Setting Up Accounts, Groups, and Users [ Performing System Management Tasks ] MPE/iX 5.0 Documentation
Performing System Management Tasks
Setting Up Accounts, Groups, and Users
Users on HP 3000 computer systems have traditionally been identified by a
user.account string such as MANAGER.PAYROLL. The user.account associated
with a job or session did not change for the life of the job or session,
nor did the user and his or her files reside outside of the account
boundary. Users could copy files from another account, but could not
rename them across account boundaries.
As of Release 4.5, MPE/iX identifies each user by a unique user ID (UID)
as well as a user.account string. Users are arranged into groups and are
identified by a group ID (GID). Users that share one account will share
the same GID. Owners of files on MPE/iX are identified by the file
creator field.
The data associated with the user is stored in separate user and group
databases. This means that on MPE/iX, users with proper security
permissions can move outside of account boundaries and work in different
directories within the hierarchical file system.
NOTE The term group in this context is distinct from an MPE group and
may be independent of the directory structure. To clarify, this
chapter refers to groups under accounts as MPE groups.
File Ownership
Before Release 4.5, MPE used the creator name, an unqualified user
name, to track file ownership. The system only recorded file creators
(not the creators of accounts or groups). As of Release 4.5, files and
HFS directories can be created outside the logon account if the user has
the appropriate access to do so. Therefore, unqualified user names are
no longer sufficient for indicating object ownership.
As of Release 4.5, file ownership for all newly created files or renamed
files is indicated by a fully qualified user name. The fully qualified
user name is called the file owner or the UID. The concept of the file
owner is similar to the file creator. Note, however, that the file creator
could never be changed for a file, whereas the file owner can be changed.
The Group and User Databases
Two databases, one for UIDs and one for GIDs, are a required part of any
operating system that implements POSIX standards.
* The User ID database (UID) maps numerical user IDs to login names
in the file called HPUID.PUB.SYS.
* The Group ID database (GID) maps numerical group IDs to POSIX.1
group names in the file HPGID.PUB.SYS.
The databases are privileged files whose contents are not visible, but
you need to be aware of their existence. They are automatically created
when you install or update to MPE/iX Release 4.5 or later. Furthermore,
they are automatically modified when you add, modify, or purge users,
groups, and accounts.
When a user logs on, MPE/iX uses the authenticated user.account to query
the databases for the UID and GID. If none are found, MPE/iX checks
whether the user has SM capability. A user who does not have an ID
cannot log on to the system without SM capability. When you add,
modify, or purge users, groups, and accounts, the user and group
databases are modified accordingly.
A utility called PXUTIL exists to provide version information and
backdating capabilities. To learn how to use PXUTIL, read the MPE/iX
Shell and Utilities Reference Manual (36431-90001).
To create accounts
To set up an account, use the NEWACCT command and its options. You must
specify the account name and identify an account manager. You also have
the option of specifying a user ID number and group ID number, or the
operating system will assign unique numbers automatically. If you
specify user and group ID numbers, you should assign numbers over 100.
MPE/iX reserves numbers less than 100 for system-defined IDs.
For example, to create a new account called PAYROLL for the payroll
department, enter:
:NEWACCT PAYROLL,MANAGER;PASS=PAYUS2;UID=150;GID=120;
The new account, PAYROLL, contains one user (MANAGER), who is the account
manager. The password for the account is PAYUS2. The user ID of 150
identifies the account manager MANAGER.PAYROLL. The group ID of 120
identifies the payroll account. Also, the account automatically contains
one group: PUB.
If you omit the UID and GID parameters, MPE assigns a unique UID to the
account manager, MANAGER, and a unique GID to the account, PAYROLL.
If you assign a UID or GID that is already in use, an error message is
displayed.
NOTE While you are setting up your account structure, you can get
helpful information about any MPE command.
* To get help for a particular command, enter HELP followed by
a command name at the MPE prompt. For example, to display
the syntax for the command NEWACCT, enter:
HELP NEWACCT
* To display information about the parameters for the same
command, enter:
HELP NEWACCT PARMS
For more information on these commands, refer to the MPE/iX Commands
Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364).
To create MPE groups
You can create groups within an account. To do so, use the NEWGROUP
command followed by the name of the account or directory and, optionally,
the password you want assigned to the group. For example, to create a
group SALES in the MKTG account and assign it a password KEEPOUT, enter:
:NEWGROUP SALES.MKTG;PASS=KEEPOUT
When you are creating or moving files into a group, it is important to
know that the following types of files can be located only within MPE
groups (and not within HFS directories):
* UDC files
* Databases
* Compatibility mode files (for example, CIR, KSAM, RIO)
To create users
To add a user to an account, use the NEWUSER command and its options.
Only the system manager or the account manager for the account can add
new users. You must include a user name. If you do not include an
account name, the user is added to the account that you are currently in.
For example, to create a user called BANKS in the PAYROLL account with a
home group SALES and a user ID of 120, enter:
:NEWUSER BANKS.PAYROLL;PASS=ALEX;HOME=SALES;UID=120
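The ID rules given under "To create accounts" (numbers over 100, no number used twice) can be checked before a batch of commands is run. The Python script below is an added example, not part of the HP documentation or any HP tool; it parses only the NEWACCT and NEWUSER forms shown above, treats UIDs and GIDs as separate number spaces (an assumption based on the two databases), and checks only the batch itself, not IDs already on the system.

```python
# Constructed sample batch: the first two lines are the page's own examples,
# the last two are made up (including their passwords) to trigger findings.
SAMPLE = """\
:NEWACCT PAYROLL,MANAGER;PASS=PAYUS2;UID=150;GID=120;
:NEWUSER BANKS.PAYROLL;PASS=ALEX;HOME=SALES;UID=120
:NEWACCT MKTG,MANAGER;PASS=EXAMPLE1;UID=150;GID=50
:NEWUSER CLERK.MKTG;PASS=EXAMPLE2
"""

def parse(line):
    """Split ':CMD positional;KEY=VAL;...' into (cmd, positional, {KEY: VAL})."""
    cmd, _, rest = line.strip().lstrip(":").partition(" ")
    parts = [p.strip() for p in rest.split(";") if p.strip()]
    pairs = (p.split("=", 1) for p in parts[1:] if "=" in p)
    opts = {k.strip().upper(): v.strip() for k, v in pairs}
    return cmd.upper(), parts[0] if parts else "", opts

def lint(batch):
    """Return (line_no, message) findings for explicit UID=/GID= values."""
    # Assumption: UIDs and GIDs are separate number spaces (two databases).
    seen = {"UID": {}, "GID": {}}
    findings = []
    for n, line in enumerate(batch.splitlines(), 1):
        cmd, pos, opts = parse(line)
        if cmd == "NEWACCT":
            acct, _, mgr = pos.partition(",")
            owner = {"UID": f"{mgr}.{acct}", "GID": acct}
        elif cmd == "NEWUSER":
            owner = {"UID": pos}
        else:
            continue  # other commands carry no ID parameters on this page
        for key, who in owner.items():
            if key not in opts:
                continue  # omitted: the system assigns a unique number
            if not opts[key].isdigit():
                findings.append((n, f"{key}={opts[key]} is not a number"))
                continue
            num = int(opts[key])
            if num <= 100:
                findings.append((n, f"{key}={num} for {who} is not over 100"))
            if num in seen[key]:
                findings.append(
                    (n, f"{key}={num} for {who} already used by {seen[key][num]}"))
            else:
                seen[key][num] = who
    return findings

if __name__ == "__main__":
    for n, msg in lint(SAMPLE):
        print(f"line {n}: {msg}")
```

GID=120 on the first line and UID=120 on the second do not collide because they are tracked separately.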
To create accounts using a command file
MKACCT is a command file that helps you establish user names, groups,
accounts, and passwords. MKACCT is interactive, and if you make a
mistake, it prompts you for the correct response.
You may verify the results of MKACCT with the LISTACCT, LISTGROUP, and
LISTUSER commands. You may override anything accomplished by MKACCT with
the ALTUSER, ALTGROUP, and ALTACCT commands. For more information on
these commands, use online help or read the MPE/iX Commands Reference
Manual Volumes 1 and 2 (32650-90003 and 32650-90364) or Using Your
System - HP 3000 Series 9X7LX (A1707-92002).
NOTE The command PASSWORD allows all users to change their own
passwords. For information on the PASSWORD command, use online
help or read the MPE/iX Commands Reference Manual Volumes 1 and 2
(32650-90003 and 32650-90364).