HP 3000 Manuals

ALTACCT [ MPE/iX Commands Reference Manual Volume I ] MPE/iX 5.0 Documentation



ALTACCT 

Changes the attributes of an existing account.

Syntax 

ALTACCT acctname [;PASS=[password]][;FILES=[filespace]]

[;CPU=[cpu]][;CONNECT=[connect]]

[;CAP=[capabilitylist]][;ACCESS=[(fileaccess)]]

[;MAXPRI=[subqueuename]][;LOCATTR=[localattribute]] [;ONVS=volumesetname]

[;USERPASS=[{REQ}]] (1)
[          [{OPT}]]
(1) The USERPASS parameter is only available if the HP Security Monitor
has been installed.

Parameters 

acctname              The name of the account to be altered.

password              The password to be assigned to the account.  If you
                      omit password, any existing password is removed.
                      If you omit PASS=, any existing password is
                      unchanged.

filespace             Disk storage limit, in sectors, for the permanent
                      files in the account.  The filespace limit cannot
                      be less than the number of sectors currently in use
                      for the account.

cpu                   The limit on cumulative CPU-time, in seconds, for
                      the account.  This limit is checked only when a job
                      or session is initiated, and, therefore, never
                      causes the job or session to abort.  The maximum
                      value allowed is 2,147,483,647 seconds.  You may
                      set the counter to zero with the RESETACCT command.

connect               The limit on total cumulative session connect-time,
                      in minutes, allowed the account.  This limit is
                      checked at logon.  Every time the process
                      terminates the counter is updated.  The maximum
                      value allowed is 2,147,483,647 minutes.  You may
                      reset the counter to zero with the RESETACCT
                      command.

capabilitylist        Either 1) a list of capabilities, separated by
                      commas, permitted the account, or 2) a list of
                      additions and/or deletions to be applied to the
                      account's existing set of capabilities.  Additions
                      and deletions are specified by a "+" or "-"
                      immediately followed by the capability to add or
                      delete, separated by commas.

                      If "+"/"-" is to be specified in the list, then the
                      list must begin with "+" or "-".  For example,
                      CAP=+MR,-PH is legal, but CAP=MR,-PH is not.  It is
                      not necessary to prefix each capability to be added
                      or deleted with "+" / "-", as the occurrence of "+"
                      / "-" indicates an action that remains in
                      effect until the indicator changes.  For
                      example, CAP=+MR,PH,-PM,DS is equivalent to
                      CAP=+MR,+PH,-PM,-DS

                      If a capability is removed at the account level,
                      users within the account are also denied that
                      capability.  No explicit change to the user's
                      capabilities is necessary.  Similarly, if a
                      capability is returned to the account, any users
                      with that capability regain it automatically.

                      Each capability is denoted by a two letter
                      mnemonic, as follows:

                           System Manager           =       SM
                           Account Manager          =       AM
                           Account Librarian        =       AL
                           Group Librarian          =       GL
                           Diagnostician            =       DI
                           System Supervisor        =       OP
                           Network Administrator    =       NA
                           Node Manager             =       NM
                           Save Files               =       SF
                           Access to Nonshareable
                             I/O Devices            =       ND
                           Use Volumes              =       UV
                           Use Communication
                             Subsystem              =       CS
                           Programmatic Sessions    =       PS
                           User Logging             =       LG
                           Process Handling         =       PH
                           Extra Data Segments      =       DS
                           Multiple RINs            =       MR
                           Privileged Mode          =       PM
                           Interactive Access       =       IA
                           Batch Access             =       BA

                      Default is AM, AL, GL, SF, ND, IA, BA, except for
                      the SYS account.  The SYS account has no true
                      default.  It is assigned the maximum account
                      capabilities when the system is delivered and,
                      under normal circumstances, should not be altered.

                      If a capability is taken away from an account, it
                      is unavailable to users in that account.  However,
                      users are not affected by this change until they
                      log off and then log back on.

fileaccess            The restrictions on file access pertinent to this
                      account.  Default is R,L,A,W,X:AC, entered as
                      follows:

                       [{R}             ]
                       [{L}             ]
                      ([{A} [,...]:{ANY}] [;...])
                       [{W}        {AC }]
                       [{X}             ]
                      The R, L, A, W, and/or X specify modes of access by
                      types of users (ANY and/or AC ) as follows:

                           R    =    READ
                           L    =    LOCK
                           A    =    APPEND
                           W    =    WRITE
                           X    =    EXECUTE

                      LOCK allows exclusive access to the file.  APPEND
                      implicitly specifies LOCK. WRITE implicitly
                      specifies APPEND and LOCK.

                      The user types are specified as follows.

                           ANY  =  Any user
                           AC   =  Member of this account only

subqueuename          Name of the highest priority subqueue that can be
                      requested by any process of any job/session in the
                      account, specified as AS, BS, CS, DS, or ES. When
                      you specify ;MAXPRI= without a value, subqueuename 
                      defaults to CS.


CAUTION User processes executing in the AS or BS subqueues can deadlock the system. If you assign these subqueues to nonpriority processes, other critical system processes may be prevented from executing. Exercise extreme caution when choosing subqueues.

localattribute        Local attribute of the account, as defined at the
                      installation site.  This is a double-word bit map,
                      of arbitrary meaning, that might be used to further
                      classify accounts.  While it is not involved in
                      standard MPE/iX security provisions, it is available
                      to processes through the WHO intrinsic.  Programmers
                      may use localattribute in their own programs to
                      provide security.  Default is double word 0 (null).

volumesetname         The MPE/iX volume set in which the account is to be
                      altered.  This volume set must be already defined
                      and recognized by the system.  When
                      ONVS=volumesetname is specified, the volume set
                      directory is assumed.  When ONVS= is specified
                      without volumesetname, the system directory is
                      assumed.

                      MPE/iX volume set names consist of from 1 to 32
                      characters, beginning with an alphabetic character.
                      The remaining characters may be alphabetic, numeric,
                      the underscore, or periods.

                      This parameter only works with the FILES parameter
                      (all other parameters are ignored).

REQ                   USERPASS=REQ specifies that all users in the account
                      must have a non-blank password.  It is available
                      only if the HP Security Monitor has been installed.

OPT                   USERPASS=OPT specifies that users in this account
                      may or may not have passwords.  If you do not use
                      the USERPASS parameter, the old value remains.  It
                      is available only if the HP Security Monitor has
                      been installed.

Operation Notes

The system manager uses the ALTACCT command to change the attributes of an
existing account.  You may enter multiple keywords on a single command line
as shown in "Examples."  When you change one capability in a capabilitylist
that contains several nondefault values, you must specify the entire new
capabilitylist.

When you omit an entire keyword parameter group from the ALTACCT command,
that parameter remains unchanged for the account.  When you include a
keyword, but omit the corresponding parameter (for example, PASS= Return),
the default value is assigned.

Table 2-2 lists the default values for the ALTACCT command.

Table 2-2.  Default Parameters for the ALTACCT Command

---------------------------------------------------------------------------
| Parameter       | Default Values                                        |
---------------------------------------------------------------------------
| password        | No password                                           |
| filespace       | Unlimited                                             |
| cpu             | Unlimited                                             |
| connect         | Unlimited                                             |
| capabilitylist  | AM, AL, GL, SF, ND, IA, BA (All accounts except SYS)  |
|                 | SM, AM, AL, GL, DI, OP, SF, ND, PH, DS, MR, PM        |
|                 | (SYS account only)                                    |
| fileaccess      | (R,A,W,L,X:AC) (All accounts except SYS)              |
|                 | (R,X:ANY;A,W,L:AC) (SYS account only)                 |
| subqueuename    | CS subqueue                                           |
| localattribute  | 0 (null)                                              |
---------------------------------------------------------------------------

Any value changed with the ALTACCT command takes effect the next time
MPE/iX is requested to check the value.  If an attribute is removed from an
account while users are logged on, they are not affected until they log off
their current job or session and log on again.  MPE/iX does not
automatically generate a message informing users of the change; it is your
responsibility to warn account members in advance of any changes.

If you take a capability away from an account, all account members and
groups within the account are denied the capability the next time that they
log onto the account.

You cannot remove system manager (SM) capability from the SYS account or
account manager (AM) capability from any account.  From within any account,
you can remove AM capability from all but one (the last) of the users
assigned it.  It is possible, however, to remove AM capability from all
users in an account, but only if you do so from another account that has SM
capability.

NOTE If you specify volume-related commands or parameters for a volume set that is not currently mounted, or for an account that does not exist, MPE/iX returns an error message.
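
The capabilitylist rules above (a signed list must begin with "+" or "-", the sign stays in effect until it changes, AM and SM cannot be removed) can be checked before a change is issued. The following is an added example, not code from the manual or from HP: the function names, the DEMO account name and the WATCH list are assumptions, and raising an error for a forbidden removal is this model's choice because the manual does not give the message MPE/iX returns.

```python
# Added example: models the CAP= rules on this page; it is not HP code.
VALID = {"SM", "AM", "AL", "GL", "DI", "OP", "NA", "NM", "SF", "ND", "UV",
         "CS", "PS", "LG", "PH", "DS", "MR", "PM", "IA", "BA"}
DEFAULT = {"AM", "AL", "GL", "SF", "ND", "IA", "BA"}   # all accounts except SYS
SYS_DEFAULT = {"SM", "AM", "AL", "GL", "DI", "OP", "SF", "ND",
               "PH", "DS", "MR", "PM"}                  # Table 2-2, SYS only
WATCH = {"SM", "OP", "PM"}   # assumption: the reviewer's own watch list


def apply_cap(current, spec, account="DEMO"):
    """Return the account's capability set after ALTACCT account;CAP=spec."""
    items = [s.strip().upper() for s in spec.split(",") if s.strip()]
    if not items:                       # keyword given, list omitted: default
        return set(SYS_DEFAULT if account == "SYS" else DEFAULT)
    signed = any(i[0] in "+-" for i in items)
    if signed and items[0][0] not in "+-":
        raise ValueError("a list that uses +/- must begin with + or -")
    result = set(current) if signed else set()   # unsigned list replaces the set
    sign = "+"
    for item in items:
        if item[0] in "+-":             # the sign stays in effect until changed
            sign, item = item[0], item[1:]
        if item not in VALID:
            raise ValueError(f"unknown capability {item!r}")
        if sign == "+":
            result.add(item)
        else:
            result.discard(item)
    # Operation Notes: AM cannot leave any account, SM cannot leave SYS.
    # Raising here is this model's choice; the page does not give the message.
    if "AM" not in result or (account == "SYS" and "SM" not in result):
        raise ValueError("AM (any account) and SM (SYS) cannot be removed")
    return result


def review(current, spec, account="DEMO"):
    """Summarise a proposed change for a change-control record."""
    before, after = set(current), apply_cap(current, spec, account)
    return {"added": sorted(after - before),
            "removed": sorted(before - after),
            "watch": sorted((after - before) & WATCH)}


if __name__ == "__main__":
    print(review(DEFAULT, "+MR,PH,-PM,DS"))
    print(review(DEFAULT, "+PM,PH"))
```
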

Use

This command may be issued from a session, job, program, or in BREAK.
Pressing Break has no effect on this command.  System manager (SM)
capability is required to use this command.

Examples

To change an account named AC2 so that its password is GLOBALX, and its
filespace is limited to 50,000 sectors, enter:

     ALTACCT AC2;PASS=GLOBALX;FILES=50000

To change the password and the file space of an account called MALCHIOR in
the volume set TIME_LORD, you need to issue two commands:

     ALTACCT MALCHIOR;PASS=OMSBOROS
     ALTACCT MALCHIOR;ONVS=TIME_LORD;FILES=20000

You must specify the changes for the system volume set (the first command)
and for the volume set itself (the second command).  Specifying a
volumesetname limits the user to changing only FILES in the second command.

Related Information

Commands              ALTGROUP, ALTUSER, LISTACCT, LISTGROUP, LISTUSER,
                      NEWACCT, NEWGROUP, NEWUSER, RESETACCT

Manuals               Performing System Management Tasks (32650-90004)
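
The fileaccess parameter described under Parameters grants more than it names, because WRITE implies APPEND and LOCK and APPEND implies LOCK. The following added example (not code from the manual or from HP; the function names are assumptions) expands an ACCESS= list into the effective modes per user type and reports which modifying modes reach users outside the account. It accepts one user type per clause, as the syntax diagram on this page shows.

```python
# Added example: expands an ACCESS= list as described on this page; not HP code.
IMPLIES = {"W": {"A", "L"}, "A": {"L"}}   # WRITE -> APPEND+LOCK, APPEND -> LOCK
MODES = set("RLAWX")
USER_TYPES = {"ANY", "AC"}


def parse_access(spec):
    """Return {user_type: effective modes} for a list like '(R,X:ANY;A,W,L:AC)'."""
    body = spec.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("fileaccess must be enclosed in parentheses")
    granted = {u: set() for u in USER_TYPES}
    for clause in body[1:-1].split(";"):
        modes, sep, who = clause.partition(":")
        who = who.strip().upper()
        if not sep or who not in USER_TYPES:
            raise ValueError(f"bad user type in {clause!r}")
        for m in (x.strip().upper() for x in modes.split(",")):
            if m not in MODES:
                raise ValueError(f"bad access mode {m!r}")
            granted[who] |= {m} | IMPLIES.get(m, set())
    # ANY means any user, so account members also hold whatever ANY holds.
    granted["AC"] |= granted["ANY"]
    return granted


def outside_write(spec):
    """Modes that let users outside the account change or lock files."""
    return sorted(parse_access(spec)["ANY"] & {"W", "A", "L"})


if __name__ == "__main__":
    # The two defaults listed in Table 2-2.
    for s in ("(R,A,W,L,X:AC)", "(R,X:ANY;A,W,L:AC)"):
        print(s, parse_access(s), outside_write(s))
```
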

