ALTUSER



ALTUSER

     Changes the attributes currently defined for a user.  (CM)

SYNTAX

     ALTUSER username[.acctname]

[;PASS=[password] ]
[;CAP=[capabilitylist] ]
[;MAXPRI=[subqueuename] ]
[;LOCATTR=[localattribute]]
[;HOME=[homegroupname] ]
[;UID=[uid]]
[;USERPASS=[{REQ}][,EXPIRED]] (1)
{OPT}

(1) The USERPASS parameter is only available if the
HP Security Monitor has been installed

PARAMETERS

username            The name assigned to the user within a logon
account.

acctname Specifies the account in which the user is to
reside. This parameter is available only to those
users who have System Manager (SM) capability.

password The password to be assigned to the user. If
password is omitted, any existing password is
removed. If ;PASS is omitted entirely, the
password is unchanged.

capabilitylist Either 1) a list of capabilities, separated by
commas, permitted to this user, or 2) a list of
additions and/or deletions to be applied to the
user's existing set of capabilities. Additions
and deletions are specified by a "+" or "-"
immediately followed by the capability to add
or delete, separated by commas.

If you plan to specify "+" or "-" in the list, then
you must begin the list with "+" or "-". For
example, CAP=+MR,-PH is legal, but CAP=MR,-PH is
not.

It is not necessary to prefix each capability you
are adding or deleting with "+" or "-"; the
occurrence of "+" or "-" indicates an action that
remains in effect until the indicator changes. For
example, CAP=+MR,PH,-PM,DS is equivalent to
CAP=+MR,+PH,-PM,-DS.

The capabilities that a user may exercise are
limited by the capabilities assigned to the
account. For example, suppose both the user and
account are assigned DS capability (allowing extra
data segments). If DS capability is subsequently
removed from the account, the user is denied DS
capability even if that capability is not
explicitly removed from the user.

Each capability is denoted by a two letter mnemonic
as follows:

System Manager = SM
Account Manager = AM
Account Librarian = AL
Group Librarian = GL
Diagnostician = DI
System Supervisor = OP
Network Administrator = NA
Node Manager = NM
Save Files = SF
Access to nonsharable
I/O devices = ND
Use Volumes = UV
Create Volumes = CV
Use Communication
Subsystem = CS
Programmatic Sessions = PS
User Logging = LG
Process Handling = PH
Extra Data Segments = DS
Multiple RINs = MR
Privileged Mode = PM
Interactive Access = IA
Batch Access = BA
Programmatic Sessions = PS

Default is SF, ND, IA, and BA. Note that CV
automatically gives the user UV capability.

subqueuename The name of the highest priority subqueue that may
be requested by any process of any job/session
initiated by the user. This parameter is specified
as AS, BS, CS, DS, or ES, but cannot be greater than
that specified with the NEWACCT or ALTACCT
commands. The subqueuename defined for the user is
checked against the subqueuename defined for the
account at logon, and the lower priority of the two
is used as the maximum priority restricting all
processes of the job/session. Also, the priority
requested by the user at logon is checked against
the subqueuename defined for the user, and the user
is granted the lower of these two values. Default
is CS.

CAUTION

Processes capable of executing in the AS or BS subqueues can deadlock
the system. By assigning non-priority processes to these subqueues,
you may prevent critical system processes from executing. Exercise
extreme care when assigning processes to the AS or BS subqueue.

localattribute Defined at the installation site, this arbitrary
double word bit map is used to further classify
users. While it is not part of standard MPE/iX
security provisions, programmers may define it
(through the WHO intrinsic) to enhance the security
of their own programs. The bit map for the user
local attributes must be a subset of the bit map for
the account local attributes. The ALTUSER command
checks the local attributes of the user with those
of the account. Default is double word 0 (null).

homegroupname The name of an existing group to be assigned as the
home group for this user. The first user
established when an account is created will, by
default, have PUB assigned as the home group.
Subsequent new users will by default have no home
group assigned. If no home group is assigned, the
user must always specify an existing group when
logging on.

uid User ID to be altered for the account manager in
the user database. The uid must be an unique
positive (non zero) 32-bit integer.

Req USERPASS=REQ specifies that the user must have a
non-blank password. It is available only if the HP
Security Monitor has been installed.

Opt USERPASS=OPT specifies that this user may or may
not have a password. It is available only if the
HP Security Monitor has been installed.

Expired The password expires immediately. The user cannot
logon without selecting a new password. It is only
available if the HP Security Monitor has been installed.

OPERATION

     The ALTUSER command allows the account manager to change
the password, capabilities, processing subqueue, security
checking, and home group currently defined for a user. More
than one of these attributes may be changed at a time, by
entering multiple keyword parameters on a single command
line, using the semicolon (;) delimiter.

To change an attribute, enter the keyword and its new value.
When an entire keyword parameter group is omitted from the
ALTUSER command, the corresponding value for the user
remains unchanged. When a keyword is included, but the
corresponding parameter is omitted (as in ;PASS=[Return]), a
default value is assigned as follows.

This command may be issued from a session, job, program, or
in BREAK. Pressing [Break] has no effect on this command. You
user must have account manager (AM) capability to use this
command. You must have System Manager (SM) capability to use
specify a user in an account other than your own.

Default Parameters for ALTUSER

PARAMETER DEFAULT VALUES

password NULL password

capabilitylist SF, ND, IA, and BA (provided these
capabilities have been specified for the
account)

subqueuename CS

localattribute 0 (null)

homegroupname The first user established when the account is
created has PUB assigned as home group.
Subsequent users have no group assigned as
home. If a user has no home group assigned,
an existing group must be specified when
initiating a job or a session.

When a parameter is modified with the ALTUSER command, it
is immediately registered in the directory. However, it
will not affect users who are currently logged on to the
system. They will be affected the next time they log on to
the same user name and account. For this reason, you should
warn users in advance of the intended changes.

You should avoid changing the capabilitylist or
homegroupname of the user MANAGER.SYS. SM capability cannot
be taken away from MANAGER.SYS.

ALTUSER will not allow a user with AM capability to remove AM
from their own capability list. However, a user with AM can
remove AM from the capability list of another AM user inside
the same account.

EXAMPLE(S)

     Suppose an account's capabilities are AM, AL, GL, SF, ND,
PH, DS, MR, IA, and BA. To change the capabilitylist of the
user JONES from IA, BA, SF, PH, DS to include Multiple RIN
capability (MR), enter

ALTUSER JONES;CAP=IA,BA,SF,PH,DS,MR

To alter two attributes, password and subqueuename, for user
JONES enter

ALTUSER JONES;PASS=JJ;MAXPRI=DS

ADDITIONAL INFORMATION

Commands:  ALTACCT, ALTGROUP, LISTUSER, NEWACCT, NEWUSER

Manuals :  Performing System Management Tasks (32650-90004)
           Performing System Operation Tasks (32650-90137)