1 ADD

Adds a user record to the SYSUAF and corresponding identifiers to the
rights database.

Format

   ADD newusername

2 Parameter

newusername

Specifies the name of the user record to be included in the SYSUAF.
The newusername parameter is a string of 1 to 12 alphanumeric
characters and can contain underscores. Although dollar signs are
permitted, they are usually reserved for system names.

Avoid using fully numeric user names (for example, 89560312). A fully
numeric user name cannot receive a corresponding identifier because
fully numeric identifiers are not permitted.

2 Qualifiers

/ACCESS
   /ACCESS[=(range[,...])]

Specifies hours of access for all modes of access. The syntax for
specifying the range is:

   /[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])

Specify hours as integers from 0 to 23, inclusive. You can specify
single hours (n) or ranges of hours (n-m). If the ending hour of a
range is earlier than the starting hour, the range extends from the
starting hour through midnight to the ending hour. The first set of
hours after the keyword PRIMARY specifies hours on primary days; the
second set of hours after the keyword SECONDARY specifies hours on
secondary days. Note that hours are inclusive; that is, if you grant
access during a given hour, access extends to the end of that hour.

By default, a user has full access every day. See the DCL command
SET DAY in the OpenVMS DCL Dictionary for information on overriding
the defaults for primary and secondary day types.

All the list elements are optional. Unless you specify hours for a
day type, access is permitted for the entire day. By specifying an
access time, you prevent access at all other times. Adding NO to the
qualifier denies the user access to the system for the specified
period of time.
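
The range rules above, modelled as an added example (not part of the OpenVMS help text and not AUTHORIZE's own parser). The function names are hypothetical; a bare /NOACCESS with no list, and a bare day-type keyword under /ACCESS, are handled by assumption because the text does not describe them.

```python
# Constructed model of the /[NO]ACCESS hour rules in the help text above.
# Not OpenVMS code; function names are hypothetical.

DAY_TYPES = ("PRIMARY", "SECONDARY")
ALL_HOURS = frozenset(range(24))


def expand(item):
    """Expand 'n' or 'n-m' into hours; n-m wraps through midnight if m < n."""
    start_text, _, end_text = item.partition("-")
    start, end = int(start_text), int(end_text or start_text)
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError(f"hour outside 0-23 in {item!r}")
    hours, hour = set(), start
    while True:
        hours.add(hour)          # hours are inclusive: 17 covers 17:00-17:59
        if hour == end:
            return hours
        hour = (hour + 1) % 24


def allowed_hours(qualifier):
    """Return {'PRIMARY': hours, 'SECONDARY': hours} in which access is permitted."""
    name, _, value = qualifier.strip().partition("=")
    name = name.strip().upper()
    if name not in ("/ACCESS", "/NOACCESS"):
        raise ValueError(f"not an access qualifier: {qualifier!r}")
    negate = name == "/NOACCESS"
    tokens = [t.strip().upper() for t in value.strip("() ").split(",") if t.strip()]
    if not tokens:
        # Bare /ACCESS is unrestricted (stated in the text). Bare /NOACCESS
        # denying every hour is an assumption of this example.
        hours = set() if negate else set(ALL_HOURS)
        return {day: set(hours) for day in DAY_TYPES}

    listed = {}            # day type -> hours named for it in the list
    current = DAY_TYPES    # hours given before any keyword apply to all days
    for token in tokens:
        if token in DAY_TYPES:
            current = (token,)
            listed.setdefault(token, set())
        else:
            for day in current:
                listed.setdefault(day, set()).update(expand(token))

    result = {}
    for day in DAY_TYPES:
        if day not in listed:
            result[day] = set(ALL_HOURS)        # day type not mentioned: whole day
        else:
            # A keyword with no hours stands for the whole day, as in
            # /NOACCESS=SECONDARY; under /ACCESS this is an assumption.
            period = listed[day] or set(ALL_HOURS)
            result[day] = set(ALL_HOURS) - period if negate else period
    return result


def may_log_in(qualifier, day_type, hour):
    """True if access at `hour` (0-23) on a PRIMARY or SECONDARY day is allowed."""
    return hour in allowed_hours(qualifier)[day_type.upper()]


if __name__ == "__main__":
    # Qualifier taken from the WELCH record in this topic's ADD examples.
    spec = "/NOACCESS=(PRIMARY, 9-16, SECONDARY, 18-8)"
    for day, hours in allowed_hours(spec).items():
        print(day, sorted(hours))
```
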

Examples:

   /ACCESS              Allows unrestricted access
   /NOACCESS=SECONDARY  Allows access on primary days only
   /ACCESS=(9-17)       Allows access from 9 A.M. to 5:59 P.M. on all days
   /NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8)
                        Disallows access between 9 A.M. to 5:59 P.M. on
                        primary days but allows access during these
                        hours on secondary days

To specify access hours for specific types of access, see the /BATCH,
/DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE qualifiers.

/ACCOUNT
   /ACCOUNT=account-name

Specifies the default name for the account (for example, a billing
name or number). The name can be a string of 1 to 8 alphanumeric
characters. By default, AUTHORIZE does not assign an account name.

/ADD_IDENTIFIER
   /ADD_IDENTIFIER (default)
   /NOADD_IDENTIFIER

Adds a user (user name and account name) to the rights database. The
/NOADD_IDENTIFIER does not create a rights list identifier (user name
and account name).

/ALGORITHM
   /ALGORITHM=keyword=type [=value]

Sets the password encryption algorithm for a user. The keyword VMS
refers to the algorithm used in the operating system version that is
running on your system, whereas a customer algorithm is one that is
added through the $HASH_PASSWORD system service by a customer site, by
a layered product, or by a third party. The customer algorithm is
identified in $HASH_PASSWORD by an integer in the range of 128 to 255.
It must correspond with the number used in the AUTHORIZE command
MODIFY/ALGORITHM. By default, passwords are encrypted with the VMS
algorithm for the current version of the operating system.

   Keyword     Function

   BOTH        Set the algorithm for primary and secondary passwords.
   CURRENT     Set the algorithm for the primary, secondary, both, or
               no passwords, depending on account status. CURRENT is
               the default value.
   PRIMARY     Set the algorithm for the primary password only.
   SECONDARY   Set the algorithm for the secondary password only.

The following table lists password encryption algorithms:

   Type        Definition

   VMS         The algorithm used in the version of the operating
               system that is running on your system.
   CUSTOMER    A numeric value in the range of 128 to 255 that
               identifies a customer algorithm.

The following example selects the VMS algorithm for Sontag's primary
password:

   UAF> MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

If you select a site-specific algorithm, you must give a value to
identify the algorithm, as follows:

   UAF> MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM
   /ASTLM=value

Specifies the AST queue limit, which is the total number of
asynchronous system trap (AST) operations and scheduled wake-up
requests that the user can have queued at one time. The default is 40
on VAX systems and 250 on Alpha systems.

/BATCH
   /BATCH[=(range[,...])]

Specifies the hours of access permitted for batch jobs. For a
description of the range specification, see the /ACCESS qualifier. By
default, a user can submit batch jobs any time.

/BIOLM
   /BIOLM=value

Specifies a buffered I/O count limit for the BIOLM field of the UAF
record. The buffered I/O count limit is the maximum number of buffered
I/O operations, such as terminal I/O, that can be outstanding at one
time. The default is 40 on VAX systems and 150 on Alpha systems.

/BYTLM
   /BYTLM=value

Specifies the buffered I/O byte limit for the BYTLM field of the UAF
record. The buffered I/O byte limit is the maximum number of bytes of
nonpaged system dynamic memory that a user's job can consume at one
time. Nonpaged dynamic memory is used for operations such as I/O
buffering, mailboxes, and file-access windows. The default is 32768 on
VAX systems and 64000 on Alpha systems.

/CLI
   /CLI=cli-name

Specifies the name of the default command language interpreter (CLI)
for the CLI field of the UAF record.
The cli-name is a string of 1 to 31 alphanumeric characters and should
be either DCL or MCR. The default is DCL. This setting is ignored for
network jobs.

/CLITABLES
   /CLITABLES=filespec

Specifies user-defined CLI tables for the account. The filespec can
contain 1 to 31 characters. The default is SYS$LIBRARY:DCLTABLES. Note
that this setting is ignored for network jobs to guarantee that the
system-supplied command procedures used to implement network objects
function properly.

/CPUTIME
   /CPUTIME=time

Specifies the maximum process CPU time for the CPU field of the UAF
record. The maximum process CPU time is the maximum amount of CPU time
a user's process can take per session. You must specify a delta time
value. For a discussion of delta time values, see the OpenVMS User's
Manual. The default is 0, which means an infinite amount of time.

/DEFPRIVILEGES
   /DEFPRIVILEGES=([NO]privname[,...])

Specifies default privileges for the user; that is, those enabled at
login time. A NO prefix removes a privilege from the user. By
specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier, you
can disable or enable all user privileges. The default privileges are
TMPMBX and NETMBX. Privname is the name of the privilege.

/DEVICE
   /DEVICE=device-name

Specifies the name of the user's default device at login. The
device-name is a string of 1 to 31 alphanumeric characters. If you
omit the colon from the device-name value, AUTHORIZE appends a colon.
The default device is SYS$SYSDISK.

If you specify a logical name as the device-name (for example, DISK1:
for DUA1:), you must make an entry for the logical name in the
LNM$SYSTEM_TABLE in executive mode by using the DCL command
DEFINE/SYSTEM/EXEC.

/DIALUP
   /DIALUP[=(range[,...])]

Specifies hours of access permitted for dialup logins. For a
description of the range specification, see the /ACCESS qualifier. The
default is full access.

/DIOLM
   /DIOLM=value

Specifies the direct I/O count limit for the DIOLM field of the UAF
record. The direct I/O count limit is the maximum number of direct I/O
operations (usually disk) that can be outstanding at one time. The
default is 40 on VAX systems and 150 on Alpha systems.

/DIRECTORY
   /DIRECTORY=directory-name

Specifies the default directory name for the DIRECTORY field of the
UAF record. The directory-name can be 1 to 39 alphanumeric characters.
If you do not enclose the directory name in brackets, AUTHORIZE adds
the brackets for you. The default directory name is [USER].

/ENQLM
   /ENQLM=value

Specifies the lock queue limit for the ENQLM field of the UAF record.
The lock queue limit is the maximum number of locks that can be queued
by the user at one time. The default is 200 on VAX systems and 2000 on
Alpha systems.

/EXPIRATION
   /EXPIRATION=time (default)
   /NOEXPIRATION

Specifies the expiration date and time of the account. The
/NOEXPIRATION qualifier removes the expiration date on the account or
resets the expiration time for expired accounts. The default
expiration time period is 90 days for nonprivileged users.

/FILLM
   /FILLM=value

Specifies the open file limit for the FILLM field of the UAF record.
The open file limit is the maximum number of files that can be open at
one time, including active network logical links. The default is 300
on VAX systems and 100 on Alpha systems.

/FLAGS
   /FLAGS=([NO]option[,...])

Specifies login flags for the user. The prefix NO clears the flag. The
options are as follows:

   AUDIT         Enables or disables mandatory security auditing for a
                 specific user. By default, the system does not audit
                 the activities of specific users (NOAUDIT).

   AUTOLOGIN     Restricts the user to the automatic login mechanism
                 when logging in to an account. When set, the flag
                 disables login by any terminal that requires entry of
                 a user name and password.
                 The default is to require a user name and password
                 (NOAUTOLOGIN).

   CAPTIVE       Prevents the user from changing any defaults at
                 login, for example, /CLI or /LGICMD. It prevents the
                 user from escaping the captive login command
                 procedure specified by the /LGICMD qualifier and
                 gaining access to the DCL command level. See
                 Guidelines for Captive Command Procedures in the
                 OpenVMS Guide to System Security.

                 The CAPTIVE flag also establishes an environment
                 where Ctrl/Y interrupts are initially turned off;
                 however, command procedures can still turn on Ctrl/Y
                 interrupts with the DCL command SET CONTROL=Y. By
                 default, an account is not captive (NOCAPTIVE).

   DEFCLI        Restricts the user to the default command interpreter
                 by prohibiting the use of the /CLI qualifier at
                 login; the MCR command can still be used. By default,
                 a user can choose a CLI (NODEFCLI).

   DISCTLY       Establishes an environment where Ctrl/Y interrupts
                 are initially turned off and are invalid until a SET
                 CONTROL=Y is encountered. This could happen in
                 SYLOGIN.COM or in a procedure called by SYLOGIN.COM.
                 Once a SET CONTROL=Y is executed (which requires no
                 privilege), a user can enter a Ctrl/Y and reach the
                 DCL prompt ($). If the intent of DISCTLY is to force
                 execution of the login command files, then
                 SYLOGIN.COM should issue the DCL command SET
                 CONTROL=Y to turn on Ctrl/Y interrupts before
                 exiting. By default, Ctrl/Y is enabled (NODISCTLY).

   DISFORCE_PWD_CHANGE
                 Removes the requirement that a user must change an
                 expired password at login. By default, a person can
                 use an expired password only once
                 (NODISFORCE_PWD_CHANGE) and then is forced to change
                 the password after logging in. If the user does not
                 select a new password, the user is locked out of the
                 system.

                 To use this feature, set a password expiration date
                 with the /PWDLIFETIME qualifier.

   DISIMAGE      Prevents the user from executing RUN, MCR, and
                 foreign commands.
                 By default, a user can execute RUN, MCR, and foreign
                 commands (NODISIMAGE).

   DISMAIL       Disables mail delivery to the user. By default, mail
                 delivery is enabled (NODISMAIL).

   DISNEWMAIL    Suppresses announcements of new mail at login. By
                 default, the system announces new mail
                 (NODISNEWMAIL).

   DISPWDDIC     Disables automatic screening of new passwords against
                 a system dictionary. By default, passwords are
                 automatically screened (NODISPWDDIC).

   DISPWDHIS     Disables automatic checking of new passwords against
                 a list of the user's old passwords. By default, the
                 system screens new passwords (NODISPWDHIS).

   DISRECONNECT  Disables automatic reconnection to an existing
                 process when a terminal connection has been
                 interrupted. By default, automatic reconnection is
                 enabled (NODISRECONNECT).

   DISREPORT     Suppresses reports of the last login time, login
                 failures, and other security reports. By default,
                 login information is displayed (NODISREPORT).

   DISUSER       Disables the account so the user cannot log in. For
                 example, the DEFAULT account is disabled. By default,
                 an account is enabled (NODISUSER).

   DISWELCOME    Suppresses the welcome message (an informational
                 message displayed during a local login). This message
                 usually indicates the version number of the operating
                 system that is running and the name of the node on
                 which the user is logged in. By default, a system
                 login message appears (NODISWELCOME).

   EXTAUTH       Considers user to be authenticated by an external
                 user name and password, not by the SYSUAF user name
                 and password. (The system still uses the SYSUAF
                 record to check a user's login restrictions and
                 quotas and to create the user's process profile.)

   GENPWD        Restricts the user to generated passwords. By
                 default, users choose their own passwords (NOGENPWD).

   LOCKPWD       Prevents the user from changing the password for the
                 account. By default, users can change their passwords
                 (NOLOCKPWD).

   PWD_EXPIRED   Marks a password as expired.
                 The user cannot log in if this flag is set. The
                 LOGINOUT.EXE image sets the flag when both of the
                 following conditions exist: a user logs in with the
                 DISFORCE_PWD_CHANGE flag set, and the user's password
                 expires. A system manager can clear this flag. By
                 default, passwords are not expired after login
                 (NOPWD_EXPIRED).

   PWD2_EXPIRED  Marks a secondary password as expired. Users cannot
                 log in if this flag is set. The LOGINOUT.EXE image
                 sets the flag when both of the following conditions
                 exist: a user logs in with the DISFORCE_PWD_CHANGE
                 flag set, and the user's password expires. A system
                 manager can clear this flag. By default, passwords
                 are not set to expire after login (NOPWD2_EXPIRED).

   RESTRICTED    Prevents the user from changing any defaults at login
                 (for example, by specifying /LGICMD) and prohibits
                 user specification of a CLI with the /CLI qualifier.
                 The RESTRICTED flag establishes an environment where
                 Ctrl/Y interrupts are initially turned off; however,
                 command procedures can still turn on Ctrl/Y
                 interrupts with the DCL command SET CONTROL=Y.
                 Typically, this flag is used to prevent an
                 applications user from having unrestricted access to
                 the CLI. By default, a user can change defaults
                 (NORESTRICTED).

/GENERATE_PASSWORD
   /GENERATE_PASSWORD[=keyword]
   /NOGENERATE_PASSWORD (default)

Invokes the password generator to create user passwords. Generated
passwords can consist of 1 to 10 characters. Specify one of the
following keywords:

   BOTH        Generate primary and secondary passwords.
   CURRENT     Do whatever the DEFAULT account does (for example,
               generate primary, secondary, both, or no passwords).
               This is the default keyword.
   PRIMARY     Generate primary password only.
   SECONDARY   Generate secondary password only.

When you modify a password, the new password expires automatically; it
is valid only once (unless you specify /NOPWDEXPIRED).
On login, users are forced to change their passwords (unless you
specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually
exclusive.

/INTERACTIVE
   /INTERACTIVE[=(range[,...])]
   /NOINTERACTIVE

Specifies the hours of access for interactive logins. For a
description of the range specification, see the /ACCESS qualifier. By
default, there are no access restrictions on interactive logins.

/JTQUOTA
   /JTQUOTA=value

Specifies the initial byte quota with which the jobwide logical name
table is to be created. By default, the value is 4096 on VAX systems
and 4096 on Alpha systems.

/LGICMD
   /LGICMD=filespec

Specifies the name of the default login command file. The file name
defaults to the device specified for /DEVICE, the directory specified
for /DIRECTORY, a file name of LOGIN, and a file type of .COM. If you
select the defaults for all these values, the file name is
SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL
   /LOCAL[=(range[,...])]

Specifies hours of access for interactive logins from local terminals.
For a description of the range specification, see the /ACCESS
qualifier. By default, there are no access restrictions on local
logins.

/MAXACCTJOBS
   /MAXACCTJOBS=value

Specifies the maximum number of batch, interactive, and detached
processes that can be active at one time for all users of the same
account. By default, a user has a maximum of 0, which represents an
unlimited number.

/MAXDETACH
   /MAXDETACH=value

Specifies the maximum number of detached processes with the cited user
name that can be active at one time. To prevent the user from creating
detached processes, specify the keyword NONE. By default, a user has a
value of 0, which represents an unlimited number.

/MAXJOBS
   /MAXJOBS=value

Specifies the maximum number of processes (interactive, batch,
detached, and network) with the cited user name that can be active
simultaneously. The first four network jobs are not counted.
By default, a user has a maximum value of 0, which represents an
unlimited number.

/NETWORK
   /NETWORK[=(range[,...])]

Specifies hours of access for network batch jobs. For a description of
how to specify the range, see the /ACCESS qualifier. By default,
network logins have no access restrictions.

/OWNER
   /OWNER=owner-name

Specifies the name of the owner of the account. You can use this name
for billing purposes or similar applications. The owner name is 1 to
31 characters. No default owner name exists.

/PASSWORD
   /PASSWORD=(password1[,password2])
   /NOPASSWORD

Specifies up to two passwords for login. Passwords can be from 0 to 32
characters in length and can include alphanumeric characters, dollar
signs, and underscores. Avoid using the word password as the actual
password. Use the /PASSWORD qualifier as follows:

o  To set only the first password and clear the second, specify
   /PASSWORD=password.

o  To set both the first and second password, specify
   /PASSWORD=(password1, password2).

o  To change the first password without affecting the second, specify
   /PASSWORD=(password, "").

o  To change the second password without affecting the first, specify
   /PASSWORD=("", password).

o  To set both passwords to null, specify /NOPASSWORD.

When you modify a password, the new password expires automatically; it
is valid only once (unless you specify /NOPWDEXPIRED). On login, the
user is forced to change the password (unless you specify
/FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually
exclusive.

By default, the ADD command assigns the password USER. When you create
a new UAF record with the COPY or RENAME command, you must specify a
password. Avoid using the word password as the actual password.

/PBYTLM

This flag is reserved for Digital.

/PGFLQUOTA
   /PGFLQUOTA=value

Specifies the paging file limit. This is the maximum number of pages
that the person's process can use in the system paging file.
By default, the value is 32768 pages on VAX systems and 50000 pagelets
on Alpha systems.

If decompressing libraries, make sure to set PGFLQUOTA to twice the
size of the library.

/PRCLM
   /PRCLM=value

Specifies the subprocess creation limit. This is the maximum number of
subprocesses that can exist at one time for the specified user's
process. By default, the value is 2 on VAX systems and 8 on Alpha
systems.

/PRIMEDAYS
   /PRIMEDAYS=([NO]day[,...])

Defines the primary and secondary days of the week for logging in.
Specify the days as a list separated by commas, and enclose the list
in parentheses. To specify a secondary day, prefix the day with NO
(for example, NOFRIDAY). To specify a primary day, omit the NO prefix.

By default, primary days are Monday through Friday and secondary days
are Saturday and Sunday. If you omit a day from the list, AUTHORIZE
uses the default value. (For example, if you omit Monday from the
list, AUTHORIZE defines Monday as a primary day.)

Use the primary and secondary day definitions in conjunction with such
qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY
   /PRIORITY=value

Specifies the default base priority. The value is an integer in the
range of 0 to 31 on VAX systems and 0 to 63 on Alpha systems. By
default, the value is set to 4 for timesharing users.

/PRIVILEGES
   /PRIVILEGES=([NO]privname[,...])

Specifies which privileges the user is authorized to hold, although
these privileges are not necessarily enabled at login. (The
/DEFPRIVILEGES qualifier determines which ones are enabled.) A NO
prefix removes the privilege from the user. The keyword NOALL disables
all user privileges. Many privileges have varying degrees of power and
potential system impact (see the OpenVMS Guide to System Security for
a detailed discussion). By default, a user holds TMPMBX and NETMBX
privileges. Privname is the name of the privilege.

/PWDEXPIRED
   /PWDEXPIRED (default)
   /NOPWDEXPIRED

Specifies the password is valid for only one login. A user must change
a password immediately after login or be locked out of the system. The
system warns users of password expiration. A user can either specify a
new password, with the DCL command SET PASSWORD, or wait until
expiration and be forced to change. By default, a user must change a
password when first logging in to an account. The default is applied
to the account only when the password is being modified.

/PWDLIFETIME
   /PWDLIFETIME=time (default)
   /NOPWDLIFETIME

Specifies the length of time a password is valid. Specify a delta time
value in the form [dddd-] [hh:mm:ss.cc]. For example, for a lifetime
of 120 days, 0 hours, and 0 seconds, specify /PWDLIFETIME="120-". For
a lifetime of 120 days 12 hours, 30 minutes and 30 seconds, specify
/PWDLIFETIME="120-12:30:30". If a period longer than the specified
time elapses before the user logs in, the system displays a warning
message. The password is marked as expired.

To prevent a password from expiring, specify the time as NONE. By
default, a password expires in 90 days.

/PWDMINIMUM
   /PWDMINIMUM=value

Specifies the minimum password length in characters. Note that this
value is enforced only by the DCL command SET PASSWORD. It does not
prevent you from entering a password shorter than the minimum length
when you use AUTHORIZE to create or modify an account. By default, a
password must have at least 6 characters.

If the value specified by the /PWDMINIMUM qualifier conflicts with the
value used by the /GENERATE_PASSWORD qualifier or the DCL command SET
PASSWORD/GENERATE, the operating system chooses the lesser value. The
maximum value for generated passwords is 10.

/QUEPRIO
   /QUEPRIO=value

Reserved for future use.

/REMOTE
   /REMOTE[=(range[,...])]

Specifies hours during which access is permitted for interactive
logins from network remote terminals (with the DCL command SET HOST).
For a description of the range specification, see the /ACCESS
qualifier. By default, remote logins have no access restrictions.

/SHRFILLM
   /SHRFILLM=value

Specifies the maximum number of shared files that the user can have
open at one time. By default, the system assigns a value of 0, which
represents an infinite number.

/TQELM

Specifies the total number of entries in the timer queue plus the
number of temporary common event flag clusters that the user can have
at one time. By default, a user can have 10.

/UIC
   /UIC=value

Specifies the user identification code (UIC). The UIC value is a group
number in the range from 1 to 37776 (octal) and a member number in the
range from 0 to 177776 (octal), which are separated by a comma and
enclosed in brackets. Digital reserves group 1 and groups 300-377 for
its own use.

Each user must have a unique UIC. By default, the UIC value is
[200,200].

/WSDEFAULT
   /WSDEFAULT=value

Specifies the default working set limit. This represents the initial
limit to the number of physical pages the process can use. (The user
can alter the default quantity up to WSQUOTA with the DCL command SET
WORKING_SET.) By default, a user has 256 pages on VAX systems and 2000
pagelets on Alpha systems.

The value cannot be greater than WSMAX. This quota value replaces
smaller values of PQL_MWSDEFAULT.

/WSEXTENT
   /WSEXTENT=value

Specifies the working set maximum. This represents the maximum amount
of physical memory allowed to the process. The system provides memory
to a process beyond its working set quota only when it has excess free
pages. The additional memory is recalled by the system if needed.

The value is an integer equal to or greater than WSQUOTA. By default,
the value is 1024 pages on VAX systems and 16384 pagelets on Alpha
systems. The value cannot be greater than WSMAX. This quota value
replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA
   /WSQUOTA=value

Specifies the working set quota.
This is the maximum amount of physical memory a user process can lock
into its working set. It also represents the maximum amount of swap
space that the system reserves for this process and the maximum amount
of physical memory that the system allows the process to consume if
the systemwide memory demand is significant.

The value cannot be greater than the value of WSMAX and cannot exceed
64K pages. This quota value replaces smaller values of PQL_MWSQUOTA.

2 Examples

1.UAF> ADD ROBIN /PASSWORD=SP0152/UIC=[014,006] -
  _/DEVICE=SYS$USER/DIRECTORY=[ROBIN]/OWNER="JOSEPH ROBIN" /ACCOUNT=INV
  %UAF-I-ADDMSG, user record successfully added
  %UAF-I-RDBADDMSGU, identifier ROBIN value: [000014,000006] added to RIGHTSLIST.DAT
  %UAF-I-RDBADDMSGU, identifier INV value: [000014,177777] added to RIGHTSLIST.DAT

  This example illustrates the typical ADD command and qualifiers. The
  record that results from this command appears in the description of
  the SHOW command.

2.UAF> ADD WELCH /PASSWORD=SP0158/UIC=[014,051] -
  _/DEVICE=SYS$USER/DIRECTORY=[WELCH]/OWNER="ROB WELCH"/FLAGS=DISUSER -
  _/ACCOUNT=INV/LGICMD=SECUREIN
  %UAF-I-ADDMSG, user record successfully added
  %UAF-I-RDBADDMSGU, identifier WELCH value: [000014,000051] added to RIGHTSLIST.DAT
  UAF> MODIFY WELCH/FLAGS=(RESTRICTED,DISNEWMAIL,DISWELCOME,NODISUSER,EXTAUTH)-
  _/NODIALUP=SECONDARY/NONETWORK=PRIMARY/CLITABLES=DCLTABLES -
  _/NOACCESS=(PRIMARY, 9-16, SECONDARY, 18-8)
  %UAF-I-MDFYMSG, user records updated

  The commands in this example add a record for a restricted account.
  Because of the number of qualifiers required, a MODIFY command is
  used in conjunction with the ADD command. This helps to minimize the
  possibility of typing errors.

  In the ADD command line, setting the DISUSER flag prevents the user
  from logging in until all the account parameters are set up. In the
  MODIFY command line, the DISUSER flag is disabled (by specifying
  NODISUSER) to allow access to the account.
  The EXTAUTH flag causes the system to consider the user as
  authenticated by an external user name and password, not by the
  SYSUAF user name and password.

  The record that results from these commands and an explanation of
  the restrictions the record imposes appear in the description of the
  SHOW command.

2 /IDENTIFIER

Adds only an identifier to the rights database. It does not add a user
account.

Format

   ADD/IDENTIFIER [id-name]

3 Parameter

id-name

Specifies the name of the identifier to be added to the rights
database. If you omit the name, you must specify the /USER qualifier.
The identifier name is a string of 1 to 31 alphanumeric characters.
The name can contain underscores and dollar signs. It must contain at
least one nonnumeric character.

3 Qualifiers

/ATTRIBUTES
   /ATTRIBUTES=(keyword[,...])

Specifies attributes to be associated with the new identifier. The
following are valid keywords:

   DYNAMIC         Allows unprivileged holders of the identifier to
                   remove and to restore the identifier from the
                   process rights list by using the DCL command SET
                   RIGHTS_LIST.

   HOLDER_HIDDEN   Prevents people from getting a list of users who
                   hold an identifier, unless they own the identifier
                   themselves.

   NAME_HIDDEN     Allows holders of an identifier to have it
                   translated, either from binary to ASCII or from
                   ASCII to binary, but prevents unauthorized users
                   from translating the identifier.

   NOACCESS        Makes any access rights of the identifier null and
                   void. If a user is granted an identifier with the
                   No Access attribute, that identifier has no effect
                   on the user's access rights to objects. This
                   attribute is a modifier for an identifier with the
                   Resource or Subsystem attribute.

   RESOURCE        Allows holders of an identifier to charge disk
                   space to the identifier. Used only for file
                   objects.

   SUBSYSTEM       Allows holders of the identifier to create and
                   maintain protected subsystems by assigning the
                   Subsystem ACE to the application images in the
                   subsystem.
                   Used only for file objects.

By default, none of these attributes is associated with the new
identifier.

/USER
   /USER=user-spec

Scans the UAF record for the specified user and creates the
corresponding identifier. Specify user-spec by user name or UIC. You
can use the asterisk wildcard to specify multiple user names or UICs.
Full use of the asterisk and percent wildcards is permitted for user
names; UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A
wildcard user name specification (*) creates identifiers
alphabetically by user name; a wildcard UIC specification ([*,*])
creates them in numerical order by UIC.

/VALUE
   /VALUE=value-specifier

Specifies the value to be attached to the identifier. The following
are valid formats for the value-specifier:

   IDENTIFIER:n   An integer value in the range of 65,536 to
                  268,435,455. You can also specify the value in
                  hexadecimal (precede the value with %X) or octal
                  (precede the value with %O).

                  The system displays this type of identifier in
                  hexadecimal. To differentiate general identifiers
                  from UIC identifiers, the system adds %X80000000 to
                  the value you specify.

   UIC:uic        A UIC value in standard UIC format consists of a
                  member name and, optionally, a group name enclosed
                  in brackets. For example, [360,031].

                  In numeric UICs, the group number is an octal number
                  in the range of 1 to 37776; the member number is an
                  octal number in the range of 0 to 177776. You can
                  omit leading zeros when you are specifying group and
                  member numbers.

                  Regardless of the UIC format you use, the system
                  translates a UIC to a 32-bit numeric value.

                  Alphanumeric UICs are not allowed.

Typically, system managers add identifiers as UIC values to represent
system users; the system applies identifiers in integer format to
system resources.
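
The value rules for /UIC and /VALUE, worked through as an added example (not OpenVMS code; the function names are hypothetical). It assumes the usual layout of the 32-bit UIC value, group in the high 16 bits and member in the low 16 bits, which the text above does not spell out.

```python
# Constructed model of the UIC and identifier value rules described for
# /UIC and /VALUE. Not OpenVMS code; function names are hypothetical.
import re

GENERAL_ID_FLAG = 0x80000000   # the %X80000000 added to general identifiers
_UIC = re.compile(r"^\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]$")


def parse_uic(text):
    """Parse a numeric UIC such as '[014,006]' (octal fields) into (group, member)."""
    match = _UIC.match(text.strip())
    if not match:
        raise ValueError(f"not a numeric [group,member] UIC: {text!r}")
    group, member = int(match.group(1), 8), int(match.group(2), 8)
    if not 0o1 <= group <= 0o37776:
        raise ValueError(f"group outside 1-37776 (octal): {text!r}")
    if not 0 <= member <= 0o177776:
        raise ValueError(f"member outside 0-177776 (octal): {text!r}")
    return group, member


def uic_value(text):
    """32-bit UIC value. Assumed layout: group in bits 16-31, member in bits 0-15."""
    group, member = parse_uic(text)
    return (group << 16) | member


def reserved_group(group):
    """True for the groups the text says Digital reserves: 1 and 300-377 (octal)."""
    return group == 0o1 or 0o300 <= group <= 0o377


def general_identifier_value(spec):
    """Stored value for IDENTIFIER:n given as decimal, %X hex or %O octal."""
    text = spec.strip().upper()
    if text.startswith("%X"):
        number = int(text[2:], 16)
    elif text.startswith("%O"):
        number = int(text[2:], 8)
    else:
        number = int(text)
    if not 65536 <= number <= 268435455:
        raise ValueError(f"general identifier outside 65,536-268,435,455: {spec!r}")
    return number | GENERAL_ID_FLAG


def display(value):
    """Format a value the way the %UAF-I-RDBADDMSGU messages in this topic show it."""
    if value & GENERAL_ID_FLAG:
        return "%%X%08X" % value
    return "[%06o,%06o]" % (value >> 16, value & 0xFFFF)


if __name__ == "__main__":
    # Inputs taken from the command lines quoted in this help topic.
    for uic in ("[014,006]", "[300,011]", "[200,200]"):
        group, _ = parse_uic(uic)
        print(uic, display(uic_value(uic)), "reserved group" if reserved_group(group) else "")
    print("%X80011", display(general_identifier_value("%X80011")))
```
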

3 Examples

1.UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
  %UAF-I-RDBADDMSGU, identifier INVENTORY value: [000300,000011] added to RIGHTSLIST.DAT

  The command in this example adds an identifier named INVENTORY to
  the rights database. By default, the identifier is not marked as a
  resource.

2.UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) -
  _/VALUE=IDENTIFIER:%X80011 PAYROLL
  %UAF-I-RDBADDMSGU, identifier PAYROLL value: %X80080011 added to RIGHTSLIST.DAT

  This command adds the identifier PAYROLL and marks it as a resource.
  To differentiate identifiers with integer values from identifiers
  with UIC values, %X80000000 is added to the specified code.

2 /PROXY

Adds an entry to the network proxy authorization files, NETPROXY.DAT
and NET$PROXY.DAT, and signals DECnet to update its volatile database.
Proxy additions take effect immediately on all nodes in a cluster that
share the proxy database.

Format

   ADD/PROXY node::remote-user local-user[,...]

3 Parameters

node

Specifies a DECnet node name. If you provide a wildcard character (*),
the specified remote user on all nodes is served by the account
defined as local-user.

remote-user

Specifies the user name of a user at a remote node. If you specify an
asterisk, all users at the specified node are served by the local
user.

For systems that are not OpenVMS and that implement DECnet, specifies
the UIC of a user at a remote node. You can specify a wildcard
character (*) in the group and member fields of the UIC.

local-user

Specifies the user names of 1 to 16 users on the local node. If you
specify an asterisk, a local-user name equal to remote-user name will
be used.

3 Positional_Qualifier

/DEFAULT

Establishes the specified user name as the default proxy account. The
remote user can request proxy access to an authorized account other
than the default proxy account by specifying the name of the proxy
account in the access control string of the network operation.
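
A review aid for the parameters above, added here as an example (not OpenVMS code; the function names and finding labels are hypothetical). It parses ADD/PROXY command lines and reports the wildcard forms the text describes, using the command lines from this topic's examples as input.

```python
# Constructed review aid for ADD/PROXY command lines as described above.
# Not OpenVMS code; function names and finding labels are hypothetical.

def parse_add_proxy(command):
    """Split 'ADD/PROXY node::remote-user local-user[,...]' into its parts."""
    verb, _, rest = command.strip().partition(" ")
    if verb.upper() != "ADD/PROXY":
        raise ValueError(f"not an ADD/PROXY command: {command!r}")
    target, _, local_part = rest.strip().partition(" ")
    # rpartition keeps node names that contain ':' themselves, such as the
    # TAO:.TWA.RAN form shown in this topic's DECnet-Plus example.
    node, sep, remote = target.rpartition("::")
    if not sep or not node or not remote or not local_part.strip():
        raise ValueError(f"expected node::remote-user local-user: {command!r}")
    local_users, default = [], None
    for item in local_part.split(","):
        name, slash, qualifier = item.strip().upper().partition("/")
        if slash:
            # /DEFAULT may be abbreviated, as in MARTIN/D in the examples.
            if not qualifier or not "DEFAULT".startswith(qualifier):
                raise ValueError(f"unexpected qualifier on {item.strip()!r}")
            default = name
        local_users.append(name)
    return {"node": node.upper(), "remote": remote.upper(),
            "local_users": local_users, "default": default}


def review(entry):
    """Return labels for the broad forms a reviewer would want to look at."""
    findings = []
    if entry["node"] == "*":
        findings.append("WILDCARD_NODE")            # remote user on all nodes
    if "*" in entry["remote"]:
        findings.append("WILDCARD_REMOTE_USER")     # all users (or UICs) at the node
    if "*" in entry["local_users"]:
        findings.append("SAME_NAME_LOCAL_ACCOUNT")  # local name equals remote name
    if len(entry["local_users"]) > 16:
        findings.append("TOO_MANY_LOCAL_USERS")     # the text allows 1 to 16
    return findings


def audit(commands):
    """Review a list of command lines; returns (command, findings) pairs."""
    return [(cmd, review(parse_add_proxy(cmd))) for cmd in commands]


if __name__ == "__main__":
    # Command lines copied from the examples in this help topic.
    SAMPLE = [
        "ADD/PROXY SAMPLE::WALTER ROBIN/DEFAULT",
        "ADD/PROXY MISHA::* MARCO/DEFAULT, OSCAR",
        "ADD/PROXY MISHA::MARCO */DEFAULT",
        "ADD/PROXY TAO::MARTIN MARTIN/D,SALES_READER",
    ]
    for cmd, findings in audit(SAMPLE):
        print(cmd, "->", findings or "no wildcard")
```
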
3 Examples

   1.UAF> ADD/PROXY SAMPLE::WALTER ROBIN/DEFAULT
     %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

     Specifies that user WALTER on remote node SAMPLE has proxy
     access to user ROBIN's account on local node AXEL. Through
     proxy login, WALTER receives the default privileges of user
     ROBIN when he accesses node AXEL remotely.

   2.UAF> ADD/PROXY MISHA::* MARCO/DEFAULT, OSCAR
     %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

     Specifies that any user on the remote node MISHA can, by
     default, use the MARCO account on the local node for DECnet
     tasks such as remote file access. Remote users can also access
     the OSCAR proxy account by specifying the user name OSCAR in
     the access control string.

   3.UAF> ADD/PROXY MISHA::MARCO */DEFAULT
     %UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT

     Specifies that user MARCO on the remote node MISHA can use only
     the MARCO account on the local node for remote file access.

   4.UAF> ADD/PROXY TAO::MARTIN MARTIN/D,SALES_READER
     %UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to MARTIN added
     %UAF-I-NAFADDMSG, proxy from TAO:.TWA.RAN::MARTIN to SALES_READER added

     Adds a proxy from TAO::MARTIN to the local accounts MARTIN (the
     default) and SALES_READER on a system running DECnet-Plus.

1 Command_Summary

   Command            Description

   Managing System Resources and User Accounts with SYSUAF

   ADD                Adds a user record to the SYSUAF and
                      corresponding identifiers to the rights
                      database.

   COPY               Creates a new SYSUAF record that
                      duplicates an existing record.

   DEFAULT            Modifies the default SYSUAF record.

   LIST               Writes reports for selected UAF records to
                      a listing file, SYSUAF.LIS.

   MODIFY             Changes values in a SYSUAF user record.
                      Qualifiers not specified in the command
                      remain unchanged.

   REMOVE             Deletes a SYSUAF user record and
                      corresponding identifiers in the rights
                      database. The DEFAULT and SYSTEM records
                      cannot be deleted.

   RENAME             Changes the user name of the SYSUAF record
                      (and, if specified, the corresponding
                      identifier) while retaining the
                      characteristics of the old record.

   SHOW               Displays reports for selected SYSUAF
                      records.

   Managing Network Proxies with NETPROXY.DAT or NET$PROXY.DAT

   ADD/PROXY          Adds proxy access for the specified user.

   CREATE/PROXY       Creates a network proxy authorization file.

   LIST/PROXY         Creates a listing file of all proxy
                      accounts and all remote users with proxy
                      access to the accounts.

   MODIFY/PROXY       Modifies proxy access for the specified user.

   REMOVE/PROXY       Deletes proxy access for the specified user.

   SHOW/PROXY         Displays proxy access allowed for the
                      specified user.

   Managing Identifiers with RIGHTSLIST.DAT

   ADD/IDENTIFIER     Adds an identifier name to the rights
                      database.

   CREATE/RIGHTS      Creates a new rights database file.

   GRANT/IDENTIFIER   Grants an identifier name to a UIC
                      identifier.

   LIST/IDENTIFIER    Creates a listing file of identifier names
                      and values.

   LIST/RIGHTS        Creates a listing file of all identifiers
                      held by the specified user.

   MODIFY/IDENTIFIER  Modifies the named identifier in the
                      rights database.

   REMOVE/IDENTIFIER  Removes an identifier from the rights
                      database.

   RENAME/IDENTIFIER  Renames an identifier in the rights
                      database.

   REVOKE/IDENTIFIER  Revokes an identifier name from a UIC
                      identifier.

   SHOW/IDENTIFIER    Displays identifier names and values on
                      the current output device.

   SHOW/RIGHTS        Displays on the current output device
                      the names of all identifiers held by the
                      specified user.

   General Commands

   EXIT               Returns the user to DCL command level.

   HELP               Displays HELP text for AUTHORIZE commands.

   MODIFY/SYSTEM_     Sets the system password (equivalent to
   PASSWORD           the DCL command SET PASSWORD/SYSTEM).

1 COPY

   Creates a new SYSUAF record that duplicates an existing UAF
   record.

   Format

     COPY  oldusername newusername

2 Parameters

oldusername

   Name of an existing user record to serve as a template for the
   new record.

newusername

   Name for the new user record.
   The user name is a string of 1 to 12
   alphanumeric characters.

2 Qualifiers

/ACCESS

      /ACCESS[=(range[,...])]

   Specifies hours of access for all modes of access. The syntax for
   specifying the range is:

   /[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])

   Specify hours as integers from 0 to 23, inclusive. You can
   specify single hours (n) or ranges of hours (n-m). If the ending
   hour of a range is earlier than the starting hour, the range
   extends from the starting hour through midnight to the ending
   hour. The first set of hours after the keyword PRIMARY specifies
   hours on primary days; the second set of hours after the keyword
   SECONDARY specifies hours on secondary days. Note that hours
   are inclusive; that is, if you grant access during a given hour,
   access extends to the end of that hour.

   By default, a user has full access every day. See the DCL
   command SET DAY in the OpenVMS DCL Dictionary for information
   on overriding the defaults for primary and secondary day types.

   All the list elements are optional. Unless you specify hours for
   a day type, access is permitted for the entire day. By specifying
   an access time, you prevent access at all other times. Adding
   NO to the qualifier denies the user access to the system for the
   specified period of time.

   Examples:

   /ACCESS               Allows unrestricted access

   /NOACCESS=SECONDARY   Allows access on primary days only

   /ACCESS=(9-17)        Allows access from 9 A.M. to 5:59 P.M. on
                         all days

   /NOACCESS=(PRIMARY,   Disallows access between 9 A.M. to 5:59
   9-17, SECONDARY,      P.M. on primary days but allows access
   18-8)                 during these hours on secondary days

   To specify access hours for specific types of access, see the
   /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE
   qualifiers.

/ACCOUNT

      /ACCOUNT=account-name

   Specifies the default name for the account (for example, a
   billing name or number). The name can be a string of 1 to 8
   alphanumeric characters.
   By default, AUTHORIZE does not assign
   an account name.

/ADD_IDENTIFIER

      /ADD_IDENTIFIER (default)
      /NOADD_IDENTIFIER

   Adds a user (user name and account name) to the rights database.
   The /NOADD_IDENTIFIER does not create a rights list identifier
   (user name and account name).

/ALGORITHM

      /ALGORITHM=keyword=type [=value]

   Sets the password encryption algorithm for a user. The keyword
   VMS refers to the algorithm used in the operating system version
   that is running on your system, whereas a customer algorithm is
   one that is added through the $HASH_PASSWORD system service by
   a customer site, by a layered product, or by a third party. The
   customer algorithm is identified in $HASH_PASSWORD by an integer
   in the range of 128 to 255. It must correspond with the number
   used in the AUTHORIZE command MODIFY/ALGORITHM. By default,
   passwords are encrypted with the VMS algorithm for the current
   version of the operating system.

   Keyword     Function

   BOTH        Set the algorithm for primary and secondary passwords.

   CURRENT     Set the algorithm for the primary, secondary, both,
               or no passwords, depending on account status. CURRENT
               is the default value.

   PRIMARY     Set the algorithm for the primary password only.

   SECONDARY   Set the algorithm for the secondary password only.

   The following table lists password encryption algorithms:

   Type        Definition

   VMS         The algorithm used in the version of the operating
               system that is running on your system.

   CUSTOMER    A numeric value in the range of 128 to 255 that
               identifies a customer algorithm.
   The following example selects the VMS algorithm for Sontag's
   primary password:

      UAF>  MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

   If you select a site-specific algorithm, you must give a value to
   identify the algorithm, as follows:

      UAF>  MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM

      /ASTLM=value

   Specifies the AST queue limit, which is the total number of
   asynchronous system trap (AST) operations and scheduled wake-up
   requests that the user can have queued at one time. The default
   is 40 on VAX systems and 250 on Alpha systems.

/BATCH

      /BATCH[=(range[,...])]

   Specifies the hours of access permitted for batch jobs. For
   a description of the range specification, see the /ACCESS
   qualifier. By default, a user can submit batch jobs any time.

/BIOLM

      /BIOLM=value

   Specifies a buffered I/O count limit for the BIOLM field of the
   UAF record. The buffered I/O count limit is the maximum number
   of buffered I/O operations, such as terminal I/O, that can be
   outstanding at one time. The default is 40 on VAX systems and 150
   on Alpha systems.

/BYTLM

      /BYTLM=value

   Specifies the buffered I/O byte limit for the BYTLM field of the
   UAF record. The buffered I/O byte limit is the maximum number
   of bytes of nonpaged system dynamic memory that a user's job
   can consume at one time. Nonpaged dynamic memory is used for
   operations such as I/O buffering, mailboxes, and file-access
   windows. The default is 32768 on VAX systems and 64000 on Alpha
   systems.

/CLI

      /CLI=cli-name

   Specifies the name of the default command language interpreter
   (CLI) for the CLI field of the UAF record. The cli-name is a
   string of 1 to 31 alphanumeric characters and should be either
   DCL or MCR. The default is DCL. This setting is ignored for
   network jobs.

/CLITABLES

      /CLITABLES=filespec

   Specifies user-defined CLI tables for the account. The
   filespec can contain 1 to 31 characters. The default is
   SYS$LIBRARY:DCLTABLES.
   Note that this setting is ignored for
   network jobs to guarantee that the system-supplied command
   procedures used to implement network objects function properly.

/CPUTIME

      /CPUTIME=time

   Specifies the maximum process CPU time for the CPU field of the
   UAF record. The maximum process CPU time is the maximum amount of
   CPU time a user's process can take per session. You must specify
   a delta time value. For a discussion of delta time values, see
   the OpenVMS User's Manual. The default is 0, which means an
   infinite amount of time.

/DEFPRIVILEGES

      /DEFPRIVILEGES=([NO]privname[,...])

   Specifies default privileges for the user; that is, those enabled
   at login time. A NO prefix removes a privilege from the user. By
   specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier,
   you can disable or enable all user privileges. The default
   privileges are TMPMBX and NETMBX. Privname is the name of the
   privilege.

/DEVICE

      /DEVICE=device-name

   Specifies the name of the user's default device at login. The
   device-name is a string of 1 to 31 alphanumeric characters. If
   you omit the colon from the device-name value, AUTHORIZE appends
   a colon. The default device is SYS$SYSDISK.

   If you specify a logical name as the device-name (for example,
   DISK1: for DUA1:), you must make an entry for the logical name in
   the LNM$SYSTEM_TABLE in executive mode by using the DCL command
   DEFINE/SYSTEM/EXEC.

/DIALUP

      /DIALUP[=(range[,...])]

   Specifies hours of access permitted for dialup logins. For
   a description of the range specification, see the /ACCESS
   qualifier. The default is full access.

/DIOLM

      /DIOLM=value

   Specifies the direct I/O count limit for the DIOLM field of the
   UAF record. The direct I/O count limit is the maximum number
   of direct I/O operations (usually disk) that can be outstanding
   at one time. The default is 40 on VAX systems and 150 on Alpha
   systems.
/DIRECTORY

      /DIRECTORY=directory-name

   Specifies the default directory name for the DIRECTORY field of
   the UAF record. The directory-name can be 1 to 39 alphanumeric
   characters. If you do not enclose the directory name in brackets,
   AUTHORIZE adds the brackets for you. The default directory name
   is [USER].

/ENQLM

      /ENQLM=value

   Specifies the lock queue limit for the ENQLM field of the UAF
   record. The lock queue limit is the maximum number of locks that
   can be queued by the user at one time. The default is 200 on VAX
   systems and 2000 on Alpha systems.

/EXPIRATION

      /EXPIRATION=time (default)
      /NOEXPIRATION

   Specifies the expiration date and time of the account. The
   /NOEXPIRATION qualifier removes the expiration date on the
   account or resets the expiration time for expired accounts.
   The default expiration time period is 90 days for nonprivileged
   users.

/FILLM

      /FILLM=value

   Specifies the open file limit for the FILLM field of the UAF
   record. The open file limit is the maximum number of files that
   can be open at one time, including active network logical links.
   The default is 300 on VAX systems and 100 on Alpha systems.

/FLAGS

      /FLAGS=([NO]option[,...])

   Specifies login flags for the user. The prefix NO clears the
   flag. The options are as follows:

   AUDIT           Enables or disables mandatory security
                   auditing for a specific user. By default,
                   the system does not audit the activities of
                   specific users (NOAUDIT).

   AUTOLOGIN       Restricts the user to the automatic login
                   mechanism when logging in to an account.
                   When set, the flag disables login by any
                   terminal that requires entry of a user name
                   and password. The default is to require a user
                   name and password (NOAUTOLOGIN).

   CAPTIVE         Prevents the user from changing any defaults
                   at login, for example, /CLI or /LGICMD. It
                   prevents the user from escaping the captive
                   login command procedure specified by the
                   /LGICMD qualifier and gaining access to the
                   DCL command level.
                   See Guidelines for Captive
                   Command Procedures in the OpenVMS Guide to
                   System Security.

                   The CAPTIVE flag also establishes an
                   environment where Ctrl/Y interrupts are
                   initially turned off; however, command
                   procedures can still turn on Ctrl/Y
                   interrupts with the DCL command SET CONTROL=Y.
                   By default, an account is not captive
                   (NOCAPTIVE).

   DEFCLI          Restricts the user to the default command
                   interpreter by prohibiting the use of the /CLI
                   qualifier at login; the MCR command can still
                   be used. By default, a user can choose a CLI
                   (NODEFCLI).

   DISCTLY         Establishes an environment where Ctrl/Y
                   interrupts are initially turned off and are
                   invalid until a SET CONTROL=Y is encountered.
                   This could happen in SYLOGIN.COM or in a
                   procedure called by SYLOGIN.COM. Once a SET
                   CONTROL=Y is executed (which requires no
                   privilege), a user can enter a Ctrl/Y and
                   reach the DCL prompt ($). If the intent of
                   DISCTLY is to force execution of the login
                   command files, then SYLOGIN.COM should issue
                   the DCL command SET CONTROL=Y to turn on Ctrl/Y
                   interrupts before exiting. By default, Ctrl/Y
                   is enabled (NODISCTLY).

   DISFORCE_PWD_   Removes the requirement that a user must
   CHANGE          change an expired password at login. By
                   default, a person can use an expired password
                   only once (NODISFORCE_PWD_CHANGE) and then
                   is forced to change the password after
                   logging in. If the user does not select a
                   new password, the user is locked out of the
                   system.

                   To use this feature, set a password expiration
                   date with the /PWDLIFETIME qualifier.

   DISIMAGE        Prevents the user from executing RUN, MCR,
                   and foreign commands. By default, a user
                   can execute RUN, MCR, and foreign commands
                   (NODISIMAGE).

   DISMAIL         Disables mail delivery to the user. By
                   default, mail delivery is enabled (NODISMAIL).

   DISNEWMAIL      Suppresses announcements of new mail at login.
                   By default, the system announces new mail
                   (NODISNEWMAIL).

   DISPWDDIC       Disables automatic screening of new passwords
                   against a system dictionary. By default,
                   passwords are automatically screened
                   (NODISPWDDIC).

   DISPWDHIS       Disables automatic checking of new passwords
                   against a list of the user's old passwords.
                   By default, the system screens new passwords
                   (NODISPWDHIS).

   DISRECONNECT    Disables automatic reconnection to an existing
                   process when a terminal connection has
                   been interrupted. By default, automatic
                   reconnection is enabled (NODISRECONNECT).

   DISREPORT       Suppresses reports of the last login time,
                   login failures, and other security reports.
                   By default, login information is displayed
                   (NODISREPORT).

   DISUSER         Disables the account so the user cannot log
                   in. For example, the DEFAULT account is
                   disabled. By default, an account is enabled
                   (NODISUSER).

   DISWELCOME      Suppresses the welcome message (an
                   informational message displayed during a local
                   login). This message usually indicates the
                   version number of the operating system that is
                   running and the name of the node on which the
                   user is logged in. By default, a system login
                   message appears (NODISWELCOME).

   EXTAUTH         Considers user to be authenticated by an
                   external user name and password, not by the
                   SYSUAF user name and password. (The system
                   still uses the SYSUAF record to check a user's
                   login restrictions and quotas and to create
                   the user's process profile.)

   GENPWD          Restricts the user to generated passwords.
                   By default, users choose their own passwords
                   (NOGENPWD).

   LOCKPWD         Prevents the user from changing the password
                   for the account. By default, users can change
                   their passwords (NOLOCKPWD).

   PWD_EXPIRED     Marks a password as expired. The user cannot
                   log in if this flag is set. The LOGINOUT.EXE
                   image sets the flag when both of the following
                   conditions exist: a user logs in with the
                   DISFORCE_PWD_CHANGE flag set, and the user's
                   password expires. A system manager can clear
                   this flag.
                   By default, passwords are not
                   expired after login (NOPWD_EXPIRED).

   PWD2_EXPIRED    Marks a secondary password as expired. Users
                   cannot log in if this flag is set. The
                   LOGINOUT.EXE image sets the flag when both
                   of the following conditions exist: a user logs
                   in with the DISFORCE_PWD_CHANGE flag set, and
                   the user's password expires. A system manager
                   can clear this flag. By default, passwords
                   are not set to expire after login
                   (NOPWD2_EXPIRED).

   RESTRICTED      Prevents the user from changing any defaults
                   at login (for example, by specifying /LGICMD)
                   and prohibits user specification of a CLI
                   with the /CLI qualifier. The RESTRICTED
                   flag establishes an environment where Ctrl/Y
                   interrupts are initially turned off; however,
                   command procedures can still turn on Ctrl/Y
                   interrupts with the DCL command SET CONTROL=Y.
                   Typically, this flag is used to prevent an
                   applications user from having unrestricted
                   access to the CLI. By default, a user can
                   change defaults (NORESTRICTED).

/GENERATE_PASSWORD

      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

   Invokes the password generator to create user passwords.
   Generated passwords can consist of 1 to 10 characters. Specify
   one of the following keywords:

   BOTH        Generate primary and secondary passwords.

   CURRENT     Do whatever the DEFAULT account does (for example,
               generate primary, secondary, both, or no passwords).
               This is the default keyword.

   PRIMARY     Generate primary password only.

   SECONDARY   Generate secondary password only.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, users are forced to change their
   passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

/INTERACTIVE

      /INTERACTIVE[=(range[,...])]
      /NOINTERACTIVE

   Specifies the hours of access for interactive logins.
   For
   a description of the range specification, see the /ACCESS
   qualifier. By default, there are no access restrictions on
   interactive logins.

/JTQUOTA

      /JTQUOTA=value

   Specifies the initial byte quota with which the jobwide logical
   name table is to be created. By default, the value is 4096 on VAX
   systems and 4096 on Alpha systems.

/LGICMD

      /LGICMD=filespec

   Specifies the name of the default login command file. The file
   name defaults to the device specified for /DEVICE, the directory
   specified for /DIRECTORY, a file name of LOGIN, and a file type
   of .COM. If you select the defaults for all these values, the
   file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL

      /LOCAL[=(range[,...])]

   Specifies hours of access for interactive logins from local
   terminals. For a description of the range specification, see the
   /ACCESS qualifier. By default, there are no access restrictions
   on local logins.

/MAXACCTJOBS

      /MAXACCTJOBS=value

   Specifies the maximum number of batch, interactive, and detached
   processes that can be active at one time for all users of the
   same account. By default, a user has a maximum of 0, which
   represents an unlimited number.

/MAXDETACH

      /MAXDETACH=value

   Specifies the maximum number of detached processes with the cited
   user name that can be active at one time. To prevent the user
   from creating detached processes, specify the keyword NONE. By
   default, a user has a value of 0, which represents an unlimited
   number.

/MAXJOBS

      /MAXJOBS=value

   Specifies the maximum number of processes (interactive, batch,
   detached, and network) with the cited user name that can be
   active simultaneously. The first four network jobs are not
   counted. By default, a user has a maximum value of 0, which
   represents an unlimited number.

/NETWORK

      /NETWORK[=(range[,...])]

   Specifies hours of access for network batch jobs. For a
   description of how to specify the range, see the /ACCESS
   qualifier. By default, network logins have no access
   restrictions.
/OWNER

      /OWNER=owner-name

   Specifies the name of the owner of the account. You can use this
   name for billing purposes or similar applications. The owner name
   is 1 to 31 characters. No default owner name exists.

/PASSWORD

      /PASSWORD=(password1[,password2])
      /NOPASSWORD

   Specifies up to two passwords for login. Passwords can be
   from 0 to 32 characters in length and can include alphanumeric
   characters, dollar signs, and underscores. Avoid using the word
   password as the actual password. Use the /PASSWORD qualifier as
   follows:

   o  To set only the first password and clear the second, specify
      /PASSWORD=password.

   o  To set both the first and second password, specify
      /PASSWORD=(password1, password2).

   o  To change the first password without affecting the second,
      specify /PASSWORD=(password, "").

   o  To change the second password without affecting the first,
      specify /PASSWORD=("", password).

   o  To set both passwords to null, specify /NOPASSWORD.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, the user is forced to change the
   password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

   When you create a new UAF record with the COPY command, you must
   specify a password.

/PBYTLM

   This flag is reserved for Digital.

/PGFLQUOTA

      /PGFLQUOTA=value

   Specifies the paging file limit. This is the maximum number of
   pages that the person's process can use in the system paging
   file. By default, the value is 32768 pages on VAX systems and
   50000 pagelets on Alpha systems.

   If decompressing libraries, make sure to set PGFLQUOTA to twice
   the size of the library.

/PRCLM

      /PRCLM=value

   Specifies the subprocess creation limit. This is the maximum
   number of subprocesses that can exist at one time for the
   specified user's process. By default, the value is 2 on VAX
   systems and 8 on Alpha systems.
/PRIMEDAYS

      /PRIMEDAYS=([NO]day[,...])

   Defines the primary and secondary days of the week for logging
   in. Specify the days as a list separated by commas, and enclose
   the list in parentheses. To specify a secondary day, prefix the
   day with NO (for example, NOFRIDAY). To specify a primary day,
   omit the NO prefix.

   By default, primary days are Monday through Friday and secondary
   days are Saturday and Sunday. If you omit a day from the list,
   AUTHORIZE uses the default value. (For example, if you omit
   Monday from the list, AUTHORIZE defines Monday as a primary day.)

   Use the primary and secondary day definitions in conjunction with
   such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY

      /PRIORITY=value

   Specifies the default base priority. The value is an integer in
   the range of 0 to 31 on VAX systems and 0 to 63 on Alpha systems.
   By default, the value is set to 4 for timesharing users.

/PRIVILEGES

      /PRIVILEGES=([NO]privname[,...])

   Specifies which privileges the user is authorized to hold,
   although these privileges are not necessarily enabled at login.
   (The /DEFPRIVILEGES qualifier determines which ones are enabled.)
   A NO prefix removes the privilege from the user. The keyword
   NOALL disables all user privileges. Many privileges have varying
   degrees of power and potential system impact (see the OpenVMS
   Guide to System Security for a detailed discussion). By default,
   a user holds TMPMBX and NETMBX privileges. Privname is the name
   of the privilege.

/PWDEXPIRED

      /PWDEXPIRED (default)
      /NOPWDEXPIRED

   Specifies the password is valid for only one login. A user must
   change a password immediately after login or be locked out of the
   system. The system warns users of password expiration. A user can
   either specify a new password, with the DCL command SET PASSWORD,
   or wait until expiration and be forced to change.
   By default, a
   user must change a password when first logging in to an account.
   The default is applied to the account only when the password is
   being modified.

/PWDLIFETIME

      /PWDLIFETIME=time (default)
      /NOPWDLIFETIME

   Specifies the length of time a password is valid. Specify a
   delta time value in the form [dddd-] [hh:mm:ss.cc]. For example,
   for a lifetime of 120 days, 0 hours, and 0 seconds, specify
   /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30
   minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If
   a period longer than the specified time elapses before the user
   logs in, the system displays a warning message. The password is
   marked as expired.

   To prevent a password from expiring, specify the time as NONE. By
   default, a password expires in 90 days.

/PWDMINIMUM

      /PWDMINIMUM=value

   Specifies the minimum password length in characters. Note that
   this value is enforced only by the DCL command SET PASSWORD. It
   does not prevent you from entering a password shorter than the
   minimum length when you use AUTHORIZE to create or modify an
   account. By default, a password must have at least 6 characters.
   If the value specified by the /PWDMINIMUM qualifier conflicts with
   the value used by the /GENERATE_PASSWORD qualifier or the DCL
   command SET PASSWORD/GENERATE, the operating system chooses the
   lesser value. The maximum value for generated passwords is 10.

/QUEPRIO

      /QUEPRIO=value

   Reserved for future use.

/REMOTE

      /REMOTE[=(range[,...])]

   Specifies hours during which access is permitted for interactive
   logins from network remote terminals (with the DCL command SET
   HOST). For a description of the range specification, see the
   /ACCESS qualifier. By default, remote logins have no access
   restrictions.

/SHRFILLM

      /SHRFILLM=value

   Specifies the maximum number of shared files that the user can
   have open at one time. By default, the system assigns a value of
   0, which represents an infinite number.
/TQELM

   Specifies the total number of entries in the timer queue plus the
   number of temporary common event flag clusters that the user can
   have at one time. By default, a user can have 10.

/UIC

      /UIC=value

   Specifies the user identification code (UIC). The UIC value is
   a group number in the range from 1 to 37776 (octal) and a member
   number in the range from 0 to 177776 (octal), which are separated
   by a comma and enclosed in brackets. Digital reserves group 1 and
   groups 300-377 for its own use.

   Each user must have a unique UIC. By default, the UIC value is
   [200,200].

/WSDEFAULT

      /WSDEFAULT=value

   Specifies the default working set limit. This represents the
   initial limit to the number of physical pages the process can
   use. (The user can alter the default quantity up to WSQUOTA with
   the DCL command SET WORKING_SET.) By default, a user has 256
   pages on VAX systems and 2000 pagelets on Alpha systems.

   The value cannot be greater than WSMAX. This quota value replaces
   smaller values of PQL_MWSDEFAULT.

/WSEXTENT

      /WSEXTENT=value

   Specifies the working set maximum. This represents the maximum
   amount of physical memory allowed to the process. The system
   provides memory to a process beyond its working set quota only
   when it has excess free pages. The additional memory is recalled
   by the system if needed.

   The value is an integer equal to or greater than WSQUOTA. By
   default, the value is 1024 pages on VAX systems and 16384
   pagelets on Alpha systems. The value cannot be greater than
   WSMAX. This quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA

      /WSQUOTA=value

   Specifies the working set quota. This is the maximum amount of
   physical memory a user process can lock into its working set. It
   also represents the maximum amount of swap space that the system
   reserves for this process and the maximum amount of physical
   memory that the system allows the process to consume if the
   systemwide memory demand is significant.

   The value cannot be greater than the value of WSMAX and cannot
   exceed 64K pages. This quota value replaces smaller values of
   PQL_MWSQUOTA.

2 Examples

   1.UAF> COPY ROBIN SPARROW /PASSWORD=SP0152
     %UAF-I-COPMSG, user record copied
     %UAF-E-RDBADDERRU, unable to add SPARROW value: [000014,00006] to
     RIGHTSLIST.DAT
     -SYSTEM-F-DUPIDENT, duplicate identifier

     The command in this example adds a record for Thomas Sparrow
     that is identical, except for the password, to that of Joseph
     Robin. Note that because the UIC value has no change, no
     identifier is added to RIGHTSLIST.DAT. AUTHORIZE issues a
     "duplicate identifier" error message.

   2.UAF> COPY ROBIN SPARROW /UIC=[200,13]/DIRECTORY=[SPARROW] -
     _/PASSWORD=THOMAS/OWNER="THOMAS SPARROW"
     %UAF-I-COPMSG, user record copied
     %UAF-I-RDBADDMSGU, identifier SPARROW value: [000200,000013] added to
     RIGHTSLIST.DAT

     The command in this example adds a record for Thomas Sparrow
     that is the same as Joseph Robin's except for the UIC,
     directory name, password, and owner. Note that you could use a
     similar command to copy a template record when adding a record
     for a new user in a particular user group.

1 CREATE

2 /PROXY

   Creates and initializes the network proxy authorization files.
   The primary network proxy authorization file is NET$PROXY.DAT.
   The file NETPROXY.DAT is maintained for compatibility.

                                  NOTE

      Do not delete NETPROXY.DAT because DECnet Phase IV and many
      layered products still use it.

   Format

     CREATE/PROXY

3 Example

     UAF> CREATE/PROXY
     UAF>

     The command in this example creates and initializes the network
     proxy authorization file.

2 /RIGHTS

   Creates and initializes the rights database, RIGHTSLIST.DAT.
   Format

     CREATE/RIGHTS

3 Example

     UAF> CREATE/RIGHTS
     %UAF-E-RDBCREERR, unable to create RIGHTSLIST.DAT
     -RMS-E-FEX, file already exists, not superseded

     You can use the command in this example to create and
     initialize a new rights database. Note, however, that
     RIGHTSLIST.DAT is created automatically during the installation
     process. Thus, you must delete or rename the existing file
     before creating a new one. For more information on rights
     database management, refer to the OpenVMS Guide to System
     Security.

1 DEFAULT

   Modifies the SYSUAF's DEFAULT record.

   Format

     DEFAULT

2 Qualifiers

/ACCESS

      /ACCESS[=(range[,...])]

   Specifies hours of access for all modes of access. The syntax for
   specifying the range is:

   /[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])

   Specify hours as integers from 0 to 23, inclusive. You can
   specify single hours (n) or ranges of hours (n-m). If the ending
   hour of a range is earlier than the starting hour, the range
   extends from the starting hour through midnight to the ending
   hour. The first set of hours after the keyword PRIMARY specifies
   hours on primary days; the second set of hours after the keyword
   SECONDARY specifies hours on secondary days. Note that hours
   are inclusive; that is, if you grant access during a given hour,
   access extends to the end of that hour.

   By default, a user has full access every day. See the DCL
   command SET DAY in the OpenVMS DCL Dictionary for information
   on overriding the defaults for primary and secondary day types.

   All the list elements are optional. Unless you specify hours for
   a day type, access is permitted for the entire day. By specifying
   an access time, you prevent access at all other times. Adding
   NO to the qualifier denies the user access to the system for the
   specified period of time.

   Examples:

   /ACCESS               Allows unrestricted access

   /NOACCESS=SECONDARY   Allows access on primary days only

   /ACCESS=(9-17)        Allows access from 9 A.M. to 5:59 P.M.
                            on all days
    /NOACCESS=(PRIMARY,     Disallows access between 9 A.M. to 5:59
    9-17, SECONDARY,        P.M. on primary days but allows access
    18-8)                   during these hours on secondary days

To specify access hours for specific types of access, see the /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE qualifiers.

/ACCOUNT
    /ACCOUNT=account-name

Specifies the default name for the account (for example, a billing name or number). The name can be a string of 1 to 8 alphanumeric characters. By default, AUTHORIZE does not assign an account name.

/ALGORITHM
    /ALGORITHM=keyword=type [=value]

Sets the password encryption algorithm for a user. The keyword VMS refers to the algorithm used in the operating system version that is running on your system, whereas a customer algorithm is one that is added through the $HASH_PASSWORD system service by a customer site, by a layered product, or by a third party. The customer algorithm is identified in $HASH_PASSWORD by an integer in the range of 128 to 255. It must correspond with the number used in the AUTHORIZE command MODIFY/ALGORITHM. By default, passwords are encrypted with the VMS algorithm for the current version of the operating system.

    Keyword     Function
    BOTH        Set the algorithm for primary and secondary passwords.
    CURRENT     Set the algorithm for the primary, secondary, both, or no passwords, depending on account status. CURRENT is the default value.
    PRIMARY     Set the algorithm for the primary password only.
    SECONDARY   Set the algorithm for the secondary password only.

The following table lists password encryption algorithms:

    Type        Definition
    VMS         The algorithm used in the version of the operating system that is running on your system.
    CUSTOMER    A numeric value in the range of 128 to 255 that identifies a customer algorithm.
The following example selects the VMS algorithm for Sontag's primary password:

    UAF> MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

If you select a site-specific algorithm, you must give a value to identify the algorithm, as follows:

    UAF> MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM
    /ASTLM=value

Specifies the AST queue limit, which is the total number of asynchronous system trap (AST) operations and scheduled wake-up requests that the user can have queued at one time. The default is 40 on VAX systems and 250 on Alpha systems.

/BATCH
    /BATCH[=(range[,...])]

Specifies the hours of access permitted for batch jobs. For a description of the range specification, see the /ACCESS qualifier. By default, a user can submit batch jobs any time.

/BIOLM
    /BIOLM=value

Specifies a buffered I/O count limit for the BIOLM field of the UAF record. The buffered I/O count limit is the maximum number of buffered I/O operations, such as terminal I/O, that can be outstanding at one time. The default is 40 on VAX systems and 150 on Alpha systems.

/BYTLM
    /BYTLM=value

Specifies the buffered I/O byte limit for the BYTLM field of the UAF record. The buffered I/O byte limit is the maximum number of bytes of nonpaged system dynamic memory that a user's job can consume at one time. Nonpaged dynamic memory is used for operations such as I/O buffering, mailboxes, and file-access windows. The default is 32768 on VAX systems and 64000 on Alpha systems.

/CLI
    /CLI=cli-name

Specifies the name of the default command language interpreter (CLI) for the CLI field of the UAF record. The cli-name is a string of 1 to 31 alphanumeric characters and should be either DCL or MCR. The default is DCL. This setting is ignored for network jobs.

/CLITABLES
    /CLITABLES=filespec

Specifies user-defined CLI tables for the account. The filespec can contain 1 to 31 characters. The default is SYS$LIBRARY:DCLTABLES.
Note that this setting is ignored for network jobs to guarantee that the system-supplied command procedures used to implement network objects function properly.

/CPUTIME
    /CPUTIME=time

Specifies the maximum process CPU time for the CPU field of the UAF record. The maximum process CPU time is the maximum amount of CPU time a user's process can take per session. You must specify a delta time value. For a discussion of delta time values, see the OpenVMS User's Manual. The default is 0, which means an infinite amount of time.

/DEFPRIVILEGES
    /DEFPRIVILEGES=([NO]privname[,...])

Specifies default privileges for the user; that is, those enabled at login time. A NO prefix removes a privilege from the user. By specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier, you can disable or enable all user privileges. The default privileges are TMPMBX and NETMBX. Privname is the name of the privilege.

/DEVICE
    /DEVICE=device-name

Specifies the name of the user's default device at login. The device-name is a string of 1 to 31 alphanumeric characters. If you omit the colon from the device-name value, AUTHORIZE appends a colon. The default device is SYS$SYSDISK.

If you specify a logical name as the device-name (for example, DISK1: for DUA1:), you must make an entry for the logical name in the LNM$SYSTEM_TABLE in executive mode by using the DCL command DEFINE/SYSTEM/EXEC.

/DIALUP
    /DIALUP[=(range[,...])]

Specifies hours of access permitted for dialup logins. For a description of the range specification, see the /ACCESS qualifier. The default is full access.

/DIOLM
    /DIOLM=value

Specifies the direct I/O count limit for the DIOLM field of the UAF record. The direct I/O count limit is the maximum number of direct I/O operations (usually disk) that can be outstanding at one time. The default is 40 on VAX systems and 150 on Alpha systems.

/DIRECTORY
    /DIRECTORY=directory-name

Specifies the default directory name for the DIRECTORY field of the UAF record.
The directory-name can be 1 to 39 alphanumeric characters. If you do not enclose the directory name in brackets, AUTHORIZE adds the brackets for you. The default directory name is [USER].

/ENQLM
    /ENQLM=value

Specifies the lock queue limit for the ENQLM field of the UAF record. The lock queue limit is the maximum number of locks that can be queued by the user at one time. The default is 200 on VAX systems and 2000 on Alpha systems.

/EXPIRATION
    /EXPIRATION=time (default)
    /NOEXPIRATION

Specifies the expiration date and time of the account. The /NOEXPIRATION qualifier removes the expiration date on the account or resets the expiration time for expired accounts. The default expiration time period is 90 days for nonprivileged users.

/FILLM
    /FILLM=value

Specifies the open file limit for the FILLM field of the UAF record. The open file limit is the maximum number of files that can be open at one time, including active network logical links. The default is 300 on VAX systems and 100 on Alpha systems.

/FLAGS
    /FLAGS=([NO]option[,...])

Specifies login flags for the user. The prefix NO clears the flag. The options are as follows:

    AUDIT               Enables or disables mandatory security auditing for a specific user. By default, the system does not audit the activities of specific users (NOAUDIT).
    AUTOLOGIN           Restricts the user to the automatic login mechanism when logging in to an account. When set, the flag disables login by any terminal that requires entry of a user name and password. The default is to require a user name and password (NOAUTOLOGIN).
    CAPTIVE             Prevents the user from changing any defaults at login, for example, /CLI or /LGICMD. It prevents the user from escaping the captive login command procedure specified by the /LGICMD qualifier and gaining access to the DCL command level.
                        See Guidelines for Captive Command Procedures in the OpenVMS Guide to System Security. The CAPTIVE flag also establishes an environment where Ctrl/Y interrupts are initially turned off; however, command procedures can still turn on Ctrl/Y interrupts with the DCL command SET CONTROL=Y. By default, an account is not captive (NOCAPTIVE).
    DEFCLI              Restricts the user to the default command interpreter by prohibiting the use of the /CLI qualifier at login; the MCR command can still be used. By default, a user can choose a CLI (NODEFCLI).
    DISCTLY             Establishes an environment where Ctrl/Y interrupts are initially turned off and are invalid until a SET CONTROL=Y is encountered. This could happen in SYLOGIN.COM or in a procedure called by SYLOGIN.COM. Once a SET CONTROL=Y is executed (which requires no privilege), a user can enter a Ctrl/Y and reach the DCL prompt ($). If the intent of DISCTLY is to force execution of the login command files, then SYLOGIN.COM should issue the DCL command SET CONTROL=Y to turn on Ctrl/Y interrupts before exiting. By default, Ctrl/Y is enabled (NODISCTLY).
    DISFORCE_PWD_CHANGE Removes the requirement that a user must change an expired password at login. By default, a person can use an expired password only once (NODISFORCE_PWD_CHANGE) and then is forced to change the password after logging in. If the user does not select a new password, the user is locked out of the system. To use this feature, set a password expiration date with the /PWDLIFETIME qualifier.
    DISIMAGE            Prevents the user from executing RUN, MCR, and foreign commands. By default, a user can execute RUN, MCR, and foreign commands (NODISIMAGE).
    DISMAIL             Disables mail delivery to the user. By default, mail delivery is enabled (NODISMAIL).
    DISNEWMAIL          Suppresses announcements of new mail at login. By default, the system announces new mail (NODISNEWMAIL).
    DISPWDDIC           Disables automatic screening of new passwords against a system dictionary.
                        By default, passwords are automatically screened (NODISPWDDIC).
    DISPWDHIS           Disables automatic checking of new passwords against a list of the user's old passwords. By default, the system screens new passwords (NODISPWDHIS).
    DISRECONNECT        Disables automatic reconnection to an existing process when a terminal connection has been interrupted. By default, automatic reconnection is enabled (NODISRECONNECT).
    DISREPORT           Suppresses reports of the last login time, login failures, and other security reports. By default, login information is displayed (NODISREPORT).
    DISUSER             Disables the account so the user cannot log in. For example, the DEFAULT account is disabled. By default, an account is enabled (NODISUSER).
    DISWELCOME          Suppresses the welcome message (an informational message displayed during a local login). This message usually indicates the version number of the operating system that is running and the name of the node on which the user is logged in. By default, a system login message appears (NODISWELCOME).
    EXTAUTH             Considers user to be authenticated by an external user name and password, not by the SYSUAF user name and password. (The system still uses the SYSUAF record to check a user's login restrictions and quotas and to create the user's process profile.)
    GENPWD              Restricts the user to generated passwords. By default, users choose their own passwords (NOGENPWD).
    LOCKPWD             Prevents the user from changing the password for the account. By default, users can change their passwords (NOLOCKPWD).
    PWD_EXPIRED         Marks a password as expired. The user cannot log in if this flag is set. The LOGINOUT.EXE image sets the flag when both of the following conditions exist: a user logs in with the DISFORCE_PWD_CHANGE flag set, and the user's password expires. A system manager can clear this flag. By default, passwords are not expired after login (NOPWD_EXPIRED).
    PWD2_EXPIRED        Marks a secondary password as expired.
                        Users cannot log in if this flag is set. The LOGINOUT.EXE image sets the flag when both of the following conditions exist: a user logs in with the DISFORCE_PWD_CHANGE flag set, and the user's password expires. A system manager can clear this flag. By default, passwords are not set to expire after login (NOPWD2_EXPIRED).
    RESTRICTED          Prevents the user from changing any defaults at login (for example, by specifying /LGICMD) and prohibits user specification of a CLI with the /CLI qualifier. The RESTRICTED flag establishes an environment where Ctrl/Y interrupts are initially turned off; however, command procedures can still turn on Ctrl/Y interrupts with the DCL command SET CONTROL=Y. Typically, this flag is used to prevent an applications user from having unrestricted access to the CLI. By default, a user can change defaults (NORESTRICTED).

/GENERATE_PASSWORD
    /GENERATE_PASSWORD[=keyword]
    /NOGENERATE_PASSWORD (default)

Invokes the password generator to create user passwords. Generated passwords can consist of 1 to 10 characters. Specify one of the following keywords:

    BOTH        Generate primary and secondary passwords.
    CURRENT     Do whatever the DEFAULT account does (for example, generate primary, secondary, both, or no passwords). This is the default keyword.
    PRIMARY     Generate primary password only.
    SECONDARY   Generate secondary password only.

When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, users are forced to change their passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

/INTERACTIVE
    /INTERACTIVE[=(range[,...])]
    /NOINTERACTIVE

Specifies the hours of access for interactive logins. For a description of the range specification, see the /ACCESS qualifier. By default, there are no access restrictions on interactive logins.
/JTQUOTA
    /JTQUOTA=value

Specifies the initial byte quota with which the jobwide logical name table is to be created. By default, the value is 4096 on VAX systems and 4096 on Alpha systems.

/LGICMD
    /LGICMD=filespec

Specifies the name of the default login command file. The file name defaults to the device specified for /DEVICE, the directory specified for /DIRECTORY, a file name of LOGIN, and a file type of .COM. If you select the defaults for all these values, the file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL
    /LOCAL[=(range[,...])]

Specifies hours of access for interactive logins from local terminals. For a description of the range specification, see the /ACCESS qualifier. By default, there are no access restrictions on local logins.

/MAXACCTJOBS
    /MAXACCTJOBS=value

Specifies the maximum number of batch, interactive, and detached processes that can be active at one time for all users of the same account. By default, a user has a maximum of 0, which represents an unlimited number.

/MAXDETACH
    /MAXDETACH=value

Specifies the maximum number of detached processes with the cited user name that can be active at one time. To prevent the user from creating detached processes, specify the keyword NONE. By default, a user has a value of 0, which represents an unlimited number.

/MAXJOBS
    /MAXJOBS=value

Specifies the maximum number of processes (interactive, batch, detached, and network) with the cited user name that can be active simultaneously. The first four network jobs are not counted. By default, a user has a maximum value of 0, which represents an unlimited number.

/MODIFY_IDENTIFIER
    /MODIFY_IDENTIFIER (default)
    /NOMODIFY_IDENTIFIER

Specifies whether the identifier associated with the user is to be modified in the rights database. This qualifier applies only when you modify the UIC or user name in the UAF record. By default, the associated identifiers are modified.
/NETWORK
    /NETWORK[=(range[,...])]

Specifies hours of access for network batch jobs. For a description of how to specify the range, see the /ACCESS qualifier. By default, network logins have no access restrictions.

/OWNER
    /OWNER=owner-name

Specifies the name of the owner of the account. You can use this name for billing purposes or similar applications. The owner name is 1 to 31 characters. No default owner name exists.

/PASSWORD
    /PASSWORD=(password1[,password2])
    /NOPASSWORD

Specifies up to two passwords for login. Passwords can be from 0 to 32 characters in length and can include alphanumeric characters, dollar signs, and underscores. Avoid using the word password as the actual password. Use the /PASSWORD qualifier as follows:

o  To set only the first password and clear the second, specify /PASSWORD=password.

o  To set both the first and second password, specify /PASSWORD=(password1, password2).

o  To change the first password without affecting the second, specify /PASSWORD=(password, "").

o  To change the second password without affecting the first, specify /PASSWORD=("", password).

o  To set both passwords to null, specify /NOPASSWORD.

When you modify a password, the new password expires automatically; it is valid only once (unless you specify /NOPWDEXPIRED). On login, the user is forced to change the password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are mutually exclusive.

/PBYTLM

This flag is reserved for Digital.

/PGFLQUOTA
    /PGFLQUOTA=value

Specifies the paging file limit. This is the maximum number of pages that the person's process can use in the system paging file. By default, the value is 32768 pages on VAX systems and 50000 pagelets on Alpha systems.

If decompressing libraries, make sure to set PGFLQUOTA to twice the size of the library.

/PRCLM
    /PRCLM=value

Specifies the subprocess creation limit.
This is the maximum number of subprocesses that can exist at one time for the specified user's process. By default, the value is 2 on VAX systems and 8 on Alpha systems.

/PRIMEDAYS
    /PRIMEDAYS=([NO]day[,...])

Defines the primary and secondary days of the week for logging in. Specify the days as a list separated by commas, and enclose the list in parentheses. To specify a secondary day, prefix the day with NO (for example, NOFRIDAY). To specify a primary day, omit the NO prefix.

By default, primary days are Monday through Friday and secondary days are Saturday and Sunday. If you omit a day from the list, AUTHORIZE uses the default value. (For example, if you omit Monday from the list, AUTHORIZE defines Monday as a primary day.)

Use the primary and secondary day definitions in conjunction with such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY
    /PRIORITY=value

Specifies the default base priority. The value is an integer in the range of 0 to 31 on VAX systems and 0 to 63 on Alpha systems. By default, the value is set to 4 for timesharing users.

/PRIVILEGES
    /PRIVILEGES=([NO]privname[,...])

Specifies which privileges the user is authorized to hold, although these privileges are not necessarily enabled at login. (The /DEFPRIVILEGES qualifier determines which ones are enabled.) A NO prefix removes the privilege from the user. The keyword NOALL disables all user privileges. Many privileges have varying degrees of power and potential system impact (see the OpenVMS Guide to System Security for a detailed discussion). By default, a user holds TMPMBX and NETMBX privileges. Privname is the name of the privilege.

/PWDEXPIRED
    /PWDEXPIRED (default)
    /NOPWDEXPIRED

Specifies the password is valid for only one login. A user must change a password immediately after login or be locked out of the system. The system warns users of password expiration.
A user can either specify a new password, with the DCL command SET PASSWORD, or wait until expiration and be forced to change. By default, a user must change a password when first logging in to an account. The default is applied to the account only when the password is being modified.

/PWDLIFETIME
    /PWDLIFETIME=time (default)
    /NOPWDLIFETIME

Specifies the length of time a password is valid. Specify a delta time value in the form [dddd-] [hh:mm:ss.cc]. For example, for a lifetime of 120 days, 0 hours, and 0 seconds, specify /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30 minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30". If a period longer than the specified time elapses before the user logs in, the system displays a warning message. The password is marked as expired.

To prevent a password from expiring, specify the time as NONE. By default, a password expires in 90 days.

/PWDMINIMUM
    /PWDMINIMUM=value

Specifies the minimum password length in characters. Note that this value is enforced only by the DCL command SET PASSWORD. It does not prevent you from entering a password shorter than the minimum length when you use AUTHORIZE to create or modify an account. By default, a password must have at least 6 characters.

If the value specified by the /PWDMINIMUM qualifier conflicts with the value used by the /GENERATE_PASSWORD qualifier or the DCL command SET PASSWORD/GENERATE, the operating system chooses the lesser value. The maximum value for generated passwords is 10.

/QUEPRIO
    /QUEPRIO=value

Reserved for future use.

/REMOTE
    /REMOTE[=(range[,...])]

Specifies hours during which access is permitted for interactive logins from network remote terminals (with the DCL command SET HOST). For a description of the range specification, see the /ACCESS qualifier. By default, remote logins have no access restrictions.

/SHRFILLM
    /SHRFILLM=value

Specifies the maximum number of shared files that the user can have open at one time.
By default, the system assigns a value of 0, which represents an infinite number.

/TQELM

Specifies the total number of entries in the timer queue plus the number of temporary common event flag clusters that the user can have at one time. By default, a user can have 10.

/UIC
    /UIC=value

Specifies the user identification code (UIC). The UIC value is a group number in the range from 1 to 37776 (octal) and a member number in the range from 0 to 177776 (octal), which are separated by a comma and enclosed in brackets. Digital reserves group 1 and groups 300-377 for its own use.

Each user must have a unique UIC. By default, the UIC value is [200,200].

/WSDEFAULT
    /WSDEFAULT=value

Specifies the default working set limit. This represents the initial limit to the number of physical pages the process can use. (The user can alter the default quantity up to WSQUOTA with the DCL command SET WORKING_SET.) By default, a user has 256 pages on VAX systems and 2000 pagelets on Alpha systems.

The value cannot be greater than WSMAX. This quota value replaces smaller values of PQL_MWSDEFAULT.

/WSEXTENT
    /WSEXTENT=value

Specifies the working set maximum. This represents the maximum amount of physical memory allowed to the process. The system provides memory to a process beyond its working set quota only when it has excess free pages. The additional memory is recalled by the system if needed.

The value is an integer equal to or greater than WSQUOTA. By default, the value is 1024 pages on VAX systems and 16384 pagelets on Alpha systems. The value cannot be greater than WSMAX. This quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA
    /WSQUOTA=value

Specifies the working set quota. This is the maximum amount of physical memory a user process can lock into its working set. It also represents the maximum amount of swap space that the system
reserves for this process and the maximum amount of physical memory that the system allows the process to consume if the systemwide memory demand is significant.

The value cannot be greater than the value of WSMAX and cannot exceed 64K pages. This quota value replaces smaller values of PQL_MWSQUOTA.

2 Example

    UAF> DEFAULT /DEVICE=SYS$USER/LGICMD=SYS$MANAGER:SECURELGN -
    _UAF> /PRIVILEGES=(TMPMBX,GRPNAM,GROUP)
    %UAF-I-MDFYMSG, user record(s) updated

The command in this example modifies the DEFAULT record, changing the default device, default login command file, and default privileges.

1 EXIT

Enables you to exit from AUTHORIZE and return to DCL command level. You can also return to command level by pressing Ctrl/Z.

Format

    EXIT

1 GRANT

2 /IDENTIFIER

Assigns the specified identifier to the user and documents the user as a holder of the identifier in the rights database.

Format

    GRANT/IDENTIFIER id-name user-spec

3 Parameters

id-name

Specifies the identifier name. The identifier name is a string of 1 to 31 alphanumeric characters that can contain underscores and dollar signs. The name must contain at least one nonnumeric character.

user-spec

Specifies the UIC identifier that uniquely identifies the user on the system. This type of identifier appears in alphanumeric format. For example: [GROUP1,JONES].

3 Qualifier

/ATTRIBUTES
    /ATTRIBUTES=(keyword[,...])

Specifies attributes to be associated with the identifier. The following are valid keywords:

    DYNAMIC             Allows unprivileged holders of the identifier to remove and to restore the identifier from the process rights list by using the DCL command SET RIGHTS_LIST.
    HOLDER_HIDDEN       Prevents people from getting a list of users who hold an identifier, unless they own the identifier themselves.
    NAME_HIDDEN         Allows holders of an identifier to have it translated, either from binary to ASCII or from ASCII to binary, but prevents unauthorized users from translating the
                        identifier.
    NOACCESS            Makes any access rights of the identifier null and void. If a user is granted an identifier with the No Access attribute, that identifier has no effect on the user's access rights to objects. This attribute is a modifier for an identifier with the Resource or Subsystem attribute.
    RESOURCE            Allows holders of an identifier to charge disk space to the identifier. Used only for file objects.
    SUBSYSTEM           Allows holders of the identifier to create and maintain protected subsystems by assigning the Subsystem ACE to the application images in the subsystem. Used only for file objects.

To remove an attribute from the identifier, add a NO prefix to the attribute keyword. For example, to remove the Resource attribute, specify /ATTRIBUTES=NORESOURCE.

3 Example

    UAF> GRANT/IDENTIFIER INVENTORY [300,015]
    %UAF-I-GRANTMSG, identifier INVENTORY granted to CRAMER

The command in this example grants the identifier INVENTORY to the user named Cramer who has UIC [300,015]. Cramer becomes the holder of the identifier and any resources associated with it. The following command produces the same result:

    UAF> GRANT/IDENTIFIER INVENTORY CRAMER

1 HELP

Displays information concerning the use of AUTHORIZE, including formats and explanations of commands, parameters, and qualifiers.

Format

    HELP [keyword[,...]]

2 Parameter

keyword[,...]

Specifies one or more keywords that refer to the topic, command, qualifier, or parameter on which you want information from the AUTHORIZE HELP command.

1 LIST

Writes reports for selected UAF records to a listing file, SYSUAF.LIS, which is placed in the current default directory.

Format

    LIST [user-spec]

2 Parameter

user-spec

Specifies the user name or UIC of the requested UAF record. Without the user-spec parameter, AUTHORIZE lists the user records of all users. The asterisk (*) and percent sign (%) wildcards are permitted in the user name.
2 Qualifiers

/BRIEF

Specifies that a brief report be written to SYSUAF.LIS. The /BRIEF qualifier is the default qualifier. SYSUAF.LIS is placed in the SYS$SYSTEM directory.

/FULL

Specifies that a full report be written to SYSUAF.LIS, including identifiers held by the user. SYSUAF.LIS is placed in the SYS$SYSTEM directory.

2 Examples

1.UAF> LIST ROBIN/FULL
  %UAF-I-LSTMSG1, writing listing file
  %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

  This command lists a full report for the user record ROBIN.

2.UAF> LIST *
  %UAF-I-LSTMSG1, writing listing file
  %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

  This command results in brief reports for all users in ascending sequence by user name. Note, however, that this is the same result you would produce had you omitted the asterisk wildcard.

3.UAF> LIST [300,*]
  %UAF-I-LSTMSG1, writing listing file
  %UAF-I-LSTMSG2, listing file SYSUAF.LIS complete

  This command lists a brief report for all user records with a group UIC of 300.

2 /IDENTIFIER

Creates a listing file (RIGHTSLIST.LIS) in which identifier names, attributes, values, and holders are written.

Format

    LIST/IDENTIFIER [id-name]

3 Parameter

id-name

Specifies an identifier name. You can specify the asterisk wildcard character (*) to list all identifiers. If you omit the identifier name, you must specify /USER or /VALUE.

3 Qualifiers

/BRIEF

Specifies a brief listing in which only the identifier name, value, and attributes appear.

/FULL

Specifies a full listing, in which the names of the identifier's holders are displayed along with the identifier's name, value, and attributes. The /FULL qualifier specifies the default listing format.

/USER
    /USER=user-spec

Specifies one or more users whose identifiers are to be listed. The user-spec can be a user name or UIC. You can use the asterisk wildcard character (*) to specify multiple user names or UICs. UICs must be in the form [*,*], [n,*], [*,n], or [n,n].
A wildcard user name specification (*) lists identifiers alphabetically by user name; a wildcard UIC specification ([*,*]) lists them numerically by UIC.

/VALUE
    /VALUE=value-specifier

Specifies the value of the identifier to be listed. The following are valid formats for the value-specifier:

    IDENTIFIER:n    An integer value in the range 65,536 to 268,435,455. You can also specify the value in hexadecimal (precede the value with %X) or octal (precede the value with %O).
                    To differentiate general identifiers from UIC identifiers, %X80000000 is added to the value you specify.
    UIC:uic         A UIC value in the standard UIC format.

3 Examples

1.UAF> LIST/IDENTIFIER INVENTORY
  %UAF-I-LSTMSG1, writing listing file
  %UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete

  The command in this example generates a full listing for the identifier INVENTORY, including its value (in hexadecimal), holders, and attributes.

2.UAF> LIST/IDENTIFIER/USER=ANDERSON
  %UAF-I-LSTMSG1, writing listing file
  %UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete

  This command lists an identifier associated with the user ANDERSON, along with its value and attributes. Note, however, that this is the same result you would produce had you specified ANDERSON's UIC with the following forms of the command:

  UAF> LIST/IDENTIFIER/USER=[300,015]
  UAF> LIST/IDENTIFIER/VALUE=UIC:[300,015]

2 /PROXY

Creates a listing file of the network proxy database entries from the network database file NET$PROXY.DAT.

Format

    LIST/PROXY

3 Qualifiers

/OLD

Directs AUTHORIZE to display information from the NETPROXY.DAT file rather than from the default file NET$PROXY.DAT.

If someone modifies the proxy database on a cluster node that is not running the current OpenVMS VAX system, then you can use the /OLD qualifier to list the contents of the old database: NETPROXY.DAT.
3 Example

    UAF> LIST/PROXY/OLD
    %UAF-I-LSTMSG1, writing listing file
    %UAF-I-NETLSTMSG, listing file NETPROXY.LIS complete

The command in this example creates a listing file of all the entries in the network proxy database NETPROXY.DAT.

2 /RIGHTS

Lists identifiers held by the specified identifier or, if /USER is specified, all identifiers held by the specified users.

Format

    LIST/RIGHTS [id-name]

3 Parameter

id-name

Specifies the name of the identifier associated with the user. If you omit the identifier name, you must specify the /USER qualifier.

3 Qualifier

/USER
    /USER=user-spec

Specifies a user whose identifiers are to be listed. The user-spec can be a user name or UIC. You can use the asterisk wildcard character (*) to specify multiple UICs or all user names. UICs must be in the form [*,*], [n,*], [*,n], or [n,n]. A wildcard user name specification (*) or wildcard UIC specification ([*,*]) lists all identifiers held by users. The wildcard user name specification lists holders' user names alphabetically; the wildcard UIC specification lists them in the numerical order of their UICs.

3 Example

    UAF> LIST/RIGHTS PAYROLL
    %UAF-I-LSTMSG1, writing listing file
    %UAF-I-RLSTMSG, listing file RIGHTSLIST.LIS complete

The command in this example lists identifiers held by PAYROLL, providing PAYROLL is the name of a UIC format identifier.

1 MODIFY

Changes values in a SYSUAF user record. Qualifiers not specified in the command remain unchanged.

Format

    MODIFY username /qualifier[,...]

2 Parameter

username

Specifies the name of a user in the SYSUAF. The asterisk (*) and percent sign (%) wildcard characters are permitted in the user name. When you specify a single asterisk for the user name, you modify the records of all users.

2 Qualifiers

/ACCESS
    /ACCESS[=(range[,...])]

Specifies hours of access for all modes of access.
  The syntax for specifying the range is:

      /[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])

  Specify hours as integers from 0 to 23, inclusive. You can
  specify single hours (n) or ranges of hours (n-m). If the ending
  hour of a range is earlier than the starting hour, the range
  extends from the starting hour through midnight to the ending
  hour. The first set of hours after the keyword PRIMARY specifies
  hours on primary days; the second set of hours after the keyword
  SECONDARY specifies hours on secondary days. Note that hours
  are inclusive; that is, if you grant access during a given hour,
  access extends to the end of that hour.

  By default, a user has full access every day. See the DCL
  command SET DAY in the OpenVMS DCL Dictionary for information
  on overriding the defaults for primary and secondary day types.

  All the list elements are optional. Unless you specify hours for
  a day type, access is permitted for the entire day. By specifying
  an access time, you prevent access at all other times. Adding
  NO to the qualifier denies the user access to the system for the
  specified period of time.

  Examples:

  /ACCESS                Allows unrestricted access
  /NOACCESS=SECONDARY    Allows access on primary days only
  /ACCESS=(9-17)         Allows access from 9 A.M. to 5:59 P.M. on
                         all days
  /NOACCESS=(PRIMARY,    Disallows access between 9 A.M. to 5:59
  9-17, SECONDARY,       P.M. on primary days but allows access
  18-8)                  during these hours on secondary days

  To specify access hours for specific types of access, see the
  /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE
  qualifiers.

/ACCOUNT

      /ACCOUNT=account-name

  Specifies the default name for the account (for example, a
  billing name or number). The name can be a string of 1 to 8
  alphanumeric characters. By default, AUTHORIZE does not assign
  an account name.

/ALGORITHM

      /ALGORITHM=keyword=type [=value]

  Sets the password encryption algorithm for a user.
  The keyword VMS refers to the algorithm used in the operating
  system version that is running on your system, whereas a customer
  algorithm is one that is added through the $HASH_PASSWORD system
  service by a customer site, by a layered product, or by a third
  party. The customer algorithm is identified in $HASH_PASSWORD by
  an integer in the range of 128 to 255. It must correspond with the
  number used in the AUTHORIZE command MODIFY/ALGORITHM. By default,
  passwords are encrypted with the VMS algorithm for the current
  version of the operating system.

  Keyword     Function

  BOTH        Set the algorithm for primary and secondary passwords.
  CURRENT     Set the algorithm for the primary, secondary, both,
              or no passwords, depending on account status. CURRENT
              is the default value.
  PRIMARY     Set the algorithm for the primary password only.
  SECONDARY   Set the algorithm for the secondary password only.

  The following table lists password encryption algorithms:

  Type        Definition

  VMS         The algorithm used in the version of the operating
              system that is running on your system.
  CUSTOMER    A numeric value in the range of 128 to 255 that
              identifies a customer algorithm.

  The following example selects the VMS algorithm for Sontag's
  primary password:

      UAF>  MODIFY SONTAG/ALGORITHM=PRIMARY=VMS

  If you select a site-specific algorithm, you must give a value to
  identify the algorithm, as follows:

      UAF>  MODIFY SONTAG/ALGORITHM=CURRENT=CUSTOMER=128

/ASTLM

      /ASTLM=value

  Specifies the AST queue limit, which is the total number of
  asynchronous system trap (AST) operations and scheduled wake-up
  requests that the user can have queued at one time. The default
  is 40 on VAX systems and 250 on Alpha systems.

/BATCH

      /BATCH[=(range[,...])]

  Specifies the hours of access permitted for batch jobs. For
  a description of the range specification, see the /ACCESS
  qualifier. By default, a user can submit batch jobs any time.

/BIOLM

      /BIOLM=value

  Specifies a buffered I/O count limit for the BIOLM field of the
  UAF record. The buffered I/O count limit is the maximum number
  of buffered I/O operations, such as terminal I/O, that can be
  outstanding at one time. The default is 40 on VAX systems and 150
  on Alpha systems.

/BYTLM

      /BYTLM=value

  Specifies the buffered I/O byte limit for the BYTLM field of the
  UAF record. The buffered I/O byte limit is the maximum number
  of bytes of nonpaged system dynamic memory that a user's job
  can consume at one time. Nonpaged dynamic memory is used for
  operations such as I/O buffering, mailboxes, and file-access
  windows. The default is 32768 on VAX systems and 64000 on Alpha
  systems.

/CLI

      /CLI=cli-name

  Specifies the name of the default command language interpreter
  (CLI) for the CLI field of the UAF record. The cli-name is a
  string of 1 to 31 alphanumeric characters and should be either
  DCL or MCR. The default is DCL. This setting is ignored for
  network jobs.

/CLITABLES

      /CLITABLES=filespec

  Specifies user-defined CLI tables for the account. The
  filespec can contain 1 to 31 characters. The default is
  SYS$LIBRARY:DCLTABLES. Note that this setting is ignored for
  network jobs to guarantee that the system-supplied command
  procedures used to implement network objects function properly.

/CPUTIME

      /CPUTIME=time

  Specifies the maximum process CPU time for the CPU field of the
  UAF record. The maximum process CPU time is the maximum amount of
  CPU time a user's process can take per session. You must specify
  a delta time value. For a discussion of delta time values, see
  the OpenVMS User's Manual. The default is 0, which means an
  infinite amount of time.

/DEFPRIVILEGES

      /DEFPRIVILEGES=([NO]privname[,...])

  Specifies default privileges for the user; that is, those enabled
  at login time. A NO prefix removes a privilege from the user. By
  specifying the keyword [NO]ALL with the /DEFPRIVILEGES qualifier,
  you can disable or enable all user privileges.
  The default privileges are TMPMBX and NETMBX. Privname is the name
  of the privilege.

/DEVICE

      /DEVICE=device-name

  Specifies the name of the user's default device at login. The
  device-name is a string of 1 to 31 alphanumeric characters. If
  you omit the colon from the device-name value, AUTHORIZE appends
  a colon. The default device is SYS$SYSDISK.

  If you specify a logical name as the device-name (for example,
  DISK1: for DUA1:), you must make an entry for the logical name in
  the LNM$SYSTEM_TABLE in executive mode by using the DCL command
  DEFINE/SYSTEM/EXEC.

/DIALUP

      /DIALUP[=(range[,...])]

  Specifies hours of access permitted for dialup logins. For
  a description of the range specification, see the /ACCESS
  qualifier. The default is full access.

/DIOLM

      /DIOLM=value

  Specifies the direct I/O count limit for the DIOLM field of the
  UAF record. The direct I/O count limit is the maximum number
  of direct I/O operations (usually disk) that can be outstanding
  at one time. The default is 40 on VAX systems and 150 on Alpha
  systems.

/DIRECTORY

      /DIRECTORY=directory-name

  Specifies the default directory name for the DIRECTORY field of
  the UAF record. The directory-name can be 1 to 39 alphanumeric
  characters. If you do not enclose the directory name in brackets,
  AUTHORIZE adds the brackets for you. The default directory name
  is [USER].

/ENQLM

      /ENQLM=value

  Specifies the lock queue limit for the ENQLM field of the UAF
  record. The lock queue limit is the maximum number of locks that
  can be queued by the user at one time. The default is 200 on VAX
  systems and 2000 on Alpha systems.

/EXPIRATION

      /EXPIRATION=time (default)
      /NOEXPIRATION

  Specifies the expiration date and time of the account. The
  /NOEXPIRATION qualifier removes the expiration date on the
  account or resets the expiration time for expired accounts.
  The default expiration time period is 90 days for nonprivileged
  users.

/FILLM

      /FILLM=value

  Specifies the open file limit for the FILLM field of the UAF
  record. The open file limit is the maximum number of files that
  can be open at one time, including active network logical links.
  The default is 300 on VAX systems and 100 on Alpha systems.

/FLAGS

      /FLAGS=([NO]option[,...])

  Specifies login flags for the user. The prefix NO clears the
  flag. The options are as follows:

  AUDIT                Enables or disables mandatory security
                       auditing for a specific user. By default,
                       the system does not audit the activities of
                       specific users (NOAUDIT).

  AUTOLOGIN            Restricts the user to the automatic login
                       mechanism when logging in to an account.
                       When set, the flag disables login by any
                       terminal that requires entry of a user name
                       and password. The default is to require a user
                       name and password (NOAUTOLOGIN).

  CAPTIVE              Prevents the user from changing any defaults
                       at login, for example, /CLI or /LGICMD. It
                       prevents the user from escaping the captive
                       login command procedure specified by the
                       /LGICMD qualifier and gaining access to the
                       DCL command level. See Guidelines for Captive
                       Command Procedures in the OpenVMS Guide to
                       System Security.

                       The CAPTIVE flag also establishes an
                       environment where Ctrl/Y interrupts are
                       initially turned off; however, command
                       procedures can still turn on Ctrl/Y
                       interrupts with the DCL command SET CONTROL=Y.
                       By default, an account is not captive
                       (NOCAPTIVE).

  DEFCLI               Restricts the user to the default command
                       interpreter by prohibiting the use of the /CLI
                       qualifier at login; the MCR command can still
                       be used. By default, a user can choose a CLI
                       (NODEFCLI).

  DISCTLY              Establishes an environment where Ctrl/Y
                       interrupts are initially turned off and are
                       invalid until a SET CONTROL=Y is encountered.
                       This could happen in SYLOGIN.COM or in a
                       procedure called by SYLOGIN.COM. Once a SET
                       CONTROL=Y is executed (which requires no
                       privilege), a user can enter a Ctrl/Y and
                       reach the DCL prompt ($).
                       If the intent of
                       DISCTLY is to force execution of the login
                       command files, then SYLOGIN.COM should issue
                       the DCL command SET CONTROL=Y to turn on
                       Ctrl/Y interrupts before exiting. By default,
                       Ctrl/Y is enabled (NODISCTLY).

  DISFORCE_PWD_CHANGE  Removes the requirement that a user must
                       change an expired password at login. By
                       default, a person can use an expired password
                       only once (NODISFORCE_PWD_CHANGE) and then
                       is forced to change the password after
                       logging in. If the user does not select a
                       new password, the user is locked out of the
                       system.

                       To use this feature, set a password expiration
                       date with the /PWDLIFETIME qualifier.

  DISIMAGE             Prevents the user from executing RUN, MCR,
                       and foreign commands. By default, a user
                       can execute RUN, MCR, and foreign commands
                       (NODISIMAGE).

  DISMAIL              Disables mail delivery to the user. By
                       default, mail delivery is enabled (NODISMAIL).

  DISNEWMAIL           Suppresses announcements of new mail at login.
                       By default, the system announces new mail
                       (NODISNEWMAIL).

  DISPWDDIC            Disables automatic screening of new passwords
                       against a system dictionary. By default,
                       passwords are automatically screened
                       (NODISPWDDIC).

  DISPWDHIS            Disables automatic checking of new passwords
                       against a list of the user's old passwords.
                       By default, the system screens new passwords
                       (NODISPWDHIS).

  DISRECONNECT         Disables automatic reconnection to an existing
                       process when a terminal connection has
                       been interrupted. By default, automatic
                       reconnection is enabled (NODISRECONNECT).

  DISREPORT            Suppresses reports of the last login time,
                       login failures, and other security reports.
                       By default, login information is displayed
                       (NODISREPORT).

  DISUSER              Disables the account so the user cannot log
                       in. For example, the DEFAULT account is
                       disabled. By default, an account is enabled
                       (NODISUSER).

  DISWELCOME           Suppresses the welcome message (an
                       informational message displayed during a local
                       login).
                       This message usually indicates the
                       version number of the operating system that is
                       running and the name of the node on which the
                       user is logged in. By default, a system login
                       message appears (NODISWELCOME).

  EXTAUTH              Considers user to be authenticated by an
                       external user name and password, not by the
                       SYSUAF user name and password. (The system
                       still uses the SYSUAF record to check a user's
                       login restrictions and quotas and to create
                       the user's process profile.)

  GENPWD               Restricts the user to generated passwords.
                       By default, users choose their own passwords
                       (NOGENPWD).

  LOCKPWD              Prevents the user from changing the password
                       for the account. By default, users can change
                       their passwords (NOLOCKPWD).

  PWD_EXPIRED          Marks a password as expired. The user cannot
                       log in if this flag is set. The LOGINOUT.EXE
                       image sets the flag when both of the following
                       conditions exist: a user logs in with the
                       DISFORCE_PWD_CHANGE flag set, and the user's
                       password expires. A system manager can clear
                       this flag. By default, passwords are not
                       expired after login (NOPWD_EXPIRED).

  PWD2_EXPIRED         Marks a secondary password as expired. Users
                       cannot log in if this flag is set. The
                       LOGINOUT.EXE image sets the flag when both
                       of the following conditions exist: a user logs
                       in with the DISFORCE_PWD_CHANGE flag set, and
                       the user's password expires. A system manager
                       can clear this flag. By default, passwords
                       are not set to expire after login
                       (NOPWD2_EXPIRED).

  RESTRICTED           Prevents the user from changing any defaults
                       at login (for example, by specifying /LGICMD)
                       and prohibits user specification of a CLI
                       with the /CLI qualifier. The RESTRICTED
                       flag establishes an environment where Ctrl/Y
                       interrupts are initially turned off; however,
                       command procedures can still turn on Ctrl/Y
                       interrupts with the DCL command SET CONTROL=Y.
                       Typically, this flag is used to prevent an
                       applications user from having unrestricted
                       access to the CLI.
                       By default, a user can
                       change defaults (NORESTRICTED).

/GENERATE_PASSWORD

      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

  Invokes the password generator to create user passwords.
  Generated passwords can consist of 1 to 10 characters. Specify
  one of the following keywords:

  BOTH        Generate primary and secondary passwords.
  CURRENT     Do whatever the DEFAULT account does (for example,
              generate primary, secondary, both, or no passwords).
              This is the default keyword.
  PRIMARY     Generate primary password only.
  SECONDARY   Generate secondary password only.

  When you modify a password, the new password expires
  automatically; it is valid only once (unless you specify
  /NOPWDEXPIRED). On login, users are forced to change their
  passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

  Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
  mutually exclusive.

/INTERACTIVE

      /INTERACTIVE[=(range[,...])]
      /NOINTERACTIVE

  Specifies the hours of access for interactive logins. For
  a description of the range specification, see the /ACCESS
  qualifier. By default, there are no access restrictions on
  interactive logins.

/JTQUOTA

      /JTQUOTA=value

  Specifies the initial byte quota with which the jobwide logical
  name table is to be created. By default, the value is 4096 on VAX
  systems and 4096 on Alpha systems.

/LGICMD

      /LGICMD=filespec

  Specifies the name of the default login command file. The file
  name defaults to the device specified for /DEVICE, the directory
  specified for /DIRECTORY, a file name of LOGIN, and a file type
  of .COM. If you select the defaults for all these values, the
  file name is SYS$SYSTEM:[USER]LOGIN.COM.

/LOCAL

      /LOCAL[=(range[,...])]

  Specifies hours of access for interactive logins from local
  terminals. For a description of the range specification, see the
  /ACCESS qualifier. By default, there are no access restrictions
  on local logins.

/MAXACCTJOBS

      /MAXACCTJOBS=value

  Specifies the maximum number of batch, interactive, and detached
  processes that can be active at one time for all users of the
  same account. By default, a user has a maximum of 0, which
  represents an unlimited number.

/MAXDETACH

      /MAXDETACH=value

  Specifies the maximum number of detached processes with the cited
  user name that can be active at one time. To prevent the user
  from creating detached processes, specify the keyword NONE. By
  default, a user has a value of 0, which represents an unlimited
  number.

/MAXJOBS

      /MAXJOBS=value

  Specifies the maximum number of processes (interactive, batch,
  detached, and network) with the cited user name that can be
  active simultaneously. The first four network jobs are not
  counted. By default, a user has a maximum value of 0, which
  represents an unlimited number.

/MODIFY_IDENTIFIER

      /MODIFY_IDENTIFIER (default)
      /NOMODIFY_IDENTIFIER

  Specifies whether the identifier associated with the user is
  to be modified in the rights database. This qualifier applies
  only when you modify the UIC or user name in the UAF record. By
  default, the associated identifiers are modified.

/NETWORK

      /NETWORK[=(range[,...])]

  Specifies hours of access for network batch jobs. For a
  description of how to specify the range, see the /ACCESS
  qualifier. By default, network logins have no access
  restrictions.

/OWNER

      /OWNER=owner-name

  Specifies the name of the owner of the account. You can use this
  name for billing purposes or similar applications. The owner name
  is 1 to 31 characters. No default owner name exists.

/PASSWORD

      /PASSWORD=(password1[,password2])
      /NOPASSWORD

  Specifies up to two passwords for login. Passwords can be
  from 0 to 32 characters in length and can include alphanumeric
  characters, dollar signs, and underscores. Avoid using the word
  password as the actual password.
  Use the /PASSWORD qualifier as follows:

  o  To set only the first password and clear the second, specify
     /PASSWORD=password.

  o  To set both the first and second password, specify
     /PASSWORD=(password1, password2).

  o  To change the first password without affecting the second,
     specify /PASSWORD=(password, "").

  o  To change the second password without affecting the first,
     specify /PASSWORD=("", password).

  o  To set both passwords to null, specify /NOPASSWORD.

  When you modify a password, the new password expires
  automatically; it is valid only once (unless you specify
  /NOPWDEXPIRED). On login, the user is forced to change the
  password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

  Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
  mutually exclusive.

/PBYTLM

  This flag is reserved for Digital.

/PGFLQUOTA

      /PGFLQUOTA=value

  Specifies the paging file limit. This is the maximum number of
  pages that the person's process can use in the system paging
  file. By default, the value is 32768 pages on VAX systems and
  50000 pagelets on Alpha systems.

  If decompressing libraries, make sure to set PGFLQUOTA to twice
  the size of the library.

/PRCLM

      /PRCLM=value

  Specifies the subprocess creation limit. This is the maximum
  number of subprocesses that can exist at one time for the
  specified user's process. By default, the value is 2 on VAX
  systems and 8 on Alpha systems.

/PRIMEDAYS

      /PRIMEDAYS=([NO]day[,...])

  Defines the primary and secondary days of the week for logging
  in. Specify the days as a list separated by commas, and enclose
  the list in parentheses. To specify a secondary day, prefix the
  day with NO (for example, NOFRIDAY). To specify a primary day,
  omit the NO prefix.

  By default, primary days are Monday through Friday and secondary
  days are Saturday and Sunday. If you omit a day from the list,
  AUTHORIZE uses the default value.
  (For example, if you omit
  Monday from the list, AUTHORIZE defines Monday as a primary day.)

  Use the primary and secondary day definitions in conjunction with
  such qualifiers as /ACCESS, /INTERACTIVE, and /BATCH.

/PRIORITY

      /PRIORITY=value

  Specifies the default base priority. The value is an integer in
  the range of 0 to 31 on VAX systems and 0 to 63 on Alpha systems.
  By default, the value is set to 4 for timesharing users.

/PRIVILEGES

      /PRIVILEGES=([NO]privname[,...])

  Specifies which privileges the user is authorized to hold,
  although these privileges are not necessarily enabled at login.
  (The /DEFPRIVILEGES qualifier determines which ones are enabled.)
  A NO prefix removes the privilege from the user. The keyword
  NOALL disables all user privileges. Many privileges have varying
  degrees of power and potential system impact (see the OpenVMS
  Guide to System Security for a detailed discussion). By default,
  a user holds TMPMBX and NETMBX privileges. Privname is the name
  of the privilege.

/PWDEXPIRED

      /PWDEXPIRED (default)
      /NOPWDEXPIRED

  Specifies the password is valid for only one login. A user must
  change a password immediately after login or be locked out of the
  system. The system warns users of password expiration. A user can
  either specify a new password, with the DCL command SET PASSWORD,
  or wait until expiration and be forced to change. By default, a
  user must change a password when first logging in to an account.
  The default is applied to the account only when the password is
  being modified.

/PWDLIFETIME

      /PWDLIFETIME=time (default)
      /NOPWDLIFETIME

  Specifies the length of time a password is valid. Specify a
  delta time value in the form [dddd-] [hh:mm:ss.cc]. For example,
  for a lifetime of 120 days, 0 hours, and 0 seconds, specify
  /PWDLIFETIME="120-". For a lifetime of 120 days 12 hours, 30
  minutes and 30 seconds, specify /PWDLIFETIME="120-12:30:30".
  If a period longer than the specified time elapses before the user
  logs in, the system displays a warning message. The password is
  marked as expired.

  To prevent a password from expiring, specify the time as NONE. By
  default, a password expires in 90 days.

/PWDMINIMUM

      /PWDMINIMUM=value

  Specifies the minimum password length in characters. Note that
  this value is enforced only by the DCL command SET PASSWORD. It
  does not prevent you from entering a password shorter than the
  minimum length when you use AUTHORIZE to create or modify an
  account. By default, a password must have at least 6 characters.

  If the value specified by the /PWDMINIMUM qualifier conflicts with
  the value used by the /GENERATE_PASSWORD qualifier or the DCL
  command SET PASSWORD/GENERATE, the operating system chooses the
  lesser value. The maximum value for generated passwords is 10.

/QUEPRIO

      /QUEPRIO=value

  Reserved for future use.

/REMOTE

      /REMOTE[=(range[,...])]

  Specifies hours during which access is permitted for interactive
  logins from network remote terminals (with the DCL command SET
  HOST). For a description of the range specification, see the
  /ACCESS qualifier. By default, remote logins have no access
  restrictions.

/SHRFILLM

      /SHRFILLM=value

  Specifies the maximum number of shared files that the user can
  have open at one time. By default, the system assigns a value of
  0, which represents an infinite number.

/TQELM

  Specifies the total number of entries in the timer queue plus the
  number of temporary common event flag clusters that the user can
  have at one time. By default, a user can have 10.

/UIC

      /UIC=value

  Specifies the user identification code (UIC). The UIC value is
  a group number in the range from 1 to 37776 (octal) and a member
  number in the range from 0 to 177776 (octal), which are separated
  by a comma and enclosed in brackets. Digital reserves group 1 and
  groups 300-377 for its own use.

  Each user must have a unique UIC. By default, the UIC value is
  [200,200].

/WSDEFAULT

      /WSDEFAULT=value

  Specifies the default working set limit. This represents the
  initial limit to the number of physical pages the process can
  use. (The user can alter the default quantity up to WSQUOTA with
  the DCL command SET WORKING_SET.) By default, a user has 256
  pages on VAX systems and 2000 pagelets on Alpha systems.

  The value cannot be greater than WSMAX. This quota value replaces
  smaller values of PQL_MWSDEFAULT.

/WSEXTENT

      /WSEXTENT=value

  Specifies the working set maximum. This represents the maximum
  amount of physical memory allowed to the process. The system
  provides memory to a process beyond its working set quota only
  when it has excess free pages. The additional memory is recalled
  by the system if needed.

  The value is an integer equal to or greater than WSQUOTA. By
  default, the value is 1024 pages on VAX systems and 16384
  pagelets on Alpha systems. The value cannot be greater than
  WSMAX. This quota value replaces smaller values of PQL_MWSEXTENT.

/WSQUOTA

      /WSQUOTA=value

  Specifies the working set quota. This is the maximum amount of
  physical memory a user process can lock into its working set. It
  also represents the maximum amount of swap space that the system
  reserves for this process and the maximum amount of physical
  memory that the system allows the process to consume if the
  systemwide memory demand is significant.

  The value cannot be greater than the value of WSMAX and cannot
  exceed 64K pages. This quota value replaces smaller values of
  PQL_MWSQUOTA.
2 Examples

  1. UAF> MODIFY ROBIN /PASSWORD=SP0172
     %UAF-I-MDFYMSG, user record(s) updated

     The command in this example changes the password for user ROBIN
     without altering any other values in the record.

  2. UAF> MODIFY ROBIN/FLAGS=RESTRICTED
     %UAF-I-MDFYMSG, user record(s) updated

     The command in this example modifies the UAF record for user
     ROBIN by adding the login flag RESTRICTED.
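
  The /ACCESS hour rules described under MODIFY (inclusive hours,
  ranges that run through midnight, the PRIMARY and SECONDARY day
  types, the NO prefix) are modelled below in Python as an added
  example for reviewing login-hour restrictions; it is not part of
  the OpenVMS help text or of AUTHORIZE. The function names are
  hypothetical, and the treatment of a bare /NOACCESS is an
  assumption.

```python
import re

ALL_HOURS = frozenset(range(24))
DAY_TYPES = ("PRIMARY", "SECONDARY")


def expand_hours(token):
    """Expand 'n' or 'n-m' into a set of whole hours, inclusive at both ends."""
    m = re.fullmatch(r"(\d{1,2})(?:-(\d{1,2}))?", token)
    if not m:
        raise ValueError(f"not an hour or hour range: {token!r}")
    start = int(m.group(1))
    end = start if m.group(2) is None else int(m.group(2))
    if start > 23 or end > 23:
        raise ValueError(f"hours must be 0 to 23: {token!r}")
    if end >= start:
        return set(range(start, end + 1))
    # Ending hour earlier than starting hour: the range runs through midnight.
    return set(range(start, 24)) | set(range(0, end + 1))


def permitted_hours(qualifier):
    """Return {day type: frozenset of hours in which access is permitted}."""
    text = re.sub(r"\s+", "", qualifier).upper()
    m = re.fullmatch(r"/(NO)?ACCESS(?:=(.+))?", text)
    if not m:
        raise ValueError(f"not an /[NO]ACCESS qualifier: {qualifier!r}")
    negated = m.group(1) is not None
    tokens = [t for t in (m.group(2) or "").strip("()").split(",") if t]
    if not tokens:
        # Bare /ACCESS is unrestricted (first example in the help text).
        # Assumption, not stated in the help text: bare /NOACCESS denies all.
        return {d: (frozenset() if negated else ALL_HOURS) for d in DAY_TYPES}

    listed = {d: set() for d in DAY_TYPES}
    named = set()
    targets = DAY_TYPES          # hours given before any keyword cover all days
    for tok in tokens:
        if tok in DAY_TYPES:
            targets = (tok,)
            named.add(tok)
        else:
            for day in targets:
                listed[day] |= expand_hours(tok)

    result = {}
    for day in DAY_TYPES:
        if listed[day]:
            span = frozenset(listed[day])
        elif day in named:
            span = ALL_HOURS     # keyword without hours, as in /NOACCESS=SECONDARY
        else:
            result[day] = ALL_HOURS   # day type not mentioned: entire day permitted
            continue
        result[day] = ALL_HOURS - span if negated else span
    return result


def hours_outside(qualifier, window):
    """Permitted hours that fall outside `window` (an iterable of hours), per day type."""
    allowed = permitted_hours(qualifier)
    keep = frozenset(window)
    return {day: sorted(allowed[day] - keep) for day in DAY_TYPES}


if __name__ == "__main__":
    # The four examples from the /ACCESS description.
    for q in ("/ACCESS", "/NOACCESS=SECONDARY", "/ACCESS=(9-17)",
              "/NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8)"):
        hours = permitted_hours(q)
        print(q, {d: sorted(hours[d]) for d in DAY_TYPES})
```

  hours_outside() lists, per day type, the hours an account may
  still log in outside a chosen window, which is the figure to
  check when a restriction is meant to confine logins to working
  hours.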
2 /IDENTIFIER
  Modifies an identifier name, its associated value, or its
  attributes in the rights database.

  Format

      MODIFY/IDENTIFIER  id-name
3 Parameter

id-name

  Specifies the name of an identifier to be modified.
3 Qualifiers

/ATTRIBUTES

      /ATTRIBUTES=(keyword[,...])

  Specifies attributes to be associated with the modified
  identifier. The following are valid keywords:

  DYNAMIC         Allows unprivileged holders of the identifier
                  to remove and to restore the identifier from
                  the process rights list by using the DCL
                  command SET RIGHTS_LIST.

  HOLDER_HIDDEN   Prevents people from getting a list of users
                  who hold an identifier, unless they own the
                  identifier themselves.

  NAME_HIDDEN     Allows holders of an identifier to have it
                  translated, either from binary to ASCII
                  or from ASCII to binary, but prevents
                  unauthorized users from translating the
                  identifier.

  NOACCESS        Makes any access rights of the identifier null
                  and void. If a user is granted an identifier
                  with the No Access attribute, that identifier
                  has no effect on the user's access rights
                  to objects. This attribute is a modifier for
                  an identifier with the Resource or Subsystem
                  attribute.

  RESOURCE        Allows holders of an identifier to charge disk
                  space to the identifier. Used only for file
                  objects.

  SUBSYSTEM       Allows holders of the identifier to create and
                  maintain protected subsystems by assigning the
                  Subsystem ACE to the application images in the
                  subsystem. Used only for file objects.

  To remove an attribute from the identifier, add a NO prefix
  to the attribute keyword. For example, to remove the Resource
  attribute, specify /ATTRIBUTES=NORESOURCE.

                                NOTE

     If you specify the NORESOURCE keyword without naming any
     holder with the /HOLDER qualifier, all holders lose the
     right to charge resources.

/HOLDER

      /HOLDER=username

  Specifies the holder of an identifier whose attributes are to be
  modified.
  The /HOLDER qualifier is used only in conjunction with
  the /ATTRIBUTES qualifier.

  If you specify /HOLDER, the /NAME and /VALUE qualifiers are
  ignored.

/NAME

      /NAME=new-id-name

  Specifies a new identifier name to be associated with the
  identifier.

/VALUE

      /VALUE=value-specifier

  Specifies a new identifier value. Note that an identifier value
  cannot be modified from a UIC to a non-UIC format or vice versa.
  The following are valid formats for the value-specifier:

  IDENTIFIER:n   An integer value in the range of 65,536 to
                 268,435,455. You can also specify the value
                 in hexadecimal (precede the value with %X) or
                 octal (precede the value with %O).

                 To differentiate general identifiers from UIC
                 identifiers, %X80000000 is added to the value you
                 specify.

  UIC:uic        A UIC value in the standard UIC format.
3 Examples

  1. UAF> MODIFY/IDENTIFIER OLD_ID /NAME=NEW_ID
     %UAF-I-RDBMDFYMSG, identifier OLD_ID modified

     The command in this example changes the name of the OLD_ID
     identifier to NEW_ID.

  2. UAF> MODIFY/IDENTIFIER/VALUE=UIC:[300,21] ACCOUNTING
     %UAF-I-RDBMDFYMSG, identifier ACCOUNTING modified

     The command in this example changes the old UIC value of the
     identifier ACCOUNTING to a new value.

  3. UAF> MODIFY/IDENTIFIER/ATTRIBUTES=NORESOURCE-
     _UAF> /HOLDER=CRAMER ACCOUNTING
     %UAF-I-RDBMDFYMSG, identifier ACCOUNTING modified

     The command in this example associates the attribute NORESOURCE
     with the identifier ACCOUNTING in CRAMER's holder record. The
     identifier ACCOUNTING is not changed.
2 /PROXY
  Modifies an entry in the network proxy authorization file to
  specify a different local account as the default proxy account
  for the remote user or to specify no default proxy account for
  the remote user.

  The command modifies an entry in the network proxy authorization
  file NET$PROXY.DAT and, to maintain compatibility with other
  systems, modifies an entry in NETPROXY.DAT.

                                NOTE

     You must modify the proxy database from a system running the
     current OpenVMS system.

  Format

      MODIFY/PROXY  node::remote-user
3 Parameters

node

  Specifies a node name. If you specify an asterisk wildcard
  character (*), the specified remote user on all nodes is served
  by the local user.

remote-user

  Specifies the user name of a user at a remote node. If you
  specify an asterisk wildcard character, all users at the
  specified node are served by the local user.

  For systems that are not OpenVMS systems that implement DECnet,
  specifies the UIC of a user at a remote node. You can specify an
  asterisk wildcard in the group and member fields of the UIC.
3 Qualifier

/DEFAULT

      /DEFAULT[=local-user]
      /NODEFAULT

  Designates the default user name on the local node through which
  proxy access from the remote user is directed. If /NODEFAULT is
  specified, removes the default designation.
3 Example

  UAF> MODIFY/PROXY MISHA::MARCO /DEFAULT=JOHNSON
  %UAF-I-NAFADDMSG, record successfully modified in NETPROXY.DAT

  The command in this example changes the default proxy account
  for user MARCO on the remote node MISHA to the JOHNSON account.
2 /SYSTEM_PASSWORD
  Changes the systemwide password (which, however, is different
  from the password for the SYSTEM username). This command operates
  similarly to the DCL command SET PASSWORD/SYSTEM.

  Format

      MODIFY/SYSTEM_PASSWORD=system-password
3 Parameter

system-password

  Specifies the new systemwide password.
3 Example

  UAF> MODIFY/SYSTEM_PASSWORD=ABRACADABRA
  UAF>

  This command changes the systemwide password to ABRACADABRA.
1 REMOVE
  Deletes a SYSUAF user record and corresponding identifiers in
  the rights database. The DEFAULT and SYSTEM records cannot be
  deleted.

  Format

      REMOVE  username
2 Parameter

username

  Specifies the name of a user in the SYSUAF.
2 Qualifier

/REMOVE_IDENTIFIER

      /REMOVE_IDENTIFIER (default)
      /NOREMOVE_IDENTIFIER

  Specifies whether the user name and account name identifiers
  should be removed from the rights database when a record is
  removed from the UAF.
  If two UAF records have the same UIC, the
  user name identifier is removed only when the second record is
  deleted. Similarly, the account name identifier is removed only
  if there are no remaining UAF records with the same group as the
  deleted record.
2 Example

  UAF> REMOVE ROBIN
  %UAF-I-REMMSG, record removed from SYSUAF.DAT
  %UAF-I-RDBREMMSGU, identifier ROBIN value: [000014,000006] removed from RIGHTSLIST.DAT

  The command in this example deletes the record for user ROBIN
  from the SYSUAF and ROBIN's UIC identifier from RIGHTSLIST.DAT.
2 /IDENTIFIER
  Removes an identifier from the rights database.

  Format

      REMOVE/IDENTIFIER  id-name
3 Parameter

id-name

  Specifies the name of an identifier in the rights database.
3 Example

  UAF> REMOVE/IDENTIFIER Q1SALES
  %UAF-I-RDBREMMSGU, identifier Q1SALES value %X80010024 removed from RIGHTSLIST.DAT

  The command in this example removes the identifier Q1SALES from
  the rights database. All of its holder records are removed with
  it.
2 /PROXY
  Deletes network proxy access for the specified remote user.

  Format

      REMOVE/PROXY  node::remote-user [local-user,...]
3 Parameters

node

  Specifies the name of a network node in the network proxy
  authorization file.

remote-user

  Specifies the user name or UIC of a user on a remote node. The
  asterisk wildcard character (*) is permitted in the remote-user
  specification.

local-user

  Specifies the user names of 1 to 16 users on the local node.
  If no local user is specified, proxy access to all local accounts
  is removed.
3 Example

  UAF> REMOVE/PROXY MISHA::MARCO
  %UAF-I-NAFREMMSG, proxy from MISHA::MARCO to * removed

  The command in this example deletes the record for MISHA::MARCO
  from the network proxy authorization file, removing all proxy
  access to the local node for user MARCO on node MISHA.
1 RENAME
  Changes the user name of the SYSUAF record (and, if specified,
  the corresponding identifier) while retaining the characteristics
  of the old record.

   Format

     RENAME  oldusername newusername

2 Parameters

oldusername

   Specifies the current user name in the SYSUAF.

newusername

   Specifies the new name for the user. It can contain 1 to 12
   alphanumeric characters and underscores. Although dollar signs
   are permitted, they are usually reserved for system names.

2 Qualifiers

/GENERATE_PASSWORD

      /GENERATE_PASSWORD[=keyword]
      /NOGENERATE_PASSWORD (default)

   Invokes the password generator to create user passwords.
   Generated passwords can consist of 1 to 10 characters. Specify
   one of the following keywords:

   BOTH       Generate primary and secondary passwords.
   CURRENT    Do whatever the DEFAULT account does (for example,
              generate primary, secondary, both, or no passwords).
              This is the default keyword.
   PRIMARY    Generate primary password only.
   SECONDARY  Generate secondary password only.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, users are forced to change their
   passwords (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

/MODIFY_IDENTIFIER

      /MODIFY_IDENTIFIER (default)
      /NOMODIFY_IDENTIFIER

   Specifies whether the identifier associated with the user is
   to be modified in the rights database. This qualifier applies
   only when you modify the UIC or user name in the UAF record. By
   default, the associated identifiers are modified.

/PASSWORD

      /PASSWORD=(password1[,password2])
      /NOPASSWORD

   Specifies up to two passwords for login. Passwords can be
   from 0 to 32 characters in length and can include alphanumeric
   characters, dollar signs, and underscores. Avoid using the word
   password as the actual password.
   Use the /PASSWORD qualifier as follows:

   o  To set only the first password and clear the second, specify
      /PASSWORD=password.

   o  To set both the first and second password, specify
      /PASSWORD=(password1, password2).

   o  To change the first password without affecting the second,
      specify /PASSWORD=(password, "").

   o  To change the second password without affecting the first,
      specify /PASSWORD=("", password).

   o  To set both passwords to null, specify /NOPASSWORD.

   When you modify a password, the new password expires
   automatically; it is valid only once (unless you specify
   /NOPWDEXPIRED). On login, the user is forced to change the
   password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).

   Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
   mutually exclusive.

   When you create a new UAF record with the RENAME command, you
   must specify a password.

2 Examples

   1.UAF> RENAME HAWKES KRAMERDOVE/PASSWORD=MARANNKRA
     %UAF-I-PRACREN, proxies to HAWKES renamed
     %UAF-I-RENMSG, user record renamed
     %UAF-I-RDBMDFYMSG, identifier HAWKES modified

     The command in this example changes the name of the account
     Hawkes to Kramerdove, modifies the user name identifier for the
     account, and renames all proxies to the account.

   2.UAF> RENAME HAWKES KRAMERDOVE
     %UAF-I-PRACREN, proxies to HAWKES renamed
     %UAF-I-RENMSG, user record renamed
     %UAF-W-DEFPWD, Warning: copied or renamed records must receive new password
     %UAF-I-RDBMDFYMSG, identifier HAWKES modified

     This example shows the warning message that the system displays
     if you fail to specify a new password with the RENAME command.

2 /IDENTIFIER
   Renames an identifier in the rights database.

   Format

     RENAME/IDENTIFIER  current-id-name new-id-name

3 Parameters

current-id-name

   Specifies the name of an identifier to be renamed.

new-id-name

   Specifies the new name for the identifier.

3 Example

     UAF> RENAME/IDENTIFIER Q1SALES Q2SALES
     %UAF-I-RDBMDFYMSG, identifier Q1SALES modified

   The command in this example renames the identifier Q1SALES to
   Q2SALES.

1 REVOKE

2 /IDENTIFIER
   Takes an identifier away from a user.

   Format

     REVOKE/IDENTIFIER  id-name user-spec

3 Parameters

id-name

   Specifies the identifier name. The identifier name is a string of
   1 to 31 alphanumeric characters. The name can contain underscores
   and dollar signs. It must contain at least one nonnumeric
   character.

user-spec

   Specifies the UIC identifier that uniquely identifies the user
   on the system. This type of identifier appears in alphanumeric
   format, not numeric format; for example, [GROUP1,JONES].

3 Example

     UAF> REVOKE/IDENTIFIER INVENTORY CRAMER
     %UAF-I-REVOKEMSG, identifier INVENTORY revoked from CRAMER

   The command in this example revokes the identifier INVENTORY
   from the user Cramer. Cramer loses the identifier and any
   resources associated with it.

   Note that because rights identifiers are stored in numeric
   format, it is not necessary to change records for users holding a
   renamed identifier.

1 SHOW
   Displays reports for selected UAF records on the current
   SYS$OUTPUT device.

   Format

     SHOW  user-spec

2 Parameter

user-spec

   Specifies the user name or UIC of the requested UAF record. If
   you omit the user-spec parameter, the UAF records of all users
   are listed. The asterisk (*) and percent sign (%) wildcard
   characters are permitted in the user name.

2 Qualifiers

/BRIEF

   Specifies that a brief report be displayed. In the report, the
   Directory field displays one of the following items:

   o  Disuser - The account has been disabled.

   o  Expired - The account has expired.

   o  A device and directory name - The login device and directory
      for the account (for example, DOCD$:[SMITH]).

   If you omit the /BRIEF qualifier, AUTHORIZE displays a full
   report.

/FULL

   Specifies that a full report be displayed, including identifiers
   held by the user.
   Full reports include the details of the limits, privileges, login
   flags, and the command interpreter as well as the identifiers
   held by the user. The password is not listed.

/EXACT

   Controls whether the SHOW command matches the search string
   exactly or treats uppercase and lowercase letters as equivalents.
   Enclose the specified string within quotation marks (" "). Use
   /EXACT with the /PAGE=SAVE and /SEARCH qualifiers.

/HIGHLIGHT

      /HIGHLIGHT[=keyword]
      /NOHIGHLIGHT (default)

   Identifies how to display the line that contains a string once it
   is found. The following keywords are valid:

      BLINK
      BOLD (default)
      REVERSE
      UNDERLINE

   Use the /HIGHLIGHT qualifier with the /PAGE=SAVE and /SEARCH
   qualifiers.

/PAGE

      /PAGE[=keyword]
      /NOPAGE (default)

   Controls the information display on a screen. The following
   keywords are valid:

   CLEAR_SCREEN  Clear the screen before displaying the next page.
   SCROLL        Display a continuous stream of information.
   SAVE[=n]      Store information and enable the navigational keys
                 listed in Screen Control Keys. By default, the
                 command saves 5 pages. The maximum page width is
                 255 columns.

   Table 4 Screen Control Keys

   Key or Key
   Sequence          Action Taken When Key or Key Sequence Is Pressed

   v                 Scroll the display down one line
   <-                Scroll the display one column to the left
   ->                Scroll the display one column to the right
   ^                 Scroll the display up one line
   Find (E1)         Search for a new string in the information being
                     displayed
   Insert Here (E2)  Move the display to the right by half a screen
   Remove (E3)       Move the display to the left by half a screen
   Select (E4)       Switch from 80-column displays to 132-column
                     displays
   Prev Screen (E5)  Return to the previous page
   Next Screen (E6)  Display the next page
   CTRL/Z            Return to the UAF> prompt
   Help              Display AUTHORIZE help text
   F16 (Do)          Switch from the oldest to the newest page
   Ctrl/W            Refresh the display

/SEARCH

      /SEARCH=string

   Used with the /PAGE=SAVE qualifier to specify a string to find in
   the information being displayed. You can dynamically change the
   search string by pressing the Find key (E1) while the information
   is being displayed.

/WRAP

      /WRAP
      /NOWRAP (default)

   Used with the /PAGE=SAVE qualifier to limit the number of columns
   to the width of the screen and wrap lines that extend beyond the
   width of the screen to the next line.

   The /NOWRAP qualifier extends lines beyond the width of the
   screen. Use the /PAGE=SAVE qualifier and the screen control keys
   listed in Screen Control Keys to view the entire screen.

2 Examples

   1.UAF> SHOW ROBIN

     The command in this VAX example displays a full report for the
     user ROBIN. The display corresponds to the first example in the
     description of the ADD command. Most defaults are in effect.

     Username: ROBIN                            Owner:  JOSEPH ROBIN
     Account:  VMS                              UIC:    [14,6] ([INV,ROBIN])
     CLI:      DCL                              Tables: DCLTABLES
     Default:  SYS$USER:[ROBIN]
     LGICMD:
     Login Flags:
     Primary days:   Mon Tue Wed Thu Fri
     Secondary days:                     Sat Sun
     No access restrictions
     Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
     Pwdlifetime:           (none)    Pwdchange:  15-JAN-2000 14:08
     Last Login:            (none) (interactive),            (none) (non-interactive)
     Maxjobs:         0  Fillm:       300  Bytlm:        32768
     Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
     Maxdetach:       0  BIOlm:        40  JTquota:       4096
     Prclm:           2  DIOlm:        40  WSdef:          256
     Prio:            4  ASTlm:        40  WSquo:          512
     Queprio:         0  TQElm:        10  WSextent:      1024
     CPU:        (none)  Enqlm:       200  Pgflquo:      32768
     Authorized Privileges:
       TMPMBX NETMBX
     Default Privileges:
       TMPMBX NETMBX
     Identifier                         Value           Attributes
       CLASS_CA101                      %X80010032      NORESOURCE NODYNAMIC
       CLASS_PY102                      %X80010049      NORESOURCE NODYNAMIC

     NOTE: The quotas Pbytlm and Queprio are placeholders only.

   2.UAF> SHOW [360,*] /BRIEF

     The command in this example displays a brief report for every
     user with a group UIC of 360.

     Owner        Username  UIC        Account  Privs   Pri  Default Directory
     JOHN JAMES   JAMES     [360,201]  USER     Normal    4  DOCD$:[JAMES]
     SUSY JONES   JONES     [360,203]  DOC      Devour    4  DOCD$:[JONES]
     CLIFF BROWN  BROWN     [360,021]  DOC      All       4  disuser
     JOY CARTER   CARTER    [360,005]  DOCSEC   Group     4  expired

   3.UAF> SHOW WELCH

     This command displays a full report for the restricted user
     WELCH. This display corresponds to the second example in the
     description of the ADD command.

     Username: WELCH                            Owner:  ROB WELCH
     Account:  INV                              UIC:    [14,51] ([14,51])
     CLI:      DCL                              Tables: DCLTABLES
     Default:  SYS$USER:[WELCH]
     LGICMD:   SECUREIN
     Login Flags:  Restricted Diswelcome Disnewmail ExtAuth
     Primary days:   Mon Tue Wed Thu Fri
     Secondary days:                     Sat Sun
     Primary   000000000011111111112222  Secondary 000000000011111111112222
     Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
     Network:  -----  No access  ------            ##### Full access ######
     Batch:    #########--------#######            ---------#########------
     Local:    #########--------#######            ---------#########------
     Dialup:   ##### Full access ######            -----  No access  ------
     Remote:   #########--------#######            ---------#########------
     Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
     Pwdlifetime:           (none)    Pwdchange:      (pre-expired)
     Last Login:            (none) (interactive),            (none) (non-interactive)
     Maxjobs:         0  Fillm:       300  Bytlm:        32768
     Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
     Maxdetach:       0  BIOlm:        40  JTquota:       4096
     Prclm:           2  DIOlm:        40  WSdef:          256
     Prio:            4  ASTlm:        40  WSquo:          512
     Queprio:         4  TQElm:        10  WSextent:      1024
     CPU:        (none)  Enqlm:       200  Pgflquo:      32768
     Authorized Privileges:
       TMPMBX NETMBX
     Default Privileges:
       TMPMBX NETMBX

     Note that WELCH is a captive user who does not receive
     announcements of new mail or the welcome message when logging
     in. His login command file, SECUREIN.COM, is presumably a
     captive command file that controls all of his operations.
     (Such a command file never exits, but performs operations
     for its user and logs him out when appropriate.) The CAPTIVE
     flag prevents WELCH from escaping control of the command file
     by using Ctrl/Y or other means. Furthermore, he is restricted
     to logging in between the hours of 5:00 P.M. and 8:59 A.M. on
     weekdays and 9:00 A.M. and 5:59 P.M. on weekends. Although he
     is allowed to use dial-up lines at all times during the week,
     he is not allowed to log in over the network. On weekends, he
     is further restricted so that he cannot dial in at any time or
     use the DCL command SET HOST between the hours of 6:00 P.M. and
     8:59 A.M.
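
   The hourly grid in the WELCH report can be decoded mechanically
   when reviewing restricted accounts. The Python below is an added
   example, not part of the OpenVMS help text: it parses the five
   access-mode rows and collapses the permitted hours into the
   inclusive n-m ranges that the /ACCESS qualifier uses. The sample
   rows are constructed to mirror the report, and all function names
   are hypothetical.

```python
import re

# Constructed sample mirroring the access grid of the SHOW WELCH report.
NIGHTS = "#" * 9 + "-" * 8 + "#" * 7   # hours 0-8 and 17-23 permitted
DAYS = "-" * 9 + "#" * 9 + "-" * 6     # hours 9-17 permitted
FULL = "##### Full access ######"
NONE = "-----  No access  ------"
SAMPLE_REPORT = "\n".join([
    "Primary days:   Mon Tue Wed Thu Fri",
    "Secondary days:                     Sat Sun",
    f"Network:  {NONE}            {FULL}",
    f"Batch:    {NIGHTS}            {DAYS}",
    f"Local:    {NIGHTS}            {DAYS}",
    f"Dialup:   {FULL}            {NONE}",
    f"Remote:   {NIGHTS}            {DAYS}",
])

MODES = ("Network", "Batch", "Local", "Dialup", "Remote")
# One grid cell: 24 hour marks, or the all/none banner shown in the report.
CELL = r"([#-]{24}|#+ +Full access +#+|-+ +No access +-+)"
ROW = re.compile(rf"^\s*(\w+):\s+{CELL}\s+{CELL}\s*$")


def decode_cell(cell):
    """Return the set of permitted hours (0-23) for one grid cell."""
    if "Full access" in cell:
        return set(range(24))
    if "No access" in cell:
        return set()
    return {hour for hour, mark in enumerate(cell) if mark == "#"}


def parse_access_grid(report):
    """Map each access mode to its permitted hours per day type."""
    grid = {}
    for line in report.splitlines():
        match = ROW.match(line)
        if match and match.group(1) in MODES:
            grid[match.group(1)] = {
                "primary": decode_cell(match.group(2)),
                "secondary": decode_cell(match.group(3)),
            }
    return grid


def to_ranges(hours):
    """Collapse hours into inclusive n-m ranges. A run that crosses
    midnight is written with the end earlier than the start (17-8)."""
    if len(hours) == 24:
        return ["0-23"]
    runs = []
    for hour in sorted(hours):
        if runs and hour == runs[-1][1] + 1:
            runs[-1][1] = hour
        else:
            runs.append([hour, hour])
    # Join a run ending at hour 23 with one starting at hour 0.
    if len(runs) > 1 and runs[0][0] == 0 and runs[-1][1] == 23:
        runs[-1][1] = runs[0][1]
        runs.pop(0)
    return [f"{a}-{b}" if a != b else str(a) for a, b in runs]


def modes_open(grid, day_type, hour):
    """List the access modes that permit login at this hour."""
    return [m for m in MODES if m in grid and hour in grid[m][day_type]]


if __name__ == "__main__":
    for mode, cells in parse_access_grid(SAMPLE_REPORT).items():
        print(f"{mode:8} primary={to_ranges(cells['primary'])} "
              f"secondary={to_ranges(cells['secondary'])}")
```

   The decoded Batch, Local, and Remote rows give 17-8 on primary
   days and 9-17 on secondary days, matching the hours stated in the
   note on WELCH.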

2 /IDENTIFIER
   Displays information about an identifier, such as its name,
   value, attributes, and holders, on the current SYS$OUTPUT device.

   Format

     SHOW/IDENTIFIER  [id-name]

3 Parameter

id-name

   Specifies an identifier name. The identifier name is a string of
   1 to 31 alphanumeric characters. The name can contain underscores
   and dollar signs. It must contain at least one nonnumeric
   character. If you omit the identifier name, you must specify
   /USER or /VALUE.

3 Qualifiers

/BRIEF

   Specifies a brief listing in which only the identifier name,
   value, and attributes are displayed. The default format is
   /BRIEF.

/FULL

   Specifies a full listing in which the names of the identifier's
   holders are displayed along with the identifier's name, value,
   and attributes.

/USER

      /USER=user-spec

   Specifies one or more users whose identifiers are to be
   displayed. The user-spec can be a user name or a UIC. You can
   use the asterisk wildcard character (*) to specify multiple
   UICs or all user names. UICs must be in the form [*,*], [n,*],
   [*,n], or [n,n]. A wildcard user name specification (*)
   displays identifiers alphabetically by user name; a wildcard
   UIC specification ([*,*]) displays them numerically by UIC.

/VALUE

      /VALUE=value-specifier

   Specifies the value of the identifier to be listed. The following
   are valid formats for the value-specifier:

   IDENTIFIER:n  An integer value in the range of 65,536 to
                 268,435,455. You can also specify the value in
                 hexadecimal (precede the value with %X) or octal
                 (precede the value with %O).

                 To differentiate general identifiers from UIC
                 identifiers, %X80000000 is added to the value you
                 specify.

   UIC:uic       A UIC value in the standard UIC format.

/EXACT

   Controls whether the SHOW command matches the search string
   exactly or treats uppercase and lowercase letters as equivalents.
   Enclose the specified string within quotation marks (" "). Use
   /EXACT with the /PAGE=SAVE and /SEARCH qualifiers.

/HIGHLIGHT

      /HIGHLIGHT[=keyword]
      /NOHIGHLIGHT (default)

   Identifies how to display the line that contains a string once it
   is found. The following keywords are valid:

      BLINK
      BOLD (default)
      REVERSE
      UNDERLINE

   Use the /HIGHLIGHT qualifier with the /PAGE=SAVE and /SEARCH
   qualifiers.

/PAGE

      /PAGE[=keyword]
      /NOPAGE (default)

   Controls the information display on a screen. The following
   keywords are valid:

   CLEAR_SCREEN  Clear the screen before displaying the next page.
   SCROLL        Display a continuous stream of information.
   SAVE[=n]      Store information and enable the navigational keys
                 listed in Screen Control Keys. By default, the
                 command saves 5 pages. The maximum page width is
                 255 columns.

   Table 4 Screen Control Keys

   Key or Key
   Sequence          Action Taken When Key or Key Sequence Is Pressed

   v                 Scroll the display down one line
   <-                Scroll the display one column to the left
   ->                Scroll the display one column to the right
   ^                 Scroll the display up one line
   Find (E1)         Search for a new string in the information being
                     displayed
   Insert Here (E2)  Move the display to the right by half a screen
   Remove (E3)       Move the display to the left by half a screen
   Select (E4)       Switch from 80-column displays to 132-column
                     displays
   Prev Screen (E5)  Return to the previous page
   Next Screen (E6)  Display the next page
   CTRL/Z            Return to the UAF> prompt
   Help              Display AUTHORIZE help text
   F16 (Do)          Switch from the oldest to the newest page
   Ctrl/W            Refresh the display

/SEARCH

      /SEARCH=string

   Used with the /PAGE=SAVE qualifier to specify a string to find in
   the information being displayed. You can dynamically change the
   search string by pressing the Find key (E1) while the information
   is being displayed.

/WRAP

      /WRAP
      /NOWRAP (default)

   Used with the /PAGE=SAVE qualifier to limit the number of columns
   to the width of the screen and wrap lines that extend beyond the
   width of the screen to the next line.

   The /NOWRAP qualifier extends lines beyond the width of the
   screen.
   Use the /PAGE=SAVE qualifier and the screen control keys listed
   in Screen Control Keys to view the entire screen.

3 Examples

   1.UAF> SHOW/IDENTIFIER/FULL INVENTORY

     The command in this example would produce output similar to the
     following:

     Name                             Value           Attributes
     INVENTORY                        %X80010006      NORESOURCE NODYNAMIC
       Holder                         Attributes
       ANDERSON                       NORESOURCE NODYNAMIC
       BROWN                          NORESOURCE NODYNAMIC
       CRAMER                         NORESOURCE NODYNAMIC

   2.UAF> SHOW/IDENTIFIER/USER=ANDERSON

     This command displays the identifier associated with the user
     ANDERSON, as follows:

     Name                             Value           Attributes
     ANDERSON                         [000300,000015] NORESOURCE NODYNAMIC

     The identifier is shown, along with its value and attributes.
     Note, however, that this is the same result you would produce
     had you specified ANDERSON's UIC with the following forms of
     the command:

     UAF> SHOW/IDENTIFIER/USER=[300,015]
     UAF> SHOW/IDENTIFIER/VALUE=UIC:[300,015]

2 /PROXY
   Displays all authorized proxy access for the specified remote
   user.

   Format

     SHOW/PROXY  node::remote-user

3 Parameters

node

   Specifies the name of a network node in the network proxy
   authorization file. The asterisk wildcard character (*) is
   permitted in the node specification.

remote-user

   Specifies the user name or UIC of a user on a remote node. The
   asterisk wildcard character (*) is permitted in the remote-user
   specification.

3 Qualifiers

/OLD

   Directs AUTHORIZE to display information from NETPROXY.DAT rather
   than the default file NET$PROXY.DAT.

   If someone modifies the proxy database on a cluster node that is
   running an OpenVMS system prior to Version 6.1, then you can use
   the /OLD qualifier to display the contents of the old database
   NETPROXY.DAT.

/EXACT

   Controls whether the SHOW command matches the search string
   exactly or treats uppercase and lowercase letters as equivalents.
   Enclose the specified string within quotation marks (" "). Use
   /EXACT with the /PAGE=SAVE and /SEARCH qualifiers.

/HIGHLIGHT

      /HIGHLIGHT[=keyword]
      /NOHIGHLIGHT (default)

   Identifies how to display the line that contains a string once it
   is found. The following keywords are valid:

      BLINK
      BOLD (default)
      REVERSE
      UNDERLINE

   Use the /HIGHLIGHT qualifier with the /PAGE=SAVE and /SEARCH
   qualifiers.

/PAGE

      /PAGE[=keyword]
      /NOPAGE (default)

   Controls the information display on a screen. The following
   keywords are valid:

   CLEAR_SCREEN  Clear the screen before displaying the next page.
   SCROLL        Display a continuous stream of information.
   SAVE[=n]      Store information and enable the navigational keys
                 listed in Screen Control Keys. By default, the
                 command saves 5 pages. The maximum page width is
                 255 columns.

   Table 4 Screen Control Keys

   Key or Key
   Sequence          Action Taken When Key or Key Sequence Is Pressed

   v                 Scroll the display down one line
   <-                Scroll the display one column to the left
   ->                Scroll the display one column to the right
   ^                 Scroll the display up one line
   Find (E1)         Search for a new string in the information being
                     displayed
   Insert Here (E2)  Move the display to the right by half a screen
   Remove (E3)       Move the display to the left by half a screen
   Select (E4)       Switch from 80-column displays to 132-column
                     displays
   Prev Screen (E5)  Return to the previous page
   Next Screen (E6)  Display the next page
   CTRL/Z            Return to the UAF> prompt
   Help              Display AUTHORIZE help text
   F16 (Do)          Switch from the oldest to the newest page
   Ctrl/W            Refresh the display

/SEARCH

      /SEARCH=string

   Used with the /PAGE=SAVE qualifier to specify a string to find in
   the information being displayed. You can dynamically change the
   search string by pressing the Find key (E1) while the information
   is being displayed.

/WRAP

      /WRAP
      /NOWRAP (default)

   Used with the /PAGE=SAVE qualifier to limit the number of columns
   to the width of the screen and wrap lines that extend beyond the
   width of the screen to the next line.

   The /NOWRAP qualifier extends lines beyond the width of the
   screen.
   Use the /PAGE=SAVE qualifier and the screen control keys listed
   in Screen Control Keys to view the entire screen.

3 Examples

   1.UAF> SHOW/PROXY SAMPLE::[200,100]

     Default proxies are flagged with an *

     SAMPLE::[200,100]
         MARCO *                          PROXY2
         PROXY3

     The command in this example displays all authorized proxy
     access for the user on node SAMPLE with a UIC of [200,100].
     The default proxy account can be changed from MARCO to PROXY2
     or PROXY3 with the MODIFY/PROXY command.

   2.UAF> SHOW/PROXY *::*

     Default proxies are flagged with (D)

     TAO:.TWA.RANCH::MARTINEZ
         MARTINEZ (D)                     SALES_READER

     UAF> show/proxy/old *::*

     Default proxies are flagged with (D)

     RANCH::MARTINEZ
         MARTINEZ (D)                     SALES_READER

     The command in this example displays information about local
     authorized proxy access on a system running DECnet-Plus. The
     first command draws information from the file NET$PROXY.DAT.
     By including the /OLD qualifier on the SHOW/PROXY command,
     AUTHORIZE displays information from the file NETPROXY.DAT.

2 /RIGHTS
   Displays the identifiers held by the specified identifiers or, if
   /USER is specified, all identifiers held by the specified users.

   Format

     SHOW/RIGHTS  [id-name]

3 Parameter

id-name

   Specifies the name of the identifier associated with the user.
   If you omit the identifier name, you must specify the /USER
   qualifier.

3 Qualifier

/USER

      /USER=user-spec

   Specifies one or more users whose identifiers are to be listed.
   The user-spec can be a user name or a UIC. You can use the
   asterisk wildcard character (*) to specify multiple UICs or all
   user names. UICs must be in the form [*,*], [n,*], [*,n], or
   [n,n]. A wildcard user name specification (*) or wildcard UIC
   specification ([*,*]) displays all identifiers held by users.
   The wildcard user name specification displays holders' user names
   alphabetically; the wildcard UIC specification displays them in
   the numerical order of their UICs.

/EXACT

   Controls whether the SHOW command matches the search string
   exactly or treats uppercase and lowercase letters as equivalents.
   Enclose the specified string within quotation marks (" "). Use
   /EXACT with the /PAGE=SAVE and /SEARCH qualifiers.

/HIGHLIGHT

      /HIGHLIGHT[=keyword]
      /NOHIGHLIGHT (default)

   Identifies how to display the line that contains a string once it
   is found. The following keywords are valid:

      BLINK
      BOLD (default)
      REVERSE
      UNDERLINE

   Use the /HIGHLIGHT qualifier with the /PAGE=SAVE and /SEARCH
   qualifiers.

/PAGE

      /PAGE[=keyword]
      /NOPAGE (default)

   Controls the information display on a screen. The following
   keywords are valid:

   CLEAR_SCREEN  Clear the screen before displaying the next page.
   SCROLL        Display a continuous stream of information.
   SAVE[=n]      Store information and enable the navigational keys
                 listed in Screen Control Keys. By default, the
                 command saves 5 pages. The maximum page width is
                 255 columns.

   Table 4 Screen Control Keys

   Key or Key
   Sequence          Action Taken When Key or Key Sequence Is Pressed

   v                 Scroll the display down one line
   <-                Scroll the display one column to the left
   ->                Scroll the display one column to the right
   ^                 Scroll the display up one line
   Find (E1)         Search for a new string in the information being
                     displayed
   Insert Here (E2)  Move the display to the right by half a screen
   Remove (E3)       Move the display to the left by half a screen
   Select (E4)       Switch from 80-column displays to 132-column
                     displays
   Prev Screen (E5)  Return to the previous page
   Next Screen (E6)  Display the next page
   CTRL/Z            Return to the UAF> prompt
   Help              Display AUTHORIZE help text
   F16 (Do)          Switch from the oldest to the newest page
   Ctrl/W            Refresh the display

/SEARCH

      /SEARCH=string

   Used with the /PAGE=SAVE qualifier to specify a string to find in
   the information being displayed. You can dynamically change the
   search string by pressing the Find key (E1) while the information
   is being displayed.

/WRAP

      /WRAP
      /NOWRAP (default)

   Used with the /PAGE=SAVE qualifier to limit the number of columns
   to the width of the screen and wrap lines that extend beyond the
   width of the screen to the next line.

   The /NOWRAP qualifier extends lines beyond the width of the
   screen. Use the /PAGE=SAVE qualifier and the screen control keys
   listed in Screen Control Keys to view the entire screen.

3 Example

     UAF> SHOW/RIGHTS ANDERSON

   This command displays all identifiers held by the user
   ANDERSON. For example:

     Name                             Value           Attributes
     INVENTORY                        %X80010006      NORESOURCE NODYNAMIC
     PAYROLL                          %X80010022      NORESOURCE NODYNAMIC

   Note that the following formats of the command produce the same
   result:

     SHOW/RIGHTS/USER=ANDERSON
     SHOW/RIGHTS/USER=[300,015]

1 Usage_Summary
   To invoke AUTHORIZE, set your default device and directory to
   SYS$SYSTEM and enter RUN AUTHORIZE at the DCL command prompt. At
   the UAF> prompt, you can enter any of the AUTHORIZE commands.

   To exit from AUTHORIZE, enter the EXIT command at the UAF> prompt
   or press Ctrl/Z.

   If you move the SYSUAF.DAT file, be sure the logical name SYSUAF
   is defined and points to an existing file. If AUTHORIZE is unable
   to locate the SYSUAF.DAT file, it displays the following error
   message:

     %UAF-E-NAOFIL, unable to open SYSUAF.DAT
     -RMS-E-FNF, file not found
     Do you want to create a new file?

   A response of YES results in creation of a new SYSUAF file
   containing a SYSTEM record and a DEFAULT record. These records
   are initialized with the same values set when the system was
   installed.