

XUSER Class

Each record in the XUSER class defines an enterprise user in the database.

The key of the XUSER record is the name of the user—the name entered by the user when logging into the system.

You can change most of these properties from CA ControlMinder Endpoint Management or by using the selang command chxusr.

Note: In most cases, and unless otherwise indicated, to change a property using chxusr, you use the property name as the command parameter.

You can view all properties from CA ControlMinder Endpoint Management or by using the selang command showxusr.

APPLIST

Used by eTrust SSO.

APPLIST_TIME

Used by eTrust SSO.

APPLS

(Informational) Displays the list of applications that the accessor is authorized to access. Used by eTrust SSO.

AUDIT_MODE

Defines the activities that CA ControlMinder records in the audit log. You can specify any combination of the following activities:

Note: This property corresponds to the audit parameter of the ch[x]usr and ch[x]grp commands.

AUTHNMTHD

(Informational) Displays the authentication method or methods to be used with the group record; from method 1 to method 32, or none. Used by eTrust SSO.

BADPASSWD

Used by eTrust SSO.

CALENDAR

Represents a Unicenter TNG calendar object for user, group, and resource restrictions in CA ControlMinder. CA ControlMinder fetches Unicenter TNG active calendars at specified time intervals.

CATEGORY

Defines one or more security categories assigned to a user or a resource.

COMMENT

Defines additional information that you want to include in the record. CA ControlMinder does not use this information for authorization.

Limit: 255 characters.

COUNTRY

A string that specifies a country descriptor for a user. This string is part of the X.500 naming scheme. CA ControlMinder does not use it for authorization.

CREATE_TIME

(Informational) Displays the date and time when the record was created.

DAYTIME

Defines the day and time restrictions that govern when an accessor can access a resource.

Use the restrictions parameter with the chres, ch[x]usr, or ch[x]grp commands to modify this property.

The resolution of daytime restrictions is one minute.

EMAIL

Defines the email address of the user, up to 128 characters.

FULLNAME

Defines the full name associated with an accessor. CA ControlMinder uses the full name to identify the accessor in audit log messages, but not for authorization.

FULLNAME is an alphanumeric string. For groups the maximum length is 255 characters. For users the maximum length is 47 characters.

GAPPLS

(Informational) Indicates the list of application groups that the user is authorized to access. Used by eTrust SSO.

GRACELOGIN

Defines the number of grace logins a user has after a password expires. When the number of grace logins is exceeded, the user is denied access to the system and must contact the system administrator for a new password.

The number of grace logins must be between 0 and 255. If this value is 0, the user cannot log in.

A value for the GRACELOGIN property in a USER record overrides a value for NGRACE in a GROUP record. Both override the PASSWDRULES property in the SEOS class record.

Note: This property corresponds to the grace parameter of the ch[x]usr command.

GROUPS

(Informational) Displays the list of user groups that the user belongs to. This property also contains any group authorities, such as group administration authority (GROUP‑ADMIN), assigned to the user for each group the user belongs to.

The group list contained in this property may be different from the one in the native environment GROUPS property.

Note: This property is not modified by the ch[x]usr command. Instead, use the join[-] or joinx[-] command to modify this property.

INACTIVE

Defines the number of days of inactivity that must pass before the system changes the status of a user to inactive. If the account status is inactive, the user cannot log in.

A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record.

Note: CA ControlMinder does not store the status; it calculates the status dynamically. To identify inactive users, you must compare the INACTIVE value with the user's LAST_ACC_TIME value.
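Because the inactive status is calculated rather than stored, an audit has to resolve the effective INACTIVE value and compare it with LAST_ACC_TIME itself. The following is an added example, not CA ControlMinder code: the record layout, the one-group-per-user simplification, and the separate reporting of users with no LAST_ACC_TIME are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

def effective_inactive_days(user_val, group_val, seos_inact):
    """USER overrides GROUP; both override INACT in the SEOS class record."""
    for value in (user_val, group_val, seos_inact):
        if value is not None:
            return value
    return None  # no inactivity limit defined at any level

def audit_inactive(users, groups, seos_inact, now):
    """Return (inactive, never_logged_in) lists of user names."""
    inactive, never = [], []
    for name, rec in sorted(users.items()):
        group_val = groups.get(rec.get("group"), {}).get("INACTIVE")
        limit = effective_inactive_days(rec.get("INACTIVE"), group_val, seos_inact)
        if limit is None:
            continue
        last = rec.get("LAST_ACC_TIME")
        if last is None:
            # Assumption: no recorded login, so flag for manual review.
            never.append(name)
        elif now - last >= timedelta(days=limit):
            inactive.append(name)
    return inactive, never

# Constructed sample data (not real showxusr output).
NOW = datetime(2024, 6, 30, 12, 0)
SEOS_INACT = 60
GROUPS = {"contractors": {"INACTIVE": 30}, "staff": {}}
USERS = {
    "alice": {"group": "staff", "INACTIVE": None,
              "LAST_ACC_TIME": datetime(2024, 3, 1, 9, 0)},
    "bob": {"group": "contractors", "INACTIVE": None,
            "LAST_ACC_TIME": datetime(2024, 5, 20, 9, 0)},
    "carol": {"group": "contractors", "INACTIVE": 90,
              "LAST_ACC_TIME": datetime(2024, 5, 20, 9, 0)},
    "dave": {"group": "staff", "INACTIVE": None, "LAST_ACC_TIME": None},
}

if __name__ == "__main__":
    print(audit_inactive(USERS, GROUPS, SEOS_INACT, NOW))
```

In the sample, carol has the same last login as bob but stays active because her user-level value of 90 overrides the group value of 30.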

LAST_ACC_TERM

Displays the terminal from which the last login was performed.

LAST_ACC_TIME

Displays the date and time of the last login.

LOCALAPPS

Used by eTrust SSO.

LOCATION

Defines a user location. CA ControlMinder does not use this information for authorization.

LOGININFO

Defines the information needed to log the user into a specific application and audit data. LOGININFO contains a separate list for each application that the user is authorized to access. Used by eTrust SSO.

LOGSHIFT

Indicates whether a login outside of the shift time frame is permitted. CA ControlMinder writes an audit record in the audit log for this event.

MAXLOGINS

Defines the maximum number of concurrent logins that a user is allowed. A zero value indicates that the user can have any number of concurrent logins.

A value for the MAXLOGINS property in a user record overrides a value in a group record. Both override the value of MAXLOGINS in the SEOS class record.

MIN_TIME

Defines the minimum time in days allowed between password changes for the user.

A value for the MIN_TIME property in a USER record overrides a value in a GROUP record. Both override the PASSWDRULES property in the SEOS class record.

Note: This property corresponds to the min_life parameter of the ch[x]usr command.

NOTIFY

Defines the user to be notified when a resource or user generates an audit event. CA ControlMinder can email the audit record to the specified user.

Limit: 30 characters.

OBJ_TYPE

Specifies the user authority attributes. Each of these attributes corresponds to the parameter of the same name in the ch[x]usr command. A user can have one or more of the following authority attributes:

ADMIN

Specifies whether the user can perform administrative functions, similar to root in the UNIX environment.

AUDITOR

Specifies whether the user can monitor the system, list information in the database, and set the audit mode for existing records.

IGN_HOL

Specifies whether the user can log in during any period of time defined in a HOLIDAY record.

LOGICAL

Specifies that the user is only for internal CA ControlMinder purposes and cannot be used by a real user to log in.

For example, the user nobody is a logical user by default, so no user can log in using this account. You can use nobody as the owner of resources to prevent even the resource owner from accessing the resource.

OPERATOR

Specifies whether the user can list everything in the database and use the secons utility.

PWMANAGER

Specifies whether the user can modify the password settings of other users and can enable a user account that has been disabled by the serevu utility.

SERVER

Specifies whether a process can ask users for authorization and can issue the SEOSROUTE_VerifyCreate API call.

OIDCRDDATA

Used by eTrust SSO.

OLD_PASSWD

Contains an encrypted list of the user's previous passwords. The user cannot choose a new password from this list. The maximum number of passwords saved in OLD_PASSWD is determined by the setoptions command.

ORG_UNIT

A string that stores information on the organizational unit in which the user works. This string is part of the X.500 naming scheme. CA ControlMinder does not use it for authorization.

ORGANIZATION

Defines the organization in which the user works. This string is part of the X.500 naming scheme. CA ControlMinder does not use this for authorization.

PASSWD_A_C_W

Indicates the ADMIN user who last changed the user password for this record.

PASSWD_INT

Defines the maximum time in days between password changes for users.

A value for the PASSWD_INT property in a USER record overrides the value in a GROUP record. Both override the PASSWDRULES property in the SEOS class record.

Note: This property corresponds to the interval parameter of the ch[x]usr command.

PASSWD_L_A_C

Displays the date and time at which an administrator last updated the password.

PASSWD_L_C

Displays the date and time at which a user last updated the password.

PHONE

Defines the user's telephone number. This information is not used for authorization.

PUPM_FLAGS

Specifies the terminal integration attributes. You use terminal integration when you integrate privileged accounts on CA ControlMinder endpoints with SAM. A privileged account can have one or both of the following terminal integration attributes:

use_original_identity

Specifies that CA ControlMinder uses the name of the user who checked out the account, not the name of the privileged account, when it makes authorization decisions. The audit records for the session list the original user in the real user name field and the privileged account in the effective user name field.

required_checkout

Specifies that the account must be checked out in SAM before a user can use the account to log in to the endpoint.

PWD_AUTOGEN

Displays whether the user password is automatically generated. Used by eTrust SSO.

The default is no.

PWD_SYNC

Displays whether the user password is automatically kept identical for all user applications. Used by eTrust SSO.

The default is no.

RESUME_DATE

Defines the date on which a suspended USER account becomes unsuspended.

RESUME_DATE and SUSPEND_DATE work together.

Note: This property corresponds to the resume[-] parameter of the ch[x]usr and ch[x]grp commands.

REVACL

Displays the access control lists of the accessor.

REVOKE_COUNT

Used by eTrust SSO.

SCRIPT_VARS

Used by eTrust SSO. Defines a variables list with the variable values of the application script that are saved per application.

SECLABEL

Defines the security label of a user or resource.

Note: The SECLABEL property corresponds to the label[-] parameter of the chres and ch[x]usr commands.

SECLEVEL

Defines the security level of an accessor or resource.

Note: This property corresponds to the level[-] parameter of the ch[x]usr and chres commands.

SESSION_GROUP

Defines an SSO session group for a user. The SESSION_GROUP property is a string with a maximum length of 16 characters.

In Windows, an administrator can enter a new session group name if the preferred name is not in the drop‑down list.

Used by eTrust SSO.

SHIFT

Used by eTrust SSO.

SUSPEND_DATE

Defines the date on which a user account is suspended and so becomes invalid.

If the suspend date for a record precedes its resume date, the user can work before the suspend date and after the resume date.

The timeline shows what happens when a resume date follows the suspend date

If a user has a resume date that is earlier than the suspend date, the record is also invalid before the resume date. The user can work only between the resume and suspend dates.

The timeline shows what happens when a resume date precedes the suspend date

A value for the SUSPEND_DATE property in a user record overrides the value in a group record.

Note: This property corresponds to the suspend[-] parameter of the ch[x]usr and ch[x]grp commands.
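The two orderings of SUSPEND_DATE and RESUME_DATE described above can be checked with a small evaluator. This is an added example, not CA ControlMinder code: the function names are hypothetical, the dates are constructed, and the handling of a RESUME_DATE without a SUSPEND_DATE and of equal dates is an assumption the page does not cover.

```python
from datetime import datetime

def effective_suspend_date(user_date, group_date):
    """A SUSPEND_DATE in the user record overrides the one in the group record."""
    return user_date if user_date is not None else group_date

def is_suspended(now, suspend=None, resume=None):
    """Return True if the account is invalid at `now`."""
    if suspend is None:
        # Assumption: a RESUME_DATE with no SUSPEND_DATE is not covered by
        # the page, so this sketch treats the account as valid.
        return False
    if resume is None:
        return now >= suspend  # suspended from SUSPEND_DATE onward
    if suspend <= resume:
        # Suspend precedes resume: invalid only inside [suspend, resume).
        # Assumption: equal dates fall in this case (empty window).
        return suspend <= now < resume
    # Resume precedes suspend: valid only inside [resume, suspend).
    return not (resume <= now < suspend)

def timeline(probes, suspend, resume):
    """Label each probe time as 'valid' or 'suspended'."""
    return ["suspended" if is_suspended(p, suspend, resume) else "valid"
            for p in probes]

# Constructed dates for illustration.
EARLY, LATE = datetime(2024, 3, 1), datetime(2024, 4, 1)
PROBES = [datetime(2024, 2, 15), datetime(2024, 3, 15), datetime(2024, 4, 15)]

if __name__ == "__main__":
    # Resume follows suspend: the user is locked out only in between.
    print(timeline(PROBES, suspend=EARLY, resume=LATE))
    # Resume precedes suspend: the user can work only in between.
    print(timeline(PROBES, suspend=LATE, resume=EARLY))
```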

SUSPEND_WHO

Displays the administrator who activated the suspend date.

UALIAS

Displays the aliases of a specific user defined to one or more authentication hosts. Used by eTrust SSO.

UPDATE_TIME

(Informational) Displays the date and time when the record was last modified.

UPDATE_WHO

(Informational) Displays the administrator who performed the update.