.
                  If a user is granted an identifier with
                  the No Access attribute, that identifier has no
                  effect on the user's access rights to objects. This
                  attribute is a modifier for an identifier with the
                  Resource or Subsystem attribute.

   RESOURCE       Allows holders of an identifier to charge disk
                  space to the identifier. Used only for file
                  objects.

   SUBSYSTEM      Allows holders of the identifier to create and
                  maintain protected subsystems by assigning the
                  Subsystem ACE to the application images in the
                  subsystem. Used only for file objects.

   To remove an attribute from the identifier, add a NO prefix
   to the attribute keyword. For example, to remove the Resource
   attribute, specify /ATTRIBUTES=NORESOURCE.

                                  NOTE

      If you specify the NORESOURCE keyword without naming any
      holder with the /HOLDER qualifier, all holders lose the
      right to charge resources.

/HOLDER

      /HOLDER=username

   Specifies the holder of an identifier whose attributes are to be
   modified. The /HOLDER qualifier is used only in conjunction with
   the /ATTRIBUTES qualifier.

   If you specify /HOLDER, the /NAME and /VALUE qualifiers are
   ignored.

/NAME

      /NAME=new-id-name

   Specifies a new identifier name to be associated with the
   identifier.

/VALUE

      /VALUE=value-specifier

   Specifies a new identifier value. Note that an identifier value
   cannot be modified from a UIC to a non-UIC format or vice versa.
   The following formats are valid for the value-specifier:

   IDENTIFIER:n   An integer value in the range of 65,536 to
                  268,435,455. You can also specify the value
                  in hexadecimal (precede the value with %X) or
                  octal (precede the value with %O).

                  To differentiate general identifiers from UIC
                  identifiers, %X80000000 is added to the value you
                  specify.

   GID:n          GID is the POSIX group identifier. It is an
                  integer value in the range 0 to 16,777,215
                  (%XFFFFFF).
                  The system will add %XA400.0000
                  to the value you specify and then enter this
                  new value into the system RIGHTSLIST as an
                  identifier.

   UIC:uic        A UIC value in the standard UIC format.

3 Examples

   1. UAF> MODIFY/IDENTIFIER OLD_ID /NAME=NEW_ID
      %UAF-I-RDBMDFYMSG, identifier OLD_ID modified

      The command in this example changes the name of the OLD_ID
      identifier to NEW_ID.

   2. UAF> MODIFY/IDENTIFIER/VALUE=UIC:[300,21] ACCOUNTING
      %UAF-I-RDBMDFYMSG, identifier ACCOUNTING modified

      The command in this example changes the old UIC value of the
      identifier ACCOUNTING to a new value.

   3. UAF> MODIFY/IDENTIFIER/ATTRIBUTES=NORESOURCE -
      _UAF> /HOLDER=CRAMER ACCOUNTING
      %UAF-I-RDBMDFYMSG, identifier ACCOUNTING modified

      The command in this example associates the attribute NORESOURCE
      with the identifier ACCOUNTING in CRAMER's holder record. The
      identifier ACCOUNTING is not changed.

2 /PROXY

   Modifies an entry in the network proxy authorization file to
   specify a different local account as the default proxy account
   for the remote user or to specify no default proxy account for
   the remote user.

   The command modifies an entry in the network proxy authorization
   file NET$PROXY.DAT and, to maintain compatibility with other
   systems, modifies an entry in NETPROXY.DAT.

                                  NOTE

      You must modify the proxy database from a system running the
      current OpenVMS system.

   Format

     MODIFY/PROXY  node::remote-user

3 Parameters

node

   Specifies a node name. If you specify an asterisk wildcard
   character (*), the specified remote user on all nodes is served
   by the local user.

remote-user

   Specifies the user name of a user at a remote node. If you
   specify an asterisk wildcard character, all users at the
   specified node are served by the local user.

   For systems that are not OpenVMS systems that implement DECnet,
   specifies the UIC of a user at a remote node. You can specify an
   asterisk wildcard in the group and member fields of the UIC.

3 Qualifier

/DEFAULT

      /DEFAULT[=local-user]
      /NODEFAULT

   Designates the default user name on the local node through which
   proxy access from the remote user is directed. If /NODEFAULT is
   specified, removes the default designation.

3 Example

   UAF> MODIFY/PROXY MISHA::MARCO /DEFAULT=JOHNSON
   %UAF-I-NAFADDMSG, record successfully modified in NETPROXY.DAT

   The command in this example changes the default proxy account
   for user MARCO on the remote node MISHA to the JOHNSON account.

2 /SYSTEM_PASSWORD

   Changes the systemwide password.

                                  NOTE

      The systemwide password is different from the password for
      the SYSTEM user name. See the note in the Description.

   This command operates similarly to the DCL command SET
   PASSWORD/SYSTEM.

   Format

     MODIFY/SYSTEM_PASSWORD=system-password

3 Parameter

system-password

   Specifies the new systemwide password.

3 Example

   UAF> MODIFY/SYSTEM_PASSWORD=ABRACADABRA
   UAF>

   This command changes the systemwide password to ABRACADABRA.

1 REMOVE

   Deletes a SYSUAF user record and corresponding identifiers in
   the rights database. The DEFAULT and SYSTEM records cannot be
   deleted.

   Format

     REMOVE  username

2 Parameter

username

   Specifies the name of a user in the SYSUAF.

2 Qualifier

/REMOVE_IDENTIFIER

      /REMOVE_IDENTIFIER (default)
      /NOREMOVE_IDENTIFIER

   Specifies whether the user name and account name identifiers
   should be removed from the rights database when a record is
   removed from the UAF. If two UAF records have the same UIC, the
   user name identifier is removed only when the second record is
   deleted. Similarly, the account name identifier is removed only
   if there are no remaining UAF records with the same group as the
   deleted record.

2 Example

   UAF> REMOVE ROBIN
   %UAF-I-REMMSG, record removed from SYSUAF.DAT
   %UAF-I-RDBREMMSGU, identifier ROBIN value: [000014,000006] removed from RIGHTSLIST.DAT

   The command in this example deletes the record for user ROBIN
   from the SYSUAF and ROBIN's UIC identifier from RIGHTSLIST.DAT.

2 /IDENTIFIER

   Removes an identifier from the rights database.

   Format

     REMOVE/IDENTIFIER  id-name

3 Parameter

id-name

   Specifies the name of an identifier in the rights database.

3 Example

   UAF> REMOVE/IDENTIFIER Q1SALES
   %UAF-I-RDBREMMSGU, identifier Q1SALES value %X80010024 removed from RIGHTSLIST.DAT

   The command in this example removes the identifier Q1SALES from
   the rights database. All of its holder records are removed with
   it.

2 /PROXY

   Deletes network proxy access for the specified remote user.

   Format

     REMOVE/PROXY  node::remote-user [local-user,...]

3 Parameters

node

   Specifies the name of a network node in the network proxy
   authorization file.

remote-user

   Specifies the user name or UIC of a user on a remote node. The
   asterisk wildcard character (*) is permitted in the remote-user
   specification.

local-user

   Specifies the user name of from 1 to 16 users on the local node.
   If no local user is specified, proxy access to all local accounts
   is removed.

3 Example

   UAF> REMOVE/PROXY MISHA::MARCO
   %UAF-I-NAFREMMSG, proxy from MISHA::MARCO to * removed

   The command in this example deletes the record for MISHA::MARCO
   from the network proxy authorization file, removing all proxy
   access to the local node for user MARCO on node MISHA.

1 RENAME

   Changes the user name of the SYSUAF record (and, if specified,
   the corresponding identifier) while retaining the characteristics
   of the old record.

   Format

     RENAME  oldusername newusername

2 Parameters

oldusername

   Specifies the current user name in the SYSUAF.

newusername

   Specifies the new name for the user. It can contain 1 to 12
   alphanumeric characters and underscores. Although dollar signs
   are permitted, they are usually reserved for system names.

2 Qualifiers

/GENERATE_PASSWORD

      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

   Invokes the password generator to create user passwords.
   Generated passwords can consist of 1 to 10 characters. Specify
   one of the following keywords:

   BOTH       Generate primary and secondary passwords.
   CURRENT    Do whatever the DEFAULT account does (for example,
              generate primary, secondary, both, or no passwords).
              This is the default keyword.
   PRIMARY    Generate primary password only.
   SECONDARY  Generate secondary password only.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, users are forced to change their
   passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

/MODIFY_IDENTIFIER

      /MODIFY_IDENTIFIER (default)
      /NOMODIFY_IDENTIFIER

   Specifies whether the identifier associated with the user is
   to be modified in the rights database. This qualifier applies
   only when you modify the UIC or user name in the UAF record. By
   default, the associated identifiers are modified.

/PASSWORD

      /PASSWORD=(password1[,password2])
      /NOPASSWORD

   Specifies up to two passwords for login. Passwords can be from 0
   to 32 alphanumeric characters in length. The dollar sign ($) and
   underscore (_) are also permitted.

   Uppercase and lowercase characters are equivalent. All lowercase
   characters are converted to uppercase before the password is
   encrypted. Avoid using the word password as the actual password.

   Use the /PASSWORD qualifier as follows:

   o  To set only the first password and clear the second, specify
      /PASSWORD=password.

   o  To set both the first and second password, specify
      /PASSWORD=(password1, password2).

   o  To change the first password without affecting the second,
      specify /PASSWORD=(password, "").

   o  To change the second password without affecting the first,
      specify /PASSWORD=("", password).

   o  To set both passwords to null, specify /NOPASSWORD.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED).
   On login, the user is forced to change the
   password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

   When you create a new UAF record with the RENAME command, you
   must specify a password.

2 Examples

   1. UAF> RENAME HAWKES KRAMERDOVE/PASSWORD=MARANNKRA
      %UAF-I-PRACREN, proxies to HAWKES renamed
      %UAF-I-RENMSG, user record renamed
      %UAF-I-RDBMDFYMSG, identifier HAWKES modified

      The command in this example changes the name of the account
      Hawkes to Kramerdove, modifies the user name identifier for the
      account, and renames all proxies to the account.

   2. UAF> RENAME HAWKES KRAMERDOVE
      %UAF-I-PRACREN, proxies to HAWKES renamed
      %UAF-I-RENMSG, user record renamed
      %UAF-W-DEFPWD, Warning: copied or renamed records must receive new password
      %UAF-I-RDBMDFYMSG, identifier HAWKES modified

      This example shows the warning message that the system displays
      if you fail to specify a new password with the RENAME command.

2 /IDENTIFIER

   Renames an identifier in the rights database.

   Format

     RENAME/IDENTIFIER  current-id-name new-id-name

3 Parameters

current-id-name

   Specifies the name of an identifier to be renamed.

new-id-name

   Specifies the new name for the identifier.

3 Example

   UAF> RENAME/IDENTIFIER Q1SALES Q2SALES
   %UAF-I-RDBMDFYMSG, identifier Q1SALES modified

   The command in this example renames the identifier Q1SALES to
   Q2SALES.

1 REVOKE

2 /IDENTIFIER

   Takes an identifier away from a user.

   Format

     REVOKE/IDENTIFIER  id-name user-spec

3 Parameters

id-name

   Specifies the identifier name. The identifier name is a string of
   1 to 31 alphanumeric characters. The name can contain underscores
   and dollar signs. It must contain at least one nonnumeric
   character.

user-spec

   Specifies the UIC identifier that uniquely identifies the user
   on the system. This type of identifier appears in alphanumeric
   format, not numeric format; for example, [GROUP1,JONES].

3 Example

   UAF> REVOKE/IDENTIFIER INVENTORY CRAMER
   %UAF-I-REVOKEMSG, identifier INVENTORY revoked from CRAMER

   The command in this example revokes the identifier INVENTORY
   from the user Cramer. Cramer loses the identifier and any
   resources associated with it.

   Note that because rights identifiers are stored in numeric
   format, it is not necessary to change records for users holding
   a renamed identifier.

1 SHOW

   Displays reports for selected UAF records on the current
   SYS$OUTPUT device.

   In the list of "Additional information available" in online help,
   the first group of qualifiers selects specific UAF records for
   displayed reports.

   Following these qualifiers, after "Examples," are additional
   qualifiers, some of which have their own parameters and
   qualifiers:

   o  /IDENTIFIER - displays information about an identifier

   o  /PROXY - displays authorized proxy access for a specified
      remote user

   o  /RIGHTS - displays identifiers held by users

   Format

     SHOW  user-spec

2 Parameter

user-spec

   Specifies the user name or UIC of the requested UAF record. If
   you omit the user-spec parameter, the UAF records of all users
   are listed. The asterisk (*) and percent sign (%) wildcard
   characters are permitted in the user name.

2 Qualifiers

/BRIEF

   Specifies that a brief report be displayed. In the report, the
   Directory field displays one of the following items:

   o  Disuser - The account has been disabled.

   o  Expired - The account has expired.

   o  A device and directory name - The login device and directory
      for the account (for example, DOCD$:[SMITH]).

   If you omit the /BRIEF qualifier, AUTHORIZE displays a full
   report.

/FULL

   Specifies that a full report be displayed, including identifiers
   held by the user. Full reports include the details of the limits,
   privileges, login flags, and the command interpreter as well as
   the identifiers held by the user. The password is not listed.

/EXACT

   Controls whether the SHOW command matches the search string
   exactly or treats uppercase and lowercase letters as equivalents.
   Enclose the specified string within quotation marks (" "). Use
   /EXACT with the /PAGE=SAVE and /SEARCH qualifiers.

/HIGHLIGHT

      /HIGHLIGHT[=keyword]
      /NOHIGHLIGHT (default)

   Identifies how to display the line that contains a string once it
   is found. The following keywords are valid:

      BLINK
      BOLD (default)
      REVERSE
      UNDERLINE

   Use the /HIGHLIGHT qualifier with the /PAGE=SAVE and /SEARCH
   qualifiers.

/PAGE

      /PAGE[=keyword]
      /NOPAGE (default)

   Controls the information display on a screen. The following
   keywords are valid:

   CLEAR_SCREEN  Clear the screen before displaying the next page.
   SCROLL        Display a continuous stream of information.
   SAVE[=n]      Store information and enable the navigational keys
                 listed in Screen Control Keys. By default, the
                 command saves 5 pages. The maximum page width is
                 255 columns.

   Table 1 Screen Control Keys

   Key or Key
   Sequence         Action Taken When Key or Key Sequence Is Pressed

   DOWN ARROW KEY   Scroll the display down one line
   LEFT ARROW KEY   Scroll the display one column to the left
   RIGHT ARROW KEY  Scroll the display one column to the right
   UP ARROW KEY     Scroll the display up one line
   Find (E1)        Search for a new string in the information being
                    displayed
   Insert Here (E2) Move the display to the right by half a screen
   Remove (E3)      Move the display to the left by half a screen
   Select (E4)      Switch from 80-column displays to 132-column
                    displays
   Prev Screen (E5) Return to the previous page
   Next Screen (E6) Display the next page
   CTRL/Z           Return to the UAF> prompt
   Help             Display AUTHORIZE help text
   F16 (Do)         Switch from the oldest to the newest page
   Ctrl/W           Refresh the display

/SEARCH

      /SEARCH=string

   Used with the /PAGE=SAVE qualifier to specify a string to find in
   the information being displayed. You can dynamically change the
   search string by pressing the Find key (E1) while the information
   is being displayed.

/WRAP

      /WRAP
      /NOWRAP (default)

   Used with the /PAGE=SAVE qualifier to limit the number of columns
   to the width of the screen and wrap lines that extend beyond the
   width of the screen to the next line.

   The /NOWRAP qualifier extends lines beyond the width of the
   screen. Use the /PAGE=SAVE qualifier and the screen control keys
   listed in Screen Control Keys to view the entire screen.

   The SHOW command produces reports on user authorization records.
   You can select the reports to be displayed, as follows:

   o  To display a single-user report, specify a user name.

   o  To display reports for all users in ascending sequence by user
      name, specify an asterisk wildcard character (*).

   o  To display reports for all users with a common UIC, specify
      the UIC. Users with the same UIC are listed in the order in
      which they were added to the SYSUAF.

      You can also use the asterisk wildcard character to specify
      all or part of the UIC, as shown in the following examples:

      Command             Description

      SHOW [14,*] /BRIEF  Displays a brief report for all users in
                          group 14, in ascending sequence by member
                          number.
      SHOW [*,6] /BRIEF   Displays a brief report for all users with a
                          member number of 6.
      SHOW [*,*] /BRIEF   Displays a brief report for all users, in
                          ascending sequence by UIC.

2 Examples

   1. UAF> SHOW ROBIN

      The command in this example displays a full report for the
      user ROBIN. The display corresponds to the first example in the
      description of the ADD command. Most defaults are in effect.

      Username: ROBIN                     Owner:  JOSEPH ROBIN
      Account:  VMS                       UIC:    [14,6] ([INV,ROBIN])
      CLI:      DCL                       Tables: DCLTABLES
      Default:  SYS$USER:[ROBIN]
      LGICMD:
      Login Flags:
      Primary days:   Mon Tue Wed Thu Fri
      Secondary days:                     Sat Sun
      No access restrictions
      Expiration:   (none)    Pwdminimum:  6   Login Fails:     0
      Pwdlifetime:  (none)    Pwdchange:   15-JAN-2000 14:08
      Last Login:   (none) (interactive),  (none) (non-interactive)
      Maxjobs:         0  Fillm:       300  Bytlm:        32768
      Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
      Maxdetach:       0  BIOlm:        40  JTquota:       4096
      Prclm:           2  DIOlm:        40  WSdef:          256
      Prio:            4  ASTlm:        40  WSquo:          512
      Queprio:         0  TQElm:        10  WSextent:      1024
      CPU:        (none)  Enqlm:       200  Pgflquo:      32768
      Authorized Privileges:
        TMPMBX NETMBX
      Default Privileges:
        TMPMBX NETMBX
      Identifier           Value          Attributes
        CLASS_CA101        %X80010032     NORESOURCE NODYNAMIC
        CLASS_PY102        %X80010049     NORESOURCE NODYNAMIC

                                  NOTE

         The quotas Pbytlm and Queprio are placeholders only.

   2. UAF> SHOW [360,*] /BRIEF

      The command in this example displays a brief report for every
      user with a group UIC of 360.

      Owner        Username  UIC        Account  Privs   Pri  Default Directory
      JOHN JAMES   JAMES     [360,201]  USER     Normal    4  DOCD$:[JAMES]
      SUZY JONES   JONES     [360,203]  DOC      Devour    4  DOCD$:[JONES]
      CLIFF BROWN  BROWN     [360,021]  DOC      All       4  disuser
      JOY CARTER   CARTER    [360,005]  DOCSEC   Group     4  expired

   3. UAF> SHOW WELCH

      This command displays a full report for the restricted user
      WELCH.
      This display corresponds to the second example in the
      description of the ADD command.

      Username: WELCH                     Owner:  ROB WELCH
      Account:  INV                       UIC:    [14,51] ([14,51])
      CLI:      DCL                       Tables: DCLTABLES
      Default:  SYS$USER:[WELCH]
      LGICMD:   SECUREIN
      Login Flags:  Restricted Diswelcome Disnewmail ExtAuth
      Primary days:   Mon Tue Wed Thu Fri
      Secondary days:                     Sat Sun
      Primary   000000000011111111112222  Secondary 000000000011111111112222
      Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
      Network:  -----  No access  ------            ##### Full access ######
      Batch:    #########--------#######            ---------#########------
      Local:    #########--------#######            ---------#########------
      Dialup:   ##### Full access ######            -----  No access  ------
      Remote:   #########--------#######            ---------#########------
      Expiration:   (none)    Pwdminimum:  6   Login Fails:     0
      Pwdlifetime:  (none)    Pwdchange:   (pre-expired)
      Last Login:   (none) (interactive),  (none) (non-interactive)
      Maxjobs:         0  Fillm:       300  Bytlm:        32768
      Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
      Maxdetach:       0  BIOlm:        40  JTquota:       4096
      Prclm:           2  DIOlm:        40  WSdef:          256
      Prio:            4  ASTlm:        40  WSquo:          512
      Queprio:         4  TQElm:        10  WSextent:      1024
      CPU:        (none)  Enqlm:       200  Pgflquo:      32768
      Authorized Privileges:
        TMPMBX NETMBX
      Default Privileges:
        TMPMBX NETMBX

      Note that WELCH is a captive user who does not receive
      announcements of new mail or the welcome message when logging
      in. His login command file, SECUREIN.COM, is presumably a
      captive command file that controls all of his operations.
      (Such a command file never exits, but performs operations
      for its user and logs him out when appropriate.) The CAPTIVE
      flag prevents WELCH from escaping control of the command file
      by using Ctrl/Y or other means. Furthermore, he is restricted
      to logging in between the hours of 5:00 P.M. and 8:59 A.M. on
      weekdays and 9:00 A.M. and 5:59 P.M. on weekends. Although he
      is allowed to use dial-up lines at all times during the week,
      he is not allowed to log in over the network.
On weekends, he is further restricted so that he cannot dial in
at any time or use the DCL command SET HOST between the hours of
6:00 P.M. and 8:59 A.M.

2 /IDENTIFIER

Displays information about an identifier, such as its name,
value, attributes, and holders, on the current SYS$OUTPUT device.

Format

    SHOW/IDENTIFIER [id-name]

3 Parameter

id-name

Specifies an identifier name. The identifier name is a string of
1 to 31 alphanumeric characters. The name can contain underscores
and dollar signs. It must contain at least one nonnumeric
character. If you omit the identifier name, you must specify
/USER or /VALUE.

3 Qualifiers

/BRIEF

Specifies a brief listing in which only the identifier name,
value, and attributes are displayed. The default format is
/BRIEF.

/FULL

Specifies a full listing in which the names of the identifier's
holders are displayed along with the identifier's name, value,
and attributes.

/USER

    /USER=user-spec

Specifies one or more users whose identifiers are to be
displayed. The user-spec can be a user name or a UIC. You can
use the asterisk wildcard character (*) to specify multiple
UICs or all user names. UICs must be in the form [*,*], [n,*],
[*,n], or [n,n]. A wildcard user name specification (*)
displays identifiers alphabetically by user name; a wildcard
UIC specification ([*,*]) displays them numerically by UIC.

/VALUE

    /VALUE=value-specifier

Specifies the value of the identifier to be listed. The following
formats are valid for the value-specifier:

    IDENTIFIER:n   An integer value in the range of 65,536 to
                   268,435,455. You can also specify the value
                   in hexadecimal (precede the value with %X) or
                   octal (precede the value with %O).

                   To differentiate general identifiers from UIC
                   identifiers, %X80000000 is added to the value
                   you specify.

    GID:n          GID is the POSIX group identifier. It is an
                   integer value in the range 0 to 16,777,215
                   (%XFFFFFF).
                   The system will add %XA400.0000
                   to the value you specify and then enter this
                   new value into the system RIGHTSLIST as an
                   identifier.

    UIC:uic        A UIC value in the standard UIC format.

3 Examples

1.UAF> SHOW/IDENTIFIER/FULL INVENTORY

This command would produce output similar to the following
example:

    Name              Value           Attributes
    INVENTORY         %X80010006      NORESOURCE NODYNAMIC
      Holder                          Attributes
      ANDERSON                        NORESOURCE NODYNAMIC
      BROWN                           NORESOURCE NODYNAMIC
      CRAMER                          NORESOURCE NODYNAMIC

2.UAF> SHOW/IDENTIFIER/USER=ANDERSON

This command displays the identifier associated with the user
ANDERSON, as follows:

    Name              Value              Attributes
    ANDERSON          [000300,000015]    NORESOURCE NODYNAMIC

The identifier is shown, along with its value and attributes.
Note, however, that this is the same result you would produce
had you specified ANDERSON's UIC with the following forms of
the command:

    UAF> SHOW/IDENTIFIER/USER=[300,015]
    UAF> SHOW/IDENTIFIER/VALUE=UIC:[300,015]

2 /PROXY

Displays all authorized proxy access for the specified remote
user.

Format

    SHOW/PROXY node::remote-user

3 Parameters

node

Specifies the name of a network node in the network proxy
authorization file. The asterisk wildcard character (*) is
permitted in the node specification.

remote-user

Specifies the user name or UIC of a user on a remote node. The
asterisk wildcard character (*) is permitted in the remote-user
specification.

3 Examples

1.UAF> SHOW/PROXY SAMPLE::[200,100]

    Default proxies are flagged with an *

    SAMPLE::[200,100]
        MARCO *       PROXY2       PROXY3

The command in this example displays all authorized proxy
access for the user on node SAMPLE with a UIC of [200,100].
The default proxy account can be changed from MARCO to PROXY2
or PROXY3 with the MODIFY/PROXY command.
2.UAF> SHOW/PROXY *::*

    Default proxies are flagged with (D)

    TAO:.TWA.RANCH::MARTINEZ
        MARTINEZ (D)       SALES_READER

    UAF> show/proxy/old *::*

    Default proxies are flagged with (D)

    RANCH::MARTINEZ
        MARTINEZ (D)       SALES_READER

The command in this example displays information about local
authorized proxy access on a system running DECnet-Plus. The
first command draws information from the file NET$PROXY.DAT.
By including the /OLD qualifier on the SHOW/PROXY command,
AUTHORIZE displays information from the file NETPROXY.DAT.

2 /RIGHTS

Displays the identifiers held by the specified identifiers or, if
/USER is specified, all identifiers held by the specified users.

Format

    SHOW/RIGHTS [id-name]

3 Parameter

id-name

Specifies the name of the identifier associated with the user.
If you omit the identifier name, you must specify the /USER
qualifier.

3 Qualifier

/USER

    /USER=user-spec

Specifies one or more users whose identifiers are to be listed.
The user-spec can be a user name or a UIC. You can use the
asterisk wildcard character (*) to specify multiple UICs or all
user names. UICs must be in the form [*,*], [n,*], [*,n], or
[n,n]. A wildcard user name specification (*) or wildcard UIC
specification ([*,*]) displays all identifiers held by users.
The wildcard user name specification displays holders' user names
alphabetically; the wildcard UIC specification displays them in
the numerical order of their UICs.

3 Example

UAF> SHOW/RIGHTS ANDERSON

This command displays all identifiers held by the user
ANDERSON. For example:

    Name              Value           Attributes
    INVENTORY         %X80010006      NORESOURCE NODYNAMIC
    PAYROLL           %X80010022      NORESOURCE NODYNAMIC

Note that the following formats of the command produce the same
result:

    SHOW/RIGHTS/USER=ANDERSON
    SHOW/RIGHTS/USER=[300,015]
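
When auditing accounts, the hourly access grid shown in the SHOW WELCH example earlier in this topic can be turned into explicit login windows per access type. The Python below is an added example, not part of the OpenVMS help text; the function names are illustrative and the sample input is the grid from that listing.

```python
import re

# Sample input: the access grid from the SHOW WELCH listing in this topic.
SAMPLE = """\
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ----- No access   ------            ##### Full access ######
Batch:    #########--------#######            ---------#########------
Local:    #########--------#######            ---------#########------
Dialup:   ##### Full access ######            ----- No access   ------
Remote:   #########--------#######            ---------#########------
"""

ROW = re.compile(r"^\s*(Network|Batch|Local|Dialup|Remote):\s*(.*)$")
# A 24-column cell is either a shorthand banner or a literal #/- hour map.
CELL = re.compile(r"#+\s*Full access\s*#+|-+\s*No access\s*-+|[#-]{24}")

def cell_to_hours(cell):
    """Return the set of hours (0-23) in which login is permitted."""
    if "Full access" in cell:
        return set(range(24))
    if "No access" in cell:
        return set()
    return {h for h, c in enumerate(cell) if c == "#"}

def parse_grid(text):
    """Map access type -> {'primary': hours, 'secondary': hours}."""
    grid = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header rows and unrelated lines
        cells = CELL.findall(m.group(2))
        if len(cells) != 2:
            raise ValueError("unrecognised access row: %r" % line)
        grid[m.group(1)] = {"primary": cell_to_hours(cells[0]),
                            "secondary": cell_to_hours(cells[1])}
    return grid

def windows(hours):
    """Collapse a set of hours into (first, last) ranges, last inclusive."""
    out = []
    for h in sorted(hours):
        if out and out[-1][1] == h - 1:
            out[-1] = (out[-1][0], h)
        else:
            out.append((h, h))
    return out
```

A range such as (17, 23) means logins are accepted from 17:00 through 23:59; an empty list means that access type is closed on those days.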
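
The /VALUE formats described under SHOW/IDENTIFIER relate the number you specify to the entry in the Value column. The Python below is an added example, not part of the help text, that converts in both directions with the stated range checks; the function names are hypothetical, and accepting %X and %O prefixes for GID:n as well as IDENTIFIER:n is an assumption.

```python
import re

GENERAL_BASE = 0x80000000  # added to IDENTIFIER:n (per the help text)
GID_BASE = 0xA4000000      # added to GID:n (%XA400.0000 in the help text)
ID_RANGE = (65536, 268435455)
GID_RANGE = (0, 0xFFFFFF)

def parse_int(text):
    """Decimal by default; a %X prefix is hexadecimal, %O is octal."""
    t = text.strip().upper().replace(",", "")
    if t.startswith("%X"):
        return int(t[2:], 16)
    if t.startswith("%O"):
        return int(t[2:], 8)
    return int(t, 10)

def encode(spec):
    """Identifier value that results from IDENTIFIER:n or GID:n."""
    kind, _, arg = spec.partition(":")
    kind = kind.strip().upper()
    table = {"IDENTIFIER": (GENERAL_BASE, ID_RANGE),
             "GID": (GID_BASE, GID_RANGE)}
    if kind not in table:
        raise ValueError("unsupported value-specifier: %r" % spec)
    base, (lo, hi) = table[kind]
    n = parse_int(arg)
    if not lo <= n <= hi:
        raise ValueError("%s value %d outside %d..%d" % (kind, n, lo, hi))
    return base + n

def classify(shown):
    """Classify a Value entry such as %X80010006 or [000300,000015]."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", shown.strip())
    if m:  # UIC identifiers are displayed as octal [group,member]
        return ("UIC", (int(m.group(1), 8), int(m.group(2), 8)))
    v = parse_int(shown)
    for kind, base, (lo, hi) in (("GID", GID_BASE, GID_RANGE),
                                 ("IDENTIFIER", GENERAL_BASE, ID_RANGE)):
        if base + lo <= v <= base + hi:
            return (kind, v - base)
    return ("UNKNOWN", v)
```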