ALTACCT




     Changes the attributes of an existing account.  You must
have System Manager (SM) capability to use this command.
(CM)

SYNTAX

     ALTACCT acctname
             [;PASS=[password]]
             [;FILES=[filespace]]
             [;CPU=[cpu]]
             [;CONNECT=[connect]]
             [;CAP=[capabilitylist]]
             [;ACCESS=[(fileaccess)]]
             [;MAXPRI=[subqueuename]]
             [;LOCATTR=[localattribute]]
             [;ONVS=volumesetname]
             [;USERPASS=[{REQ}]] (1)
                         {OPT}

     (1) The USERPASS parameter is only available if the
         HP Security Monitor has been installed.

PARAMETERS

acctname            The name of the account to be altered.

password            Account password (used only for verifying logon
                    access). If ;PASS is omitted, no change is made.
                    If you omit password, the existing password is removed.

filespace           Disk storage limit, in sectors, for the permanent
                    files in the account. The filespace limit cannot be
                    less than the number of sectors currently in use for
                    the account. Default is unlimited file space, which
                    may be specified by omitting the ;FILES parameter,
                    or by specifying ;FILES=[Return].

cpu                 The limit on cumulative CPU time, in seconds, for
                    the account. This limit is checked only when a job
                    or session is initiated, and, therefore, never
                    causes the job or session to abort. The maximum
                    value allowed is 2,147,483,647 seconds. Default is
                    unlimited CPU time. The counter may be set to zero
                    with the RESETACCT command.

connect             The limit on total cumulative session connect
                    time, in minutes, allowed the account. This limit
                    is checked at logon, and every time the process
                    terminates the counter is updated. The maximum
                    value allowed is 2,147,483,647 minutes. Default is
                    unlimited connect time. The counter may be set to
                    zero with the RESETACCT command.

capabilitylist      Either 1) a list of capabilities, separated by
                    commas, permitted the account, or 2) a list of
                    additions and/or deletions to be applied to the
                    account's existing set of capabilities.
                    Additions and deletions are specified by a "+" or
                    "-" immediately followed by the capability to add
                    or delete, separated by commas.

                    If "+"/"-" is to be specified in the list, then
                    the list must begin with "+" or "-". For example,
                    CAP=+MR,-PH is legal, but CAP=MR,-PH is not.

                    It is not necessary to prefix each capability to
                    be added or deleted with "+" or "-", as the
                    occurrence of "+" or "-" indicates an action that
                    remains in effect until the indicator changes.
                    For example, CAP=+MR,PH,-PM,DS is equivalent to
                    CAP=+MR,+PH,-PM,-DS.

                    When you remove capabilities from an account,
                    member users and groups are no longer allowed those
                    capabilities, even if they are not explicitly
                    removed from the user or group. Likewise, when you
                    reinstate a capability at the account level that you
                    did not explicitly remove at the user or group
                    level, the member user or group may once again
                    exercise that capability.

                    Each capability is denoted by a two letter
                    mnemonic, as follows:

                    System Manager                      = SM
                    Account Manager                     = AM
                    Account Librarian                   = AL
                    Group Librarian                     = GL
                    Diagnostician                       = DI
                    System Supervisor                   = OP
                    Network Administrator               = NA
                    Node Manager                        = NM
                    Save Files                          = SF
                    Access to nonsharable I/O devices   = ND
                    Use Volumes                         = UV
                    Use Communication Subsystem         = CS
                    Programmatic Sessions               = PS
                    User Logging                        = LG
                    Process Handling                    = PH
                    Extra Data Segments                 = DS
                    Multiple RINs                       = MR
                    Privileged Mode                     = PM
                    Interactive Access                  = IA
                    Batch Access                        = BA

                    Default is AM,AL,GL,SF,ND,IA,BA, except for
                    the SYS account. The SYS account has no true
                    default. It is assigned the maximum account
                    capabilities when the system is delivered and,
                    under normal circumstances, should not be
                    altered. Note that CV capability, which
                    permits account members to create mountable,
                    nonsystem volumes, automatically gives the
                    account UV capability, allowing account
                    members to use mountable, nonsystem volumes.

                    If a capability is taken away from an account,
                    it will become unavailable to any user in that
                    account. However, the user will not be
                    affected by this change until the user logs
                    off and logs back on.

fileaccess          The restrictions on file access pertinent to this
                    account. Default is R,A,L,W,X:AC, entered as follows:

                         {R}
                         {L}         {ANY}
                      ([ {A} [,...]:       ] [;...])
                         {W}         {AC }
                         {X}

                    where R, L, A, W, and/or X specify modes of
                    access by types of users (ANY and/or AC) as
                    follows:

                    R = READ
                    L = LOCK (allows exclusive access to file)
                    A = APPEND (implicitly specifies L also)
                    W = WRITE (specifies A and L also)
                    X = EXECUTE

                    The user types are specified as follows:

                    ANY = Any user
                    AC  = Member of this account only

subqueuename        Name of the highest priority subqueue that can
                    be requested by any process of any job/session
                    in the account, specified as AS, BS, CS, DS,
                    or ES. Default is CS.

CAUTION

Exercise extreme caution when choosing subqueues.  User processes
executing in the AS or BS subqueues can deadlock the system. If you
assign these subqueues to non-priority processes, other critical system
processes may be prevented from executing.

localattribute      Local attribute of the account, as defined at the
                    installation site. This is a double word bit map, of
                    arbitrary meaning, that might be used to further
                    classify accounts. While it is not involved in
                    standard MPE/iX security provisions, it is available
                    to processes through the WHO intrinsic. Programmers
                    may use localattribute in their own programs to
                    provide security. Default is double word 0 (null).

volumesetname       The MPE/iX volume set in which the account will be
                    altered. This volume set must be already defined
                    and recognized by the system. If you do not specify
                    this parameter, the default is the system volume
                    set.

                    For MPE/iX, volume set names are no longer
                    invariably composed of volumesetname.group.account.
                    Instead, volume set names consist simply of one (1)
                    to thirty-two (32) characters, beginning with an
                    alphabetic character. The remaining characters
                    may be alphabetic, numeric, the underscore,
                    and periods.

                    If you specify this parameter, only the ;FILES
                    keyword is valid; all other parameters are ignored.

                    Refer to any of the VSxxxxxx commands or to
                    the Volume Management Reference Manual
                    (32650-90045).

REQ                 USERPASS=REQ specifies that all users in the
                    account must have a non-blank password. It is
                    available only if the HP Security Monitor
                    has been installed.

OPT                 USERPASS=OPT specifies that the users in this
                    account may or may not have passwords. If you
                    do not use the USERPASS parameter, the old value
                    remains. It is available only if the HP Security
                    Monitor has been installed.
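
The fileaccess syntax described above, with its implied modes (A also grants L; W also grants A and L), worked through as an added Python example; it is not HP code, and the function names are hypothetical. It can be used to review which modes an ;ACCESS= string really opens to users outside the account.

```python
# Added illustration of the fileaccess syntax described above; not HP code.
# Function and variable names are hypothetical.
IMPLIES = {"R": {"R"}, "L": {"L"}, "A": {"A", "L"},
           "W": {"W", "A", "L"}, "X": {"X"}}
USER_TYPES = ("ANY", "AC")

def parse_fileaccess(spec):
    """Map each user type (ANY, AC) to the set of modes it is granted."""
    text = spec.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("fileaccess must be enclosed in parentheses")
    granted = {u: set() for u in USER_TYPES}
    for clause in text[1:-1].split(";"):
        modes, sep, user = clause.partition(":")
        user = user.strip().upper()
        if not sep or user not in granted:
            raise ValueError("clause needs modes:ANY or modes:AC: " + clause)
        for mode in (m.strip().upper() for m in modes.split(",")):
            if mode not in IMPLIES:
                raise ValueError("unknown access mode: " + mode)
            granted[user] |= IMPLIES[mode]      # W pulls in A and L, A pulls in L
    return granted

def allowed(granted, mode, account_member):
    """True if the mode is open to the user; account members also count as ANY."""
    modes = set(granted["ANY"])
    if account_member:
        modes |= granted["AC"]
    return mode in modes

if __name__ == "__main__":
    # The SYS account default listed on this page.
    sys_default = parse_fileaccess("(R,X:ANY;A,W,L:AC)")
    print("outsider may write:", allowed(sys_default, "W", False))
    print("member may write:  ", allowed(sys_default, "W", True))
```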

OPERATION

     The system manager uses ALTACCT to change the attributes of
an existing account. Multiple keywords may be entered on a
single command line as shown in "EXAMPLE". When you change
one capability in a capabilitylist that contains several
nondefault values, you must specify the entire new
capabilitylist. When an entire keyword parameter group is
omitted from the ALTACCT command, that parameter remains
unchanged for the account. When a keyword is included, but
the corresponding parameter is omitted (as in
;PASS=[Return]), the default value is assigned.

This command may be issued from a session, job, program, or in
BREAK. Pressing [Break] has no effect on this command.

Default Parameters for ALTACCT

PARAMETER           DEFAULT VALUES

password            No password

filespace           Unlimited

cpu                 Unlimited

connect             Unlimited

capabilitylist      AM, AL, GL, SF, ND, IA, BA (All accounts except SYS)

                    SM, AM, AL, GL, DI, OP, SF, ND, PH, DS, MR, PM
                    (SYS account only)

fileaccess          (R,A,W,L,X:AC) (All accounts except SYS)

                    (R,X:ANY;A,W,L:AC) (SYS account only)

subqueuename        CS subqueue

localattribute      0 (null)

Any value changed with ALTACCT will take effect the next
time MPE/iX is requested to check the value. If an
attribute is removed from an account while users are logged
on, they will not be affected until they end the job or
session and log on again. MPE does not automatically
generate a message informing users of the change; it is your
responsibility to warn account members in advance of any
changes. If you take a capability away from an account, all
account members and groups within the account are denied the
capability.

You cannot remove System Manager (SM) capability from the
SYS account. You also cannot take AM capability away from
any account. From within an account, you can remove AM
capability from all but one (the last) of the users assigned
it. It is possible, however, to remove AM capability from
all users in an account, but only if you do so from another
account that has SM capability.
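
The capabilitylist rules from PARAMETERS and the account-level denial described above, as an added Python example that is not HP code: it applies a CAP= list (the "+"/"-" indicator staying in effect, a signed list having to begin with a sign, CV giving UV) and computes what a member can still exercise. Function names are hypothetical, the empty-list default is the non-SYS default, and rejecting a list that drops AM is this model's reading of "cannot".

```python
# Added illustration of the CAP= rules described on this page; not HP code.
# Function names are hypothetical.
DEFAULT = {"AM", "AL", "GL", "SF", "ND", "IA", "BA"}    # non-SYS default
KNOWN = DEFAULT | {"SM", "DI", "OP", "NA", "NM", "UV", "CV", "CS", "PS",
                   "LG", "PH", "DS", "MR", "PM"}

def apply_cap(current, spec):
    """Return the account's capability set after ALTACCT ...;CAP=spec."""
    items = [i.strip().upper() for i in spec.split(",") if i.strip()]
    if not items:                        # ;CAP= with no list: default applies
        return set(DEFAULT)
    signed = any(i[0] in "+-" for i in items)
    if signed and items[0][0] not in "+-":
        raise ValueError("a list using +/- must begin with + or -")
    # A signed list edits the existing set; an unsigned list replaces it.
    result = set(current) if signed else set()
    sign = "+"
    for item in items:
        if item[0] in "+-":              # indicator stays in effect until changed
            sign, item = item[0], item[1:]
        if item not in KNOWN:
            raise ValueError("unknown capability: " + item)
        if sign == "+":
            result.add(item)
        else:
            result.discard(item)
    if "CV" in result:                   # CV automatically gives UV
        result.add("UV")
    if "AM" not in result:               # assumption: modelled as an error
        raise ValueError("AM cannot be taken away from an account")
    return result

def effective(user_caps, account_caps):
    """Capabilities a member can exercise: never more than the account holds."""
    return set(user_caps) & set(account_caps)

if __name__ == "__main__":
    acct = apply_cap(DEFAULT | {"PM", "PH"}, "-PM")     # constructed sample
    print(sorted(effective({"IA", "BA", "PM", "PH"}, acct)))
```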

NOTE

If you specify volume-related commands or parameters for a volume set
that is not currently mounted, or for an account that does not exist,
MPE/iX will return a corresponding error message.

EXAMPLE(S)

     To change an account named AC2 so that its password is
GLOBALX, and its filespace is limited to 50,000 sectors,
enter

ALTACCT AC2;PASS=GLOBALX;FILES=50000

To change the password and the file space of an account
called MALCHIOR in the volume set time_lord, you will need
to issue two commands

ALTACCT malchior;pass=omsboros
ALTACCT malchior;onvs=time_lord;files=20000

You must specify the changes for the system volume set (the
first command) and for the volume set itself (the second
command). Specifying a volumesetname limits the user to
changing only ;FILES in the second command.

ADDITIONAL INFORMATION

Commands:   ALTGROUP, ALTUSER, LISTACCT, LISTGROUP, LISTUSER,
            NEWACCT, NEWGROUP, NEWUSER

Manuals:    Performing System Management Tasks (32650-90004)
            Performing System Operation Tasks (32650-90137)