Valid in the AC environment
Use the commands chgrp, chxgrp, editgrp, editxgrp, newgrp, and newxgrp to change the properties of groups, and to create the groups in the CA ControlMinder database if necessary.
These commands all have synonyms, as follows:
These commands are identical in structure, and vary only in their scope, in the following ways:
Note: These commands also exist in the native environment but operate differently there.
Authorization Required
To create a new CA ControlMinder group, at least one of the following conditions must be true:
To add or modify a group, at least one of the following conditions must be true:
{{chgrp|cg}|{chxgrp|cxg}|{editgrp|eg}|{editxgrp|exg}|{newgrp|ng}|{newxgrp|nxg}} groupName ...
[{admin | admin‑}] \
[audit(none|all|success|failure|loginsuccess|loginfail|trace|interactive)|audit-] \
[{auditor | auditor‑}] \
[comment(string)|comment‑] \
[expire[(mm/dd/yy[yy[@hh:mm])]|expire‑] \
[gowner(groupName)] \
[homedir(fullPath|nohomedir)] \
[inactive(numInactiveDays)|inactive‑] \
[maxlogins(maximumNumberOfLogins)|maxlogins‑] \
[mem(groupName)|mem+(groupName)|mem‑(groupName)]\
[name('fullName')] \
[nt[(comment(comment))]
[{operator | operator‑}] \
[owner(userName|groupName)] \
[parent(groupName)|parent‑] \
[password( \
[history(numberStoredPasswords)|history‑] \ [interval(maximumPasswordChangeInterval)|interval‑] \ [min_life(minimumPasswordChangeInterval)|min_life‑] \ [rules( \ [alpha(minimumAlphaCharacters)] \ [alphanum(minimumAlphanumericCharacters)] \ [bidirectional|bidirectional‑] \ [grace(numberOfGraceLogins)] \ [min_len(minimumPasswordLength)] \ [max_len(maximumPasswordLength)] \ [lowercase(minimumLowercaseCharacters)] \ [max_rep(maxRepetitiveCharacters)] \ [namechk|namechk‑] \ [numeric(minimumNumericCharacters)] \ [oldpwchk|oldpwchk‑] \ [special(minimumSpecialCharacters)] \ [uppercase(minimumUppercaseCharacters)] \ [use_dbdict|use_dbdict‑] \ )|rules‑] \ )] \
[pmdb(PolicyModelName)|pmdb‑] \
[{pwmanager | pwmanager‑}] \
[restrictions( \
[days({anyday|weekdays|{[mon] [tue] [wed] \
[thu] [fri] [sat] [sun]}})] \
[time(anytime|startTime:endTime) \
|restrictions‑] \
[resume[(mm/dd/yy[yy][@hh:mm])]|resume‑] \
[{server | server‑}] \
[shellprog(fullPath)] \
[supgroup(superiorGroup)|supgroup-] \
[suspend[(mm/dd/yy[yy][@hh:mm])]|suspend‑] \
[unix[( \
[appl(quotedString)] \ [groupid(groupidNumber)] \ [userlist(userName...)] \
)]] \
To remove any record property where the property is defined by a string, type the property followed immediately by either ‑ (minus sign), or () (empty parenthesis).
Note: Some parameters are relevant only when a group functions as a profile group. A profile group cannot be an enterprise group.
Assigns the ADMIN attribute to the group. A user who is a member of a group with the ADMIN attribute is allowed to issue all selang commands with all parameters except the audit parameter. You must have the ADMIN attribute to use the admin parameter.
Removes the ADMIN attribute from the group. (CA ControlMinder ensures that at least one user has the ADMIN attribute.)
You cannot use this parameter with the new[x]grp command.
Turns on the trace audit for this command. The audit modes are: none, all, success, failure, loginsuccess, loginfail, trace, interactive.
Turns off the trace audit for this command.
Assigns the AUDITOR attribute to the group. A user who is a member of a group with the AUDITOR attribute can audit the use of system resources and is able to control the logging of detected accesses to any CA ControlMinder‑protected resource during CA ControlMinder authorization checking and accesses to the database. See the Endpoint Administration Guide for your OS for more information on the authorities granted to a user with the AUDITOR attribute.
Removes the AUDITOR attribute from the group record.
You cannot use this parameter with the new[x]grp command.
Adds to the group record a comment string of up to 255 alphanumeric characters (single-byte). If the string contains spaces, enclose the entire string in single quotation marks. The string replaces any existing string that you added previously.
Note: In German, only 128 characters are recorded.
Deletes the comment string, if any, from the group record. Use this parameter only with the chgrp or editgrp command.
Sets the date on which the accounts of the group members expire. If you do not specify a date, the user accounts expire immediately, provided the users are not currently logged in. If the users are logged in, the accounts expire when the users log out. This parameter applies only to profile groups.
Specify the expiration date, and optional time, in the following format:
mm/dd/yy [yy][@HH:MM]. Year can be either 2 or 4 digits.
Note: You cannot enable expired user records by specifying the resume parameter with a resume date. Use the expire‑ parameter to enable expired user records.
For the newgrp command, defines user accounts that do not have an expiration date. For the chgrp and editgrp commands, removes the expiration date from the user accounts. This parameter applies only to profile groups.
Assigns a CA ControlMinder user or group as the owner of the group record. When you specify more than one group name, enclose the names in parentheses and separate the group names with a space or a comma. If you add a group to the database and omit this parameter, you are the owner of the group record.
Sets the maximum number of logins that are permitted before the users are suspended. The number of grace logins must be between 0 and 255. After the number of grace logins is reached, the users are denied access to the system and must contact the system administrator to select a new password. If grace is set to zero, the users cannot log in. This parameter applies only to profile groups.
Deletes the grace login setting for the group. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Specifies the name of the group you are creating or whose properties you are changing. For the command new[x]grp, each group name must be unique and must not currently exist in the database. However, a group and a user can share the same name.
Specifies the number of stored passwords. You can eliminate the history file with history‑.
Specifies the full path of the users' home directories. If the path you specify ends with a slash, groupName is concatenated to the specified path. If you specify nohomedir then a home directory is not automatically set.
Specifies the number of days that must pass before the system changes users to inactive status. When the number of days is reached, users cannot log in. This parameter applies only to profile groups.
Enter a positive integer or zero for numInactiveDays. If inactive is set to zero, the effect is the same as using the inactive‑ parameter.
Note: In the user record, inactive users are not marked. To identify inactive users, you must compare the Last Accessed Time value with the Inactive Days value.
Changes the users' status from inactive to active. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Sets the number of days that must pass after the password was set or changed before the system prompts the user for a new password. Enter a positive integer or zero. An interval of zero disables password interval checking for the group so that the password does not expire. The default set by the setoptions command is not used. Set an interval of zero only for users with low security requirements.
When the specified number of days is reached, CA ControlMinder informs the user that the current password has expired. The user can immediately renew the password or continue using the old password until the number of grace logins is reached. After the number of grace logins is reached, the user is denied access to the system and must contact the system administrator to select a new password. This parameter applies only to profile groups.
Cancels the password interval setting for the group. If canceled, any value in the user record is used. Otherwise, the default set by the setoptions command is used. Enter this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Sets the maximum number of terminals users can log in to at the same time. A value of 0 (zero) means that users can log in from any number of terminals concurrently. If this parameter is not specified, any value in the user record is used. Otherwise, the global maximum logins setting is used. This parameter applies only to profile groups.
Note: If maxlogins is set to 1, you cannot run selang. You must shut down CA ControlMinder, change the maxlogins setting to greater than one, and start CA ControlMinder again.
Deletes the group's maximum login setting. If this parameter is not specified, any value in the user record is used. Otherwise, the global maximum logins setting is used. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Adds members groups (or child groups) to the group in CA ControlMinder. The member groups (GroupName) must already be defined in CA ControlMinder. If you are adding more than one member group, separate the group names with a comma. If a group name contains a space, enclose it in quotation marks.
Note: To add users to a internal group, use the join[x] command.
This option applies to internal groups only.
Removes member groups from this group. The member groups (GroupName) must already be defined in CA ControlMinder. If you are removing more than one member group, separate the group names with a comma. If a group name contains a space, enclose it in quotation marks.
Note: To remove users from a internal group, use the join[x]- command.
This option applies to internal groups only.
The minimum number of days that must pass before users are allowed to change the password again. This parameter applies only to profile groups.
Deletes the min_life setting of a group. If this parameter is not specified and the min_life parameter is set in a user record, the value in the user record is used. Otherwise, the global min_life setting is used. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Specifies the full name of the group. Enter an alphanumeric string of up to 47 characters. If the string contains any blanks, enclose the string in single quotation marks.
(Windows only) Adds or changes the group definition in the local Windows system.
Adds a comment string to the native record. If you previously added a comment string to the record, the new string specified here replaces the existing string.
comment is an alphanumeric string of up to 255 characters. If the string contains any blanks, enclose the entire string in single quotation marks.
Assigns the OPERATOR attribute to the group. A user who is a member of a group with the OPERATOR attribute can list all resource records in the database, and has read authority for all CA ControlMinder defined files.
A user who is a member of a group with this attribute can also use all the options of the secons command. See the Reference Guide for more information on the secons utility.
Removes the OPERATOR attribute from a group record.
You cannot use this parameter with the new[x]grp command.
Assigns a CA ControlMinder user or group as the owner of the group record. If you are adding a group to the database and you omit this parameter, you are the owner. See the Endpoint Administration Guide for your OS for more information.
Assigns an existing CA ControlMinder group as the parent group of the group record. See the Endpoint Administration Guide for your OS for more information on parent and child relationships.
Deletes the link between a group and its parent group. Use this parameter only with the chgrp or editgrp command.
Assigns a password to this group.
Deletes the need for a password for this group.
Specifies that when a user in the group changes a password with the utility sepass, the new password is propagated to the specified Policy Model. Enter the fully qualified name of the PMDB.
The password is not sent to the Policy Model defined in the parent_pmd or passwd_pmd token in the [seos] section of seos.ini. This parameter applies only to profile groups.
Removes the PMDB attribute from the group record. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Assigns the PWMANAGER attribute to the group. A user who is a member of a group with this attribute can change the passwords of users in the database. See the Endpoint Administration Guide for your OS for more information.
Removes the PWMANAGER attribute from the group record.
You cannot use this parameter with the new[x]grp command.
Specifies the days of the week and the hours in the day when members of the group are allowed to log in to the system.
CA ControlMinder does not force a user off the system if the login period expires while the user is logged in. Also, the login restrictions do not apply to batch jobs; a user can run a background process at any time. This parameter applies only to profile groups.
If you omit the days argument and specify the time argument, the time restriction applies to any day‑of‑week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, the members of the group are allowed to access the system only during the specified time period on the specified days.
Specifies the days on which users can log in to the system. The days argument takes the following sub‑arguments:
Specifies the period during which users can log in to the system. The time argument takes the following sub‑arguments:
Note: CA ControlMinder uses the time zone of the processor. If the user logs in at a terminal in a different time zone from the processor, you must take this into account.
Deletes any restrictions that limit the users' ability to log in to the system from the group record. If this parameter is not specified and the restrictions parameter is set in a user record, the value in the user record is used. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Enables user records that were disabled by specifying the suspend parameter. Enter a date, and optional time, in the following format: mm/dd/yy[@HH:MM].
If you specify both the suspend parameter and the resume parameter, the resume date must fall after the suspend date. If you omit date, the user is enabled immediately on execution of the chgrp command. See the Endpoint Administration Guide for your OS for more information. This parameter applies only to profile groups.
Erases the resume date, and time if used, from the group record. Consequently, the status of the users is changed from active (enabled) to suspended. Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
Specifies rules for the password:
Minimum number of alphabetic characters.
Minimum number of characters.
Specifies whether to use bidirectional password encryption. If bidirectional password encryption is enabled, each new password is encrypted and can be decrypted back to clear text. This encryption gives a wider comparison between new passwords and old passwords (password history). When bidirectional encryption is disabled, one-way password history encryption is activated, and you cannot decrypt old passwords.
Note: You must set history to a value greater than 1 to use this feature.
Note: On UNIX, you must also set the configuration setting passwd_format to NT to use this feature.
Important! If you set the seos.ini file token "passwd_format" ([passwd] section) to "NT", you must use the "native" option (rather than “unix”) when you create a user in selang. For example:
nu uSr_1026 native password(uSr_1026)
Alternatively, make sure that you work in the native environment (rather than the unix one), as follows:
env native chusr usr_1 password(mypassword)
Minimum password length.
Maximum password length.
Minimum number of lowercase characters.
Maximum number of repeated characters.
Check password against name.
Minimum number of numeric characters.
Check password against old password.
Note: Valid only on Unix and Linux operating systems.
Minimum number of special characters.
Minimum number of uppercase characters.
Sets the password dictionary. use_dbdict sets the token to db and compares passwords against words in the CA ControlMinder database. use_dbdict- sets the token to file and checks passwords against a file specified in the seos.ini file for UNIX or Windows registry for Windows.
Sets the SERVER attribute on. If the current user is a member of a group with the SERVER attribute on, it allows a process running on behalf of the current user to ask for authorization for other users. See the Endpoint Administration Guide for your OS for more information.
Sets the SERVER attribute off.
You cannot use this parameter with the new[x]grp command.
Specifies the full path of the initial program or shell that is executed after the user invokes the login or su command. FullPath is a character string.
Specifies a supergroup (or parent group).
Disables user records, but leaves them defined in the database. Enter a date, and optional time, in the following format: mm/dd/yy[@HH:MM].
A user cannot use a suspended user account to log in to the system. If date is specified, the user records are suspended on the specified date. If date is omitted, the user records are suspended immediately upon execution of the chgrp command. This parameter applies only to profile groups.
suspend‑
Erases the suspend date from the user records, changing the status of the users from disabled to active (enabled). Use this parameter only with the chgrp or editgrp command. This parameter applies only to profile groups.
(UNIX only) Sets group attributes on UNIX or creates the group if it does not already exist.
The groupidNumber is a decimal number. You cannot specify a group ID of zero. If you omit the number, CA ControlMinder finds the largest current group ID and sets the ID of the group to this number. CA ControlMinder creates group ID numbers in the same way when adding or modifying more than one group at a time. The token AllowedGidRange in the seos.ini file may define certain unavailable numbers.
Assigns members to the group. UserName is the user name of one or more UNIX users. When assigning more than one user, separate the user names with a comma or a space. For the chgrp and editgrp commands, the member list specified here replaces any member list that is currently defined for the group.
Examples
chxgrp Sales parent(PAYROLL) owner(PAYROLL)
Admin1 has the ADMIN attribute.
chxgrp projectB parent(divisionB) owner(RESEARCH)
Sally is the owner of NewEmployee.
editgrp NewEmployee homedir() shellprog()
Admin1 has the ADMIN attribute.
The default is owner(Admin1).
newgrp ProjectA parent(RESEARCH)
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|