Operating System - OpenVMS

How to get Username from UIC

dule_b
Occasional Visitor


I have a request to create a report that will show some UAF values of all accounts that hold specific rights. It's no problem to collect all UICs that hold a right, but converting them to Username... is a little bit tricky.

 

Does anyone know any solution other than opening SYSUAF.DAT and doing an indexed read?

 

Best regards,

 

Dusan

3 REPLIES
Hoff
Honored Contributor

Re: How to get Username from UIC

UICs can and variously do map to more than one username entry; this isn't a one-to-one mapping, it's potentially one-to-many.

 

UICs don't hold rights, either, so there may be some confusion around the OpenVMS security model lurking here.

 

The usual path for implementing these auditing report requests is a wildcard pass through all entries in SYSUAF either (and more commonly) via the username key or (less commonly) via the UIC key, and to then determine the identifiers and privileges associated with each entry located from there.  The username entry is the top of the hierarchy here, and not the UIC values.

 

OpenVMS does not provide a documented or supported means to scan all usernames, so folks open up the file, adapt to the keys, and scan using (documented) RMS calls and the UAF data structure definitions.  There's no wildcard $getuai.  My preference is to get the minimal available information via the direct RMS means, then switch over to $getuai call(s) for the rest of the information.  (See below for some code.)

 

Each username has one UIC associated; this is a one-to-one mapping.

 

I'm sure that something similar to this report auditing has been implemented somewhere, so spend some time rummaging around the OpenVMS Freeware archives.   There are (or were) products in this area, too.  If you cannot locate a complete and existing solution, then Hein van den Heuvel has posted code for scanning SYSUAF username entries from DCL code in various places, and I have posted C code that scans SYSUAF entries here.  There are innumerable other examples posted around, too.  The John The Ripper (JTR) tool "unuaf" might be interesting to you here, for instance.

John Gillings
Honored Contributor

Re: How to get Username from UIC

Dusan,

 

   Hoff is correct that there can be multiple usernames sharing the same UIC. I'd argue that in most circumstances, it's worth your while assuring that UIC to Username is strictly a 1:1 mapping in both directions. When that is the case, you should also ensure there is always a UIC identifier which matches the username with that UIC.

 

I'd also recommend that UIC identifiers are never deleted, and never reused.

 

So, if you can verify there are no duplicate UICs in your UAF, and that UIC identifiers are defined for all users, the mapping from UIC to username can be done very easily with F$IDENTIFIER NUMBER_TO_NAME. For example, suppose you have group and member numbers for the UIC you're interested in:

 

$ WRITE SYS$OUTPUT F$IDENTIFIER(group*%X10000+member,"NUMBER_TO_NAME")

 

That said, there seems to be a misunderstanding in your request. Rights are granted to IDENTIFIERS not "accounts". So, you can find the list of rights granted to a specific UIC identifier by reading RIGHTSLIST (or, rather, using the system service API to RIGHTSLIST). You can then list the usernames sharing the UIC - that will require reading SYSUAF, since that's where the relationship is defined. 

A crucible of informative mistakes
Hoff
Honored Contributor

Re: How to get Username from UIC

>So, if you can verify there are no duplicate UICs in your UAF, and that UIC identifiers are defined for all users,...

 

...and the text identifier string is configured to match the username...

 

>...the mapping from UIC to username can be done very easily with F$IDENTIFIER NUMBER_TO_NAME.

 

This match between the UIC text string and the username is the default, but it's not required.

 

And there are more than a few cases around where there is no text string associated with the UIC at all.
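
Added example (not part of any reply in this thread, and not the posters' code): a DCL procedure that checks the conditions raised above before F$IDENTIFIER is trusted for UIC-to-username mapping, namely duplicate UICs, UICs with no identifier, and identifier names that differ from the username. The record offsets (username at byte 4, member at byte 36, group at byte 38) and the SYSUAF logical-name fallback are assumptions; verify them against the $UAFDEF definitions on your system.

```dcl
$! Added example; not from the thread.
$! Assumed SYSUAF layout: username = bytes 4..35, UIC member = word at
$! byte 36, UIC group = word at byte 38. Needs read access to SYSUAF.
$ uaf = F$TRNLNM("SYSUAF")
$ IF uaf .EQS. "" THEN uaf = "SYS$SYSTEM:SYSUAF.DAT"
$ OPEN/READ/SHARE=WRITE/ERROR=no_open uaf_file 'uaf'
$ problems = 0
$next:
$ READ/END_OF_FILE=done uaf_file rec
$ username = F$EDIT(F$EXTRACT(4,32,rec),"TRIM")
$ member = F$CVUI(36*8,16,rec)
$ group = F$CVUI(38*8,16,rec)
$ uicnum = group*%X10000 + member
$ tag = F$FAO("!XL",uicnum)
$ uictext = F$FAO("[!OW,!OW]",group,member)
$! Condition 1: no other username shares this UIC
$ IF F$TYPE(seen_'tag') .EQS. "" THEN GOTO first_use
$ prior = seen_'tag'
$ WRITE SYS$OUTPUT "DUPLICATE ''uictext' ''username' shares UIC with ''prior'"
$ problems = problems + 1
$ GOTO check_id
$first_use:
$ seen_'tag' = username
$check_id:
$! Condition 2: a UIC identifier exists; condition 3: its text matches
$ idname = F$IDENTIFIER(uicnum,"NUMBER_TO_NAME")
$ IF idname .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "NO_IDENT  ''uictext' ''username' has no UIC identifier"
$   problems = problems + 1
$ ELSE
$   IF idname .NES. username
$   THEN
$     WRITE SYS$OUTPUT "MISMATCH  ''uictext' ''username' identifier is ''idname'"
$     problems = problems + 1
$   ENDIF
$ ENDIF
$ GOTO next
$done:
$ CLOSE uaf_file
$ WRITE SYS$OUTPUT "''problems' finding(s); F$IDENTIFIER mapping is safe only at 0"
$ EXIT
$no_open:
$ WRITE SYS$OUTPUT "Cannot open ''uaf'"
$ EXIT
```

For any UIC flagged here, the usernames have to come from SYSUAF itself rather than from the identifier text.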