Operating System - OpenVMS

Re: secondary group for the user

 
Ian Miller.
Honored Contributor

Re: secondary group for the user

The problem is with the identifier LOGIN.

What is the result of
UAF> SHOW/ID/FULL LOGIN
____________________
Purely Personal Opinion
Jon Pinkley
Honored Contributor

Re: secondary group for the user

Amit,

As Martin and Ian have hinted, the most likely problem is that LOGIN is an identifier associated with a UIC, and not a general identifier.

In the following, COOKER is a UIC identifier, which normally corresponds to a USERNAME. The value shows up as [grp,mem]. UIC identifiers can't be granted. DEVELOPER is a general identifier, and it can be granted to a UIC. They will have a Value displayed in Hex starting with %.

$ uaf s /id cooker
Name Value Attributes
COOKER [000043,100443]
$ uaf s /id developer
Name Value Attributes
DEVELOPER %X800100AC RESOURCE
$

>>>UAF> grant/identifier LOGIN aphadnis
>>>%UAF-W-NOTIDFMT, ID name parameter does not translate to ID format
>>>UAF>
>>>
>>>Now how to translate to ID Format. 'aphadnis' is the id-name.

Is LOGIN the identifier you are going to enable when logins are allowed? If so, it must be a general identifier.

Do you know how the LOGIN identifier was created? If it was created when a user LOGIN was added, then you will need to choose a different ID name.

To create a new general identifier, use a command like

$ mcr authorize add/id LOGINOK

Authorize will choose the "next" available number and associate it with the identifier name specified (LOGINOK).

Then you would grant LOGINOK to a UIC using either form, i.e. either

UAF> grant/identifier LOGINOK [600,5]

or

UAF> grant/identifier LOGINOK aphadnis

I just looked at the help in Authorize for add/identifier, and there isn't an example showing the simple case.

My guess is that you followed the example given for INVENTORY, which was a UIC. If that is the case, and there is nothing using that identifier, you can delete the identifier and then add it. If you did not create the LOGIN identifier using a command like UAF> add /id LOGIN /value=[2,4], then do not delete it! I am not giving the commands that are used to delete it, because I want you to be sure that is what you want to do before you do it.

Good luck,

Jon
it depends
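
The UIC versus general identifier distinction described in the post above, as an added example that is not part of the original thread: a small Python parser that reads a captured SHOW/IDENTIFIER listing and reports which names are UIC identifiers and therefore cannot be granted. The sample listing is constructed (the LOGIN row is an assumed value), and the function names are hypothetical.

```python
import re

# Constructed listing in the layout of the SHOW/IDENTIFIER output quoted above;
# the LOGIN row is an assumed value, not taken from the poster's system.
SAMPLE = """\
Name Value Attributes
COOKER [000043,100443]
DEVELOPER %X800100AC RESOURCE
LOGIN [000002,000004]
"""

UIC_RE = re.compile(r"^\[([0-7]{1,6}),([0-7]{1,6})\]$")
HEX_RE = re.compile(r"^%X([0-9A-Fa-f]{1,8})$")
GENERAL_BIT = 0x80000000  # bit 31 is set in general identifier values


def parse_identifier(line):
    """Parse one listing row; return None for the header or anything unparseable."""
    fields = line.split()
    if len(fields) < 2:
        return None
    name, value, attrs = fields[0], fields[1], fields[2:]
    uic = UIC_RE.match(value)
    if uic:
        # UIC format is octal [group,member]: group in the high word, member in the low.
        binary = (int(uic.group(1), 8) << 16) | int(uic.group(2), 8)
        kind = "uic"
    else:
        hexval = HEX_RE.match(value)
        if not hexval:
            return None
        binary = int(hexval.group(1), 16)
        kind = "general" if binary & GENERAL_BIT else "uic"
    return {"name": name, "kind": kind, "value": binary,
            "attributes": attrs, "grantable": kind == "general"}


def ungrantable(listing):
    """Names in a listing that are UIC identifiers and so cannot be granted."""
    rows = (parse_identifier(line) for line in listing.splitlines())
    return [r["name"] for r in rows if r and not r["grantable"]]


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        row = parse_identifier(line)
        if row:
            print(f"{row['name']:<12} {row['kind']:<8} %X{row['value']:08X}")
```
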
Jon Pinkley
Honored Contributor

Re: secondary group for the user

Amit,

My last paragraph had the incorrect syntax for adding a uic valued identifier.

The correct syntax would have /value=uic:[2,4]

My point is, always check the help/documentation before blindly following any advice you get here, because we're humans too.

Cheers,

Jon
it depends
Jan van den Ende
Honored Contributor

Re: secondary group for the user

@Jon

a few answers back you asked

>>>
Do you have this identifier check in the application (or a sharable image they link against)? Do you use the identifier in any ACLs?
<<<

We do this alphanumeric check first thing in the (attempted) application startup.
And yes, ALL files belonging to an applic are so protected.
It is even taken one step further: all these _ACCESS identifiers are created with /ATTRIB=DYNAMIC.
In SYS$SYLOGIN any xxx_ACCESS idents are DISABLED (that is why DYNAMIC) upon NETWORK login to prevent access to them without the application logic.
(Of course, specific files that should be NETWORK accessible are NOT subject to such refusal).

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.