NEWACCT

     Creates a new account and an associated account manager and
     PUB group.  (CM)

SYNTAX


     NEWACCT acctname,mgrname
                [;PASS=[password]]
                [;FILES=[filespace]]
                [;CPU=[cpu]]
                [;CONNECT=[connect]]
                [;CAP=[capabilitylist]]
                [;ACCESS=[(fileaccess)]]
                [;MAXPRI=[subqueuename]]
                [;LOCATTR=[localattribute]]
                [;ONVS=volumesetname]
                [;GID=[gid]]
                [;UID=[uid]]
                [;USERPASS=[{REQ}]]  (1)
                            {OPT}

     (1) The USERPASS parameter is only available if the HP Security
         Monitor has been installed.

PARAMETERS


     acctname        Name to be assigned to the new account. This name
                     must contain from one to eight alphanumeric
                     characters, beginning with an alphabetic character.

     mgrname         Name of the account manager. This is always the
                     first user created under the account. The manager
                     receives the following attributes:

                     Account Manager Default Capabilities

                     ATTRIBUTE        DEFAULT
                     --------------------------------------------------
                     password         None
                     capabilitylist   Same as the account capability
                     subqueuename     Same as the account max priority
                     localattribute   Same as account local attributes
                     Home Group       PUB
                     UID              A unique identifier
                     GID              A unique identifier

                     The attributes of an account manager may be changed
                     with the ALTUSER command after mgrname is defined.
                     However, in no case is this user granted attributes
                     greater than those assigned the account.

     password        Account password, used for verifying logon access
                     only. This password must contain from one to eight
                     alphanumeric characters, beginning with an
                     alphabetic character. Default is that no password
                     is assigned.

     filespace       Disk storage limit, in sectors, for the permanent
                     files of the account. The maximum value you may
                     define is 2,147,483,647 sectors. Default is
                     unlimited file space.

     cpu             Limit on total CPU time, in seconds, for this
                     account. This limit is checked only when a job or
                     session is initiated, and so the limit never causes
                     the job or session to abort. The maximum value you
                     may define with NEWACCT is 2,147,483,647 seconds.
                     Default is that no limit is assigned.

     connect         Limit on total session connect time, in minutes,
                     allowed the account. This limit is checked at logon,
                     and when the job or session initiates a new process.
                     The maximum value you may define is 2,147,483,647
                     minutes. Default is that no limit is assigned.

     capabilitylist  The list of capabilities, separated by commas,
                     permitted this account. Each capability is denoted
                     by a two-letter mnemonic, as follows:

                        System Manager                     = SM
                        Account Manager                    = AM
                        Diagnostician                      = DI
                        System Supervisor                  = OP
                        Network Administrator              = NA
                        Node Manager                       = NM
                        Save Files                         = SF
                        Access to nonsharable I/O devices  = ND
                        Use Volumes                        = UV
                        Create Volumes                     = CV
                        Use Communication Subsystem        = CS
                        Programmatic Sessions              = PS
                        User Logging                       = LG
                        Process Handling                   = PH
                        Extra Data Segments                = DS
                        Multiple RINs                      = MR
                        Privileged Mode                    = PM
                        Interactive Access                 = IA
                        Batch Access                       = BA

                     Default is AM, SF, ND, IA, BA.

                     Note that CV capability permits account members
                     to create and use mountable, nonsystem volumes
                     automatically.

     fileaccess      The restriction on file access pertinent to this
                     account. Default is R,L,A,W,X:AC, where R, L, A, W,
                     and X specify modes of access by types of users
                     (ANY, AC, CR) as follows:

                        R = Read
                        L = Lock (allows exclusive access)
                        A = Append (implicitly specifies L)
                        W = Write (implicitly specifies A)
                        X = Execute
                        S = Save

                     LOCK allows exclusive access to the file.
                     APPEND implicitly specifies LOCK. WRITE
                     implicitly specifies APPEND.

                     The user types are specified as follows:

                        ANY = Any user
                        AC  = Member of this account only
                        CR  = Creating user only

                     The default is no security restrictions at the
                     account level. Two or more user types may be
                     specified if they are separated by commas.

     subqueuename    The name of the subqueue of highest priority that
                     can be requested by any process of any job/session
                     in the account. This parameter is specified as AS,
                     BS, CS, DS, or ES.

CAUTION


Processes capable of executing in the AS or BS subqueues can deadlock
the system. Assigning nonpriority system and user processes to these
subqueues can prevent critical processes from executing. Exercise
extreme caution when assigning processes to these subqueues.

     localattribute  The local attribute of the account, as defined at
                     the installation site. This is a double word bit
                     map used to further classify accounts. While it is
                     not part of standard MPE/iX security provisions,
                     programmers may define local attributes (which will
                     be checked by the WHO intrinsic) to enhance their
                     software's security. Default is double word 0.

     ONVS            Specifies a particular volume set on which the
                     account is to be built. It must be a volume set
                     already defined and recognized by the system. A
                     NEWACCT must be specified twice, once without the
                     ;ONVS parameter, and once with it. The first
                     NEWACCT will build the account on the system volume
                     set (from which the account is accessed). The
                     second will build it on the volume set where files
                     in this account will exist.

                     If you specify ONVS, the only other parameter that
                     will work with it is ;FILES.

     volumesetname   For MPE/iX, volume set names are no longer
                     invariably composed of volumesetname.group.account.
                     Instead, volume set names consist simply of one (1)
                     to thirty-two (32) characters, beginning with an
                     alphabetic character. The remaining characters may
                     be alphabetic, numeric, the underscore, and periods.

                     If you specify a volumesetname, you must specify the
                     full name of the volume set. MPE V/E permitted you
                     to use part of the volume set name and rely upon the
                     default characteristics of the system to search out
                     the remainder of the name. MPE/iX does not permit
                     this. If you wish, you may use the older MPE V/E
                     conventions when assigning a name to a volume set.
                     If you do, you are then obliged to refer to that
                     volume set by its full (fully qualified) name. The
                     MPE/iX naming convention gives you greater freedom
                     in creating names, and so its use is encouraged.

                     Refer to the VSxxxxxx commands.

     gid             Group ID to be added to the group database. The
                     gid must be a unique positive (non-zero) 32-bit
                     integer. Default is for MPE to create a value.

     uid             User ID to be created for the account manager in
                     the user database. The uid must be a unique
                     positive (non-zero) 32-bit integer. Default is
                     for MPE to create a value.

     REQ             USERPASS=REQ specifies that all users in the
                     account must have non-blank passwords. If you
                     require user passwords, MPE/iX assigns the account
                     manager a blank, expired password. The account
                     manager must select a new password the first time
                     the manager logs on. This option is available only
                     if the HP Security Monitor has been installed.

     OPT             USERPASS=OPT specifies that the users in this
                     account may or may not have passwords. If you
                     do not use the USERPASS parameter, the old value
                     remains. This option is available only if the HP
                     Security Monitor has been installed.

OPERATION

     The NEWACCT command may be executed only by the system manager.
     The system manager is responsible for establishing the accounting
     structure best suited to the computer installation.

     When a keyword is specified, but its corresponding parameter is
     omitted (as in ;ACCESS= [Return]), the default value for that
     keyword is assigned (in this case, R,L,A,W,X:AC).  The default
     is also assigned when an entire keyword parameter group (such as
     ;ACCESS=fileaccess) is omitted.

     After the system manager creates accounts and their PUB groups,
     and has designated the account managers for those accounts, the
     new account managers may log on and redefine their own attributes
     and those of their PUB groups.  Account Managers can also define
     new users and groups.  The capabilities and attributes the Account
     Managers assign to groups and users cannot exceed those assigned
     to the account itself by the system manager.  For example, if the
     system manager does not assign the account DS capability, no users
     in the account are permitted DS capability (which prohibits them
     from linking programs that use extra data segments).

     The PUB Group is initially assigned the same capability class
     attributes, permanent file space limit, CPU limit, and connect
     time limit as the account, but no password.

     Its initial security allows READ and EXECUTE access to all users
     who successfully log on to the account. These access provisions
     are (R,X:ANY;A,W,L,S).

     This command may be issued from a session, job, program, or in
     BREAK. Pressing [Break] has no effect on this command.  A user
     must have System Manager (SM) capability to execute this command.

NOTE

If you specify volume-related commands or parameters for a volume set
that is not currently mounted, or for an account that does not exist,
MPE/iX will return a corresponding error message.


EXAMPLE(S)

     To create an account with the account name ACI, and the Account
     Manager name MNGR, with all other parameters assigned by default,
     enter:

     NEWACCT ACI,MNGR

     To create an account doctor on the system volume set, with the
     manager named who, and on the volume set called time_lord, you must
     create it with two parallel commands:

     NEWACCT doctor,who;cap=ia,ba,am
     NEWACCT doctor,who;ONVS=time_lord

     The first command creates the account doctor on the system volume
     set.  The second creates it on the volume set time_lord and
     connects the accounting structures established on the system volume
     and on the volume set.   By default, however, the PUB group of this
     account will be on the system volume set.

     To place the PUB group on the volume set time_lord, you need to
     use the PUB parameter in the first command:

     NEWACCT doctor,who;cap=ia,ba,sf,nd,am
     NEWACCT doctor,who;ONVS=time_lord
     ALTGROUP pub.doctor;homevs=time_lord


     To create the account DOCTOR on the system volume set, with the
     manager named WHO, and a UID of 50 and a GID of 20, enter:

     NEWACCT doctor,who;uid=50;gid=20;cap=ia,ba,sf,nd,gl,am,al
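
The parameter rules in PARAMETERS can be checked mechanically when reviewing job streams or scripts that create accounts. The following Python linter is an added example, not part of the original help text or of any HP tool; the function name, the finding texts and the unsigned 32-bit reading of UID/GID are assumptions.

```python
import re

NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{0,7}$")       # acctname, mgrname, password
VSNAME = re.compile(r"[A-Za-z][A-Za-z0-9_.]{0,31}$")  # volumesetname
LIMIT = 2_147_483_647                                  # FILES, CPU, CONNECT maximum
KEYWORDS = {"PASS", "FILES", "CPU", "CONNECT", "CAP", "ACCESS", "MAXPRI",
            "LOCATTR", "ONVS", "GID", "UID", "USERPASS"}
# Table mnemonics plus AL and GL, which the table omits but the last example uses.
CAPS = set("SM AM DI OP NA NM SF ND UV CV CS PS LG PH DS MR PM IA BA AL GL".split())
DEFAULT_CAPS = {"AM", "SF", "ND", "IA", "BA"}
NAME_RULE = "must be 1-8 alphanumerics starting with a letter"

def lint_newacct(command):
    """Return a list of findings for one NEWACCT command line."""
    # Split on ';' except inside the parentheses of ;ACCESS=(...).
    head, *opts = [p.strip() for p in re.split(r";(?![^()]*\))", command)]
    m = re.match(r"(?i)NEWACCT\s+([^,\s]+)\s*,\s*(\S+)$", head)
    if not m:
        return ["not of the form NEWACCT acctname,mgrname"]
    out = [f"{what} {v!r} {NAME_RULE}"
           for what, v in zip(("acctname", "mgrname"), m.groups()) if not NAME.match(v)]
    kw = {k.strip().upper(): v.strip() for k, _, v in (o.partition("=") for o in opts)}
    out += [f"unknown keyword {k!r}" for k in kw if k not in KEYWORDS]
    for k in ("FILES", "CPU", "CONNECT"):
        v = kw.get(k, "")
        if v and not (v.isdecimal() and int(v) <= LIMIT):
            out.append(f"{k}={v} must be a whole number no larger than {LIMIT}")
    if "ONVS" in kw:  # second NEWACCT of the pair: only ;FILES works with it
        if not VSNAME.match(kw["ONVS"]):
            out.append("ONVS needs a 1-32 character volume set name")
        return out + [f"{k} does not work with ONVS" for k in kw if k not in ("ONVS", "FILES")]
    pw = kw.get("PASS", "")
    if not pw or not NAME.match(pw):
        out.append("no account password (the default)" if not pw else f"PASS {NAME_RULE}")
    caps = {c.strip().upper() for c in kw.get("CAP", "").split(",") if c.strip()}
    out += [f"unknown capability {c}" for c in sorted(caps - CAPS)]
    extra = sorted(caps & (CAPS - DEFAULT_CAPS))
    if extra:
        out.append("capabilities beyond the default: " + ",".join(extra))
    pri = kw.get("MAXPRI", "").upper()
    if pri in ("AS", "BS"):
        out.append(f"MAXPRI={pri}: AS/BS processes can deadlock the system")
    for k in ("UID", "GID"):  # unsigned 32-bit range is an assumption
        v = kw.get(k, "")
        if v and not (v.isdecimal() and 0 < int(v) < 2**32):
            out.append(f"{k}={v} must be a positive non-zero 32-bit integer")
    if kw.get("USERPASS", "").upper() not in ("", "REQ", "OPT"):
        out.append("USERPASS must be REQ or OPT")
    return out
```

Calling lint_newacct on the first example above returns a single finding, the missing account password, since PASS defaults to none.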


ADDITIONAL INFORMATION

Commands:   NEWGROUP, NEWUSER, LISTACCT, ALTACCT

Manuals :   Native Mode Spooler Reference Manual (32650-90166)