Security Management Guide (G06.24+, H06.03+)
Safeguard System Security
Security Management Guide—522283-008
Adding Users to a System
When the Safeguard software is installed on a system with an existing user community,
it takes over the existing user ID file. The next time each user logs on, the user record
is expanded to include Safeguard attributes.
Add new users with the ADD USER command. Always specify passwords when
adding users. Be sure to tell users to change their passwords immediately after logging
on for the first time. You can set a Safeguard configuration attribute to require users to
change their passwords at regular intervals.
In addition, by using the PASSWORD-EXPIRES attribute, you can add a user with a
password that is already expired. You can then grant the user a grace period during
which to change the expired password.
User Expiration
Use the USER-EXPIRES attribute for contractors and temporary employees. For
example, if you hire a contract programmer whose contract expires on October 19,
1996, issue a command similar to this when adding the user ID:
3> SAFECOM ADD USER prog.donna, 10,200, PASSWORD vroom, &
3> USER-EXPIRES Oct 19 1996
Requiring Password Changes
You can use the PASSWORD-MUST-CHANGE attribute to require users to change
their passwords periodically. You can specify different periods for each user. The
following SAFECOM command specifies a password period for PROG.DONNA:
=ALTER USER prog.donna, PASSWORD-MUST-CHANGE 30 DAYS
The PASSWORD-MUST-CHANGE attribute interacts with the global PASSWORD-MAY-CHANGE
attribute. The PASSWORD-MAY-CHANGE attribute specifies the
number of days prior to expiration that users can change their passwords. For more
information about the interaction between these two attributes, see the Safeguard
Administrator’s Manual.
Default Protection
Consider DEFAULT-PROTECTION for a user’s Guardian disk files. It guarantees that
Safeguard authorization records are created for any files the user creates in the
Guardian environment. The DEFAULT-PROTECTION attribute allows you to specify a
default access control list for a user’s files. Specify more restrictive access control lists
for some users than for others, depending on what type of files they manipulate.
After you determine what type of default access control list you want for a user’s files,
decide whether you want the user to own the authorization records for the files. If the
users own their own records, they can change the security attributes, including the
access control list. Sometimes only the user can determine appropriate security for a