AUTHORIZE ADD — VMS 5.5-2H4
Adds a user record to the SYSUAF and corresponding identifiers to
the rights database.
Format
ADD newusername
Additional information available:
Parameter
newusername Specifies the name of the user record to be included in the SYSUAF. The newusername parameter is a string of 1 through 12 alphanumeric characters and may contain underscores. Although dollar signs are permitted, they are usually reserved for system names.
Qualifiers
Additional information available:
/ACCESS /ACCOUNT /ADD_IDENTIFIER /ALGORITHM /ASTLM
/BATCH /BIOLM /BYTLM /CLI /CLITABLES /CPUTIME
/DEFPRIVILEGES /DEVICE /DIALUP /DIOLM /DIRECTORY
/ENQLM /EXPIRATION /FILLM /FLAGS /GENERATE_PASSWORD
/INTERACTIVE /JTQUOTA /LGICMD /LOCAL /MAXACCTJOBS
/MAXDETACH /MAXJOBS /MODIFY_IDENTIFIER /NETWORK /OWNER
/PASSWORD /PGFLQUOTA /PRCLM /PRIMEDAYS
/PRIORITY /PRIVILEGES /PWDEXPIRED /PWDLIFETIME
/PWDMINIMUM /REMOTE /SHRFILLM /TQELM /UIC /WSDEFAULT
/WSEXTENT /WSQUOTA
/ACCESS
/ACCESS[=(range[,...])]
Specifies hours of access for all modes of access. Syntax for
range specification is:
/[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])
Specify hours as integers from 0 to 23, inclusive. Hours may be
specified as single hours (n), or as ranges of hours (n-m). If
the ending hour of a range is earlier than the starting hour,
the range extends from the starting hour through midnight to the
ending hour. The first set of hours after the keyword PRIMARY
specifies hours on primary days; the second set of hours after
the keyword SECONDARY specifies hours on secondary days. Note that
hours are inclusive; that is, if you grant access during a given
hour, access extends to the end of that hour.
By default, a user has full access every day. See the DCL command
SET DAY in the VMS DCL Dictionary for information on overriding
the defaults for primary and secondary day types.
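The range syntax above is easy to get wrong when auditing an account's hour restrictions, particularly ranges that wrap through midnight. The following is an added example, not part of the AUTHORIZE help text, that parses an /ACCESS or /NOACCESS qualifier into one 24-bit mask per day type and checks a login hour against it; it assumes that a day type not mentioned in the qualifier keeps the full-access default.

```python
# Added example (not part of the AUTHORIZE help text): parse the /ACCESS
# hour-range syntax into two 24-bit masks, one per day type, and check them.
ALL_HOURS = (1 << 24) - 1  # bits 0-23 set: full access, the AUTHORIZE default


def hours_in(item):
    """Yield the hours covered by one list item, 'n' or 'n-m' (inclusive).

    A range whose ending hour is earlier than its starting hour wraps
    through midnight, e.g. '22-6' covers 22, 23, 0, 1, ..., 6.
    """
    item = item.strip()
    if "-" in item:
        start, end = (int(x) for x in item.split("-", 1))
    else:
        start = end = int(item)
    for h in (start, end):
        if not 0 <= h <= 23:
            raise ValueError(f"hour out of range 0-23: {h}")
    hour = start
    while True:
        yield hour
        if hour == end:
            return
        hour = (hour + 1) % 24


def parse_access(qualifier):
    """Return {'PRIMARY': mask, 'SECONDARY': mask} for an /ACCESS or /NOACCESS
    qualifier string such as '/ACCESS=(PRIMARY, 8-17, SECONDARY, 22-6)'.

    /ACCESS lists the hours that are permitted; /NOACCESS lists the hours
    that are denied, so its mask is inverted. Hours given before any
    keyword apply to primary days. Assumption: a day type that is not
    mentioned at all keeps the full-access default.
    """
    name, _, body = qualifier.strip().partition("=")
    name = name.lstrip("/").upper()
    if name not in ("ACCESS", "NOACCESS"):
        raise ValueError(f"expected /ACCESS or /NOACCESS, got /{name}")
    listed = {"PRIMARY": 0, "SECONDARY": 0}
    mentioned = set()
    current = "PRIMARY"
    for item in body.strip().strip("()").split(","):
        item = item.strip().upper()
        if not item:
            continue
        if item in listed:
            current = item
            mentioned.add(item)
            continue
        mentioned.add(current)
        for hour in hours_in(item):
            listed[current] |= 1 << hour
    result = {}
    for day_type, mask in listed.items():
        if day_type not in mentioned:
            result[day_type] = ALL_HOURS
        elif name == "NOACCESS":
            result[day_type] = ALL_HOURS & ~mask
        else:
            result[day_type] = mask
    return result


def access_allowed(masks, hour, primary_day=True):
    """True if a login at 'hour' (0-23) is permitted on the given day type."""
    mask = masks["PRIMARY" if primary_day else "SECONDARY"]
    return bool(mask & (1 << hour))


def allowed_hours(mask):
    """List the permitted hours in a mask, for a human-readable audit line."""
    return [h for h in range(24) if mask & (1 << h)]
```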
/ACCOUNT
/ACCOUNT=account-name
Specifies a 1 through 8 alphanumeric character string that is
the default name for the account (for example, a billing name or
number). By default, no account name is assigned.
/ADD_IDENTIFIER
/ADD_IDENTIFIER (default)
/NOADD_IDENTIFIER
Adds identifiers for the user name and account name to the
rights database. The qualifier is used only with the ADD and COPY
commands.
/ALGORITHM
/ALGORITHM=keyword=type [=value]
Sets the password encryption algorithm for a user. The keyword VMS
refers to the algorithm used in the version of VMS that is running
on your system, whereas a customer algorithm is one that is added
through the $HASH_PASSWORD system service by a customer site, by
a layered product, or by a third party. The customer algorithm
is identified in $HASH_PASSWORD by an integer in the range of
128-255. The customer algorithm number has to correspond with the
number used in the AUTHORIZE command MODIFY/ALGORITHM. By default,
passwords are encrypted with the VMS algorithm for the current
version of the operating system.
Keyword Function
BOTH Set the algorithm for primary and secondary
passwords.
CURRENT Set the algorithm for the primary, secondary, both,
or no passwords depending on account status. Current
is the default value.
PRIMARY Set the algorithm for the primary password only.
SECONDARY Set the algorithm for the secondary password only.
Type Definition
VMS The algorithm used in the version of VMS that is
running on your system.
CUSTOMER A numeric value in the range 128-255 identifies a
customer algorithm.
/ASTLM
/ASTLM=value
Specifies the AST queue limit, which is the total number of
asynchronous system trap (AST) operations and scheduled wake-up
requests that the user can have queued at one time. The default
is 24.
/BATCH
/BATCH[=(range[,...])]
Specifies the hours of access permitted for batch jobs. For a
description of the range specification, see the /ACCESS qualifier.
By default, a user can submit batch jobs any time.
/BIOLM
/BIOLM=value
Specifies a buffered I/O count limit for the BIOLM field of the
UAF record. The buffered I/O count limit is the maximum number
of buffered I/O operations, such as terminal I/O, that can be
outstanding at one time. The default is 18.
/BYTLM
/BYTLM=value
Specifies the buffered I/O byte limit for the BYTLM field of the
UAF record. The buffered I/O byte limit is the maximum number
of bytes of nonpaged system dynamic memory that a user's job
may consume at one time. Nonpaged dynamic memory is used for
operations such as I/O buffering, mailboxes, and file-access
windows. The default is 8192.
/CLI
/CLI=cli-name
Specifies the name of the default command language interpreter
(CLI) for the CLI field of the UAF record. The cli-name is 1
through 12 alphanumeric characters and should be either DCL or
MCR. The default is DCL.
/CLITABLES
/CLITABLES=filespec
Specifies user-defined CLI tables for the account, from 1 to 31
characters. The default is SYS$LIBRARY:DCLTABLES.
/CPUTIME
/CPUTIME=time
Specifies the maximum process CPU time for the CPU field of the
UAF record. The maximum process CPU time is the maximum amount of
CPU time a user's process can take per session. You must specify a
delta-time value. The default is 0, which means an infinite amount
of time.
/DEFPRIVILEGES
/DEFPRIVILEGES=([NO]privname[,...])
Specifies default privileges for the user; that is, those enabled
at login time. A NO prefix removes a privilege from the user.
The keyword [NO]ALL specified with the /DEFPRIVILEGES qualifier
disables or enables all user privileges. The default privileges
are TMPMBX and NETMBX.
/DEVICE
/DEVICE=device-name
Specifies the name of the user's default device at login. The
device-name is a 1 through 31 alphanumeric character string.
If you omit the colon from the device-name value, a colon is
appended. The default device is SYS$SYSDISK.
/DIALUP
/DIALUP[=(range[,...])]
Specifies hours of access permitted for dialup logins. For a
description of the range specification, see the /ACCESS qualifier.
The default is full access.
/DIOLM
/DIOLM=value
Specifies the direct I/O count limit for the DIOLM field of the
UAF record. The direct I/O count limit is the maximum number of
direct I/O operations (usually disk) that can be outstanding at
one time. The default is 18.
/DIRECTORY
/DIRECTORY=directory-name
Specifies the default directory-name for the DIRECTORY field of
the UAF record. The directory-name is 1 through 63 alphanumeric
characters. Brackets are added to the directory name if omitted.
The default directory name is [USER].
/ENQLM
/ENQLM=value
Specifies the lock queue limit for the ENQLM field of the UAF
record. The lock queue limit is the maximum number of locks that
can be queued by the user at one time. The default is 100.
/EXPIRATION
/EXPIRATION=time (default)
/NOEXPIRATION
Specifies the expiration date and time of the account. The
/NOEXPIRATION qualifier removes the expiration date on the account
or resets the expiration time for expired accounts. The default
expiration time period is 90 days for nonprivileged users.
/FILLM
/FILLM=value
Specifies the open file limit for the FILLM field of the UAF
record. The open file limit is the maximum number of files that
can be open at one time, including active network logical links.
The default is 20.
/FLAGS
/FLAGS=([NO]option[,...])
Specifies login flags for the user. A NO in front of the flag
clears the flag. The following are valid options:
AUDIT Enables or disables security auditing for a
specific user. By default, VMS does not
audit the activities of specific users
(NOAUDIT).
AUTOLOGIN Restricts the user to the automatic login
mechanism when logging in to an account.
When set, the flag disables login by any
terminal that requires entry of a user name
and password. The default is to require a
user name and password (NOAUTOLOGIN).
CAPTIVE Prevents the user from changing any defaults
at login, for example, /CLI, /DISK,
/COMMAND, or /LGICMD. It also prevents
the user from escaping the captive login
command procedure and gaining access to
the DCL command level. The CAPTIVE flag
establishes an environment where Ctrl/Y
interrupts are initially turned off;
however, command procedures can still turn
on Ctrl/Y interrupts with the DCL command
SET CONTROL=Y. By default, an account is not
captive (NOCAPTIVE).
DEFCLI Restricts the user to the default command
interpreter by prohibiting the use of the
/CLI qualifier at login (the MCR command
can still be used). By default, a user can
choose a CLI (NODEFCLI).
DISCTLY Establishes an environment where Ctrl/Y
interrupts are initially turned off
and are invalid until a SET CONTROL_Y
is encountered. This could happen in
SYLOGIN.COM or in a procedure called
by SYLOGIN.COM. Once a SET CONTROL_Y is
executed (which requires no privilege),
a user can enter a Ctrl/Y and reach the
DCL. If the intent of DISCTLY is to force
execution of the login command files, then
SYLOGIN.COM should issue the DCL command SET
CONTROL_Y before exiting to turn on Ctrl/Y
interrupts. By default, Ctrl/Y is enabled
(NODISCTLY).
DISFORCE_PWD_CHANGE Removes the requirement that a user must
change an expired password at login.
By default, a person can use an expired
password only once (NODISFORCE_PWD_CHANGE),
and then he or she is forced to change the
password after logging in. If a new password
is not selected, the user is locked out of
the system.
DISIMAGE Prevents the user from executing the RUN or
the MCR command or from using the foreign
command mechanism in DCL. By default, a user
can execute RUN, MCR, and foreign commands
(NODISIMAGE).
DISMAIL Disables mail delivery to the user.
By default, mail delivery is enabled
(NODISMAIL).
DISNEWMAIL Suppresses announcements of new mail at
login. By default, VMS announces new mail
(NODISNEWMAIL).
DISPWDDIC Disables automatic screening of new
passwords against a system dictionary.
By default, passwords are automatically
screened (NODISPWDDIC).
DISPWDHIS Disables automatic checking of new passwords
against a list of the user's old passwords.
By default, VMS screens new passwords
(NODISPWDHIS).
DISRECONNECT Disables automatic reconnection to an
existing process when a terminal connection
has been interrupted. By default, automatic
reconnection is disabled (DISRECONNECT).
DISREPORT Suppresses reports of the last login time,
login failures, and other security reports.
By default, login information is displayed
(NODISREPORT).
DISUSER Disables the account so the user cannot
log in. For example, the DEFAULT account is
disabled. By default, an account is enabled
(NODISUSER).
DISWELCOME Suppresses the "Welcome to ..." system login
message. By default, a system login message
appears (NODISWELCOME).
GENPWD Restricts the user to generated passwords.
By default, users choose their own passwords
(NOGENPWD).
LOCKPWD Prevents the user from changing the password
for the account. By default, users can
change their passwords (NOLOCKPWD).
PWD_EXPIRED Marks a password as expired. Users cannot
log in if this flag is set. LOGINOUT.EXE
sets the flag when users log in with the
DISFORCE_PWD_CHANGE flag set and their
password is expired. Normally, a system
manager only clears this flag.
By default, passwords are not expired after
login (NOPWD_EXPIRED).
PWD2_EXPIRED Marks a secondary password as expired.
Users cannot log in if this flag is set.
LOGINOUT.EXE sets the flag if users log in
with the DISFORCE_PWD_CHANGE flag set and
their passwords expire. Normally, a system
manager only clears this flag.
By default, passwords are not set to expire
after login (NOPWD2_EXPIRED).
RESTRICTED Prevents the user from changing any defaults
at login (for example, specifying /DISK,
/COMMAND, or /LGICMD) and prohibits user
specification of a CLI with the /CLI
qualifier. The RESTRICTED flag establishes
an environment where Ctrl/Y interrupts are
initially turned off; however, command
procedures can still turn on Ctrl/Y
interrupts with the DCL command SET CONTROL_Y.
This flag is typically used to prevent an
applications user from having unrestricted
access to the CLI. By default, a user can
change defaults (NORESTRICTED).
The flag provides compatibility with CAPTIVE
accounts in VMS systems prior to Version
5.2.
/GENERATE_PASSWORD
/GENERATE_PASSWORD[=keyword]
/NOGENERATE_PASSWORD (default)
Invokes the password generator to create user passwords. Generated
passwords can consist of 1 to 10 characters. Specify one of the
following keywords:
BOTH Generate primary and secondary passwords.
CURRENT Do whatever the DEFAULT account does. This could mean
to generate primary, secondary, both, or no passwords.
This is the default keyword.
PRIMARY Generate primary password only.
SECONDARY Generate secondary password only.
Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
mutually exclusive, and whenever you modify a password, the
original one expires and the new one is valid for only one login.
/INTERACTIVE
/INTERACTIVE[=(range[,...])]
Specifies the hours of access for interactive logins. For a
description of the range specification, see the /ACCESS qualifier.
By default, there are no access restrictions on interactive
logins.
/JTQUOTA
/JTQUOTA=value
Specifies the initial byte quota with which the job-wide logical
name table is to be created. By default, the value is 1024.
/LGICMD
/LGICMD=filespec
Specifies the name of the default login command file. The file
name defaults to the device specified for /DEVICE, the directory
specified for /DIRECTORY, a file name of LOGIN, and a file type
of COM. If you select the defaults for all these values, the file
name is SYS$SYSTEM:[USER]LOGIN.COM.
/LOCAL
/LOCAL[=(range[,...])]
Specifies hours of access for interactive logins from local
terminals. For a description of the range specification, see the
/ACCESS qualifier. By default, there are no access restrictions on
local logins.
/MAXACCTJOBS
/MAXACCTJOBS=value
Specifies the maximum number of batch, interactive, and detached
processes that may be active at one time for all users of the same
account. By default, a user has a maximum of 0, which represents
an unlimited number.
/MAXDETACH
/MAXDETACH=value
Specifies the maximum number of detached processes with the
cited user name that may be active at one time. The keyword NONE
indicates the user cannot create detached processes. By default, a
user has a value of 0, which represents an unlimited number.
/MAXJOBS
/MAXJOBS=value
Specifies the maximum number of processes (interactive, batch,
detached, and network) with the cited user name that may be active
simultaneously. The first four network jobs are not counted. By
default, a user has a maximum value of 0, which represents an
unlimited number.
/MODIFY_IDENTIFIER
/MODIFY_IDENTIFIER (default)
/NOMODIFY_IDENTIFIER
Specifies whether the identifier associated with the cited user
is to be modified in the rights database. This qualifier only
applies when you modify the UIC or user name in the UAF record. By
default, the associated identifiers are modified.
/NETWORK
/NETWORK[=(range[,...])]
Specifies hours of access for network batch jobs. For a
description of the range specification, see the /ACCESS qualifier.
By default, there are no access restrictions on network logins.
/OWNER
/OWNER=owner-name
Specifies the name of the owner of the account. This name can
be used, for example, for billing purposes. The owner-name is 1
through 31 characters and there is no default.
/PASSWORD
/PASSWORD=(password1[,password2])
/NOPASSWORD
Specifies up to two passwords for login. Passwords can be from
0 to 32 characters in length, and can include alphanumeric
characters, dollar signs, and underscores.
To set only the first password, specify /PASSWORD=password. To set
both the first and second password, specify /PASSWORD=(password1,
password2). To change the first password without affecting the
second, specify /PASSWORD=(password, ""). To change the second
password without affecting the first, specify /PASSWORD=("",
password). To set both passwords to null, specify /NOPASSWORD.
By default, the ADD command assigns a password of 'USER'. When
creating a new UAF record with the COPY or RENAME command, you
must specify a password.
/PGFLQUOTA
/PGFLQUOTA=value
Specifies the paging file limit. This is the maximum number of
pages that the person's process can use in the system paging file.
By default, the value is 10,240.
/PRCLM
/PRCLM=value
Specifies the subprocess creation limit. This is the maximum
number of subprocesses that can exist at one time for the
specified user's process. By default, the value is 2.
/PRIMEDAYS
/PRIMEDAYS=([NO]day[,...])
Defines the primary and secondary days of the week for logging
in. A day prefixed with NO is a secondary day; without a NO it
is a primary day. Specify the days as a list separated by commas
and enclosed in parentheses. Use the primary and secondary day
definitions in conjunction with such qualifiers as /ACCESS,
/INTERACTIVE, and /BATCH. By default, primary days are Monday
through Friday and the secondary days are Saturday and Sunday. Any
days omitted from the list take their default value.
/PRIORITY
/PRIORITY=value
Specifies the default base priority. The value is an integer in
the range of 0 through 31. By default, the value is set to 4 for
timesharing users.
/PRIVILEGES
/PRIVILEGES=([NO]privname[,...])
Specifies which privileges the user is authorized to hold, although
these privileges are not necessarily enabled at login. (The
/DEFPRIVILEGES qualifier determines which are enabled.) A NO prefix removes
the privilege from the user. The keyword NOALL disables all user
privileges. There are many privileges available with varying
degrees of power and potential system impact. Please see the Guide
to VMS System Security for a detailed discussion. By default, a
user holds TMPMBX and NETMBX privileges.
/PWDEXPIRED
/PWDEXPIRED (default)
/NOPWDEXPIRED
Specifies that the password is valid for only one login. Users must
change their passwords immediately after login or be locked out of
the system. For a week prior to expiration, the VMS system warns
users of the upcoming password expiration. They can either specify
a new password during the week with the DCL command SET PASSWORD
or wait until expiration and be forced to change. By default, a
user has to change a password when first logging in to an account.
/PWDLIFETIME
/PWDLIFETIME=time (default)
/NOPWDLIFETIME
Specifies the length of time a password is valid. You must specify
a delta-time value, which takes the form [dddd-] [hh:mm:ss.cc].
For example, a lifetime of 120 days, 0 hours, 0 seconds would
be expressed as /PWDLIFETIME="120-", whereas a lifetime of 120
days 12 hours, 30 minutes and 30 seconds would be expressed as
/PWDLIFETIME="120-12:30:30". If a period longer than the specified
time has elapsed when the user logs in, a warning message is
displayed, and the password is marked as expired. A time equal to
NONE means that the password never expires. By default, a password
expires in 90 days.
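To check stored password ages against the delta-time form described here (and the one-week warning period mentioned under /PWDEXPIRED), the following added example, not part of the AUTHORIZE help text, parses a /PWDLIFETIME value and classifies a password as valid, about to expire, or expired. The audit helper and its (user, last change, lifetime) tuples are constructed for the example.

```python
# Added example (not part of the AUTHORIZE help text): parse the delta-time
# value given to /PWDLIFETIME and decide whether a stored password is still
# valid, about to expire (one-week warning) or expired.
import re
from datetime import datetime, timedelta

# [dddd-][hh[:mm[:ss[.cc]]]]: fields to the right may be omitted
DELTA_TIME_RE = re.compile(
    r"^(?:(\d+)-)?(?:(\d{1,2})(?::(\d{1,2})(?::(\d{1,2})(?:\.(\d{1,2}))?)?)?)?$"
)
WARNING_PERIOD = timedelta(days=7)  # VMS warns for a week before expiration


def parse_pwdlifetime(text):
    """Return a timedelta for '120-', '120-12:30:30', '12:30' and similar.

    Surrounding quotes are stripped, so the DCL form /PWDLIFETIME="120-"
    can be passed as written. NONE (never expires) returns None.
    """
    text = text.strip().strip('"')
    if text.upper() == "NONE":
        return None
    match = DELTA_TIME_RE.match(text)
    if not text or not match:
        raise ValueError(f"not a VMS delta time: {text!r}")
    days, hh, mm, ss, cc = (int(g) if g else 0 for g in match.groups())
    if hh > 23 or mm > 59 or ss > 59:
        raise ValueError(f"time field out of range in {text!r}")
    # cc is hundredths of a second, taken as written
    return timedelta(days=days, hours=hh, minutes=mm, seconds=ss,
                     milliseconds=cc * 10)


def password_status(last_change, lifetime, now):
    """Classify a password as 'ok', 'warning' (expires within a week)
    or 'expired'.

    last_change: when the password was set; lifetime: the result of
    parse_pwdlifetime (None means the password never expires).
    """
    if lifetime is None:
        return "ok"
    expires = last_change + lifetime
    if now >= expires:
        return "expired"
    if now >= expires - WARNING_PERIOD:
        return "warning"
    return "ok"


def audit_password_ages(records, now):
    """Run the check over constructed (username, last_change, lifetime_text)
    tuples and return the users whose passwords are not simply 'ok'."""
    findings = []
    for user, last_change, lifetime_text in records:
        lifetime = parse_pwdlifetime(lifetime_text)
        status = password_status(last_change, lifetime, now)
        if status != "ok":
            findings.append((user, status))
    return findings
```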
/PWDMINIMUM
/PWDMINIMUM=value
Specifies the minimum password length in characters. By default, a
password must have at least 6 characters.
/REMOTE
/REMOTE[=(range[,...])]
Specifies hours during which access is permitted for interactive
logins from network remote terminals (with the DCL command SET
HOST). For a description of the range specification, see the
/ACCESS qualifier. By default, remote logins have no access
restrictions.
/SHRFILLM
/SHRFILLM=value
Specifies the maximum number of shared files the user may have
open at one time. By default, VMS assigns a value of 0, which
represents an infinite number.
/TQELM
/TQELM=value
Specifies the total number of entries in the timer queue plus the
number of temporary common event flag clusters that the user can
have at one time. By default, a user can have 10.
/UIC
/UIC=value
Specifies the user identification code (UIC). The UIC value is
a group number in the range 1-37776 (octal) and a member number
in the range 0-177776 (octal), which are separated by a comma
and enclosed in brackets. Each user should have a unique UIC. By
default, the UIC value is [200,200].
/WSDEFAULT
/WSDEFAULT=value
Specifies the default working set size. This represents the
initial limit to the number of physical pages the process can
use. The minimum value is 50 pages. By default, a user has 150
pages.
/WSEXTENT
/WSEXTENT=value
Specifies the working set maximum. This represents the maximum
amount of physical memory allowed to the process. The system
provides memory to a process beyond its working set quota only
when it has excess free pages. The additional memory is recalled
by the system if needed. The value is an integer equal to or
greater than WSQUOTA. By default, the value is 512.
/WSQUOTA
/WSQUOTA=value
Specifies the working set quota. This is the maximum amount of
physical memory a user process can lock into its working set. It
also represents the maximum amount of swap space that the system
reserves for this process and the maximum amount of physical
memory that the system allows the process to consume if the
system-wide memory demand is significant. The minimum value is
50 pages. By default, the quota is 256.
Examples
1. UAF> ADD ROBIN /PASSWORD=SP0152/UIC=[014,006] -
_/DEVICE=SYS$USER/DIRECTORY=[ROBIN]/OWNER="JOSEPH ROBIN" /ACCOUNT=INV
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier ROBIN value: [000014,000006] added to
RIGHTSLIST.DAT
%UAF-I-RDBADDMSGU, identifier INV value: [000014,177777] added to
RIGHTSLIST.DAT
This example illustrates the typical ADD command and
qualifiers. The record that results from this command appears
in the description of the SHOW command.
/IDENTIFIER
Adds an identifier to the rights database.
Format
ADD/IDENTIFIER [id-name]
Additional information available:
Parameter
id-name Specifies the name of the identifier to be added to the rights database. If you omit the name, you must specify the /USER qualifier. The identifier name is a string of 1 through 31 alphanumeric characters that may contain underscores and dollar signs. The name must contain at least one nonnumeric character.
Qualifiers
Additional information available:
/ATTRIBUTES
/ATTRIBUTES=(keyword[,...])
Specifies attributes to be associated with the new identifier. The
following are valid keywords:
[NO]RESOURCE Determines whether holders of the identifier may
charge disk space to the identifier. The default is
NORESOURCE.
[NO]DYNAMIC Determines whether unprivileged holders of the
identifier may add or remove the identifier from
the process rights list by using the DCL command SET
RIGHTS_LIST. The default is NODYNAMIC.
/USER
/USER=user-spec
Scans the UAF record for the specified user and creates the
corresponding identifier. Specify user-spec by user name or
UIC. You can use the asterisk wildcard to specify multiple user
names or UICs. Full use of the asterisk and percent wildcards
is permitted for user names; UICs must be in the form [*,*],
[n,*], [*,n], or [n,n]. A wildcard user name specification (*)
creates identifiers alphabetically by user name; a wildcard UIC
specification ([*,*]) creates them in numerical order by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value to be attached to the identifier. The
following are valid formats for the value-specifier:
IDENTIFIER:integer An integer value in the range of 65,536 to
268,435,455. You may also specify the value
in hexadecimal (precede the value with %X) or
octal (precede the value with %O).
The VMS system displays this type of
identifier in hexadecimal. Note that
%X80000000 is added to the value you specify
in order to differentiate general identifiers
from UIC identifiers.
UIC:uic A UIC value in standard UIC format consists
of a member name and, optionally, a group
name enclosed in brackets, for example,
[GROUP1,JONES] or [360,031].
In alphanumeric UICs, the group and member
names can each contain up to 31 alphanumeric
characters, at least one of which is
alphabetic. The names can include the
characters A through Z, dollar signs ($),
underscores (_), and the numbers 0 through 9.
In numeric UICs, the group number is an octal
number in the range of 1 through 37776; the
member number is an octal number in the range
of 0 through 177776. You can omit leading
zeros when you are specifying group and member
numbers.
Regardless of the UIC format you use, the
system translates a UIC to a 32-bit numeric
value.
Typically, system managers add identifiers as UIC values when
representing system users; identifiers in integer format are
applied to system resources.
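The value formats above, and the octal [gggggg,mmmmmm] form in which AUTHORIZE reports identifiers, can be reproduced to check what a given /VALUE specifier will store. The following added example, not part of the AUTHORIZE help text, converts numeric UICs and integer identifiers to their 32-bit values and formats them as the %UAF-I-RDBADDMSGU messages do; the account-identifier member number 177777 is taken from the ADD example on this page.

```python
# Added example (not part of the AUTHORIZE help text): convert the /VALUE
# specifier forms (UIC:[g,m] and IDENTIFIER:n) to the 32-bit value stored in
# the rights database and format it the way the %UAF-I-RDBADDMSGU message does.
import re

NUMERIC_UIC_RE = re.compile(r"^\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]$")
GENERAL_ID_FLAG = 0x80000000    # %X80000000, added to integer identifiers
MIN_GENERAL_ID, MAX_GENERAL_ID = 65536, 268435455
ACCOUNT_MEMBER = 0o177777       # member number of the /ACCOUNT identifier


def uic_to_value(uic):
    """Return the 32-bit value of a numeric UIC '[group,member]' (octal fields).

    Group 1-37776 (octal) occupies the high 16 bits, member 0-177776 (octal)
    the low 16 bits.
    """
    match = NUMERIC_UIC_RE.match(uic)
    if not match:
        raise ValueError(f"not a numeric UIC: {uic!r}")
    group, member = int(match.group(1), 8), int(match.group(2), 8)
    if not 1 <= group <= 0o37776:
        raise ValueError(f"UIC group out of range: {group:o}")
    if not 0 <= member <= 0o177776:
        raise ValueError(f"UIC member out of range: {member:o}")
    return (group << 16) | member


def account_identifier_value(group):
    """Value of the account identifier ADD creates alongside a user: the
    user's group with member 177777 (octal), e.g. INV -> [000014,177777]."""
    return (group << 16) | ACCOUNT_MEMBER


def parse_value_specifier(spec):
    """Parse a /VALUE= argument: 'UIC:[300,011]', 'IDENTIFIER:65536',
    'IDENTIFIER:%X10000' or 'IDENTIFIER:%O200000'."""
    kind, _, body = spec.strip().partition(":")
    kind, body = kind.strip().upper(), body.strip().upper()
    if kind == "UIC":
        return uic_to_value(body)
    if kind == "IDENTIFIER":
        if body.startswith("%X"):
            number = int(body[2:], 16)
        elif body.startswith("%O"):
            number = int(body[2:], 8)
        else:
            number = int(body)
        if not MIN_GENERAL_ID <= number <= MAX_GENERAL_ID:
            raise ValueError(f"identifier value out of range: {number}")
        return GENERAL_ID_FLAG | number
    raise ValueError(f"unknown value specifier: {spec!r}")


def is_general_identifier(value):
    """True for a general (integer) identifier, False for a UIC identifier."""
    return bool(value & GENERAL_ID_FLAG)


def format_value(value):
    """Format as AUTHORIZE displays it: UICs as [gggggg,mmmmmm] in octal,
    general identifiers in hexadecimal."""
    if is_general_identifier(value):
        return f"%X{value:08X}"
    return f"[{(value >> 16) & 0xFFFF:06o},{value & 0xFFFF:06o}]"
```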
Examples
1. UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
%UAF-I-RDBADDMSGU, identifier INVENTORY value: [000300,000011] added
to RIGHTSLIST.DAT
The command in this example adds an identifier named INVENTORY
to the rights database. By default, the identifier is not
marked as a resource.
/PROXY
Adds user entries to the network proxy authorization file.
Format
ADD/PROXY node::remote-user local-user[,...]
Additional information available:
Parameters Positional Qualifier Examples
Parameters
node Specifies a node name (1 through 6 alphanumeric characters). If you specify an asterisk (*), the specified remote user on all nodes is served by the account specified as local-user.
remote-user Specifies the user name of a user at a remote node. If you specify an asterisk, all users at the specified node are served by the local user. For non-VMS systems that implement DECnet Phase IV+, specifies the UIC of a user at a remote node. You can specify a wildcard asterisk in the group and member fields of the UIC.
local-user Specifies the user names of from 1 to 16 users on the local node. If you specify an asterisk, a local-user name equal to remote-user name will be used.
Positional Qualifier
Additional information available:
/DEFAULT
Establishes the specified user name as the default proxy account. The remote user can request proxy access to an authorized account other than the default proxy account by specifying the name of the proxy account in the access control string of the network operation.
Examples
1. UAF> ADD/PROXY MISHA::* MARCO/DEFAULT, OSCAR
%UAF-I-NAFADDMSG, record successfully added to NETPROXY.DAT
The command in this example specifies that any user on the
remote node MISHA can, by default, use the MARCO account on the
local node for DECnet tasks such as remote file access. Remote
users can also access the OSCAR proxy account by specifying the
user name OSCAR in the access control string when remote node
access is attempted.
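Because a proxy record grants local accounts to remote principals without a password, it is worth being able to state exactly which account a given node::user pair obtains. The following added example, not part of the AUTHORIZE help text, parses ADD/PROXY commands into records and resolves a request the way the description above lays out (the /DEFAULT account when no name is given, otherwise a name that must be among the record's local users); it assumes that when several records match, the most specific one is used, since the help text does not say.

```python
# Added example (not part of the AUTHORIZE help text): parse ADD/PROXY
# commands into records and resolve which local account a remote user obtains,
# so the effect of a proxy database can be reviewed before it is trusted.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProxyRecord:
    node: str                 # remote node name, or '*' for any node
    remote_user: str          # user name on that node, or '*' for any user
    local_users: List[str]    # 1-16 local accounts; '*' = same name as remote-user
    default: Optional[str]    # the local user marked /DEFAULT, if any


def parse_add_proxy(command):
    """Parse 'ADD/PROXY node::remote-user local-user[/DEFAULT][,...]'."""
    parts = command.split(None, 2)
    if len(parts) != 3 or parts[0].upper() != "ADD/PROXY":
        raise ValueError(f"not an ADD/PROXY command: {command!r}")
    node, sep, remote_user = parts[1].upper().partition("::")
    if not sep or not node or not remote_user:
        raise ValueError(f"bad node::remote-user: {parts[1]!r}")
    local_users, default = [], None
    for item in parts[2].split(","):
        name, _, qualifier = item.strip().upper().partition("/")
        if not name:
            raise ValueError("empty local user name")
        if qualifier == "DEFAULT":
            if default is not None:
                raise ValueError("only one local user may be /DEFAULT")
            default = name
        elif qualifier:
            raise ValueError(f"unknown positional qualifier /{qualifier}")
        local_users.append(name)
    if len(local_users) > 16:
        raise ValueError("at most 16 local users per record")
    return ProxyRecord(node, remote_user, local_users, default)


def resolve_proxy(records, node, remote_user, requested=None):
    """Local account granted to node::remote-user, or None if none applies.

    Without a requested name (no user name in the access control string)
    the /DEFAULT account is used. With one, it must be among the record's
    local users. Assumption: when several records match, the most specific
    one (exact node, then exact user, before wildcards) is used.
    """
    node, remote_user = node.upper(), remote_user.upper()
    matches = [r for r in records
               if r.node in ("*", node) and r.remote_user in ("*", remote_user)]
    if not matches:
        return None
    record = min(matches, key=lambda r: (r.node == "*", r.remote_user == "*"))

    def expand(name):
        # a local user of '*' means "same name as the remote user"
        return remote_user if name == "*" else name

    allowed = [expand(name) for name in record.local_users]
    if requested is None:
        return expand(record.default) if record.default else None
    requested = requested.upper()
    return requested if requested in allowed else None
```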