Operating System - OpenVMS
Re: about the privilege for AUTHORIZE

 
Davor_7
Regular Advisor

about the privilege for AUTHORIZE

folks

One account needs access to the UAF via MC AUTHORIZE, but I don't want to give it more system privileges.

Is there any privilege in that category for this request?
Karl Rohwedder
Honored Contributor

Re: about the privilege for AUTHORIZE

There are good reasons for the fact that the SYSUAF... files are protected against access by 'normal' users.

What are you trying to accomplish?

regards Kalle
Davor_7
Regular Advisor

Re: about the privilege for AUTHORIZE

My aim is to let the guy have enough privilege to show the user profile, and also to prevent him from doing some harmful command such as shutdown :)
Martin Vorlaender
Honored Contributor

Re: about the privilege for AUTHORIZE

The privilege needed for access to SYSUAF is SYSPRV - but that also grants access to all other files to the user.

The best way would probably be to add an ACL on SYSUAF.DAT that allows the user to read it.

cu,
Martin
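Martin's ACL approach, written out as an added DCL example (not a command sequence from the thread); the identifier name UAF_READER and the username DAVOR are assumptions:

```dcl
$! Added example: give one account read access to SYSUAF through an ACL
$! instead of SYSPRV. Identifier name and username are assumptions.
$!
$! 1. Create a rights identifier and grant it to the account (from a
$!    privileged account; the identifier takes effect at the user's next login).
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD/IDENTIFIER UAF_READER
UAF> GRANT/IDENTIFIER UAF_READER DAVOR
UAF> EXIT
$!
$! 2. Add an ACE so holders of the identifier get READ on the file.
$!    The file's protection mask for everyone else is left unchanged.
$!    If SYSUAF is redirected via the SYSUAF logical name, apply this to
$!    the file that logical translates to.
$ SET SECURITY/ACL=(IDENTIFIER=UAF_READER,ACCESS=READ) SYS$SYSTEM:SYSUAF.DAT
$!
$! 3. Verify the ACE and the protection mask together.
$ SHOW SECURITY SYS$SYSTEM:SYSUAF.DAT
$!
$! 4. To revoke it again, delete exactly that ACE.
$ SET SECURITY/ACL=(IDENTIFIER=UAF_READER,ACCESS=READ)/DELETE SYS$SYSTEM:SYSUAF.DAT
```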
Jeroen Hartgers_3
Frequent Advisor

Re: about the privilege for AUTHORIZE

This is always difficult. If you can display the SYSUAF you can also change the SYSUAF (priv: OPER and SECURITY).

Another option is to make a special account for this work, where everything is done through a menu and the account has the CAPTIVE flag. This way they can never work on the prompt.
Davor_7
Regular Advisor

Re: about the privilege for AUTHORIZE

Thanks, men~ I know it.

Another question: where can I check the history password retention value?
UAF>help default
Just the /pwdlifetime, /pwdminimum, /pwdexpired qualifiers are in it.
I want to check and modify the value defined before. How can I do it?

I'm a new manager, excuse me :)
Karl Rohwedder
Honored Contributor

Re: about the privilege for AUTHORIZE

The password history lifetime and limit are controlled by the logical names:

System Logical Name              Default  Min  Max    Units
SYS$PASSWORD_HISTORY_LIFETIME    365      1    28000  Days
SYS$PASSWORD_HISTORY_LIMIT       60       1    2000   Absolute count

See the 'Guide to Security'.

regards kalle
Martin Vorlaender
Honored Contributor

Re: about the privilege for AUTHORIZE

>>>
another question: where can i check the history password retention value?
<<<

AFAIK, there's no such thing. The last 60 passwords are recorded, you can only enable or disable the check upon entering of a new password (see UAF flag DISPWDHIS).

cu,
Martin
Davor_7
Regular Advisor

Re: about the privilege for AUTHORIZE

Martin

You mean that we can just enable/disable the password history function, but cannot define for the system how many passwords should be recorded?
Antoniov.
Honored Contributor

Re: about the privilege for AUTHORIZE

Davor,
welcome to the VMS forum :-)

I'm with Davor. For my users, I create a special user with a menu and Ctrl/Y disabled. They can see SYSUAF but they cannot modify anything.

About DEFAULT, you can dig into the help and read the examples:
UAF>HELP DEFAULT EXAMPLE

DEFAULT

example

UAF>DEFAULT -
/DEVICE=SYS$USER-
/LGICMD=SYS$MANAGER:SECURELGN -
/PRIVILEGES=(TMPMBX,GRPNAM,GROUP)
%UAF-I-MDFYMSG, user record(s) updated

The command in this example modifies the DEFAULT record,
changing the default device, default login command file, and default privileges.

Antonio Vigliotti
Antonio Maria Vigliotti
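The captive menu account that Jeroen and Antonio describe, as an added DCL example (not code from either of them); the account name UAFVIEW, its UIC and the procedure name SYS$MANAGER:UAFVIEW_MENU.COM are assumptions:

```dcl
$! Added example, not from the thread: a captive login command procedure
$! that only offers read-only AUTHORIZE queries. The account name UAFVIEW,
$! its UIC and the file name SYS$MANAGER:UAFVIEW_MENU.COM are assumptions.
$!
$! Created once, from a privileged account. The account carries the
$! privilege AUTHORIZE needs; the CAPTIVE flag plus this menu are what
$! keep the holder away from a DCL prompt:
$!   UAF> ADD UAFVIEW /PASSWORD=<set-one> /UIC=[<grp>,<mem>] -
$!        /FLAGS=(CAPTIVE,DISCTLY) /LGICMD=SYS$MANAGER:UAFVIEW_MENU -
$!        /PRIVILEGES=(TMPMBX,NETMBX,SYSPRV) /NOBATCH/NONETWORK
$!
$! SYS$MANAGER:UAFVIEW_MENU.COM
$ SET NOCONTROL=Y              ! no Ctrl/Y escape to the prompt
$ SET NOON                     ! an error must not drop out of the menu
$MENU:
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "  1  Show one user's UAF record"
$ WRITE SYS$OUTPUT "  2  Show the DEFAULT record"
$ WRITE SYS$OUTPUT "  Q  Log out"
$ READ/PROMPT="Choice: "/END_OF_FILE=DONE SYS$COMMAND CHOICE
$ CHOICE = F$EDIT(CHOICE,"TRIM,UPCASE")
$ IF CHOICE .EQS. "Q" THEN GOTO DONE
$ IF CHOICE .EQS. "2" THEN GOTO SHOWDEF
$ IF CHOICE .NES. "1" THEN GOTO MENU
$ READ/PROMPT="Username: "/END_OF_FILE=DONE SYS$COMMAND USER
$ USER = F$EDIT(USER,"TRIM,UPCASE")
$! Accept only characters legal in a username, so the value substituted
$! into the SHOW line cannot carry qualifiers or wildcards.
$ IF USER .EQS. "" .OR. F$LENGTH(USER) .GT. 12 THEN GOTO MENU
$ I = 0
$CHK:
$ IF I .GE. F$LENGTH(USER) THEN GOTO SHOWUSER
$ IF F$LOCATE(F$EXTRACT(I,1,USER),"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_") .EQ. 38 THEN GOTO MENU
$ I = I + 1
$ GOTO CHK
$SHOWUSER:
$ MCR AUTHORIZE SHOW 'USER'
$ GOTO MENU
$SHOWDEF:
$ MCR AUTHORIZE SHOW DEFAULT
$ GOTO MENU
$DONE:
$ LOGOUT/BRIEF
```

Reading from SYS$COMMAND rather than SYS$INPUT is deliberate: in a login procedure SYS$INPUT is the procedure file itself, and /END_OF_FILE sends a Ctrl/Z straight to the logout.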
Karl Rohwedder
Honored Contributor
Solution

Re: about the privilege for AUTHORIZE

Davor,

Please see my last message; those limits can be modified with the mentioned logical names.

The lifetime specifies how long passwords are stored in the history file; the limit defines the number of different passwords a user can use. If he needs more passwords, he will be switched to generated passwords.
That means, if you prolong the lifetime, you must also increase the limit. But this is all described in better words in the 'Guide to System Security':
http://h71000.www7.hp.com/doc/732FINAL/aa-rscub-te/aa-rscub-te.HTMl

regards Kalle
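The two logical names from Kalle's table, as an added SYS$MANAGER:SYLOGICALS.COM fragment (not from the thread); the values 730 and 120 are assumptions chosen so the limit grows with the lifetime:

```dcl
$! Added example, not from the thread: define both history logicals
$! together in SYS$MANAGER:SYLOGICALS.COM so they survive a reboot.
$! The values (2 years, 120 passwords) are assumptions; pick your own pair.
$!
$! Days that old passwords stay in the history file (default 365) ...
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIFETIME 730
$! ... and how many distinct passwords a user may go through in that
$! window (default 60). Raising the lifetime without raising the limit
$! pushes users onto generated passwords sooner, as Kalle describes.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIMIT 120
$!
$! Check what is currently in effect; no output means the defaults apply.
$ SHOW LOGICAL/SYSTEM SYS$PASSWORD_HISTORY_*
```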
Karl Rohwedder
Honored Contributor

Re: about the privilege for AUTHORIZE

Sorry, I clicked the wrong link; the 'Guide to System Security' can be found at:
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl

regards Kalle
Martin Vorlaender
Honored Contributor

Re: about the privilege for AUTHORIZE

I stand corrected. Kalle is right (of course ;-).

cu,
Martin
Davor_7
Regular Advisor

Re: about the privilege for AUTHORIZE

thanks all !!

maybe i have a long way to go :)
need your help in the future ^_-
Martin Vorlaender
Honored Contributor

Re: about the privilege for AUTHORIZE

Davor,

if the answers satisfied your needs, you can show your appreciation of this free support by assigning points.

cu,
Martin
Robert_Boyd
Respected Contributor

Re: about the privilege for AUTHORIZE

Davor,

I think you'll want to check out the GETUAI utility (Freeware).

The reason I say that is this:
the documentation for the SYS$GETUAI service says that a user always has the right to call this service to get information about their own username.

Robert

Here is an excerpt:

Description

The Get User Authorization Information service returns authorization information about a specified user.

The contxt value returned by $GETUAI should never be used as a value to the $SETUAI system service.

You examine for a valid login by checking the bits of UAI$V_PWD_EXPIRED and UAI$V_DISUSER, and by doing a comparison of the UAI$_PWD_DATE item code against the UAI$_PWD_LIFETIME item code.

The UAI$V_PWD_EXPIRED bit is only set by the system when the bit UAI$V_DISFORCE_PWD_CHANGE is set in the user's SYSUAF record and the comparison between the UAI$_PWD_DATE and UAI$_PWD_LIFETIME indicates a password is past its valid life.

During a normal login when the UAI$V_DISFORCE_PWD_CHANGE bit is not set, the system compares UAI$_PWD_DATE against UAI$_PWD_LIFETIME and, if expired, forces the user to change the password. With this configuration, the UAI$V_PWD_EXPIRED bit is not set.

During a normal login when the UAI$V_DISFORCE_PWD_CHANGE bit is set, the system compares UAI$_PWD_DATE against UAI$_PWD_LIFETIME and, if expired, sets the UAI$V_PWD_EXPIRED bit and notifies the user to change the now-expired password. In this case, the user is not forced to change the password.

Required Access or Privileges

Use the following list to determine the privileges required to use the $GETUAI service:

* BYPASS or SYSPRV---Allows access to any record in the user authorization file (UAF).
* GRPPRV---Allows access to any record in the UAF whose UIC group matches that of the requester.
* No privilege---Allows access to any UAF record whose UIC matches that of the requester.
You need read access to the UAF to look up any information other than your own.

Required Quota

None

Related Services

$SETUAI
Master you were right about 1 thing -- the negotiations were SHORT!