Generated from C.65.00 /SYSADMIN/PUB/MYCICAT last modified on Sun Aug 29 15:08:37 2004
Changes the attributes currently defined for a user. (CM)
ALTUSER username[.acctname] [;PASS=[password] ] [;CAP=[capabilitylist] ] [;MAXPRI=[subqueuename] ] [;LOCATTR=[localattribute]] [;HOME=[homegroupname] ] [;UID=[uid]] [;USERPASS=[{REQ}][,EXPIRED]] (1) {OPT} (1) The USERPASS parameter is only available if the HP Security Monitor has been installed
username The name assigned to the user within a logon account. acctname Specifies the account in which the user is to reside. This parameter is available only to those users who have System Manager (SM) capability. password The password to be assigned to the user. If password is omitted, any existing password is removed. If ;PASS is omitted entirely, the password is unchanged. capabilitylist Either 1) a list of capabilities, separated by commas, permitted to this user, or 2) a list of additions and/or deletions to be applied to the user's existing set of capabilities. Additions and deletions are specified by a "+" or "-" immediately followed by the capability to add or delete, separated by commas. If you plan to specify "+" or "-" in the list, then you must begin the list with "+" or "-". For example, CAP=+MR,-PH is legal, but CAP=MR,-PH is not. It is not necessary to prefix each capability you are adding or deleting with "+" or "-"; the occurrence of "+" or "-" indicates an action that remains in effect until the indicator changes. For example, CAP=+MR,PH,-PM,DS is equivalent to CAP=+MR,+PH,-PM,-DS. The capabilities that a user may exercise are limited by the capabilities assigned to the account. For example, suppose both the user and account are assigned DS capability (allowing extra data segments). If DS capability is subsequently removed from the account, the user is denied DS capability even if that capability is not explicitly removed from the user. Each capability is denoted by a two letter mnemonic as follows: System Manager = SM Account Manager = AM Account Librarian = AL Group Librarian = GL Diagnostician = DI System Supervisor = OP Network Administrator = NA Node Manager = NM Save Files = SF Access to nonsharable I/O devices = ND Use Volumes = UV Create Volumes = CV Use Communication Subsystem = CS Programmatic Sessions = PS User Logging = LG Process Handling = PH Extra Data Segments = DS Multiple RINs = MR Privileged Mode = PM Interactive Access = IA Batch Access = BA Programmatic Sessions = PS Default is SF, ND, IA, and BA. Note that CV automatically gives the user UV capability. subqueuename The name of the highest priority subqueue that may be requested by any process of any job/session initiated by the user. This parameter is specified as AS, BS, CS, DS, or ES, but cannot be greater than that specified with the NEWACCT or ALTACCT commands. The subqueuename defined for the user is checked against the subqueuename defined for the account at logon, and the lower priority of the two is used as the maximum priority restricting all processes of the job/session. Also, the priority requested by the user at logon is checked against the subqueuename defined for the user, and the user is granted the lower of these two values. Default is CS.
Processes capable of executing in the AS or BS subqueues can deadlock the system. By assigning non-priority processes to these subqueues, you may prevent critical system processes from executing. Exercise extreme care when assigning processes to the AS or BS subqueue. localattribute Defined at the installation site, this arbitrary double word bit map is used to further classify users. While it is not part of standard MPE/iX security provisions, programmers may define it (through the WHO intrinsic) to enhance the security of their own programs. The bit map for the user local attributes must be a subset of the bit map for the account local attributes. The ALTUSER command checks the local attributes of the user with those of the account. Default is double word 0 (null). homegroupname The name of an existing group to be assigned as the home group for this user. The first user established when an account is created will, by default, have PUB assigned as the home group. Subsequent new users will by default have no home group assigned. If no home group is assigned, the user must always specify an existing group when logging on. uid User ID to be altered for the account manager in the user database. The uid must be an unique positive (non zero) 32-bit integer. Req USERPASS=REQ specifies that the user must have a non-blank password. It is available only if the HP Security Monitor has been installed. Opt USERPASS=OPT specifies that this user may or may not have a password. It is available only if the HP Security Monitor has been installed. Expired The password expires immediately. The user cannot logon without selecting a new password. It is only available if the HP Security Monitor has been installed.
The ALTUSER command allows the account manager to change the password, capabilities, processing subqueue, security checking, and home group currently defined for a user. More than one of these attributes may be changed at a time, by entering multiple keyword parameters on a single command line, using the semicolon (;) delimiter. To change an attribute, enter the keyword and its new value. When an entire keyword parameter group is omitted from the ALTUSER command, the corresponding value for the user remains unchanged. When a keyword is included, but the corresponding parameter is omitted (as in ;PASS=[Return]), a default value is assigned as follows. This command may be issued from a session, job, program, or in BREAK. Pressing [Break] has no effect on this command. You user must have account manager (AM) capability to use this command. You must have System Manager (SM) capability to use specify a user in an account other than your own. Default Parameters for ALTUSER PARAMETER DEFAULT VALUES password NULL password capabilitylist SF, ND, IA, and BA (provided these capabilities have been specified for the account) subqueuename CS localattribute 0 (null) homegroupname The first user established when the account is created has PUB assigned as home group. Subsequent users have no group assigned as home. If a user has no home group assigned, an existing group must be specified when initiating a job or a session. When a parameter is modified with the ALTUSER command, it is immediately registered in the directory. However, it will not affect users who are currently logged on to the system. They will be affected the next time they log on to the same user name and account. For this reason, you should warn users in advance of the intended changes. You should avoid changing the capabilitylist or homegroupname of the user MANAGER.SYS. SM capability cannot be taken away from MANAGER.SYS. ALTUSER will not allow a user with AM capability to remove AM from their own capability list. However, a user with AM can remove AM from the capability list of another AM user inside the same account.
Suppose an account's capabilities are AM, AL, GL, SF, ND, PH, DS, MR, IA, and BA. To change the capabilitylist of the user JONES from IA, BA, SF, PH, DS to include Multiple RIN capability (MR), enter ALTUSER JONES;CAP=IA,BA,SF,PH,DS,MR To alter two attributes, password and subqueuename, for user JONES enter ALTUSER JONES;PASS=JJ;MAXPRI=DS
Commands: ALTACCT, ALTGROUP, LISTUSER, NEWACCT, NEWUSER Manuals : Performing System Management Tasks (32650-90004) Performing System Operation Tasks (32650-90137) Back to Main Index