1 04/12/91 new_user
2
3 Syntax as a command: new_user
4 or
5 new_user$nu
6 or
7 new_user$nua
8 or
9 new_user$change Person_id item newvalue
10 or
11 new_user$cg Person_id item newvalue
12 or
13 new_user$cga Person_id item newvalue
14
15
16 Function: adds or modifies entries in the URF and PNT. It is called
17 by master.ec to implement the accounting administrator commands that
18 deal with user registration (e.g., register, change, chalias).
19
20
21 Entry points in new_user:
22 List is generated by the help command
23
24
25 :Entry: new_user: 02/26/85 new_user$new_user
26
27
28 Function: This entry point adds a new person. The dialogue exchanged
29 between the command and the user of the command is detailed in the
30 register command.
31
32
33 :Entry: nu: 02/26/85 new_user$nu
34
35
36 Function: This entry point adds a new person but is less verbose in
37 its prompting.
38
39
40 :Entry: nua: 02/26/85 new_user$nua
41
42
43 Function: This entry is similar to the new_user$nu entry point but
44 also allows the system administrator to specify an alias, password
45 flags, and AIM attributes for the user.
46
47
48 The dialogue for new_user, new_user$nu, and new_user$nua obtains and
49 checks the following items for user registration.
50
51 Full name (Last First I.: title)
52 Mailing address
53 Programmer number
54 Default project
55 Password
56 Card Input Password
57 If new_user$nua is called:
58 Alias
59 Password flags
60 AIM authorization
61 Default AIM authorization
62 Audit flags
63
64
65 The commands attempt to generate a site-unique Person_id from the last
66 name, or the administrator may specify the Person_id.
67
68 The user is then registered in the URF and PNT and the administrator is
69 asked if there are any more users to be added.
70
71 Typing "stop" at any time aborts the registration of the current user.
72
73
74 :Entry: change: 02/26/85 new_user$change
75
76
77 Function: This entry point supports editing of user registration.
78
79
80 :Entry: cg: 02/26/85 new_user$cg
81
82
83 Function: This entry point is similar to new_user$change but is less
84 verbose.
85
86
87 :Entry: cga: 04/12/91 new_user$cga
88
89
90
91 Function: This entry is similar to new_user$cg but also allows the
92 changing of user aliases, password flags, and AIM attributes.
93
94
95 Arguments:
96 For new_user$change, new_user$cg, and new_user$cga.
97 Person_id
98 is a Person_id of a registered user. If not specified, the command
99 asks for one.
100 item
101 may be any one of the following keywords:
102
103
104 The following items marked with a plus sign (+) can only be
105 changed with the new_user$cga entry point.
106 addr
107 User's mailing address
108 + alias
109 User's login alias. An alias can be deleted by using a period
110 (.) as the new value.
111 + audit
112 AIM audit selectivity flags. This keyword is a character string
113 of the form
114
115 name1name2...namen
116
117
118 where namei is the name of an audit flag. The names and their
119 meanings are listed below.
120 <object_type>=<grant_level>/<deny_level>
121 controls the auditing of specified operations on specified
122 system objects. The values of <object_type> can be one of the
123 following:
124 admin
125 specifies that operations to administrative objects (e.g.,
126 the PNT) are to be audited.
127 fsattr
128 specifies that operations to file system attributes are to
129 be audited.
130 fsobj
131 specifies that operations to file system objects are to be
132 audited.
133
134
135 other
136 specifies that operations to objects (e.g., mailboxes)
137 controlled by ring 1 security related subsystems are to be
138 audited.
139 rcp
140 specifies that operations to objects controlled by the
141 Resource Control Package are to be audited.
142 special
143 specifies that operations to special objects are to be
144 audited. Currently the only special objects are
145 processes.
146
147
148 The values that can be assigned to <grant_level> and
149 <deny_level> are listed below.
150 M
151 specifies that "modify" operations are to be audited.
152 Operations are audited that attempt to change the object or
153 the attributes of the object. This level of auditing
154 includes the "modify access" operations.
155 MA
156 specifies that "modify access" operations are to be audited.
157 Operations are audited that attempt to change the access
158 attributes of the object.
159 N
160 specifies that no auditing is to take place.
161
162
163 R
164 specifies that "read" operations are to be audited.
165 Operations are audited that return information about the
166 contents of the object or its attributes/properties. This
167 level of auditing includes the "modify" and "modify access"
168 operations.
169
170 The <grant_level>/<deny_level> values are a matched pair.
171 The <grant_level> value specifies auditing of successful
172 operations. The <deny_level> value specifies auditing of
173 unsuccessful operations. For example, the audit flag
174 "fsobj=N/M" specifies that there is to be no monitoring of
175 successful operations on file system objects; however, all
176 unsuccessful modify operations on file system objects will
177 be audited.
178
179
180 Please note that modify access operations cannot be
181 associated with file system objects (fsobj). Instead,
182 modify access operations can be specified for file system
183 attributes (fsattr).
184
185 Additional information on auditing, including a more
186 detailed description of the operations that are audited on
187 each object type, can be found in the Multics System
188 Administration Procedures manual (AK50).
189 admin_op
190 controls auditing of administrative operations performed by
191 the process. This includes such operations as registration of
192 new users or projects. It is recommended that sites
193 interested in auditing should turn this flag on for all
194 processes.
195
196
197 fault
198 controls auditing of illegal procedure and access violation
199 faults that can indicate an attempt to access protected data.
200 moderate_cc
201 controls auditing of covert channel activity that takes place
202 over channels with a potential bandwidth of 10-100 bps.
203 priv_op
204 controls auditing of privileged operations performed by the
205 process. A privileged operation is one performed through use
206 of a privileged gate or under previously set AIM privileges.
207 It is recommended that sites interested in auditing turn this
208 flag on for all processes except perhaps the system daemons.
209 small_cc
210 controls auditing of covert channel activity that takes place
211 over channels with a potential bandwidth of 1-10 bps.
212
213
214 + auth
215 AIM authorization is the authorization to be assigned to
216 Person_id. The value for auth can be a range of values in the
217 format "min_auth:max_auth," in which case the new user is
218 eligible to use any of the authorizations within the specified
219 range. Alternatively, the value for auth can be specified as a
220 single value. In this case, the system interprets the specified
221 value as a maximum authorization value and the minimum
222 authorization value is assumed to be system_low. Use the
223 print_auth_names command for a list of valid authorization
224 values.
225 cpass
226 card input password
227
228
229 + dfauth
230 default AIM authorization
231 + flags
232 The password flags are:
233 password
234 user has a login password
235 card_pw
236 user has a card input password
237 trap
238 attempts to log in will be logged
239 lock
240 attempts to log in will be refused
241
242
243 change
244 user can change passwords, default authorization, and default
245 project
246 must_change
247 user must change login password before logging in
248 generate
249 user must use -generate_password to change password.
250 time_lock=TIME
251 password is locked until TIME.
252 operator
253 user can use the sign_on command to sign on as an operator.
254 + revalidate
255 the user's password is revalidated after having expired
256 following a period of non-use.
257 name
258 full name (Last First I.: title)
259
260
261 proj
262 default project
263 pass
264 login password
265 progn
266 programmer number
267 newvalue
268 is the new value as a single argument (i.e., enclosed in quotes if
269 it contains blanks). This argument can only be given if item is
270 given. If not specified, the command prompts with the old value and
271 waits for a response. If the new value is an empty line, the old
272 value remains unchanged. The argument may not be specified at
273 command level when changing a user's password.
274
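The object audit flags described under the audit item above, worked through as an added Python example (not part of the original info segment and not Multics code). It parses one <object_type>=<grant_level>/<deny_level> flag and decides whether a given operation would be audited; all function and constant names are hypothetical, and rejecting the MA level for fsobj is this example's reading of the fsobj note.

```python
# Added illustration; every name here is hypothetical, not Multics code.
OBJECT_TYPES = {"admin", "fsattr", "fsobj", "other", "rcp", "special"}

# Levels ordered by what they include, per the text:
# R covers read + modify + modify access, M covers modify + modify access,
# MA covers modify access only, N covers nothing.
LEVEL_RANK = {"N": 0, "MA": 1, "M": 2, "R": 3}
OPERATION_RANK = {"modify_access": 1, "modify": 2, "read": 3}


class AuditFlagError(ValueError):
    """Raised when a flag does not follow the documented syntax."""


def parse_object_flag(flag):
    """Split '<object_type>=<grant_level>/<deny_level>' into its three parts."""
    object_type, eq, levels = flag.partition("=")
    if not eq or object_type not in OBJECT_TYPES:
        raise AuditFlagError(f"unknown object type in {flag!r}")
    grant, slash, deny = levels.partition("/")
    if not slash:
        raise AuditFlagError(f"{flag!r} needs a grant/deny pair")
    for level in (grant, deny):
        if level not in LEVEL_RANK:
            raise AuditFlagError(f"unknown level {level!r} in {flag!r}")
        # Assumption: the fsobj restriction is enforced by rejecting MA.
        if object_type == "fsobj" and level == "MA":
            raise AuditFlagError("use fsattr for modify access auditing")
    return object_type, grant, deny


def is_audited(flag, operation, granted):
    """True if `operation` (granted or denied) is audited under `flag`."""
    _, grant, deny = parse_object_flag(flag)
    level = grant if granted else deny
    return LEVEL_RANK[level] >= OPERATION_RANK[operation]


if __name__ == "__main__":
    # The page's own example flag: no auditing of successes, audit denied modifies.
    for op in ("read", "modify"):
        for granted in (True, False):
            outcome = "granted" if granted else "denied"
            print(op, outcome, is_audited("fsobj=N/M", op, granted))
```
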
275
276 Notes: Changes are made to both the URF and PNT.
277
278 A password may consist of one through eight ASCII printing
279 characters including backspace, but excluding space and semicolon.
280 "HELP", "help", "quit", and "?" are interpreted uniquely by the
281 password processor and are therefore unacceptable as password
282 specifications for an interactive login. Entering "quit" terminates
283 the login attempt, while "HELP", "help", or "?" results in an
284 explanatory message and repeat of the password prompt.
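
The password rules in the note above, as an added Python example (not part of the original info segment and not Multics code). It checks a candidate password against the stated length, character set and reserved strings, and models how the login prompt treats the reserved strings; the function names and the problem codes it returns are hypothetical.

```python
# Added illustration; names and return codes are hypothetical, not Multics code.
BACKSPACE = "\b"
REPROMPT_WORDS = {"HELP", "help", "?"}   # produce an explanation and a new prompt
TERMINATE_WORD = "quit"                  # ends the login attempt


def allowed_char(ch):
    """ASCII printing characters plus backspace, minus space and semicolon."""
    if ch == BACKSPACE:
        return True
    # '!' (0x21) through '~' (0x7E) is the printing range without space.
    return "!" <= ch <= "~" and ch != ";"


def check_new_password(candidate):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if not 1 <= len(candidate) <= 8:
        problems.append("length")
    if any(not allowed_char(ch) for ch in candidate):
        problems.append("characters")
    # These strings never reach the password check at an interactive login,
    # so an account given one of them could not log in interactively.
    if candidate in REPROMPT_WORDS or candidate == TERMINATE_WORD:
        problems.append("reserved")
    return problems


def login_prompt_action(typed):
    """What the password prompt does with the text typed at it."""
    if typed == TERMINATE_WORD:
        return "terminate"
    if typed in REPROMPT_WORDS:
        return "explain_and_reprompt"
    return "check_password"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("s3cr3t!", "a b", "a;b", "toolongpw", "quit", "?"):
        print(repr(sample), check_new_password(sample), login_prompt_action(sample))
```
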