- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: secondary group for the user
Operating System - OpenVMS
1753943
Members
9084
Online
108811
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-21-2007 09:21 PM
тАО03-21-2007 09:21 PM
Re: secondary group for the user
the problem is with the identifier
LOGIN
What is the result of
UAF> SHOW/ID/FULL LOGIN
LOGIN
What is the result of
UAF> SHOW/ID/FULL LOGIN
____________________
Purely Personal Opinion
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-22-2007 05:59 AM
тАО03-22-2007 05:59 AM
Re: secondary group for the user
Amit,
As Martin and Ian have hinted, the most likely problem is that LOGIN is an identifier associated with a UIC, and not a general identifier.
In the following, COOKER is a UIC identifer, which normally coorespond to a USERNAME. The value shows up as [grp,mem]. UIC identifiers can't be granted. DEVELOPER is a general identifier, and it can be granted to a UIC. They will have a Value displayed in Hex starting with %
$ uaf s /id cookev
Name Value Attributes
COOKER [000043,100443]
$ uaf s /id developer
Name Value Attributes
DEVELOPER %X800100AC RESOURCE
$
>>>UAF> grant/identifier LOGIN aphadnis
>>>%UAF-W-NOTIDFMT, ID name parameter does not translate to ID format
>>>UAF>
>>>
>>>Now how to translate to ID Format. 'aphadnis' is the id-name.
Is LOGIN the identifier you are going to enable when logins are allowed? If so, it must be a general identifier.
Do you know how the LOGIN identifier was created? If it was created when a user LOGIN was added, then you will need to choose a different ID name.
To create a new general identifier, use a command like command
$ mcr authorize add/id LOGINOK
Authorize will choose the "next" available number and associate it with the identifier name specified (LOGINOK).
Then you would grant LOGINOK to a UIC using either form, i.e. either
UAF> grant/identifier LOGINOK [600,5]
or
UAF> grant/identifier LOGINOK aphadnis
I just looked at the help in Authorize for add/identifier, and there isn't an example showing the simple case.
My guess is that you followed the example given for INVENTORY, which was a UIC. If that is the case, and there is nothing using that identifier, you can delete the identifier and the add it. If you did not create the LOGIN identifier using a command like UAF> add /id LOGIN /value=[2,4], then do not delete it! I am not giving the commands that are used to delete it, because I want you to be sure that is what you want to do before you do it.
Good luck,
Jon
As Martin and Ian have hinted, the most likely problem is that LOGIN is an identifier associated with a UIC, and not a general identifier.
In the following, COOKER is a UIC identifer, which normally coorespond to a USERNAME. The value shows up as [grp,mem]. UIC identifiers can't be granted. DEVELOPER is a general identifier, and it can be granted to a UIC. They will have a Value displayed in Hex starting with %
$ uaf s /id cookev
Name Value Attributes
COOKER [000043,100443]
$ uaf s /id developer
Name Value Attributes
DEVELOPER %X800100AC RESOURCE
$
>>>UAF> grant/identifier LOGIN aphadnis
>>>%UAF-W-NOTIDFMT, ID name parameter does not translate to ID format
>>>UAF>
>>>
>>>Now how to translate to ID Format. 'aphadnis' is the id-name.
Is LOGIN the identifier you are going to enable when logins are allowed? If so, it must be a general identifier.
Do you know how the LOGIN identifier was created? If it was created when a user LOGIN was added, then you will need to choose a different ID name.
To create a new general identifier, use a command like command
$ mcr authorize add/id LOGINOK
Authorize will choose the "next" available number and associate it with the identifier name specified (LOGINOK).
Then you would grant LOGINOK to a UIC using either form, i.e. either
UAF> grant/identifier LOGINOK [600,5]
or
UAF> grant/identifier LOGINOK aphadnis
I just looked at the help in Authorize for add/identifier, and there isn't an example showing the simple case.
My guess is that you followed the example given for INVENTORY, which was a UIC. If that is the case, and there is nothing using that identifier, you can delete the identifier and the add it. If you did not create the LOGIN identifier using a command like UAF> add /id LOGIN /value=[2,4], then do not delete it! I am not giving the commands that are used to delete it, because I want you to be sure that is what you want to do before you do it.
Good luck,
Jon
it depends
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-22-2007 06:13 AM
тАО03-22-2007 06:13 AM
Re: secondary group for the user
Amit,
My last paragraph had the incorrect syntax for adding a uic valued identifier.
The correct syntax would have /value=uic:[2,4]
My point is, always check the help/documentation before blindly following any advice you get here, because we're humans too.
Cheers,
Jon
My last paragraph had the incorrect syntax for adding a uic valued identifier.
The correct syntax would have /value=uic:[2,4]
My point is, always check the help/documentation before blindly following any advice you get here, because we're humans too.
Cheers,
Jon
it depends
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-22-2007 06:44 AM
тАО03-22-2007 06:44 AM
Re: secondary group for the user
@Jon
a few answers back you asked
>>>
Do you have this identifier check in the application (or a sharable image they link agaist)? Do you use the identifier in any ACLs?
<<<
We do this alphanumeric check first thing in the (attempted) application startup.
And yes, ALL files belonging to an applic are so protected.
It is even taken one step further: all these_ACCESS identifiers are created with /ATTRIB=DYNAMIC.
In SYS$SYLOGIN any xxx_ACCESS idents are DISABLED (ttat is why DYNAMIC) upon NETWORK login to prevent access to them without the application logic.
(Of course, specific files that should be NETWORK accessible are NOT subject to such refusal).
hth
Proost.
Have one on me.
jpe
a few answers back you asked
>>>
Do you have this identifier check in the application (or a sharable image they link agaist)? Do you use the identifier in any ACLs?
<<<
We do this alphanumeric check first thing in the (attempted) application startup.
And yes, ALL files belonging to an applic are so protected.
It is even taken one step further: all these
In SYS$SYLOGIN any xxx_ACCESS idents are DISABLED (ttat is why DYNAMIC) upon NETWORK login to prevent access to them without the application logic.
(Of course, specific files that should be NETWORK accessible are NOT subject to such refusal).
hth
Proost.
Have one on me.
jpe
Don't rust yours pelled jacker to fine doll missed aches.
- « Previous
- Next »
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP