Safeguard Administrator's Manual (G06.24+, H06.03+)

Controlling User Access
Safeguard Administrator’s Manual—523317-013
Granting a Grace Period for Changing an Expired Password
You can use the PASSWORD-EXPIRY-GRACE attribute to specify a grace period
during which a user can change his or her expired password. The
PASSWORD-EXPIRY-GRACE attribute can be specified either in the user
authentication record for an individual user or in the Safeguard configuration record for
all users. If the grace period is specified in both records, the value in the user
authentication record takes precedence.
For example, assume that SECURITY.SUSAN wants to grant ADMIN.BOB a grace
period of 10 days during which he can change his password if he allows it to expire.
She enters this ALTER USER command:
ALTER USER admin.bob, PASSWORD-EXPIRY-GRACE 10 DAYS
She then displays the user record to verify the results of the command:
INFO USER admin.bob, GENERAL

GROUP.USER   USER-ID   OWNER   LAST-MODIFIED    LAST-LOGON      STATUS   WARNING-MODE
ADMIN.BOB    1,0       200,1   29JUL05, 8:56    27JUL05, 8:02   THAWED   OFF
  UID                         = 256
  USER-EXPIRES                = * NONE *
  PASSWORD-EXPIRES            = 28AUG05, 0:00
  PASSWORD-MAY-CHANGE         = * NONE *
  PASSWORD-MUST-CHANGE EVERY  = 30 DAYS
  PASSWORD-EXPIRY-GRACE       = 10 DAYS
  LAST-LOGON                  = 27JUL05, 8:02
  LAST-UNSUCESSFUL-ATTEMPT    = * NONE *
  LAST-MODIFIED               = 29JUL05, 8:56
  FROZEN/THAWED               = THAWED
  STATIC FAILED LOGON COUNT   = 0
  GUARDIAN DEFAULT SECURITY   = OOOO
  GUARDIAN DEFAULT VOLUME     = $SYSTEM.NOSUBVOL

The general INFO USER report shows that ADMIN.BOB now has a grace period of
10 days in which to change an expired password. If ADMIN.BOB allows his password
to expire, he can change it during the grace period. To change his expired password,
ADMIN.BOB must log on during the grace period. He cannot use the PASSWORD
program during this period because he cannot log on until the expired password is
changed. For more information on the logon dialog, see the Safeguard User’s Guide.

Forcing Immediate Expiration of a User’s Password
You can use the PASSWORD-EXPIRES attribute to cause the immediate expiration of
a user’s password. This feature can be particularly useful when you want a new user to
change his or her password during his or her first logon attempt. To accomplish this, add the
user with an expired password and grant a grace period during which the user can
change the password.
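
The precedence rule and grace window for PASSWORD-EXPIRY-GRACE, applied to the attribute lines of an INFO USER GENERAL report. This Python is an added example, not code from the manual or the Safeguard product. Assumptions: the configuration-record value is passed in as `config_grace_days`, two-digit years are 20xx, the grace window is counted in whole days from PASSWORD-EXPIRES, and the state labels are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: attribute lines copied from the report on this page.
SAMPLE_REPORT = """\
UID = 256
USER-EXPIRES = * NONE *
PASSWORD-EXPIRES = 28AUG05, 0:00
PASSWORD-MUST-CHANGE EVERY = 30 DAYS
PASSWORD-EXPIRY-GRACE = 10 DAYS
FROZEN/THAWED = THAWED
"""
MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def parse_attributes(report):
    """Collect the 'NAME = value' lines of the report into a dict."""
    attrs = {}
    for line in report.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def parse_days(value):
    """'10 DAYS' -> 10; '* NONE *' or a missing attribute -> None."""
    m = re.fullmatch(r"(\d+) DAYS", value or "")
    return int(m.group(1)) if m else None

def parse_timestamp(value):
    """'28AUG05, 0:00' -> datetime; '* NONE *' or missing -> None.
    Assumption: two-digit years are 20xx."""
    m = re.fullmatch(r"(\d{1,2})([A-Z]{3})(\d{2}), *(\d{1,2}):(\d{2})", value or "")
    if not m or m.group(2) not in MONTHS:
        return None
    day, mon, yy, hh, mm = m.groups()
    return datetime(2000 + int(yy), MONTHS.index(mon) + 1, int(day), int(hh), int(mm))

def effective_grace_days(attrs, config_grace_days):
    """The user-record value takes precedence over the configuration record."""
    user_grace = parse_days(attrs.get("PASSWORD-EXPIRY-GRACE"))
    return user_grace if user_grace is not None else config_grace_days

def password_state(attrs, now, config_grace_days=None):
    """Return 'VALID', 'IN-GRACE' or 'EXPIRED' (hypothetical labels)."""
    expires = parse_timestamp(attrs.get("PASSWORD-EXPIRES"))
    if expires is None or now < expires:
        return "VALID"
    grace = effective_grace_days(attrs, config_grace_days)
    # Assumption: the grace window runs for whole days from PASSWORD-EXPIRES.
    if grace is not None and now < expires + timedelta(days=grace):
        return "IN-GRACE"  # password can still be changed at logon
    return "EXPIRED"
```

Run over saved reports for many users, `password_state` separates accounts that can still recover at logon from those past the window, which need an administrator to intervene.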