Operating System - OpenVMS

Re: how to find the users who have high privilege

 
Davor_7
Regular Advisor

how to find the users who have high privilege

For example, there are 100 users; some are OPER, some are SYSTEM, and some are others...
Some are in the same UIC group and some are in different ones.

I want to display all users who only have the OPER privilege. How can I handle this?
Bojan Nemec
Honored Contributor

Re: how to find the users who have high privilege

Davor,

I don't know any elegant solution. The fastest is to do:

$ run authorize
UAF> list/full
UAF> exit
$ edit sysuaf.lis

and use the editor to find OPER.
The second is:

UAF> show * /page/search=OPER

And scroll through the whole listing. Lines with the OPER string are highlighted.

The first solution is faster and more practical to use.

Bojan
Uwe Zessin
Honored Contributor

Re: how to find the users who have high privilege

Most likely there are some utilities out there, but it can be done with a little manual work, too. For example:

AUTHORIZE> list/full

$ search SYSUAF.LIS "username:","oper"

It will find all usernames and below each username you will see if there is any string "OPER". I admit that is rather primitive, but sometimes it is not possible to find a tool or install it on a system and I believe that's better than going over the full list.


For UIC groups you can try this:
AUTHORIZE> show /brief [123,*]
.
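An added example, not part of the original posts: a Python sketch that audits a LIST/FULL listing by matching whole privilege names inside the privilege blocks, so "OPER" inside a username or owner field does not count, and that also answers the "only OPER" part of the question. The sample listing is constructed and shortened; its layout and the BASELINE set are assumptions to check against your own SYSUAF.LIS.

```python
import re

# Constructed, shortened sample in the layout assumed for LIST/FULL output.
SAMPLE_LISTING = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Authorized Privileges:
  CMKRNL       NETMBX       OPER         SYSPRV       TMPMBX
Default Privileges:
  CMKRNL       NETMBX       OPER         SYSPRV       TMPMBX

Username: OPERATOR1                        Owner:  NIGHT SHIFT
Authorized Privileges:
  NETMBX       OPER         TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: COOPER                           Owner:  A COOPER
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
"""

BASELINE = {"NETMBX", "TMPMBX"}  # assumed privileges of an ordinary user

def parse_listing(text):
    """Return {username: {"authorized": set, "default": set}}."""
    users, user, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Username:\s+(\S+)", line)
        if m:
            user, section = m.group(1), None
            users[user] = {"authorized": set(), "default": set()}
        elif line.startswith("Authorized Privileges:"):
            section = "authorized"
        elif line.startswith("Default Privileges:"):
            section = "default"
        elif user and section and line.startswith(" ") and line.strip():
            users[user][section].update(line.split())  # indented privilege row
        else:
            section = None  # any other line ends the privilege block
    return users

def with_priv(users, priv="OPER"):
    """Users whose authorized privileges include priv."""
    return sorted(u for u, p in users.items() if priv in p["authorized"])

def only_priv(users, priv="OPER"):
    """Users whose only authorized privilege beyond BASELINE is priv."""
    return sorted(u for u, p in users.items() if p["authorized"] - BASELINE == {priv})
```
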
Uwe Zessin
Honored Contributor

Re: how to find the users who have high privilege

Hm, of course the prompt is "UAF>".
I should have used a larger cup of coffee this morning...
.
Karl Rohwedder
Honored Contributor

Re: how to find the users who have high privilege

I use a little utility SCANUAF for these things:

SAP01_Rohwedder. scanuaf
SCANUAF> priv=oper

===========
Node: LOCAL
===========
Username: xxxxxxxx
Username: xxxxxxxx
Username: DIA$MANAGER
Username: ROHWEDDER
Username: SYSTEM
Username: VET$SERVER
--------------------------------
Records: 132 Matches: 6
--------------------------------

You should find SCANUAF on Hunter Goatley's
fileserv.

regards Kalle
Joseph Huber_1
Honored Contributor

Re: how to find the users who have high privilege

Just to see if somebody has elevated privileges, do
authorize show */brief
and look in the privs column.
You see there normal, devour, system, all.
OPER in the priv list raises to SYSTEM.
For a single user, there is the freeware utility GETUAI (I think in the process.com archive), which lets you get the privilege list like
GETUAI user /priv=privsym/defpriv=defsym
into DCL symbols.
To get a list of all users, create a userlist using AUTHORIZE/LIST/BRIEF * , and loop over the list with GETUAI.
http://www.mpp.mpg.de/~huber
Davor_7
Regular Advisor

Re: how to find the users who have high privilege

Hi Kalle

Could you give me the address for "Hunter Goatley's file server"?

Or could you send this tool to me?
Karl Rohwedder
Honored Contributor
Solution

Re: how to find the users who have high privilege

It's here:
http://vms.process.com/scripts/fileserv/fileserv.com?SCANUAF


Since the original version is quite, I have added some new flags. I attach my version to this reply. It is written in FORTRAN.

regards Kalle
Davor_7
Regular Advisor

Re: how to find the users who have high privilege

Thanks Kalle

but I do not know how to use it~
I'm a new system manager, I don't even know how to install software on VMS :p
Karl Rohwedder
Honored Contributor

Re: how to find the users who have high privilege

Davor,

I just noticed that the version is rather old (2000) and misses some of the new flags, so I just added them (PDMIX, VMSAUTH e.g.) and created a new version (see attached).

There is a user guide and release notes available, as well as a HELP module for a help library.

You must create a nodelist (template in kit), which tells SCANUAF where to find the SYSUAF files for different nodes (yes: scanuaf works network wide).

Besides addition to new flags, I moved the nodeslist and helpfile to a specific directory (CNC_MANAGER), but you can either define a logical name or change the source accordingly.

regards Kalle