Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index
Controlling User Access
Safeguard Administrator’s Manual—523317-013
2-19
Requiring Users to Change Their Passwords
The ALTER user command can also be used to remove an expiration date. For
example, if SOFTWARE.GEORGE is hired as a permanent employee, the manager of
the SOFTWARE group removes his USER-EXPIRES date with this command:
=ALTER USER software.george, USER-EXPIRES
Specifying a USER-EXPIRES attribute without a date has the effect of removing any
existing USER-EXPIRES date.
Requiring Users to Change Their Passwords
The Safeguard password control mechanism protects a system against unauthorized
access. Passwords are more effective when users change them periodically. You can
use the PASSWORD-MUST-CHANGE attribute to require a user to change the
password within a specified period.
As with most other attributes of a user authentication record, the value of
PASSWORD-MUST-CHANGE can be set when a user is added to the system with
ADD USER, and the owner of the user authentication record can later change the
value with ALTER USER.
For example, SECURITY.SUSAN establishes a PASSWORD-MUST-CHANGE period
for ADMIN.BOB with the ALTER USER command:
=ALTER USER admin.bob, PASSWORD-MUST-CHANGE EVERY 30 DAYS
Then she checks the user record with the GENERAL option of the INFO USER
command:
=INFO USER admin.bob, GENERAL
The INFO USER report now shows that ADMIN.BOB must change his password at
least once every 30 days or his password expires. The LAST-MODIFIED field shows
that SECURITY.SUSAN changed Bob’s authentication record on June 28, 2005. The
Safeguard software calculated a PASSWORD-EXPIRES date by adding the
PASSWORD-MUST-CHANGE period to the current date (June 28). At this point,
ADMIN.BOB has until July 28, 2005, to change his password.
GROUP.USER USER-ID OWNER LAST-MODIFIED LAST-LOGON STATUS WARNING-MODE
ADMIN.BOB 1,0 200,1 28JUN05, 14:09 28JUN05, 7:48 THAWED OFF
UID = 256
USER-EXPIRES = * NONE *
PASSWORD-EXPIRES = 28JUL05, 0:00
PASSWORD-MAY-CHANGE = * NONE *
PASSWORD-MUST-CHANGE EVERY = 30 DAYS
PASSWORD-EXPIRY-GRACE = * NONE *
LAST-LOGON = 28JUN05, 7:48
LAST-UNSUCESSFUL-ATTEMPT = * NONE *
LAST-MODIFIED = 28JUN05, 14:09
FROZEN/THAWED = THAWED
STATIC FAILED LOGON COUNT = 0
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT VOLUME = $SYSTEM.NOSUBVOL