System_services to remove a VMS account

 
Toine_1
Regular Advisor

System_services to remove a VMS account

Hi,

I want to write a Fortran program that deletes VMS accounts that are disabled and not used for 180 days.

Is there a system service that can be used?
$REM_ACCOUNT ???

/Toine
Richard J Maher
Trusted Contributor

Re: System_services to remove a VMS account

Hi Toine,

Just open it as any other RMS file (making sure to specify "allowing all", however that is achieved in Fortran) and then just use an RMS Fortran "delete" verb after verifying it is the username you desire.

Don't lock the record, as I don't think any other utilities are prepared for a record-lock on a UAF record. Don't worry, there's no locking between $getuai and $setuai either.

Who's gonna run it? Try $install/priv=noall if you only want /sys/exec logical name use.

Cheers Richard Maher

PS> There is a school of thought that usernames should never be deleted. Prevent the re-use of UICs etc.
Hoff
Honored Contributor
Solution

Re: System_services to remove a VMS account

No such system service exists.

The supported path to this end state is via AUTHORIZE commands. Ugly, yes, but functional.

Traversing the SYSUAF database (wildcard) is available only via RMS calls. And if you're so inclined, yes, you can delete the entry directly out of SYSUAF the same way.

The usual path for aging usernames is to disable the username entry, as deleting the username disconnects the context and ownerships on existing objects. (This can lead to collisions, if entries with matching UICs are added later.) Or you can disable the user in the LDAP databases or such, if you're using external authentication. Or to use account expiration, and move it forward.

I have some user management tools and topics available:

http://labs.hoffmanlabs.com/node/1260
http://labs.hoffmanlabs.com/node/856

Not written in Fortran, though. And no deletions.
Steve Reece_3
Trusted Contributor

Re: System_services to remove a VMS account

There isn't a system service that I'm aware of, though you could write a DCL script in your Fortran code and then use SNDJBC to submit the job to a queue.
Agree on the idea of not reusing accounts due to the risks of reusing UICs and thereby assigning ownership to existing objects. That, of course, depends on what your system model is since it could be that all of the users or groups of users share UICs anyway.

Steve
Robert Gezelter
Honored Contributor

Re: System_services to remove a VMS account

Toine,

Strange. ITRC seems to have not caught my earlier post.

I recommend extreme caution. There are several issues here, some of which Hoff has mentioned in his earlier post.

First, "disabled and not used for 180 days" is a true statement for an account that is disabled after 180 days the moment it is disabled. Unless there is an unmentioned part of the protocol, this means that a dormant account will be automatically deleted at 180 days.

Second, safely deleting something is more than merely deleting the account. One should ensure that the UIC is not available for re-use, to avoid inadvertently granting access to resources based on stale access control elements. Additionally, what happens to the files directly in that directory tree? What are their preservation requirements?

What about accounts that are only used at certain times of year (e.g., year end) and may be disabled in the interim to avoid accidents? One must carefully walk through all of the possibilities.

If I were faced with this request, I would make sure that I had some written documentation of the implications, and a signature from management taking responsibility for this implementation.

If I were implementing something, I would integrate into a report/auditing mechanism that did a SHOW/FULL of the UAF entry, and archived the account profile and the directory contents to an archive medium. I would automatically invoke AUTHORIZE from a DCL script (as I have done many times) or using SPAWN.

If this is a financial or other organization subject to compliance issues, I would check with BOTH Human Resources and Compliance as to their other requirements.

- Bob Gezelter, http://www.rlgsc.com
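The selection problem raised in the reply above (an idle account satisfies "disabled and not used for 180 days" on the very day it is disabled, and UICs of removed accounts must not come back into use), sketched as an added example that is not code from any poster in this thread. The record layout, the `disabled_on` date (assumed to come from your own change log), the 90-day grace period and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_DAYS = 180  # threshold named in the thread
GRACE_DAYS = 90      # assumption: minimum time spent disabled before review

@dataclass
class Account:
    username: str
    uic: str                     # e.g. "[200,14]"
    disabled: bool               # DISUSER flag
    last_login: Optional[date]   # None: no login recorded
    disabled_on: Optional[date]  # assumption: kept in your own change log

def classify(a: Account, today: date) -> str:
    """Return 'keep', 'disable', 'hold' or 'review'. Never returns 'delete'."""
    if a.last_login is None:
        return "review"                      # no data: a human decides
    if (today - a.last_login).days < INACTIVE_DAYS:
        return "keep"
    if not a.disabled:
        return "disable"
    # "Disabled and idle for 180 days" is already true on the day an idle
    # account is disabled, so the time spent disabled is measured separately.
    if a.disabled_on is None or (today - a.disabled_on).days < GRACE_DAYS:
        return "hold"
    return "review"                          # archive profile and files, get sign-off

def reused_uics(accounts, retired_uics):
    """Usernames whose UIC matches one that belonged to a removed account."""
    return sorted(a.username for a in accounts if a.uic in retired_uics)

# Constructed sample data, not taken from a real SYSUAF.
TODAY = date(2010, 6, 1)
SAMPLE = [
    Account("ALPHA", "[200,1]", False, date(2010, 5, 20), None),
    Account("BRAVO", "[200,2]", False, date(2009, 10, 1), None),
    Account("CHARLIE", "[200,3]", True, date(2009, 10, 1), date(2010, 5, 25)),
    Account("DELTA", "[200,4]", True, date(2009, 1, 15), date(2009, 12, 1)),
    Account("ECHO", "[300,7]", False, None, None),
]
RETIRED_UICS = {"[300,7]"}  # constructed: UICs of accounts removed in the past

def report(accounts=SAMPLE, today=TODAY):
    return {a.username: classify(a, today) for a in accounts}

if __name__ == "__main__":
    print(report())
    print("UIC reuse:", reused_uics(SAMPLE, RETIRED_UICS))
```

The "review" outcome is where the archive-and-sign-off steps from the reply would happen; the sketch itself only reports.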
Toine_1
Regular Advisor

Re: System_services to remove a VMS account

Thank you Richard, Hoff, Steve and Bob,

I made this program because we had an external audit and the result was that we had some users that had not logged on for 180 days. We got a remark that these users should be deleted when they are not used.

But it is good that you all replied with excellent answers.

I will use $SETUAI system service to disable accounts.

I will not delete users for the moment.

P.S.
Your tips for OpenVMS usernames are well documented, Hoff.

/Toine