AUTHORIZE COPY — VMS 5.5-2H4
Creates a new SYSUAF record that duplicates an existing UAF
record.
Format
COPY oldusername newusername
Parameters
oldusername
Name of an existing user record to serve as a template for the
new record.
newusername
Name for the new user record. The user name is a string of 1
through 12 alphanumeric characters.
Qualifiers
Additional information available:
/ACCESS /ACCOUNT /ADD_IDENTIFIER /ALGORITHM /ASTLM
/BATCH /BIOLM /BYTLM /CLI /CLITABLES /CPUTIME
/DEFPRIVILEGES /DEVICE /DIALUP /DIOLM /DIRECTORY
/ENQLM /EXPIRATION /FILLM /FLAGS /GENERATE_PASSWORD
/INTERACTIVE /JTQUOTA /LGICMD /LOCAL /MAXACCTJOBS
/MAXDETACH /MAXJOBS /MODIFY_IDENTIFIER /NETWORK /OWNER
/PASSWORD /PGFLQUOTA /PRCLM /PRIMEDAYS
/PRIORITY /PRIVILEGES /PWDEXPIRED /PWDLIFETIME
/PWDMINIMUM /REMOTE /SHRFILLM /TQELM /UIC /WSDEFAULT
/WSEXTENT /WSQUOTA
/ACCESS
/ACCESS[=(range[,...])]
Specifies hours of access for all modes of access. Syntax for
range specification is:
/[NO]ACCESS=([PRIMARY], [n-m], [n], [,...],[SECONDARY], [n-m], [n], [,...])
Specify hours as integers from 0 to 23, inclusive. Hours may be
specified as single hours (n), or as ranges of hours (n-m). If
the ending hour of a range is earlier than the starting hour,
the range extends from the starting hour through midnight to the
ending hour. The first set of hours after the keyword PRIMARY
specifies hours on primary days; the second set of hours after
the keyword SECONDARY specifies hours on secondary days. Note that
hours are inclusive; that is, if you grant access during a given
hour, access extends to the end of that hour.
By default, a user has full access every day. See the DCL command
SET DAY in the VMS DCL Dictionary for information on overriding
the defaults for primary and secondary day types.
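The range rules above (inclusive hours, and a range whose ending hour is earlier than its starting hour running through midnight) can be checked with a small parser. This is an added example, not part of the VMS help text; the function names are hypothetical, and it assumes each set of hours is introduced by an explicit PRIMARY or SECONDARY keyword.

```python
import re


def expand_hours(tokens):
    """Expand 'n' and 'n-m' tokens into the set of permitted hours (0-23)."""
    hours = set()
    for tok in tokens:
        m = re.fullmatch(r"(\d{1,2})(?:-(\d{1,2}))?", tok)
        if not m:
            raise ValueError(f"bad hour token: {tok!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start > 23 or end > 23:
            raise ValueError(f"hour out of range 0-23: {tok!r}")
        # An ending hour earlier than the starting hour wraps through midnight.
        span = (end - start) % 24
        hours.update((start + i) % 24 for i in range(span + 1))
    return hours


def parse_access(spec):
    """Parse e.g. '(PRIMARY, 9-17, SECONDARY, 22-2)' into {day type: hours}.

    Only day types named in the spec appear in the result; this example
    makes no claim about how AUTHORIZE treats an omitted day type.
    """
    groups = {}
    current = None
    for tok in spec.strip().strip("()").split(","):
        tok = tok.strip().upper()
        if tok in ("PRIMARY", "SECONDARY"):
            current = tok
            groups.setdefault(tok, [])
        elif tok:
            if current is None:
                # Assumption of this example: a keyword must come first.
                raise ValueError("hours given before PRIMARY or SECONDARY")
            groups[current].append(tok)
    return {day: expand_hours(toks) for day, toks in groups.items()}


def access_permitted(spec, day_type, hour, minute=0):
    """True if a login at hour:minute falls inside a granted hour.

    Hours are inclusive: granting hour 17 permits access through 17:59.
    """
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("time out of range")
    hours = parse_access(spec).get(day_type.upper())
    if hours is None:
        raise KeyError(f"{day_type} is not named in the specification")
    return hour in hours


if __name__ == "__main__":
    spec = "(PRIMARY, 9-17, SECONDARY, 22-2)"  # constructed sample value
    for day, hrs in parse_access(spec).items():
        print(day, sorted(hrs))
```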
/ACCOUNT
/ACCOUNT=account-name
Specifies a 1 through 8 alphanumeric character string that is
the default name for the account (for example, a billing name or
number). By default, no account name is assigned.
/ADD_IDENTIFIER
/ADD_IDENTIFIER (default)
/NOADD_IDENTIFIER
Adds identifiers for the user name and account name to the
rights database. The qualifier is used only with the ADD and COPY
commands.
/ALGORITHM
/ALGORITHM=keyword=type [=value]
Sets the password encryption algorithm for a user. The keyword VMS
refers to the algorithm used in the version of VMS that is running
on your system, whereas a customer algorithm is one that is added
through the $HASH_PASSWORD system service by a customer site, by
a layered product, or by a third party. The customer algorithm
is identified in $HASH_PASSWORD by an integer in the range of
128-255. The customer algorithm number has to correspond with the
number used in the AUTHORIZE command MODIFY/ALGORITHM. By default,
passwords are encrypted with the VMS algorithm for the current
version of the operating system.
Keyword     Function
BOTH        Set the algorithm for primary and secondary
            passwords.
CURRENT     Set the algorithm for the primary, secondary, both,
            or no passwords depending on account status. Current
            is the default value.
PRIMARY     Set the algorithm for the primary password only.
SECONDARY   Set the algorithm for the secondary password only.

Type        Definition
VMS         The algorithm used in the version of VMS that is
            running on your system.
CUSTOMER    A numeric value in the range 128-255 identifies a
            customer algorithm.
/ASTLM
/ASTLM=value
Specifies the AST queue limit, which is the total number of
asynchronous system trap (AST) operations and scheduled wake-up
requests that the user can have queued at one time. The default
is 24.
/BATCH
/BATCH[=(range[,...])]
Specifies the hours of access permitted for batch jobs. For a
description of the range specification, see the /ACCESS qualifier.
By default, a user can submit batch jobs any time.
/BIOLM
/BIOLM=value
Specifies a buffered I/O count limit for the BIOLM field of the
UAF record. The buffered I/O count limit is the maximum number
of buffered I/O operations, such as terminal I/O, that can be
outstanding at one time. The default is 18.
/BYTLM
/BYTLM=value
Specifies the buffered I/O byte limit for the BYTLM field of the
UAF record. The buffered I/O byte limit is the maximum number
of bytes of nonpaged system dynamic memory that a user's job
may consume at one time. Nonpaged dynamic memory is used for
operations such as I/O buffering, mailboxes, and file-access
windows. The default is 8192.
/CLI
/CLI=cli-name
Specifies the name of the default command language interpreter
(CLI) for the CLI field of the UAF record. The cli-name is 1
through 12 alphanumeric characters and should be either DCL or
MCR. The default is DCL.
/CLITABLES
/CLITABLES=filespec
Specifies user-defined CLI tables for the account, from 1 to 31
characters. The default is SYS$LIBRARY:DCLTABLES.
/CPUTIME
/CPUTIME=time
Specifies the maximum process CPU time for the CPU field of the
UAF record. The maximum process CPU time is the maximum amount of
CPU time a user's process can take per session. You must specify a
delta-time value. The default is 0, which means an infinite amount
of time.
/DEFPRIVILEGES
/DEFPRIVILEGES=([NO]privname[,...])
Specifies default privileges for the user; that is, those enabled
at login time. A NO prefix removes a privilege from the user.
The keyword [NO]ALL specified with the /DEFPRIVILEGES qualifier
disables or enables all user privileges. The default privileges
are TMPMBX and NETMBX.
/DEVICE
/DEVICE=device-name
Specifies the name of the user's default device at login. The
device-name is a 1 through 31 alphanumeric character string.
If you omit the colon from the device-name value, a colon is
appended. The default device is SYS$SYSDISK.
/DIALUP
/DIALUP[=(range[,...])]
Specifies hours of access permitted for dial-up logins. For a
description of the range specification, see the /ACCESS qualifier.
The default is full access.
/DIOLM
/DIOLM=value
Specifies the direct I/O count limit for the DIOLM field of the
UAF record. The direct I/O count limit is the maximum number of
direct I/O operations (usually disk) that can be outstanding at
one time. The default is 18.
/DIRECTORY
/DIRECTORY=directory-name
Specifies the default directory-name for the DIRECTORY field of
the UAF record. The directory-name is 1 through 63 alphanumeric
characters. Brackets are added to the directory name if omitted.
The default directory name is [USER].
/ENQLM
/ENQLM=value
Specifies the lock queue limit for the ENQLM field of the UAF
record. The lock queue limit is the maximum number of locks that
can be queued by the user at one time. The default is 100.
/EXPIRATION
/EXPIRATION=time (default)
/NOEXPIRATION
Specifies the expiration date and time of the account. The
/NOEXPIRATION qualifier removes the expiration date on the account
or resets the expiration time for expired accounts. The default
expiration time period is 90 days for nonprivileged users.
/FILLM
/FILLM=value
Specifies the open file limit for the FILLM field of the UAF
record. The open file limit is the maximum number of files that
can be open at one time, including active network logical links.
The default is 20.
/FLAGS
/FLAGS=([NO]option[,...])
Specifies login flags for the user. A NO in front of the flag
clears the flag. The following are valid options:
AUDIT Enables or disables security auditing for a
specific user. By default, VMS does not
audit the activities of specific users
(NOAUDIT).
AUTOLOGIN Restricts the user to the automatic login
mechanism when logging in to an account.
When set, the flag disables login by any
terminal that requires entry of a user name
and password. The default is to require a
user name and password (NOAUTOLOGIN).
CAPTIVE Prevents the user from changing any defaults
at login, for example, /CLI, /DISK,
/COMMAND, or /LGICMD. It also prevents
the user from escaping the captive login
command procedure and gaining access to
the DCL command level. The CAPTIVE flag
establishes an environment where Ctrl/Y
interrupts are initially turned off;
however, command procedures can still turn
on Ctrl/Y interrupts with the DCL command
SET CONTROL=Y. By default, an account is not
captive (NOCAPTIVE).
DEFCLI Restricts the user to the default command
interpreter by prohibiting the use of the
/CLI qualifier at login; (the MCR command
can still be used). By default, a user can
choose a CLI (NODEFCLI).
DISCTLY Establishes an environment where Ctrl/Y
interrupts are initially turned off
and are invalid until a SET CONTROL_Y
is encountered. This could happen in
SYLOGIN.COM or in a procedure called
by SYLOGIN.COM. Once a SET CONTROL_Y is
executed (which requires no privilege),
a user can enter a Ctrl/Y and reach the
DCL. If the intent of DISCTLY is to force
execution of the login command files, then
SYLOGIN.COM should issue the DCL command SET
CONTROL_Y before exiting to turn on Ctrl/Y
interrupts. By default, Ctrl/Y is enabled
(NODISCTLY).
DISFORCE_PWD_CHANGE Removes the requirement that a user must
change an expired password at login.
By default, a person can use an expired
password only once (NODISFORCE_PWD_CHANGE),
and then he or she is forced to change the
password after logging in. If a new password
is not selected, the user is locked out of
the system.
DISIMAGE Prevents the user from executing the RUN or
the MCR command or from using the foreign
command mechanism in DCL. By default, a user
can execute RUN, MCR, and foreign commands
(NODISIMAGE).
DISMAIL Disables mail delivery to the user.
By default, mail delivery is enabled
(NODISMAIL).
DISNEWMAIL Suppresses announcements of new mail at
login. By default, VMS announces new mail
(NODISNEWMAIL).
DISPWDDIC Disables automatic screening of new
passwords against a system dictionary.
By default, passwords are automatically
screened (NODISPWDDIC).
DISPWDHIS Disables automatic checking of new passwords
against a list of the user's old passwords.
By default, VMS screens new passwords
(NODISPWDHIS).
DISRECONNECT Disables automatic reconnection to an
existing process when a terminal connection
has been interrupted. By default, automatic
reconnection is disabled (DISRECONNECT).
DISREPORT Suppresses reports of the last login time,
login failures, and other security reports.
By default, login information is displayed
(NODISREPORT).
DISUSER Disables the account so the user cannot
log in. For example, the DEFAULT account is
disabled. By default, an account is enabled
(NODISUSER).
DISWELCOME Suppresses the "Welcome to ..." system login
message. By default, a system login message
appears (NODISWELCOME).
GENPWD Restricts the user to generated passwords.
By default, users choose their own passwords
(NOGENPWD).
LOCKPWD Prevents the user from changing the password
for the account. By default, users can
change their passwords (NOLOCKPWD).
PWD_EXPIRED Marks a password as expired. Users cannot
log in if this flag is set. LOGINOUT.EXE
sets the flag when users log in with the
DISFORCE_PWD_CHANGE flag set and their
password is expired. Primarily, a system
manager will only be clearing this flag.
By default, passwords are not expired after
login (NOPWD_EXPIRED).
PWD2_EXPIRED Marks a secondary password as expired.
Users cannot log in if this flag is set.
LOGINOUT.EXE sets the flag if users log in
with the DISFORCE_PWD_CHANGE flag set and
their passwords expire. Primarily, a system
manager will only be clearing this flag.
By default, passwords are not set to expire
after login (NOPWD2_EXPIRED).
RESTRICTED Prevents the user from changing any defaults
at login (for example, specifying /DISK,
/COMMAND, or /LGICMD) and prohibits user
specification of a CLI with the /CLI
qualifier. The RESTRICTED flag establishes
an environment where Ctrl/Y interrupts are
initially turned off; however, command
procedures can still turn on Ctrl/Y
interrupts with the DCL command SET CONTROL_Y.
This flag is typically used to prevent an
applications user from having unrestricted
access to the CLI. By default, a user can
change defaults (NORESTRICTED).
The flag provides compatibility with CAPTIVE
accounts in VMS systems prior to Version
5.2.
/GENERATE_PASSWORD
/GENERATE_PASSWORD[=keyword]
/NOGENERATE_PASSWORD (default)
Invokes the password generator to create user passwords. Generated
passwords can consist of 1 to 10 characters. Specify one of the
following keywords:
BOTH        Generate primary and secondary passwords.
CURRENT     Do whatever the DEFAULT account does. This could mean
            to generate primary, secondary, both, or no passwords.
            This is the default keyword.
PRIMARY     Generate primary password only.
SECONDARY   Generate secondary password only.
Note that the /GENERATE_PASSWORD and /PASSWORD qualifiers are
mutually exclusive, and whenever you modify a password, the
original one expires and the new one is valid for only one login.
/INTERACTIVE
/INTERACTIVE[=(range[,...])]
Specifies the hours of access for interactive logins. For a
description of the range specification, see the /ACCESS qualifier.
By default, there are no access restrictions on interactive
logins.
/JTQUOTA
/JTQUOTA=value
Specifies the initial byte quota with which the job-wide logical
name table is to be created. By default, the value is 1024.
/LGICMD
/LGICMD=filespec
Specifies the name of the default login command file. The file
name defaults to the device specified for /DEVICE, the directory
specified for /DIRECTORY, a file name of LOGIN, and a file type
of COM. If you select the defaults for all these values, the file
name is SYS$SYSTEM:[USER]LOGIN.COM.
/LOCAL
/LOCAL[=(range[,...])]
Specifies hours of access for interactive logins from local
terminals. For a description of the range specification, see the
/ACCESS qualifier. By default, there are no access restrictions on
local logins.
/MAXACCTJOBS
/MAXACCTJOBS=value
Specifies the maximum number of batch, interactive, and detached
processes that may be active at one time for all users of the same
account. By default, a user has a maximum of 0, which represents
an unlimited number.
/MAXDETACH
/MAXDETACH=value
Specifies the maximum number of detached processes with the
cited user name that may be active at one time. The keyword NONE
indicates the user cannot create detached processes. By default, a
user has a value of 0, which represents an unlimited number.
/MAXJOBS
/MAXJOBS=value
Specifies the maximum number of processes (interactive, batch,
detached, and network) with the cited user name that may be active
simultaneously. The first four network jobs are not counted. By
default, a user has a maximum value of 0, which represents an
unlimited number.
/MODIFY_IDENTIFIER
/MODIFY_IDENTIFIER (default)
/NOMODIFY_IDENTIFIER
Specifies whether the identifier associated with the cited user
is to be modified in the rights database. This qualifier only
applies when you modify the UIC or user name in the UAF record. By
default, the associated identifiers are modified.
/NETWORK
/NETWORK[=(range[,...])]
Specifies hours of access for network batch jobs. For a
description of the range specification, see the /ACCESS qualifier.
By default, there are no access restrictions on network logins.
/OWNER
/OWNER=owner-name
Specifies the name of the owner of the account. This name can
be used, for example, for billing purposes. The owner-name is 1
through 31 characters and there is no default.
/PASSWORD
/PASSWORD=(password1[,password2])
/NOPASSWORD
Specifies up to two passwords for login. Passwords can be from
0 to 32 characters in length, and can include alphanumeric
characters, dollar signs, and underscores.
To set only the first password, specify /PASSWORD=password. To set
both the first and second password, specify /PASSWORD=(password1,
password2). To change the first password without affecting the
second, specify /PASSWORD=(password, ""). To change the second
password without affecting the first, specify /PASSWORD=("",
password). To set both passwords to null, specify /NOPASSWORD.
By default, the ADD command assigns a password of 'USER'. When
creating a new UAF record with the COPY or RENAME command, you
must specify a password.
/PGFLQUOTA
/PGFLQUOTA=value
Specifies the paging file limit. This is the maximum number of
pages that the person's process can use in the system paging file.
By default, the value is 10,240.
/PRCLM
/PRCLM=value
Specifies the subprocess creation limit. This is the maximum
number of subprocesses that can exist at one time for the
specified user's process. By default, the value is 2.
/PRIMEDAYS
/PRIMEDAYS=([NO]day[,...])
Defines the primary and secondary days of the week for logging
in. A day prefixed with NO is a secondary day; without a NO it
is a primary day. Specify the days as a list separated by commas
and enclosed in parentheses. Use the primary and secondary day
definitions in conjunction with such qualifiers as /ACCESS,
/INTERACTIVE, and /BATCH. By default, primary days are Monday
through Friday and the secondary days are Saturday and Sunday. Any
days omitted from the list take their default value.
/PRIORITY
/PRIORITY=value
Specifies the default base priority. The value is an integer in
the range of 0 through 31. By default, the value is set to 4 for
timesharing users.
/PRIVILEGES
/PRIVILEGES=([NO]privname[,...])
Specifies which privileges the user is authorized to hold, although
these privileges are not necessarily enabled at login. (The
/DEFPRIVILEGES qualifier determines which are enabled.) A NO prefix removes
the privilege from the user. The keyword NOALL disables all user
privileges. There are many privileges available with varying
degrees of power and potential system impact. Please see the Guide
to VMS System Security for a detailed discussion. By default, a
user holds TMPMBX and NETMBX privileges.
/PWDEXPIRED
/PWDEXPIRED (default)
/NOPWDEXPIRED
Specifies the password is valid for only one login. Users must
change their passwords immediately after login or be locked out of
the system. For a week prior to expiration, the VMS system warns
users of the upcoming password expiration. They can either specify
a new password during the week with the DCL command SET PASSWORD
or wait until expiration and be forced to change. By default, a
user has to change a password when first logging in to an account.
/PWDLIFETIME
/PWDLIFETIME=time (default)
/NOPWDLIFETIME
Specifies the length of time a password is valid. You must specify
a delta-time value, which takes the form [dddd-] [hh:mm:ss.cc].
For example, a lifetime of 120 days, 0 hours, 0 seconds would
be expressed as /PWDLIFETIME="120-", whereas a lifetime of 120
days 12 hours, 30 minutes and 30 seconds would be expressed as
/PWDLIFETIME="120-12:30:30". If a period longer than the specified
time has elapsed when the user logs in, a warning message is
displayed, and the password is marked as expired. A time equal to
NONE means that the password never expires. By default, a password
expires in 90 days.
/PWDMINIMUM
/PWDMINIMUM=value
Specifies the minimum password length in characters. By default, a
password must have at least 6 characters.
/REMOTE
/REMOTE[=(range[,...])]
Specifies hours during which access is permitted for interactive
logins from network remote terminals (with the DCL command SET
HOST). For a description of the range specification, see the
/ACCESS qualifier. By default, remote logins have no access
restrictions.
/SHRFILLM
/SHRFILLM=value
Specifies the maximum number of shared files the user may have
open at one time. By default, VMS assigns a value of 0, which
represents an infinite number.
/TQELM
/TQELM=value
Specifies the total number of entries in the timer queue plus the
number of temporary common event flag clusters that the user can
have at one time. By default, a user can have 10.
/UIC
/UIC=value
Specifies the user identification code (UIC). The UIC value is
a group number in the range 1-37776 (octal) and a member number
in the range 0-177776 (octal), which are separated by a comma
and enclosed in brackets. Each user should have a unique UIC. By
default, the UIC value is [200,200].
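Because COPY duplicates the template record, anything not overridden on the command line (the UIC and the privilege fields included) carries over to the new account. The following added example, which is not part of the VMS help text, reviews a COPY command line against the rules stated under /PASSWORD, /GENERATE_PASSWORD and /UIC; the function name and finding codes are hypothetical, and it assumes qualifiers are spelled out in full rather than abbreviated.

```python
import re

# Matches /NAME or /NAME=value; value is (...), "...", [...] or a bare token.
QUAL_RE = re.compile(
    r'/([A-Z0-9_]+)(?:=(\([^)]*\)|"[^"]*"|\[[^\]]*\]|[^\s/]+))?', re.I)

MESSAGES = {
    "BAD_USERNAME": "newusername is not 1 through 12 alphanumeric characters",
    "PASSWORD_CONFLICT": "/PASSWORD and /GENERATE_PASSWORD are mutually exclusive",
    "NULL_PASSWORD": "/NOPASSWORD sets both passwords to null",
    "NO_PASSWORD": "COPY requires a password, but none is specified",
    "UIC_SHARED": "no /UIC, so the new record keeps the template's UIC",
    "PRIVS_INHERITED": "/PRIVILEGES or /DEFPRIVILEGES not given, so that "
                       "field is copied from the template",
}


def review_copy(command):
    """Return finding codes for one 'COPY oldusername newusername ...' line."""
    text = command.strip()
    if text.upper().startswith("UAF>"):
        text = text[4:].strip()
    head, sep, tail = text.partition("/")
    words = head.split()
    if len(words) != 3 or words[0].upper() != "COPY":
        raise ValueError("expected: COPY oldusername newusername [/qualifiers]")
    quals = {m.group(1).upper() for m in QUAL_RE.finditer(sep + tail)}

    found = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,12}", words[2]):
        found.append("BAD_USERNAME")
    sets_pwd = quals & {"PASSWORD", "GENERATE_PASSWORD"}
    if len(sets_pwd) == 2:
        found.append("PASSWORD_CONFLICT")
    if "NOPASSWORD" in quals:
        found.append("NULL_PASSWORD")
    elif not sets_pwd:
        found.append("NO_PASSWORD")
    if "UIC" not in quals:
        found.append("UIC_SHARED")
    if not {"PRIVILEGES", "DEFPRIVILEGES"} <= quals:
        found.append("PRIVS_INHERITED")
    return found


if __name__ == "__main__":
    # First line is the command from this topic's Examples section; the
    # second is a constructed variant with a constructed UIC value.
    samples = [
        "UAF> COPY ROBIN SPARROW /PASSWORD=SP0152",
        "UAF> COPY ROBIN SPARROW /GENERATE_PASSWORD /UIC=[14,7] "
        "/PRIVILEGES=(NOALL,TMPMBX,NETMBX) /DEFPRIVILEGES=(NOALL,TMPMBX,NETMBX)",
    ]
    for line in samples:
        print(line)
        for code in review_copy(line) or ["(no findings)"]:
            print("   ", code, MESSAGES.get(code, ""))
```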
/WSDEFAULT
/WSDEFAULT=value
Specifies the default working set size. This represents the
initial limit to the number of physical pages the process can
use. The minimum value is 50 pages. By default, a user has 150
pages.
/WSEXTENT
/WSEXTENT=value
Specifies the working set maximum. This represents the maximum
amount of physical memory allowed to the process. The system
provides memory to a process beyond its working set quota only
when it has excess free pages. The additional memory is recalled
by the system if needed. The value is an integer equal to or
greater than WSQUOTA. By default, the value is 512.
/WSQUOTA
/WSQUOTA=value
Specifies the working set quota. This is the maximum amount of
physical memory a user process can lock into its working set. It
also represents the maximum amount of swap space that the system
reserves for this process and the maximum amount of physical
memory that the system allows the process to consume if the
system-wide memory demand is significant. The minimum value is
50 pages. By default, the quota is 256.
Examples
1. UAF> COPY ROBIN SPARROW /PASSWORD=SP0152
   %UAF-I-COPMSG, user record copied
   %UAF-E-RDBADDERRU, unable to add SPARROW value: [000014,00006] to RIGHTSLIST.DAT
   -SYSTEM-F-DUPIDENT, duplicate identifier
The command in this example adds a record for Thomas Sparrow
that is identical, except for the password, to that of Joseph
Robin. Note that since there is no change in the UIC value,
no identifier is added to RIGHTSLIST.DAT. AUTHORIZE issues a
"duplicate identifier" error message.