Safeguard Administrator's Manual (G06.24+, H06.03+)

Configuration
Safeguard Administrator’s Manual—523317-013
9-8
Configuring Password Control
To change any of these values, issue the ALTER SAFEGUARD command from
SAFECOM. For example, to maintain a history of the last 10 passwords for each user
(and not allow reuse of these passwords):
=ALTER SAFEGUARD, PASSWORD-HISTORY 10
To grant users a 15-day grace period during which they can change their expired
passwords during logon:
=ALTER SAFEGUARD, PASSWORD-EXPIRY-GRACE 15 DAYS
You can change more than one attribute with a single command. To require a minimum
password length of six characters and to have passwords encrypted:
=ALTER SAFEGUARD, PASSWORD-MINIMUM-LENGTH 6, &
=PASSWORD-ENCRYPT ON
Consider this example with the attributes set as:
PASSWORD-MUST-CHANGE EVERY = 20 DAYS
PASSWORD-MAY-CHANGE = 5 DAYS
On July 1, the owner of the user authentication record changes the user's password.
These dates are calculated:
PASSWORD-MAY-CHANGE = * NONE *
PASSWORD-EXPIRES = 21JULY1993
The user must change the password in the next 20 days because the password
expires on July 21.
On July 21, the user changes the password. These new dates are calculated:
PASSWORD-MAY-CHANGE = 17JULY1993
PASSWORD-EXPIRES = 22JULY1993
The user cannot change the password until July 17. The user then has only five days
to change the password before it expires. If someone learns the user's password
Note. Each time a user’s password is changed or the user’s PASSWORD-MUST-CHANGE
period is changed, the Safeguard software uses the PASSWORD-MAY-CHANGE value to
calculate the new date on which that user’s password can be changed. It also calculates a
PASSWORD-EXPIRES date for the user based on the PASSWORD-MUST-CHANGE period
defined in the user authentication record. A user can change the password anytime between
the PASSWORD-MAY-CHANGE date and the PASSWORD-EXPIRES date. These dates are
calculated differently depending on who changes the password.
If the user changes the password, the PASSWORD-EXPIRES date is calculated by adding the
PASSWORD-MUST-CHANGE period to the current date. The PASSWORD-MAY-CHANGE
date is calculated by subtracting the PASSWORD-MAY-CHANGE period from the
PASSWORD-EXPIRES date.
If the owner of the user authentication record changes the password, the
PASSWORD-MAY-CHANGE date is set to *NONE* so that the user can change the password
immediately. In this instance, the PASSWORD-EXPIRES date is calculated by adding the
PASSWORD-MUST-CHANGE period to the current date.
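
The date rule in the note above, as an added Python sketch (not part of the manual and not Safeguard code): the function names, the inclusive window boundaries, and the July 2 user-change date are assumptions made for illustration. With the 20-day and 5-day settings from the example, an owner change on July 1 yields 21JULY1993 with no may-change date, and a user change on July 2 yields 17JULY1993 and 22JULY1993.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional


class PasswordDates(NamedTuple):
    may_change: Optional[date]  # None models the *NONE* value
    expires: date


def recalc(changed_on: date, by_owner: bool,
           must_change_days: int, may_change_days: int) -> PasswordDates:
    """Recalculate both dates on the day the password is changed."""
    # PASSWORD-EXPIRES = current date + PASSWORD-MUST-CHANGE period (both cases).
    expires = changed_on + timedelta(days=must_change_days)
    if by_owner:
        # Owner of the authentication record: the user may change immediately.
        return PasswordDates(None, expires)
    # User change: PASSWORD-MAY-CHANGE date = expiry - PASSWORD-MAY-CHANGE period.
    return PasswordDates(expires - timedelta(days=may_change_days), expires)


def user_may_change(dates: PasswordDates, today: date) -> bool:
    """True if 'today' lies in the window where the user can change the password.

    Assumption: both ends of the window are inclusive, and an expired password
    is rejected here (grace-period handling is outside this sketch).
    """
    if today > dates.expires:
        return False
    return dates.may_change is None or today >= dates.may_change


def fmt(d: Optional[date]) -> str:
    """Render a date in the display style used on this page, e.g. 21JULY1993."""
    return "* NONE *" if d is None else f"{d.day}{d.strftime('%B').upper()}{d.year}"


if __name__ == "__main__":
    # Constructed inputs: 20-day must-change period, 5-day may-change period.
    for label, when, by_owner in (("owner", date(1993, 7, 1), True),
                                  ("user", date(1993, 7, 2), False)):
        d = recalc(when, by_owner, must_change_days=20, may_change_days=5)
        print(f"{label:5} change on {fmt(when)}: "
              f"PASSWORD-MAY-CHANGE = {fmt(d.may_change)}, "
              f"PASSWORD-EXPIRES = {fmt(d.expires)}")
```
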