Generated from C.60.01 /SYS/PUB/CICAT last modified on Thu Jan 11 09:18:52 2001
Creates a new account and an associated account manager and PUB group. (CM)

NEWACCT acctname,mgrname
        [;PASS=[password]]
        [;FILES=[filespace]]
        [;CPU=[cpu]]
        [;CONNECT=[connect]]
        [;CAP=[capabilitylist]]
        [;ACCESS=[(fileaccess)]]
        [;MAXPRI=[subqueuename]]
        [;LOCATTR=[localattribute]]
        [;ONVS=volumesetname]
        [;GID=[gid]]
        [;UID=[uid]]
        [;USERPASS=[{REQ}]] (1)
                    {OPT}

(1) The USERPASS parameter is only available if the HP Security Monitor has been installed.

acctname
    Name to be assigned to the new account. This name must contain from one to eight alphanumeric characters, beginning with an alphabetic character.

mgrname
    Name of the account manager. This is always the first user created under the account. The manager receives the following attributes:

    Account Manager Default Capabilities

    ATTRIBUTE        DEFAULT
    -----------------------------------------------------
    password         None
    capabilitylist   Same as the account capability
    subqueuename     Same as the account max priority
    localattribute   Same as account local attributes
    Home Group       PUB
    UID              A unique identifier
    GID              A unique identifier

    The attributes of an account manager may be changed with the ALTUSER command after mgrname is defined. However, in no case is this user granted attributes greater than those assigned the account.

password
    Account password, used for verifying logon access only. This password must contain from one to eight alphanumeric characters, beginning with an alphabetic character. Default is that no password is assigned.

filespace
    Disk storage limit, in sectors, for the permanent files of the account. The maximum value you may define is 2,147,483,647 sectors. Default is unlimited file space.

cpu
    Limit on total CPU time, in seconds, for this account. This limit is checked only when a job or session is initiated, and so the limit never causes the job or session to abort. The maximum value you may define with NEWACCT is 2,147,483,647 seconds. Default is that no limit is assigned.

connect
    Limit on total session connect time, in minutes, allowed the account. This limit is checked at logon, and when the job or session initiates a new process. The maximum value you may define is 2,147,483,647 minutes. Default is that no limit is assigned.

capabilitylist
    The list of capabilities, separated by commas, permitted this account. Each capability is denoted by a two letter mnemonic, as follows.

    System Manager                        = SM
    Account Manager                       = AM
    Diagnostician                         = DI
    System Supervisor                     = OP
    Network Administrator                 = NA
    Node Manager                          = NM
    Save Files                            = SF
    Access to nonsharable I/O devices     = ND
    Use Volumes                           = UV
    Create Volumes                        = CV
    Use Communication Subsystem           = CS
    Programmatic Sessions                 = PS
    User Logging                          = LG
    Process Handling                      = PH
    Extra Data Segments                   = DS
    Multiple RINs                         = MR
    Privileged Mode                       = PM
    Interactive Access                    = IA
    Batch Access                          = BA

    Default is AM, SF, ND, IA, BA. Note that CV capability permits account members to create and use mountable, nonsystem volumes automatically.

fileaccess
    The restriction on file access pertinent to this account. Default is R,L,A,W,X:AC, where R, L, A, W, and X specify modes of access by types of users (ANY, AC, CR) as follows:

    R = Read
    L = Lock (allows exclusive access)
    A = Append (implicitly specifies L)
    W = Write (implicitly specifies A)
    X = Execute
    S = Save

    LOCK allows exclusive access to the file. APPEND implicitly specifies LOCK. WRITE implicitly specifies APPEND.

    The user types are specified as follows:

    ANY = Any user
    AC  = Member of this account only
    CR  = Creating user only

    The default is no security restrictions at the account level. Two or more user types may be specified if they are separated by commas.

subqueuename
    The name of the subqueue of highest priority that can be requested by any process of any job/session in the account. This parameter is specified as AS, BS, CS, DS, or ES.

    Processes capable of executing in the AS or BS subqueues can deadlock the system. Assigning nonpriority system and user processes to these subqueues can prevent critical processes from executing. Exercise extreme caution when assigning processes to these subqueues.

localattribute
    The local attribute of the account, as defined at the installation site. This is a double word bit map used to further classify accounts. While it is not part of standard MPE/iX security provisions, programmers may define local attributes (which will be checked by the WHO intrinsic) to enhance their software's security. Default is double word 0.

ONVS
    Specifies a particular volume set on which the account is to be built. It must be a volume set already defined and recognized by the system. A NEWACCT must be specified twice, once without the ;ONVS parameter, and once with it. The first NEWACCT will build the account on the system volume set (from which the account is accessed). The second will build it on the volume set where files in this account will exist. If you specify ONVS, the only other parameter that will work with it is ;FILES.

volumesetname
    For MPE/iX, volume set names are no longer invariably composed of volumesetname.group.account. Instead, volume set names consist simply of one (1) to thirty-two (32) characters, beginning with an alphabetic character. The remaining characters may be alphabetic, numeric, the underscore, and periods.

    If you specify a volumesetname, you must specify the full name of the volume set. MPE V/E permitted you to use part of the volume set name and rely upon the default characteristics of the system to search out the remainder of the name. MPE/iX does not permit this.

    If you wish, you may use the older MPE V/E conventions when assigning a name to a volume set. If you do, you are then obliged to refer to that volume set by its full (fully qualified) name. The MPE/iX naming convention gives you greater freedom in creating names, and so its use is encouraged.

    Refer to the VSxxxxxx commands.

gid
    Group ID to be added to the group database. The gid must be a unique positive (non-zero) 32-bit integer. Default is for MPE to create a value.

uid
    User ID to be created for the account manager in the user database. The uid must be a unique positive (non-zero) 32-bit integer. Default is for MPE to create a value.

Req
    USERPASS=REQ specifies that all users in the account must have non-blank passwords. If you require user passwords, MPE/iX assigns the account manager a blank, expired password. The account manager must select a new password the first time the manager logs on. It is available only if the HP Security Monitor has been installed.

Opt
    USERPASS=OPT specifies that the users in this account may or may not have passwords. If you do not use the USERPASS parameter, the old value remains. It is available only if the HP Security Monitor has been installed.

The NEWACCT command may be executed only by the system manager. The system manager is responsible for establishing the accounting structure best suited to the computer installation.

When a keyword is specified, but its corresponding parameter is omitted (as in ;ACCESS= [Return]), the default value for that keyword is assigned (in this case, R,L,A,W,X:AC). The default is also assigned when an entire keyword parameter group (such as ;ACCESS=fileaccess) is omitted.

After the system manager creates accounts and their PUB groups, and has designated the account managers for those accounts, the new account managers may log on and redefine their own attributes and those of their PUB groups. Account Managers can also define new users and groups. The capabilities and attributes the Account Managers assign to groups and users cannot exceed those assigned to the account itself by the system manager. For example, if the system manager does not assign the account DS capability, no users in the account are permitted DS capability (which prohibits them from linking programs that use extra data segments).

The PUB Group is initially assigned the same capability class attributes, permanent file space limit, CPU limit, and connect time limit as the account, but no password. Its initial security allows READ and EXECUTE access to all users who successfully log on to the account. These access provisions are (R,X:ANY;A,W,L,S).

This command may be issued from a session, job, program, or in BREAK. Pressing [Break] has no effect on this command. A user must have System Manager (SM) capability to execute this command.

If you specify volume-related commands or parameters for a volume set that is not currently mounted, or for an account that does not exist, MPE/iX will return a corresponding error message.

To create an account with the account name ACI, and the Account Manager name MNGR, with all other parameters assigned by default, enter:

    NEWACCT ACI,MNGR

To create an account doctor on the system volume set, with the manager named who, and on the volume set called time_lord, you must create it with two parallel commands:

    NEWACCT doctor,who;cap=ia,ba,am
    NEWACCT doctor,who;ONVS=time_lord

The first command creates the account doctor on the system volume set. The second creates it on the volume set time_lord and connects the accounting structures established on the system volume and on the volume set. By default, however, the PUB group of this account will be on the system volume set. To place the PUB group on the volume set time_lord, you need to use the PUB parameter in the first command:

    NEWACCT doctor,who;cap=ia,ba,sf,nd,am
    NEWACCT doctor,who;ONVS=time_lord
    ALTGROUP pub.doctor;homevs=time_lord

To create the account DOCTOR on the system volume set, with the manager named WHO, and a UID of 50 and a GID of 20, enter:

    NEWACCT doctor,who;uid=50;gid=20;cap=ia,ba,sf,nd,gl,am,al

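
An added example, not part of the HP help text: a small Python linter that parses a NEWACCT command using the keywords and defaults documented above and lists the settings a system manager would want to review before running it. The REVIEW_CAPS set and the sample commands other than NEWACCT ACI,MNGR are assumptions of this example, and the USERPASS check presumes the HP Security Monitor is installed.

```python
import re

# Keywords from the NEWACCT syntax on this page.
KEYWORDS = {"PASS", "FILES", "CPU", "CONNECT", "CAP", "ACCESS", "MAXPRI",
            "LOCATTR", "ONVS", "GID", "UID", "USERPASS"}
# Policy choice of this example (not stated on the page): capabilities to call out.
REVIEW_CAPS = {"SM", "PM"}

def parse_newacct(line):
    """Return (acctname, mgrname, {KEYWORD: value}) for one NEWACCT command."""
    m = re.match(r"\s*NEWACCT\s+([^;]+)(.*)$", line, re.IGNORECASE)
    if not m:
        raise ValueError("not a NEWACCT command")
    acct, _, mgr = (s.strip().upper() for s in m.group(1).partition(","))
    if not acct or not mgr:
        raise ValueError("acctname,mgrname are both required")
    params = {}
    # Split on ';' except inside parentheses: ACCESS=(R,X:ANY;W:AC) uses ';' too.
    for item in re.split(r";(?![^()]*\))", m.group(2)):
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        key = key.strip().upper()
        if key not in KEYWORDS:
            raise ValueError("unknown keyword: " + key)
        params[key] = value.strip().upper()
    return acct, mgr, params

def audit(line):
    """List settings worth a second look before the command is run."""
    acct, mgr, p = parse_newacct(line)
    if "ONVS" in p:
        return []  # second command of the pair; only ;FILES works with ONVS
    found = []
    if not p.get("PASS"):  # ';PASS=' with no value also means the default: none
        found.append("account %s has no password" % acct)
    if p.get("USERPASS") != "REQ":
        found.append("manager %s starts with no password" % mgr)
    if p.get("MAXPRI") in ("AS", "BS"):
        found.append("MAXPRI=%s: AS/BS processes can deadlock the system" % p["MAXPRI"])
    if re.search(r":[^;)]*\bANY\b", p.get("ACCESS", "")):
        found.append("ACCESS grants file access to ANY user")
    for cap in sorted(REVIEW_CAPS & set(re.split(r"\s*,\s*", p.get("CAP", "")))):
        found.append("CAP includes " + cap)
    return found

# First sample is the page's own example; the other two are constructed.
SAMPLES = ["NEWACCT ACI,MNGR",
           "NEWACCT PAYROLL,MGR;PASS=;CAP=AM,IA,BA,PM;MAXPRI=BS;ACCESS=(R,X:ANY;W:AC)",
           "NEWACCT LEDGER,MGR;PASS=S3CRET1;USERPASS=REQ"]
```

Calling audit() on each entry of SAMPLES shows that the all-defaults command from the page yields two findings, because both the account and its manager are created without a password.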
Commands: NEWGROUP, NEWUSER, LISTACCT, ALTACCT
Manuals : Native Mode Spooler Reference Manual (32650-90166)