selang Reference Guide › selang Commands › selang Commands Reference › ch[x]usr Command—Change User Properties

ch[x]usr Command—Change User Properties

Valid in the AC environment

Use the commands chusr, chxusr, editusr, editxusr, newusr, and newxusr to change the properties of users, and to define the user records in the CA ControlMinder database if necessary.

These commands all have synonyms, as follows:

• chusr—cu
• chxusr—cxu
• editusr—eu
• editxusr—exu
• newusr—nu
• newxusr—nxu

This means, for example, that the command cu is identical to the command chusr.

All these commands are identical in structure, and vary only in their scope. Use these commands as follows:

• Use the chusr, editusr, and newusr commands for internal users. The differences between these commands are as follows:
  • The chusr command modifies one or more USER records.
  • The editusr command creates or modifies one or more USER records.
  • The newusr command creates one or more USER records.

  Note: These commands also exist in the native environment but operate differently there.

• Use the chxusr, editxusr and newxusr commands for enterprise users. The differences between these commands are as follows:
  • The chxusr command modifies one or more XUSER records.
  • The editxusr command creates or modifies one or more XUSER records.
  • The newxusr command creates one or more XUSER records.

The USER and XUSER class records are identical for all properties, except that where properties are defined in the enterprise user stores, the XUSER records do not redefine them.

When you execute these commands, the changes that you make modify the user record immediately, even if the user is currently logged in to the system.

Authorization Required

To create a CA ControlMinder user, at least one of the following conditions must be true:

• You have the ADMIN attribute.
• You are assigned the CREATE authority in the access control list of the USER or XUSER record in the ADMIN class.

To add or modify a user, at least one of the following conditions must be true:

• You have the ADMIN attribute.
• The user record is within the scope of a group in which you have the GROUP‑ADMIN attribute and you have the same authority as the owner of the record.
• The user record is within the scope of a group in which you have the GROUP‑AUDITOR attribute, and you want to specify the audit parameter.
• You are the owner of the group.
• You are assigned the MODIFY (for ch[x]usr) or CREATE (for edit[x]usr) authority in the access control list of the USER or XUSER record in the ADMIN class.

  {{chusr|cu}|chxusr|cxu}|{editusr|eu}|{editxusr|eu}|{newusr|nu}| {newxusr|nxu}} \
  

  {userName|(userName [,userName...])} \
  [{admin | admin‑}] \
  [audit({none | all | {[success][failure][loginsuccess]|[loginfail]|[trace]|[interactive]}})] \
  [{auditor | auditor‑}] \
  [{category(categoryName) | category‑(categoryName)}] \
  [{comment(string) | comment‑}] \
  [country(string)] \
  [email(emailAddress)] \
  [enable] \
  epwasown(password) \
  [{expire[(date)] | expire‑}] \
  [fullname (fullName)]
  [{gowner(groupName)] \
  [{grace(nLogins) | grace‑}] \
  [{ign_hol | ign_hol‑}] \
  [{inactive(nDays) | inactive‑}] \
  [{interval(nDays) | interval‑}] \
  [{label(labelName) | label‑}] \
  [{level(number) | level‑}] \
  [location(string)] \
  [{logical|logical-}] \
  [{maxlogins(nLogins) | maxlogins‑}] \
  [{min_life(nDays) | min_life‑}] \
  [{notify(mailAddress) | notify‑}] \
  [{operator | operator‑}] \
  [organization(string)] \
  [org_unit(string) \
  [owner({userName | groupName})] \
  [password(string)] \
  [phone(string)] \
  [{pmdb(pmdbName) | pmdb‑}] \
  [{profile(groupName) | profile‑}] \
  [pwasown(string)] \
  [{pwmanager | pwmanager‑}] \
  [regular] \
  [{restrictions( \
  

  [days({anyday|weekdays|[mon] [tue] [wed] [thu] [fri] [sat] [sun]})] \
  [time({anytime|startTime:endTime})]
  ) |restrictions‑}] \
  

  [{resume[(date)] | resume‑}] \
  [{server | server‑}] \
  [{suspend[(date)] | suspend‑}] \
  [nt|nt( ] \
  

  [admin|admin-] \
  [comment('comment')|comment- ] \
  [country('country-name')] \
  [expire|expire(mm/dd/yy[@hh:mm])|expire-] \
  [flags({account-flags)|-account-flags})] \
  [homedir(any-string)] \
  [homedrive(home-drive)] \
  [location(any-string)] \
  [logonserver(server-name)] \
  [name(full_name)] \
  [organization(name)] \
  [org_unit(name)] \
  [password(user's temporary password)] \
  [pgroup(primary-group)] \
  [phone(any-string)] \
  [privileges(privilege-list)] \
  [restrictions(days(day-data) time(hhmm:hhmm|anytime) )] \
  [script(logon-script-path)] \
  [workstations(workstations-list)] )] \
  

  [unix({ [gecos(string)] \
  

  [homedir(path)] \
  [pgroup(groupName)] \
  [shellprog(fileName)] \
  [userid(number)]}]
  

admin

Assigns the ADMIN attribute to the user. A user with the ADMIN attribute is allowed to issue all selang commands with all parameters except the audit parameter. You must have the ADMIN attribute to use the admin parameter.

admin‑

Removes the ADMIN attribute from the user. (CA ControlMinder verifies that at least one user has the ADMIN attribute.)

You cannot use this parameter with the new[x]usr command.

audit

Specifies which user activities on resources protected by CA ControlMinder are logged to the audit log. To specify more than one event type, separate the event type names with a space or a comma. The audit attributes are as follows:

• all—CA ControlMinder logs all user activities. The monitored activities are: failure, loginfail, loginsuccess, success, interactive and trace.
• failure—CA ControlMinder logs failed access attempts.
• loginfail—CA ControlMinder logs failed login attempts.
• loginsuccess—CA ControlMinder logs successful logins.
• none—CA ControlMinder does not log any user activities.
• success—CA ControlMinder logs successful accesses.
• interactive—CA ControlMinder logs interactive sessions.
• trace—CA ControlMinder logs every message that appears in the trace file because of this user's actions.

auditor

Assigns the AUDITOR attribute to the user. A user with the AUDITOR attribute can audit the use of system resources and is able to control the logging of detected accesses to any CA ControlMinder‑protected resource during CA ControlMinder authorization checking and accesses to the database. See the Endpoint Administration Guide for your OS for more information about the authorities granted to a user with the AUDITOR attribute.

auditor‑

Removes the AUDITOR attribute from the user record.

You cannot use this parameter with the new[x]usr command.

auth_type

Specifies the authentication method.

Used only by SSO.

You cannot use this parameter for enterprise users.

category(categoryName[, categoryName...])

Assigns one or more security categories A security category is the name of record in the CATEGORY class. You can assign a security category to accessors and to resources. An accessor can access a resource only if the accessor is assigned to all of the security categories assigned to the resource. to the user.

category‑(categoryName[, categoryName...])

Removes one or more security categories from the user record.

You cannot use this parameter with the new[x]usr command.

comment(commentString )

Assigns a comment to the user record.

commentString

Specifies the comment. commentString is an alphanumeric string of up to 255 characters. If commentString contains blanks, enclose it in single quotation marks.

comment‑

Deletes the comment from the user record.

You cannot use this parameter with the new[x]usr command.

country(countryName)

Specifies the country where the user is located. The country is not used during the authorization process.

countryName

Defines the country. This parameter is an alphanumeric string of up to 19 characters. If the string contains blanks, enclose the entire string in single quotation marks.

email(emailAddress)

Defines the email address of the user.

emailAddress

Defines the email address of the user.

Limits: Up to 128 characters

enable

Enables the login of a user that has for any reason been disabled.

You cannot use this parameter with the new[x]usr command.

epwasown(password)

Changes the user password as if the user changes their own password. This password change is not an administrative change and so does not automatically expire the password.

Note: This command is for internal use only. This command sets password in plain text as specified as an argument to /etc/shadow or the passwd file.

expire(dateTime)

Sets the date when the user account expires. If a date is not specified, the account expires immediately, or if the user is logged in, when the user logs out.

If the user record has a value for this property, that value overrides the value in the GROUP record.

Note: Use the expire‑ parameter to enable expired user records; you do not use the resume parameter to do this.

dateTime

Defines the date, and optionally the time. It has the following format:
mm/dd/[yy]yy[@HH:MM]

You can use either two digits or four digits to specify the year.

expire‑

For the new[x]usr command, defines a user account that does not have an expiration date.

For the ch[x]usr and edit[x]usr commands, removes an expiration date from a user account.

flags(accountFlags|-accountFlags)

Specifies particular attributes of a user's account. See the appendix “Windows Values” for a list of valid flag values.

To remove flags from the user record, precede accountFlags with a minus (-).

fullname(fullName)

Specifies the full name of the user.

fullName

Defines the full name. It is an alphanumeric string of up to 255 characters. If fullName contains blanks, enclose the entire string in single quotation marks.

gecos(string)

Specifies a comment string for the user. Enclose the string in single quotation marks.

gowner(groupName)

Assigns a CA ControlMinder group as the owner of the user record. The group owner of the user record has unrestricted access to it, provided the group owner's security level and security category authorities are sufficient. The group owner of the user record is always permitted to update and delete the user record.

grace(nLogins)

Defines the number of grace logins the user is allowed.

After the number of grace logins is reached, the user cannot access the system and must contact the system administrator to select a new password. If grace is set to zero, the user cannot log in.

If the user record has a value for this parameter, that value overrides the value in the GROUP record.

If this parameter is not specified and the user has a profile group that contains a value for this parameter, the value in the GROUP record is used. If neither the USER nor GROUP record contains a value, the CA ControlMinder global grace login setting is used.

nLogins

Defines the number of grace logins. Enter an integer between 0 and 255.

Note: The user should change the password before the grace value reaches 0. Contact the system administrator to select a new password if the grace login value is reached.

grace‑

Deletes the user's grace login setting. The CA ControlMinder global grace login setting is used instead.

You cannot use this parameter with the newusr command.

homedir(path)

Specifies the full path of the user's home directory. If path ends with a slash, CA ControlMinder concatenates userName to the path.

homedrive(drive)

Specifies the drive of the user's home directory.

ign_hol

Assigns the IGN_HOL attribute to the user. A user with the IGN_HOL attribute can log in during any period defined in a holiday record.

ign_hol‑

Removes IGN_HOL attribute from the user.

inactive(nDays)

Specifies the number of days that must pass before the system changes the user to inactive. When the number of days is reached, the user cannot log in.

Note: Inactive users are not marked in the user record. To identify inactive users, you must compare the Last Accessed Time value with the Inactive Days value.

nDays

Defines the number of days. nDays is zero or a positive integer. If nDays is zero, the effect is the same as using the inactive‑ parameter.

inactive‑

Changes the user's status from inactive to active.

You cannot use this parameter with the newusr command.

interval(nDays)

Defines the number of days that must pass after the password was set or changed before the system prompts the user for a new password. Enter zero or a positive integer. If nDays is zero CA ControlMinder disables password interval checking and the password does not expire. This means the default set by the setoptions command is not used. Set nDays to zero only for users with low security requirements.

When nDays is reached, CA ControlMinder informs the user that the password has expired. The user can continue to use the password until the number of grace logins is reached. After the number of grace logins is reached, the user is denied access to the system and must contact the system administrator to be given a new password.

interval‑

Cancels a user's password interval setting. If the user has a profile group with a value for this parameter, that value is used. Otherwise, the default set by the setoptions command is used.

You cannot use this parameter with the new[x]usr command.

label(labelName)

Assigns a security label A security label is the name of a record in the SECLABEL class. A security label bundles together a security level and a set of security categories. Assigning a security label to an accessor or a resource gives the accessor or resource the combined security level and security categories associated with the security label. A security label overrides any specific security level and category assignments in an accessor or resource. to the user.

label‑

Deletes the security label from the user record.

You cannot use this parameter with the new[x]usr command.

level(levelNumber)

Assigns a security level A security level is an integer between 0 and 255 that you can assign to accessors and resources. An accessor cannot access a resource if the accessor has a security level less than the security level assigned to the resource, even if the user is granted access authority in the resource's access control list. to the user record.

levelNumber is an integer between 0 and 255.

level‑

Deletes the security level from the user record,

You cannot use this parameter with the newusr command.

localapps

Used by eTrust SSO.

location(locationString)

Specifies the user's location. The location is not used during the authorization process.

locationString

Defines the location. locationString is an alphanumeric string of up to 47 characters. If locationString contains blanks, enclose it in single quotation marks.

logical

Assigns the LOGICAL attribute to the user. A user with the LOGICAL attribute cannot log in and is used for internal CA ControlMinder purposes only.

For example, the user nobody that you can use as the owner of resources to prevent even the resource owner from accessing the resource is a logical user by default. This means that no user can log in using this account.

logical‑

Removes the LOGICAL attribute from the user.

logonserver(server-name)

Specifies the server that verifies the login information for the user. When the user logs in to the domain workstation, CA ControlMinder transfers the login information to the server, which gives the workstation permission for the user to work.

maxlogins(nLogins)

Sets the maximum number of concurrent logins Concurrent logins are multiple sessions initiated by the same user onto a system from more than one terminal at the same time. for the user. A value of 0 (zero) means that the user can log in from any number of terminals concurrently. If this parameter is not specified, the global maximum logins setting is used.

Note: If maxlogins is set to 1, you cannot run selang. You must shut down CA ControlMinder, change the maxlogins setting to greater than one, for example by using setpropadm utility, and start CA ControlMinder again.

maxlogins‑

Deletes the user's maximum login setting. The global setting is used instead.

You cannot use this parameter with the new[x]usr command.

min_life(nDays)

The minimum number of days that must pass before the user is allowed to change the password again. Enter a positive integer.

min_life‑

Deletes the user's min_life setting. If the user has a profile group with a value for this parameter, that value is used. Otherwise, the default set by the setoptions command is used.

You cannot use this parameter with the new[x]usr command.

nochngpass

Specifies that the user is not allowed to change passwords for another user.

notify(notifyAddress)

Sends an email to notifyAddress every time the user logs in. The recipient of the notify messages should log in frequently to respond to the unauthorized access attempts described in each message.

When CA ControlMinder sends a notification message, it writes an audit record in the audit log.

notifyAddress

Defines a user name or an email address.

Limit: 30 characters.

notify‑

Specifies that no one is notified when the user logs in.

You cannot use this parameter with the new[x]usr command.

nt

For the chusr and editusr commands, this parameter changes the user's definition in the local Windows system.

For the newusr command, this parameter adds the user to the local Windows system.

If more than one argument is specified, separate the arguments with a space.

See the environment command, for more information about how to operate on the local Windows system from within CA ControlMinder.

The nt option, and sub-options under the nt option, are not valid for enterprise users.

operator

Assigns the OPERATOR attribute to the user. A user with the OPERATOR attribute can list all resource records in the database, and has read authority for all CA ControlMinder defined files.

A user with this attribute can also use all the options of the secons command. See the Reference Guide for more information about the secons utility.

operator‑

Removes the OPERATOR attribute from a user record.

You cannot use this parameter with the newusr command.

organization(organizationString)

Specifies the user's organization. The organization is not used during the authorization process.

organizationString

Defines the organization. organizationString is an alphanumeric string of up to 255 characters. If organizationString contains blanks, enclose it in single quotation marks.

org_unit(org_unitString)

Specifies the user's organization unit. The organization unit is not used during the authorization process.

org_unitString

Defines the organization unit. org_unitString is an alphanumeric string of up to 255 characters. If organizationString contains blanks, enclose it in single quotation marks.

owner(Name)

Assigns a CA ControlMinder user or group as the owner of the user record. See the Endpoint Administration Guide for your OS for more information.

password(string)

Assigns a password to a user. Specify any character except a space or a comma. If password checking is enabled, the password is valid for one login only. When the user next logs in to the system, a new password must be set.

To change your own password, you need to set selang options using setoptions cng_ownpwd or use sepass.

pgroup(groupName)

Sets the user's primary group ID. groupName is the name of a UNIX group.

phone(phoneString)

Defines the user's telephone number. The telephone number is not used during the authorization process.

phoneString

Defines the telephone number. phoneString is an alphanumeric string of up to 19 characters. If phoneString contains blanks, enclose it in single quotation marks.

pmdb(pmdbName)

Specifies that when a user changes a password with the sepass utility, the new password is propagated to the specified PMDB A policy model database (PMDB) is a stand‑alone CA ControlMinder database, which contains the same types of rules as a CA ControlMinder database associated with a specific host system. When rules are applied to the master PMDB, these rules are propagated to all of the subscribed databases that were defined for the master.. Enter the fully qualified name of the PMDB. The password is not sent to the Policy Model defined in the parent_pmd or passwd_pmd tokens in the [seos] section of seos.ini.

This option cannot be used for enterprise users.

pmdb‑

Removes the PMDB attribute from the user record.

You cannot use this parameter with the new[x]usr command.

privileges(privilege-list)

Adds specific rights to the Windows user record or, when privList is preceded by a minus sign (-), removes the specified rights.

You cannot use this parameter with the newusr command.

profile(groupName)

Assigns a user to a profile group A profile group is a group defined in the CA ControlMinder database that contains default values for user properties. When you assign a user to a profile group, the profile group provides those values to the user unless they have already been set for the user.. The following values can be taken from the profile group:

• audit
• auth_type
• expire
• grace
• inactive
• interval
• maxlogins
• min_life
• password rules
• pmdb
• pwd_autogen
• pwd_policy
• pwd_sync
• restrictions (days, time)
• resume
• suspend
• unix (homedir, shellprog)

profile‑

Removes a user from the profile group.

You cannot use this parameter with the new[x]usr command.

pwmanager

Assigns the PWMANAGER attribute to the user. A user with this attribute can change the passwords of users in the database. See the Endpoint Administration Guide for your OS for more information.

pwmanager‑

Removes the PWMANAGER attribute from the user record.

You cannot use this parameter with the new[x]usr command.

pwasown(string)

Replaces a password as if changed by the user. Specifying this parameter updates the time and date of the last change in the database. Grace logins are terminated.

regular

Resets the OBJ_TYPE property of the record, and so removes authority attributes from the user.

restrictions([Days] [Time])

Specifies the days of the week and the times in the day when users can be logged in. The restrictions are stored in the DAYTIME property of the [X]USER record.

If you omit Days and specify Time, the time restriction applies to any day‑of‑week restriction that is already defined in the record.

If you omit Time and specify Days, the Days restriction applies to any time restriction already defined in the record.

If you specify both Days and Time, the users can access the system only during the specified time period on the specified days.

Days

Specifies the days on which users can be logged in. You can use the following keywords when you specify Days:

• anyday—Allow users access to the file on any day.
• weekdays—Allow users access to the resource only on weekdays-Monday through Friday.
• Mon, Tue, Wed, Thu, Fri, Sat, Sun—Allow users access to the resource only on the specified days. You can specify the days in any order. If you specify more than one day, separate the days with a space or a comma.

Time

Specifies the period during which users can be logged in. The time argument takes the following sub‑arguments:

• anytime—Allow users access to the resource at any time of the day.
• startTime:endTime—Allow access to the resource only during the specified period.

  The format of startTime and endTime is hhmm, where hh is the hour (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value; use 0000 instead.

  startTime must be less than endTime.

  Note: CA ControlMinder uses the time zone of the processor. If the user logs in at a terminal in a different time zone from the processor, you must take this into account.

restrictions‑([days] [time])

Deletes any restrictions that limit the users' ability to be logged in.

resume([dateTime])

Enables a user record that was disabled by specifying the suspend parameter. If you specify both the suspend parameter and the resume parameter, the resume date must fall after the suspend date. If you omit dateTime, the user record is resumed immediately upon execution of the chusr command. See the Endpoint Administration Guide for your OS for more information.

Enter dateTime in the format [m]m/[d]d/yy[@HH:MM].

resume‑

Erases the resume date, and time if used, from the user record. Consequently, the status of the user is changed from active (enabled) to suspended.

You cannot use this parameter with the new[x]usr command.

script(logon-script-path)

Specifies the location of a file that runs automatically when the user logs in. This parameter is optional. Typically, this login script configures the working environment. You can also use the profile parameter to set up the user's working environment.

server

Sets the SERVER attribute on. This attribute allows a process running on behalf of the current user to ask for authorization for other users. See the Endpoint Administration Guide for your OS for more information.

server‑

Sets the SERVER attribute off.

You cannot use this parameter with the new[x]usr command.

shellprog(fileName)

Specifies the full path of the initial program or shell that is executed after the user invokes the login or su command. fileName is a character string.

This option cannot be used for enterprise users.

suspend([dateTime])

Disables a user record, but leaves it defined in the database. A user cannot use a disabled user account to log in to the system.

If dateTime is specified, the user record is disabled on the specified date. If dateTime is omitted, the user record is disabled immediately upon execution of the ch[x]usr command.

Enter dateTime in the format mm/dd/yy[@HH:MM].

suspend‑

Erases the suspend date from the user record, changing the status of the user from disabled to enabled (active).

You cannot use this parameter with the new[x]usr command.

unix

For the chusr and editusr commands, this parameter changes the user's definition in the local UNIX system.

For the newusr command, this parameter adds the user to the local UNIX system.

If more than one argument is specified, separate the arguments with a space.

See the environment command in this chapter for more information about how to operate on the local UNIX system from within CA ControlMinder.

The unix option, and sub-options under the unix option are not valid for enterprise users.

userid(number)

Sets the user's unique numeric ID (UID), used for unique discretionary access control. number is a decimal number. By default, numbers less than 100 are not accepted. See the AllowedGidRange token in the appendix Reference Guide for more information about excluded numbers.

userName|(userName [,userName...])

Defines the name or names of the user or users. Each user name must be unique.

When using the newusr command, userName identifies a new user to CA ControlMinder. If you are using the newusr command and the user is already defined to the native environment, this username will be used by CA ControlMinder as the USER record that corresponds to that user. Typically, however, you should take advantage of the CA ControlMinder ability to use enterprise users, and not use newusr to create a USER record for a username that already exists in the native environment. Instead, use the chgxusr command to change the CA ControlMinder properties of that user.

Sometimes you may want a CA ControlMinder user name that is not a native login name. In that case, the login command could not put that user to work, but another command such as sesu could.

Note: ON UNIX, where a user name includes a blackslash, use two backslashes when specifying userName.

Examples

• The user Bob wants to add the FINANCIAL category to Jim's record, change Jim's security level to 155, and restrict Jim's access to the system to weekdays between 8:00 a.m. and 8:00 p.m.
  • The user Bob has the ADMIN attribute.
  • The user Jim is defined to CA ControlMinder.
  • The FINANCIAL category is defined to CA ControlMinder.

    chuxsr Jim category(FINANCIAL) level(155) restrictions \
    (days(weekdays)time(0800:2000))
    

• The user “admin” wants to suspend the user Joel, who will be on vacation for three weeks, starting on August 5, 1995.
  • The user admin has the ADMIN attribute.
  • The user Joel is defined to CA ControlMinder.
  • Today's date is August 3, 1994.

    chxusr Joel suspend(8/5/95) resume(8/26/95)
    

• The user Security2 wants to remove the AUDITOR attribute from the user Bill and wants to audit all activity by Bill.
  • The user Security2 has the ADMIN and AUDITOR attributes.
  • The user Bill is defined to CA ControlMinder.

    chxusr Bill auditor audit(all)
    

• The user Rob wants to change the comment stored in the record of the user Mary.
  • The user Rob is the owner of Mary's user record.

    chxusr Mary comment ('Administrator of the SALES group')
    

• The admin user Sally wants to remove the country name and the location properties stored in the record of the user Jared.
  • The user Sally is the owner of Jared's user record.

    chxusr Jared country() location()
    

• The user Bob wants to define the users Peter and Joe to CA ControlMinder.
  • The user Bob has the ADMIN attribute.
  • The users Peter and Joe are not defined to CA ControlMinder.
  • The following defaults apply:
    • owner(Bob)
    • audit(failure,loginfailure)

      newusr (Peter Joe)
      

• The user Bob wants to define the user Jane to CA ControlMinder and assign “payroll” as the owning group.
  • The user Bob has the ADMIN attribute.
  • The user Jane is not defined to CA ControlMinder.
  • The full name of the user Jane is JG Harris.
  • audit(failure,loginfailure)

    newusr Jane owner(payroll) name('J.G. Harris')
    

• The user Bob wants to define the user JohnD to CA ControlMinder with the security category NewEmployee and a security level of three. JohnD is to be allowed to use the system only on weekdays between the hours of 8:00 a.m. and 6:00 p.m.
  • The user Bob has the ADMIN attribute.
  • The NewEmployee category is defined to CA ControlMinder.
  • The new user's full name is John Doe.
  • The following defaults apply:
    • owner(Bob)
    • audit(failure)

      newusr JohnD name('John Doe') category(NewEmployee) level(3) \
      restrictions(days(weekdays) time(0800:1800))