HP 3000 Manuals

Account Manager Tasks [ Controlling System Activity ] MPE/iX 5.0 Documentation


Controlling System Activity

Account Manager Tasks 

This section describes an account manager's account and security
responsibilities.  It includes instructions for:

 *  Creating and maintaining groups

 *  Creating and maintaining users

 *  Establishing account-level UDCs

Account managers have two important roles.  You protect the information
stored in files within your account, and control the level at which
account users access the system.  You protect files by assigning adequate
security provisions at the group level.  You control how users access the
system by assigning group and user capabilities.

A system manager can perform all account manager tasks.

Creating and Maintaining Groups 

The account manager is responsible for creating and maintaining the
groups within his account.  System managers and account managers for an
account have access to the commands for creating, modifying, and removing
groups in that account.

Creating a New Group With the NEWGROUP Command.  Groups are created with
the NEWGROUP command.  Each new group must be given a unique name.
Optionally, you can give the group a password, disk storage limit,
CPU-time limit, connect-time limit, capabilities, file security
provisions, and volume set.

NEWGROUP Syntax 

     NEWGROUP groupname[.acctname]

     [;PASS=[password]][;FILES=[filespace]]

     [;CPU=[cpu]][;CONNECT=[connect]]

     [;CAP=[capabilitylist]][;ACCESS=[fileaccess]]

     [;ONVS=volumesetname][;HOMEVS=volumesetname]

Table 2-8 describes NEWGROUP parameters.

          Table 2-8.  NEWGROUP Parameters 

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| groupname[.accountname]          | The fully qualified group name.  If you are logged on |
|                                  | to the account, you can omit .accountname.  You must  |
|                                  | be a system manager to create groups in an account    |
|                                  | other than your logon account.                        |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;PASS=[password]                 | The group password.  Default:  none                   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;FILES=[filespace]               | The disk storage limit, in sectors, for the group.    |
|                                  | Default:  unlimited                                   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CPU=[cpu]                       | The CPU-time limit, in seconds, for the group.        |
|                                  | Default:  unlimited                                   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CONNECT=[connect]               | The connect-time limit, in minutes, for the group.    |
|                                  | Default:  unlimited                                   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CAP=[capabilitylist]            | Lists the capabilities permitted to the group.        |
|                                  | Separate capabilities in your capabilitylist with     |
|                                  | commas.  Default:  IA, BA, provided the account has   |
|                                  | these capabilities.                                   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;ACCESS=[fileaccess]             | Lists the file access restrictions for the group.     |
|                                  | Default:  all groups except PUB:  R,A,W,L,X,S:GU;     |
|                                  | PUB group:  R,X:ANY;A,W,L,S:AL,GU                     |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;ONVS=volumesetname              | Specifies a particular volume set on which the group  |
|                                  | is to be built.  Default:  system volume set.         |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;HOMEVS=volumesetname            | Changes the home volume set from current set to the   |
|                                  | set specified by volumesetname.  Default:  system     |
|                                  | volume set                                            |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

For example, to create a new group, named RESEARCH, enter:

     NEWGROUP RESEARCH;PASS=BEAKER

The new group has the name RESEARCH, the password BEAKER, unlimited disk
storage, CPU time, and connect time, default capabilities and file
security provisions, and is not associated with a volume set or class.

As account manager, you must be logged on to an account in order to add
groups to it.  A system manager can create a new group in any account by
including the account name (TECHNLGY) in the NEWGROUP command.  For
example:

     NEWGROUP RESEARCH.TECHNLGY;PASS=BEAKER

Account managers may find it useful to create their own private group.
By default, the system assigns the PUB group as the home group.  In the
PUB group, however, any user has READ and EXECUTE access to files.
Account managers who intend to create and use private files should
create a private group for themselves.  After the new group is created,
use the ALTUSER command to change the home group to the new group.  Refer
to "Creating and Maintaining Users" in this chapter.

Figure 2-6 contains a sample New Group Checklist that can be used when
planning new groups.  In order to enhance the security of the system and
protect the files within the group, be sure to give the group the correct
capabilities and file access restrictions.  Ask your system manager for
guidelines.

          Figure 2-6.  New Group Checklist

Modifying a Group With the ALTGROUP Command.  Use the ALTGROUP command to
change any of the attributes of a group.  Enter the command, the group
name, and any of the group parameters that are to be modified.  You must
be the account manager for the group's account or the system manager in
order to change any of the attributes of the group.

ALTGROUP Syntax

     ALTGROUP groupname[.acctname]

     [;PASS=[password]][;CAP=[capabilitylist]]

     [;FILES=[filespace]][;CPU=[cpu]]

     [;CONNECT=[connect]][;ACCESS=[(fileaccess)]]

     [;ONVS=volumesetname][;HOMEVS=volumesetname]

Table 2-9 describes ALTGROUP parameters.

          Table 2-9.  ALTGROUP Parameters

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| groupname[.accountname]          | The fully qualified group name.  If you are logged on |
|                                  | to the account, .accountname can be omitted.  Only    |
|                                  | system managers can modify groups in an account other |
|                                  | than their own logon account.                         |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;PASS=[password]                 | The group password.                                   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;FILES=[filespace]               | The disk storage limit, in sectors, for the group.    |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CPU=[cpu]                       | The CPU-time limit, in seconds, for the group.        |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CONNECT=[connect]               | The connect-time limit, in minutes, for the group.    |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CAP=[capabilitylist]            | Lists the capabilities permitted to the group.        |
|                                  | Separate capabilities in your capabilitylist with     |
|                                  | commas.                                               |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;ACCESS=[fileaccess]             | Lists the file access restrictions for the group.     |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;ONVS=volumesetname              | Specifies the particular volume set in which the      |
|                                  | group will be altered.  Default:  system volume set   |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;HOMEVS=volumesetname            | Changes the home volume set from current set to the   |
|                                  | set specified by volumesetname.  Default:  system     |
|                                  | volume set                                            |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

For example, the following command changes the RESEARCH group's password
to BUNSEN:

     ALTGROUP RESEARCH;PASS=BUNSEN

Switching Groups With the CHGROUP Command.  Use the CHGROUP command to
switch from the current group to any other group within the logon account
to which the user has legal access.  Enter the command, the group name to
which the user wants to switch, and the password for that group.

CHGROUP Syntax

     CHGROUP [ [groupname] [/grouppass] ]

Table 2-10 lists and defines the CHGROUP parameters.

          Table 2-10.  CHGROUP Parameters

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| [groupname]                      | The name of the group to which the user will be       |
|                                  | switched.  If the parameter is omitted, the user is   |
|                                  | switched back to the home group.                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| [/grouppass]                     | The password of the group to which the user intends   |
|                                  | to switch.                                            |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

For example, the following command switches the user from the current
group to the group called NEWGROUP with the password PRIVATE.

     CHGROUP NEWGROUP/PRIVATE

Typing the CHGROUP command without any parameter switches the user from
the current group to the user's home group:

     CHGROUP

In this case, a password is not required.

Removing a Group With the PURGEGROUP Command.  Use the PURGEGROUP command
to remove a group from the system.  You must have account manager (AM) or
system manager (SM) capability to execute this command.

PURGEGROUP removes the group and all files belonging to it from your
system or optionally from a particular volume set.  It is a good practice
to store the files in a group before you purge it.  Refer to MPE XL
Commands Reference Manual (32650-90003) for more information.  Storing
files gives you a backup copy of the group should you ever need to
restore it to the system.

PURGEGROUP Syntax

     PURGEGROUP groupname[.accountname][;ONVS=volumesetname]

          Table 2-11.  PURGEGROUP Parameters

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| groupname[.accountname]          | The fully qualified group name.  If you are logged on |
|                                  | to the account, you can omit .accountname.  You must  |
|                                  | be a system manager to purge groups in an account     |
|                                  | other than your own logon account.                    |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| [;ONVS=volumesetname]            | Removes the group from the specified volume set       |
|                                  | directory.  Specify a volume set in the form:         |
|                                  |                                                       |
|                                  | MPEXL_SYSTEM_VOLUME_SET                               |
|                                  |                                                       |
|                                  | where MPEXL is the defined volume set.  The volume    |
|                                  | set you specify must be mounted.                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

To purge a group from the system, enter the PURGEGROUP command and the
group name.  For example, to purge the RESEARCH group, enter:

     PURGEGROUP RESEARCH

To purge a group from a particular volume set, include the volume set
name within your PURGEGROUP command.  For example:

     PURGEGROUP OLDGROUP;ONVS=MPEXL_SYSTEM_VOLUME_SET

If anyone is logged on to the group when it is purged, the system purges
the files in the group, but does not purge the group itself.  If files
are in use when a group is purged, the system does not purge the active
files or the group.

Creating and Maintaining Users

Like groups, users belong to accounts.  As account manager, you are
responsible for creating users and assigning them capabilities, modifying
user attributes, and removing users from the system.

Creating a New User With the NEWUSER Command.  You create new users with
the NEWUSER command.  Give each user within an account a unique name.
Optionally, you can give the user a password, capabilities, priority,
local attributes, and a home group.

While many users share account and group passwords, user passwords belong
to a single person.  Users can choose their own user passwords with the
PASSWORD command.  Refer to "General User Tasks" for instructions.

NEWUSER Syntax

     NEWUSER username[.acctname]

     [;PASS=[password]][;CAP=[capabilitylist]]

     [;MAXPRI=[subqueuename]][;LOCATTR=[localattribute]]

     [;HOME=[homegroupname]]

Table 2-12 describes NEWUSER parameters and their default values.

          Table 2-12.  NEWUSER Parameters

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| username[.accountname]           | The fully qualified user name.  If you are logged on  |
|                                  | to the account, .accountname can be omitted.  Only    |
|                                  | system managers can create users in an account other  |
|                                  | than their own logon account.                         |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;PASS=[password]                 | The user password.  Default:  none                    |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CAP=[capabilitylist]            | Lists the capabilities permitted to the user.         |
|                                  | Separate capabilities in your capabilitylist with     |
|                                  | commas.  Default:  SF, ND, IA, BA (Provided the       |
|                                  | account has these capabilities)                       |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;MAXPRI=[subqueuename]           | Names the highest priority subqueue the user can use. |
|                                  | Default:  CS                                          |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;LOCATTR=[localattribute]        | Assigns a local attribute to the user.  Default:      |
|                                  | none                                                  |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;HOME=[homegroupname]            | Assigns the user to a home group.  If the user logs   |
|                                  | on without specifying a group name, the system logs   |
|                                  | the user onto the home group.  Default:  PUB for the  |
|                                  | account manager; none for others.                     |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

When a parameter is not included within the NEWUSER command, its default
values take effect.  For example, to create a new user named BETTY with
the default capabilities and priority, with the home group RESEARCH, and
the password TEMP, enter:

     NEWUSER BETTY;PASS=TEMP;HOME=RESEARCH

System managers can create new users in any account by including the
account name in the NEWUSER command.  For example:

     NEWUSER BETTY.TECHNLGY;PASS=TEMP;HOME=RESEARCH

Figure 2-7 contains a sample New User Checklist that can help plan new users.
Keep the checklists in a file as a record of the users in your account.

          Figure 2-7.  New User Checklist

Modifying User Attributes With the ALTUSER Command.  Any attributes of a
user can be changed with the ALTUSER command.

ALTUSER Syntax

     ALTUSER username[.acctname]

     [;PASS=[password]][;CAP=[capabilitylist]]

     [;MAXPRI=[subqueuename]][;LOCATTR=[localattribute]]

     [;HOME=[homegroupname]]

Table 2-13 shows ALTUSER parameters.

          Table 2-13.  ALTUSER Parameters

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| username[.accountname]           | The fully qualified user name.  If you are logged on  |
|                                  | to the account, .accountname can be omitted.          |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;PASS=[password]                 | The user password.  Default:  none                    |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;CAP=[capabilitylist]            | Lists the capabilities permitted to the user.         |
|                                  | Separate capabilities in your capabilitylist with     |
|                                  | commas.  Default:  SF, ND, IA, BA (Provided the       |
|                                  | account has these capabilities)                       |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;MAXPRI=[subqueuename]           | Names the highest priority subqueue the user can use. |
|                                  | Default:  CS                                          |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;LOCATTR=[localattribute]        | Assigns a local attribute to the user.  Default:      |
|                                  | none                                                  |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| ;HOME=[homegroupname]            | Assigns the user to a home group.  If the user logs   |
|                                  | on without specifying a group name, the system logs   |
|                                  | the user into the home group.  Default:  PUB for the  |
|                                  | account manager; none for others.                     |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

For example, to give BETTY additional capabilities, you might issue the
following command:

     ALTUSER BETTY;CAP=IA,BA,ND,SF,AM,NA

In addition to the standard user capabilities (interactive access (IA),
batch access (BA), nonshareable devices (ND), and permanent files (SF)),
the preceding command gives BETTY account manager (AM) and network
administrator (NA) capabilities.  Notice that you must list all of the
capabilities you want BETTY to have.

Removing Users With the PURGEUSER Command.  Use the PURGEUSER command to
remove a user from an account.  This command may be issued from a
session, job, program, or in BREAK.  You must have account manager (AM)
or system manager (SM) capability to execute this command.

An attempt to purge a user who is currently logged on to the system will
fail, and an explanatory message will be displayed.  That user will not
be purged until the next logon.  An attempt to purge MANAGER.SYS will
always fail, since this user can never be purged.

If files created by a purged user remain after the user is purged from
the system, the system manager can remove them with the PURGEACCT
command, or the account manager can eliminate them by executing
PURGEGROUP.

PURGEUSER Syntax

     PURGEUSER username[.acctname]

          Table 2-14.  PURGEUSER Command

--------------------------------------------------------------------------------------------
|                                  |                                                       |
|            Parameter             |                      Description                      |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| username                         | The fully qualified user name.                        |
|                                  |                                                       |
--------------------------------------------------------------------------------------------
|                                  |                                                       |
| acctname                         | The fully qualified account name.  If you are logged  |
|                                  | on to the account from which you want to purge the    |
|                                  | user, acctname can be omitted.                        |
|                                  |                                                       |
--------------------------------------------------------------------------------------------

To purge a user named HISTORY from the current account, enter:

     PURGEUSER HISTORY
     USER HISTORY TO BE PURGED? YES

You are asked to verify the command only when it is executed during a
session and not from a job.  To do so, enter YES or NO to the prompt.

To purge a user named HISTORY on the MATH account, enter:

     PURGEUSER HISTORY.MATH
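
The defaults in Tables 2-8 and 2-12 (no password unless PASS is given) and the ALTUSER rule that you must list every capability the user is to keep can be checked before a set of account-setup commands is run. The Python below is an added example, not part of the HP documentation; the helper names (parse, modes_open_to_any, audit), the current_caps input, and the sample commands are assumptions made for illustration, and a fileaccess value is assumed to be written in parentheses as in the ALTGROUP syntax.

```python
import re

# NEWUSER default capabilities from Table 2-12 (if the account has them).
DEFAULT_USER_CAPS = {"SF", "ND", "IA", "BA"}
# Management capabilities named in this section.
ADMIN_CAPS = {"AM", "SM", "NA"}


def parse(command):
    """Split 'VERB name[.acct][;KEY=value]...' into (verb, name, params)."""
    verb, _, rest = command.strip().partition(" ")
    # A ';' inside the parentheses of ;ACCESS=(...) is part of the value.
    name, *pairs = re.split(r";(?![^()]*\))", rest)
    params = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter {pair!r} in {command!r}")
        params[key.strip().upper()] = value.strip().upper()
    return verb.upper(), name.strip().upper(), params


def modes_open_to_any(fileaccess):
    """Return the access modes a fileaccess value grants to ANY user."""
    clauses = (c.partition(":") for c in fileaccess.strip("()").split(";"))
    return {m for granted, _, users in clauses
            if "ANY" in users.split(",") for m in granted.split(",")}


def audit(commands, current_caps=None):
    """Return (command, finding) pairs for a list of setup commands."""
    # current_caps (hypothetical input): user -> capabilities held beforehand.
    caps = {u.upper(): set(c) for u, c in (current_caps or {}).items()}
    findings = []
    for cmd in commands:
        verb, name, params = parse(cmd)
        if verb in ("NEWGROUP", "NEWUSER") and not params.get("PASS"):
            findings.append((cmd, "no password: PASS defaults to none"))
        if verb in ("NEWGROUP", "ALTGROUP") and params.get("ACCESS"):
            opened = sorted(modes_open_to_any(params["ACCESS"]))
            if opened:
                findings.append((cmd, f"ACCESS grants {','.join(opened)} to ANY user"))
        if verb in ("NEWUSER", "ALTUSER"):
            old = caps.get(name, set())
            if params.get("CAP"):
                new = set(params["CAP"].replace(" ", "").split(","))
            else:  # CAP absent: NEWUSER takes the defaults, ALTUSER keeps old
                new = set(DEFAULT_USER_CAPS) if verb == "NEWUSER" else old
            dropped = sorted(old - new)
            granted = sorted((new - old) & ADMIN_CAPS)
            if dropped:
                findings.append((cmd, f"CAP replaces the list; drops {','.join(dropped)}"))
            if granted:
                findings.append((cmd, f"grants management capability {','.join(granted)}"))
            caps[name] = new
    return findings


# Constructed sample commands, modelled on the examples in this section.
SAMPLE = [
    "NEWGROUP RESEARCH.TECHNLGY;PASS=BEAKER",
    "NEWGROUP SCRATCH;ACCESS=(R,X:ANY;A,W,L,S:AL,GU)",
    "NEWUSER BETTY;PASS=TEMP;HOME=RESEARCH",
    "NEWUSER CARL;HOME=RESEARCH",
    "ALTUSER BETTY;CAP=IA,BA,AM",
]

if __name__ == "__main__":
    print("\n".join(f"{c} -> {f}" for c, f in audit(SAMPLE)))
```

User names are compared exactly as written, so BETTY and BETTY.TECHNLGY are tracked as separate entries.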

