
Assigning capabilities [ Performing System Management Tasks ] MPE/iX 5.5 Documentation


Performing System Management Tasks

Assigning capabilities 

Capabilities are privileges that can be assigned to users, accounts,
groups, and programs.  Capabilities specify what users can do on the
system by implementing four types of control:  user control, file
control, program control, and resource control.  These categories of
control are not mutually exclusive.  For example, DI is a capability to
run certain diagnostic programs on the system.  Although classified as a
user-control capability, it also deals with program control.

The system manager or account manager has the capability to assign these
privileges or to take them away.  The system manager can assign any
privileges to anyone on the system.  The account manager (the person
accessing an account with account manager (AM) capability) can assign
capabilities, not exceeding their own, to anyone in the account.

The table below summarizes capabilities.  The A, G, U, and P columns
indicate which capabilities can be allowed to the account (A), group (G),
user (U), and program (P) entities.

          Table 8-2.  Capabilities 
--------------------------------------------------------------------------------------------
|                                                                                          |
| Capability  Type of Control   A G U P   Description                                      |
|                                                                                          |
--------------------------------------------------------------------------------------------
|                                                                                          |
| AL          User              x   x     Account librarian allows access to files within  |
|                                         the user's account.                              |
|                                                                                          |
| AM          User              x   x     Account manager allows access to all files,      |
|                                         groups, and user information within the account. |
|                                                                                          |
| BA          User/Program      x x x x   Batch access allows logon with the JOB command.  |
|                                                                                          |
| CS          File/Device       x   x     Communications subsystems allows exclusive       |
|                                         access to a communications device.               |
|                                                                                          |
| CV          File/Device       x   x     Create volumes is needed to create, alter, and   |
|                                         delete mountable volume sets.                    |
|                                                                                          |
| DI          User              x   x     Diagnostician allows a user to run certain       |
|                                         device and CPU diagnostics or verification       |
|                                         programs.                                        |
|                                                                                          |
| DS          Program           x x x x   Data segments lets users and programs create and |
|                                         manage extra data segments.                      |
|                                                                                          |
| GL          User              x   x     Group librarian allows access to all files       |
|                                         within the user's group.                         |
|                                                                                          |
| IA          User/Program      x x x x   Interactive access allows a user to log on with  |
|                                         HELLO.                                           |
|                                                                                          |
| LG          User              x   x     User logging allows enabling of the logging      |
|                                         facility.                                        |
|                                                                                          |
| UV          File/Device       x   x     Use volumes allows access to nonsystem domain    |
|                                         volumes.                                         |
|                                                                                          |
| MR          Program           x x x x   Multiple RINs lets a user or program acquire     |
|                                         more than one resource identification number     |
|                                         (RIN) for a single process.                      |
|                                                                                          |
| NA          User              x   x     Network administrator allows use of              |
|                                         NMMGR.PUB.SYS to configure NS and LAN and to     |
|                                         administer the resulting network.                |
|                                                                                          |
| ND          File/Device       x   x     Nonshareable devices allows use of nonshareable  |
|                                         devices such as the tape drive.                  |
|                                                                                          |
| NM          User              x   x     Node manager allows the use of NMMGR.PUB.SYS to  |
|                                         configure and manage nodes in a LAN.             |
|                                                                                          |
| OP          User              x   x     Operator allows access to files, groups, user    |
|                                         information, and support functions and commands. |
|                                                                                          |
| PH          Program           x x x x   Process handling allows direct creation of other |
|                                         processes by executing the user process, so      |
|                                         that a program can have a number of              |
|                                         concurrently running processes.                  |
|                                                                                          |
| PM          User/Program      x x x x   Privileged mode gives a user or program access   |
|                                         to all resources.                                |
|                                                                                          |
| PS          User/Program      x   x     Programmatic sessions allows use of the          |
|                                         STARTSESS command and the STARTSESS intrinsic.   |
|                                                                                          |
| SF          File/Device       x   x     Save files allows users to save files            |
|                                         permanently.                                     |
|                                                                                          |
| SM          User              x   x     System manager allows complete access to the     |
|                                         system.                                          |
|                                                                                          |
--------------------------------------------------------------------------------------------

When you create accounts, groups, and users, they each receive certain
default capabilities:

   *   Accounts are assigned AL, AM, BA, GL, IA, ND, SF capability

   *   Groups and programs are assigned BA and IA capability

   *   Users are assigned BA, IA, ND and SF capability

You may assign accounts and users all of the capabilities, but you can
assign groups and programs only BA, DS, IA, MR, PH, and PM capability.

To assign capabilities 

To assign capabilities to accounts, groups, users, and programs, use the
NEWACCT, NEWGROUP, and NEWUSER commands.  For example, if you are the
system manager or the account manager of the PAYROLL account, enter the
following to assign capabilities to a new user named GEORGE:

     NEWUSER GEORGE.PAYROLL;CAP=IA,BA,ND,SF

To alter capabilities 

Alter capabilities for existing accounts, groups, and users with the
ALTACCT, ALTGROUP, and ALTUSER commands.

For example, to add the group librarian (GL) and account manager (AM)
capabilities to your new user named GEORGE in the PAYROLL account, enter
the complete list of capabilities the user is to hold (the CAP= list
replaces the existing one, so IA, BA, ND, and SF are restated; this
example also grants OP, PM, and DI):

     ALTUSER GEORGE.PAYROLL;CAP=IA,BA,ND,SF,GL,AM,OP,PM,DI 

Or, you can add a single capability such as GL to the user's existing
list, without restating the others, by entering the command this way:

     ALTUSER GEORGE.PAYROLL;CAP=+GL 
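The following is an added example, not part of the MPE/iX manual: a small policy check built from the rules above (the A, G, U, and P columns of Table 8-2, the default capability sets, and the rule that an account manager may grant only capabilities not exceeding its own), plus a helper that shows how the two ALTUSER forms differ. The entity names and grantor capability sets are assumptions made for the demonstration.

```python
# Added example, not from the MPE/iX manual. Encodes the capability rules
# stated in the text so a proposed NEWxxx/ALTxxx command can be checked
# before it is run.

ALL_CAPS = {"AL", "AM", "BA", "CS", "CV", "DI", "DS", "GL", "IA", "LG", "UV",
            "MR", "NA", "ND", "NM", "OP", "PH", "PM", "PS", "SF", "SM"}
# Groups and programs may hold only these six (G and P columns of Table 8-2).
GROUP_PROGRAM_CAPS = {"BA", "DS", "IA", "MR", "PH", "PM"}
ALLOWED = {"account": ALL_CAPS, "user": ALL_CAPS,
           "group": GROUP_PROGRAM_CAPS, "program": GROUP_PROGRAM_CAPS}
# Defaults each newly created entity receives.
DEFAULTS = {"account": {"AL", "AM", "BA", "GL", "IA", "ND", "SF"},
            "group": {"BA", "IA"}, "program": {"BA", "IA"},
            "user": {"BA", "IA", "ND", "SF"}}


def check_assignment(entity, requested, grantor_caps):
    """Return the rule violations for granting `requested` to an entity of
    kind `entity`; an empty list means the grant is permitted.
    `grantor_caps` is the capability set of whoever issues the command:
    SM may grant anything, anyone else only what they themselves hold."""
    requested, grantor_caps = set(requested), set(grantor_caps)
    problems = []
    unknown = requested - ALL_CAPS
    if unknown:
        problems.append("unknown: " + ",".join(sorted(unknown)))
    not_eligible = (requested & ALL_CAPS) - ALLOWED[entity]
    if not_eligible:
        problems.append(f"{entity} cannot hold: " + ",".join(sorted(not_eligible)))
    if "SM" not in grantor_caps:
        excess = (requested & ALL_CAPS) - grantor_caps
        if excess:
            problems.append("grantor lacks: " + ",".join(sorted(excess)))
    return problems


def apply_cap_parameter(current, cap_param):
    """Capability set after ALTxxx ...;CAP=<cap_param>.
    CAP=A,B replaces the whole list; CAP=+A adds to the existing list, which
    is why the replace form above restates IA,BA,ND,SF alongside GL and AM."""
    add = cap_param.startswith("+")
    caps = [c.strip() for c in cap_param.lstrip("+").split(",") if c.strip()]
    return (set(current) | set(caps)) if add else set(caps)


def build_command(verb, name, caps, add=False):
    """Render the CI command text, e.g. ALTUSER GEORGE.PAYROLL;CAP=+GL."""
    return f"{verb} {name};CAP={'+' if add else ''}{','.join(caps)}"
```

Run against the manual's own example, a PAYROLL account manager holding only the default account capabilities cannot grant OP, PM, or DI to GEORGE; the system manager can.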

To limit accounts and groups 

The NEWACCT, ALTACCT, NEWGROUP, and ALTGROUP commands have parameters
that offer additional control over system resources.

The following list defines the parameters for these commands:

--------------------------------------------------------------------------------------------
|                     |                                                                    |
|      Parameter      |                             Definition                             |
|                     |                                                                    |
--------------------------------------------------------------------------------------------
|                     |                                                                    |
| FILES               | Sets a limit on disk space.  The space is expressed in sectors.    |
|                     | (One sector = 256 bytes.)                                          |
|                     |                                                                    |
--------------------------------------------------------------------------------------------
|                     |                                                                    |
| CPU                 | Limits the number of CPU seconds allowed to any particular group   |
|                     | and account.                                                       |
|                     |                                                                    |
--------------------------------------------------------------------------------------------
|                     |                                                                    |
| CONNECT             | Limits the connect time in CPU minutes.  This parameter is usually |
|                     | put into job streams.                                              |
|                     |                                                                    |
--------------------------------------------------------------------------------------------
|                     |                                                                    |
| ACCESS              | Changes the security matrix for groups or accounts.                |
|                     |                                                                    |
--------------------------------------------------------------------------------------------

For example, to limit the disk space the PAYROLL account can use, enter

     ALTACCT PAYROLL;FILES=50000 


NOTE You should never limit accounts or groups used by the operating system such as the SYS account or any group in the SYS account.
To keep track of user events You can have MPE/iX keep track of user events in a log file. A new log file begins automatically every time you reboot, but you can also start a new log file as necessary. To keep a certain type of log, you use the LOG configurator in SYSGEN to change its status to "ON". For more information, read chapter 5 of this manual.
