Valid in the AC environment
Use the commands chusr, chxusr, editusr, editxusr, newusr, and newxusr to change the properties of users, and to define the user records in the CA ControlMinder database if necessary.
These commands all have synonyms, as follows:
This means, for example, that the command cu is identical to the command chusr.
All these commands are identical in structure, and vary only in their scope. Use these commands as follows:
Note: These commands also exist in the native environment but operate differently there.
The USER and XUSER class records are identical for all properties, except that where properties are defined in the enterprise user stores, the XUSER records do not redefine them.
When you execute these commands, the changes that you make modify the user record immediately, even if the user is currently logged in to the system.
Authorization Required
To create a CA ControlMinder user, at least one of the following conditions must be true:
To add or modify a user, at least one of the following conditions must be true:
{chusr|cu} | {chxusr|cxu} | {editusr|eu} | {editxusr|exu} | {newusr|nu} | {newxusr|nxu} \
{userName | (userName [,userName...])} \
[{admin | admin-}] \
[audit({none | all | [success] [failure] [loginsuccess] [loginfail] [trace] [interactive]})] \
[{auditor | auditor-}] \
[{category(categoryName) | category-(categoryName)}] \
[{comment(string) | comment-}] \
[country(string)] \
[email(emailAddress)] \
[enable] \
[epwasown(password)] \
[{expire[(date)] | expire-}] \
[fullname(fullName)] \
[gowner(groupName)] \
[{grace(nLogins) | grace-}] \
[{ign_hol | ign_hol-}] \
[{inactive(nDays) | inactive-}] \
[{interval(nDays) | interval-}] \
[{label(labelName) | label-}] \
[{level(number) | level-}] \
[location(string)] \
[{logical | logical-}] \
[{maxlogins(nLogins) | maxlogins-}] \
[{min_life(nDays) | min_life-}] \
[{notify(mailAddress) | notify-}] \
[{operator | operator-}] \
[organization(string)] \
[org_unit(string)] \
[owner({userName | groupName})] \
[password(string)] \
[phone(string)] \
[{pmdb(pmdbName) | pmdb-}] \
[{profile(groupName) | profile-}] \
[pwasown(string)] \
[{pwmanager | pwmanager-}] \
[regular] \
[{restrictions( \
    [days({anyday | weekdays | [mon] [tue] [wed] [thu] [fri] [sat] [sun]})] \
    [time({anytime | startTime:endTime})] ) | restrictions-}] \
[{resume[(date)] | resume-}] \
[{server | server-}] \
[{suspend[(date)] | suspend-}] \
[nt | nt( \
    [admin | admin-] \
    [comment('comment') | comment-] \
    [country('country-name')] \
    [expire | expire(mm/dd/yy[@hh:mm]) | expire-] \
    [flags({account-flags | -account-flags})] \
    [homedir(any-string)] \
    [homedrive(home-drive)] \
    [location(any-string)] \
    [logonserver(server-name)] \
    [name(full_name)] \
    [organization(name)] \
    [org_unit(name)] \
    [password(user's temporary password)] \
    [pgroup(primary-group)] \
    [phone(any-string)] \
    [privileges(privilege-list)] \
    [restrictions(days(day-data) time({hhmm:hhmm | anytime}))] \
    [script(logon-script-path)] \
    [workstations(workstations-list)] )] \
[unix({ \
    [gecos(string)] \
    [homedir(path)] \
    [pgroup(groupName)] \
    [shellprog(fileName)] \
    [userid(number)] })]
Assigns the ADMIN attribute to the user. A user with the ADMIN attribute is allowed to issue all selang commands with all parameters except the audit parameter. You must have the ADMIN attribute to use the admin parameter.
Removes the ADMIN attribute from the user. (CA ControlMinder verifies that at least one user has the ADMIN attribute.)
You cannot use this parameter with the new[x]usr command.
Specifies which user activities on resources protected by CA ControlMinder are logged to the audit log. To specify more than one event type, separate the event type names with a space or a comma. The audit attributes are as follows:
Assigns the AUDITOR attribute to the user. A user with the AUDITOR attribute can audit the use of system resources and is able to control the logging of detected accesses to any CA ControlMinder-protected resource during CA ControlMinder authorization checking and accesses to the database. See the Endpoint Administration Guide for your OS for more information about the authorities granted to a user with the AUDITOR attribute.
Removes the AUDITOR attribute from the user record.
You cannot use this parameter with the new[x]usr command.
Specifies the authentication method.
Used only by SSO.
You cannot use this parameter for enterprise users.
Assigns one or more security categories to the user.
Removes one or more security categories from the user record.
You cannot use this parameter with the new[x]usr command.
Assigns a comment to the user record.
Specifies the comment. commentString is an alphanumeric string of up to 255 characters. If commentString contains blanks, enclose it in single quotation marks.
Deletes the comment from the user record.
You cannot use this parameter with the new[x]usr command.
Specifies the country where the user is located. The country is not used during the authorization process.
Defines the country. This parameter is an alphanumeric string of up to 19 characters. If the string contains blanks, enclose the entire string in single quotation marks.
Defines the email address of the user.
Limits: Up to 128 characters
Enables the login of a user that has for any reason been disabled.
You cannot use this parameter with the new[x]usr command.
Changes the user password as if the user changes their own password. This password change is not an administrative change and so does not automatically expire the password.
Note: This command is for internal use only. It writes the password, in plain text exactly as given in the argument, to /etc/shadow or the passwd file.
Sets the date when the user account expires. If a date is not specified, the account expires immediately, or if the user is logged in, when the user logs out.
If the user record has a value for this property, that value overrides the value in the GROUP record.
Note: Use the expire- parameter to enable expired user records; you do not use the resume parameter to do this.
Defines the date, and optionally the time. It has the following format:
mm/dd/[yy]yy[@HH:MM]
You can use either two digits or four digits to specify the year.
For the new[x]usr command, defines a user account that does not have an expiration date.
For the ch[x]usr and edit[x]usr commands, removes an expiration date from a user account.
Specifies particular attributes of a user's account. See the appendix “Windows Values” for a list of valid flag values.
To remove flags from the user record, precede accountFlags with a minus (-).
Specifies the full name of the user.
Defines the full name. It is an alphanumeric string of up to 255 characters. If fullName contains blanks, enclose the entire string in single quotation marks.
Specifies a comment string for the user. Enclose the string in single quotation marks.
Assigns a CA ControlMinder group as the owner of the user record. The group owner of the user record has unrestricted access to it, provided the group owner's security level and security category authorities are sufficient. The group owner of the user record is always permitted to update and delete the user record.
Defines the number of grace logins the user is allowed.
After the number of grace logins is reached, the user cannot access the system and must contact the system administrator to select a new password. If grace is set to zero, the user cannot log in.
If the user record has a value for this parameter, that value overrides the value in the GROUP record.
If this parameter is not specified and the user has a profile group that contains a value for this parameter, the value in the GROUP record is used. If neither the USER nor GROUP record contains a value, the CA ControlMinder global grace login setting is used.
Defines the number of grace logins. Enter an integer between 0 and 255.
Note: The user should change the password before the grace value reaches 0. Contact the system administrator to select a new password if the grace login value is reached.
Deletes the user's grace login setting. The CA ControlMinder global grace login setting is used instead.
You cannot use this parameter with the newusr command.
Specifies the full path of the user's home directory. If path ends with a slash, CA ControlMinder concatenates userName to the path.
Specifies the drive of the user's home directory.
Assigns the IGN_HOL attribute to the user. A user with the IGN_HOL attribute can log in during any period defined in a holiday record.
Removes IGN_HOL attribute from the user.
Specifies the number of days that must pass before the system changes the user to inactive. When the number of days is reached, the user cannot log in.
Note: Inactive users are not marked in the user record. To identify inactive users, you must compare the Last Accessed Time value with the Inactive Days value.
Defines the number of days. nDays is zero or a positive integer. If nDays is zero, the effect is the same as using the inactive- parameter.
Changes the user's status from inactive to active.
You cannot use this parameter with the newusr command.
Defines the number of days that must pass after the password was set or changed before the system prompts the user for a new password. Enter zero or a positive integer. If nDays is zero, CA ControlMinder disables password interval checking and the password does not expire. This means the default set by the setoptions command is not used. Set nDays to zero only for users with low security requirements.
When nDays is reached, CA ControlMinder informs the user that the password has expired. The user can continue to use the password until the number of grace logins is reached. After the number of grace logins is reached, the user is denied access to the system and must contact the system administrator to be given a new password.
Cancels a user's password interval setting. If the user has a profile group with a value for this parameter, that value is used. Otherwise, the default set by the setoptions command is used.
You cannot use this parameter with the new[x]usr command.
Assigns a security label to the user.
Deletes the security label from the user record.
You cannot use this parameter with the new[x]usr command.
Assigns a security level to the user record.
levelNumber is an integer between 0 and 255.
Deletes the security level from the user record.
You cannot use this parameter with the newusr command.
Used by eTrust SSO.
Specifies the user's location. The location is not used during the authorization process.
Defines the location. locationString is an alphanumeric string of up to 47 characters. If locationString contains blanks, enclose it in single quotation marks.
Assigns the LOGICAL attribute to the user. A user with the LOGICAL attribute cannot log in and is used for internal CA ControlMinder purposes only.
For example, the user nobody that you can use as the owner of resources to prevent even the resource owner from accessing the resource is a logical user by default. This means that no user can log in using this account.
Removes the LOGICAL attribute from the user.
Specifies the server that verifies the login information for the user. When the user logs in to the domain workstation, CA ControlMinder transfers the login information to the server, which gives the workstation permission for the user to work.
Sets the maximum number of concurrent logins for the user. A value of 0 (zero) means that the user can log in from any number of terminals concurrently. If this parameter is not specified, the global maximum logins setting is used.
Note: If maxlogins is set to 1, you cannot run selang. You must shut down CA ControlMinder, change the maxlogins setting to a value greater than one (for example, by using the sepropadm utility), and start CA ControlMinder again.
Deletes the user's maximum login setting. The global setting is used instead.
You cannot use this parameter with the new[x]usr command.
The minimum number of days that must pass before the user is allowed to change the password again. Enter a positive integer.
Deletes the user's min_life setting. If the user has a profile group with a value for this parameter, that value is used. Otherwise, the default set by the setoptions command is used.
You cannot use this parameter with the new[x]usr command.
Specifies that the user is not allowed to change passwords for another user.
Sends an email to notifyAddress every time the user logs in. The recipient of the notify messages should log in frequently to respond to the unauthorized access attempts described in each message.
When CA ControlMinder sends a notification message, it writes an audit record in the audit log.
Defines a user name or an email address.
Limit: 30 characters.
Specifies that no one is notified when the user logs in.
You cannot use this parameter with the new[x]usr command.
For the chusr and editusr commands, this parameter changes the user's definition in the local Windows system.
For the newusr command, this parameter adds the user to the local Windows system.
If more than one argument is specified, separate the arguments with a space.
See the environment command, for more information about how to operate on the local Windows system from within CA ControlMinder.
The nt option, and sub-options under the nt option, are not valid for enterprise users.
Assigns the OPERATOR attribute to the user. A user with the OPERATOR attribute can list all resource records in the database, and has read authority for all CA ControlMinder defined files.
A user with this attribute can also use all the options of the secons command. See the Reference Guide for more information about the secons utility.
Removes the OPERATOR attribute from a user record.
You cannot use this parameter with the newusr command.
Specifies the user's organization. The organization is not used during the authorization process.
Defines the organization. organizationString is an alphanumeric string of up to 255 characters. If organizationString contains blanks, enclose it in single quotation marks.
Specifies the user's organization unit. The organization unit is not used during the authorization process.
Defines the organization unit. org_unitString is an alphanumeric string of up to 255 characters. If org_unitString contains blanks, enclose it in single quotation marks.
Assigns a CA ControlMinder user or group as the owner of the user record. See the Endpoint Administration Guide for your OS for more information.
Assigns a password to a user. Specify any character except a space or a comma. If password checking is enabled, the password is valid for one login only. When the user next logs in to the system, a new password must be set.
To change your own password, you need to set selang options using setoptions cng_ownpwd or use sepass.
Sets the user's primary group ID. groupName is the name of a UNIX group.
Defines the user's telephone number. The telephone number is not used during the authorization process.
Defines the telephone number. phoneString is an alphanumeric string of up to 19 characters. If phoneString contains blanks, enclose it in single quotation marks.
Specifies that when a user changes a password with the sepass utility, the new password is propagated to the specified PMDB. Enter the fully qualified name of the PMDB. The password is not sent to the Policy Model defined in the parent_pmd or passwd_pmd tokens in the [seos] section of seos.ini.
This option cannot be used for enterprise users.
Removes the PMDB attribute from the user record.
You cannot use this parameter with the new[x]usr command.
Adds specific rights to the Windows user record or, when privList is preceded by a minus sign (-), removes the specified rights.
You cannot use this parameter with the newusr command.
Assigns a user to a profile group. The following values can be taken from the profile group:
Removes a user from the profile group.
You cannot use this parameter with the new[x]usr command.
Assigns the PWMANAGER attribute to the user. A user with this attribute can change the passwords of users in the database. See the Endpoint Administration Guide for your OS for more information.
Removes the PWMANAGER attribute from the user record.
You cannot use this parameter with the new[x]usr command.
Replaces a password as if changed by the user. Specifying this parameter updates the time and date of the last change in the database. Grace logins are terminated.
Resets the OBJ_TYPE property of the record, and so removes authority attributes from the user.
Specifies the days of the week and the times in the day when users can be logged in. The restrictions are stored in the DAYTIME property of the [X]USER record.
If you omit Days and specify Time, the time restriction applies to any day-of-week restriction that is already defined in the record.
If you omit Time and specify Days, the Days restriction applies to any time restriction already defined in the record.
If you specify both Days and Time, the users can access the system only during the specified time period on the specified days.
Specifies the days on which users can be logged in. You can use the following keywords when you specify Days:
Specifies the period during which users can be logged in. The time argument takes the following sub-arguments:
The format of startTime and endTime is hhmm, where hh is the hour (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value; use 0000 instead.
startTime must be less than endTime.
Note: CA ControlMinder uses the time zone of the processor. If the user logs in at a terminal in a different time zone from the processor, you must take this into account.
Deletes any restrictions that limit the users' ability to be logged in.
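As an added illustration (not CA ControlMinder code), the following Python models the restrictions() rules described above: the day keywords, the hhmm:hhmm window with the 2400 rule and startTime < endTime, how an omitted days() or time() leaves the value already stored in DAYTIME in place, and a check of a login at a time written in the page's mm/dd/yyyy@HH:MM format. Treating endTime as exclusive is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed example (not CA ControlMinder code): a parser and evaluator for
# the selang restrictions() clause, following only the rules stated on this
# page. The end of a time window is treated as exclusive here (an assumption).
DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

def parse_days(spec):
    """days(...) argument -> set of weekday numbers (0 = mon ... 6 = sun)."""
    spec = spec.strip().lower()
    if spec == "anyday":
        return set(range(7))
    if spec == "weekdays":
        return set(range(5))
    days = {DAY_NAMES.index(t) for t in spec.split() if t in DAY_NAMES}
    if not days or any(t not in DAY_NAMES for t in spec.split()):
        raise ValueError("days() accepts anyday, weekdays or mon..sun only")
    return days

def parse_hhmm(text):
    """hhmm with hh 00-23 and mm 00-59; 2400 is rejected (use 0000)."""
    if not re.fullmatch(r"\d{4}", text):
        raise ValueError("time must be hhmm: %s" % text)
    if int(text[:2]) > 23 or int(text[2:]) > 59:
        raise ValueError("invalid hhmm time: %s" % text)
    return int(text[:2]) * 60 + int(text[2:])

def parse_time(spec):
    """time(...) argument -> (start, end) in minutes since midnight."""
    spec = spec.strip().lower()
    if spec == "anytime":
        return (0, 24 * 60)
    m = re.fullmatch(r"(\d{4}):(\d{4})", spec)
    if not m:
        raise ValueError("time() must be anytime or startTime:endTime")
    start, end = parse_hhmm(m.group(1)), parse_hhmm(m.group(2))
    if start >= end:
        raise ValueError("startTime must be less than endTime")
    return (start, end)

def parse_restrictions(clause, existing=None):
    """Parse 'days(...) time(...)'. A part that is omitted keeps the value
    already stored in the record's DAYTIME property, as the page describes."""
    restr = dict(existing or {"days": None, "time": None})
    parts = re.findall(r"(days|time)\(([^)]*)\)", clause, re.IGNORECASE)
    if not parts:
        raise ValueError("restrictions() needs days() and/or time()")
    for key, val in parts:
        key = key.lower()
        restr[key] = parse_days(val) if key == "days" else parse_time(val)
    return restr

def login_allowed(restr, when):
    """Check a login at 'when' (mm/dd/yyyy@HH:MM, the page's date format,
    read in the processor's local time zone) against the restrictions."""
    dt = datetime.strptime(when, "%m/%d/%Y@%H:%M")
    if restr["days"] is not None and dt.weekday() not in restr["days"]:
        return False
    if restr["time"] is not None:
        start, end = restr["time"]
        return start <= dt.hour * 60 + dt.minute < end
    return True
```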
Enables a user record that was disabled by specifying the suspend parameter. If you specify both the suspend parameter and the resume parameter, the resume date must fall after the suspend date. If you omit dateTime, the user record is resumed immediately upon execution of the chusr command. See the Endpoint Administration Guide for your OS for more information.
Enter dateTime in the format [m]m/[d]d/yy[@HH:MM].
Erases the resume date, and time if used, from the user record. Consequently, the status of the user is changed from active (enabled) to suspended.
You cannot use this parameter with the new[x]usr command.
Specifies the location of a file that runs automatically when the user logs in. This parameter is optional. Typically, this login script configures the working environment. You can also use the profile parameter to set up the user's working environment.
Sets the SERVER attribute on. This attribute allows a process running on behalf of the current user to ask for authorization for other users. See the Endpoint Administration Guide for your OS for more information.
Sets the SERVER attribute off.
You cannot use this parameter with the new[x]usr command.
Specifies the full path of the initial program or shell that is executed after the user invokes the login or su command. fileName is a character string.
This option cannot be used for enterprise users.
Disables a user record, but leaves it defined in the database. A user cannot use a disabled user account to log in to the system.
If dateTime is specified, the user record is disabled on the specified date. If dateTime is omitted, the user record is disabled immediately upon execution of the ch[x]usr command.
Enter dateTime in the format mm/dd/yy[@HH:MM].
Erases the suspend date from the user record, changing the status of the user from disabled to enabled (active).
You cannot use this parameter with the new[x]usr command.
For the chusr and editusr commands, this parameter changes the user's definition in the local UNIX system.
For the newusr command, this parameter adds the user to the local UNIX system.
If more than one argument is specified, separate the arguments with a space.
See the environment command in this chapter for more information about how to operate on the local UNIX system from within CA ControlMinder.
The unix option, and sub-options under the unix option are not valid for enterprise users.
Sets the user's unique numeric ID (UID), used for unique discretionary access control. number is a decimal number. By default, numbers less than 100 are not accepted. See the AllowedGidRange token in the appendix Reference Guide for more information about excluded numbers.
Defines the name or names of the user or users. Each user name must be unique.
When using the newusr command, userName identifies a new user to CA ControlMinder. If you are using the newusr command and the user is already defined to the native environment, this username will be used by CA ControlMinder as the USER record that corresponds to that user. Typically, however, you should take advantage of the CA ControlMinder ability to use enterprise users, and not use newusr to create a USER record for a username that already exists in the native environment. Instead, use the chxusr command to change the CA ControlMinder properties of that user.
Sometimes you may want a CA ControlMinder user name that is not a native login name. In that case, the login command could not put that user to work, but another command such as sesu could.
Note: On UNIX, where a user name includes a backslash, use two backslashes when specifying userName.
Examples
chxusr Jim category(FINANCIAL) level(155) restrictions(days(weekdays) time(0800:2000))
chxusr Joel suspend(8/5/95) resume(8/26/95)
chxusr Bill auditor audit(all)
chxusr Mary comment ('Administrator of the SALES group')
chxusr Jared country() location()
newusr (Peter Joe)
newusr Jane owner(payroll) name('J.G. Harris')
newusr JohnD name('John Doe') category(NewEmployee) level(3) restrictions(days(weekdays) time(0800:1800))
Copyright © 2013 CA Technologies.
All rights reserved.