USER Class

Each record in the USER class defines a user in the PAM Server Control database.
The key of the USER record is the name of the user entered by the user when logging in to the system.
You can change most of the USER properties from the PAM Server Control Endpoint Management, or by using the selang command chusr. Properties that you cannot change using chusr are labeled informational.
Unless otherwise indicated, to change a property using chusr, use the property name as the command parameter.
You can view all properties from the PAM Server Control Endpoint Management or by using the selang command showusr.
  • APPLIST
    Used by CA SSO
  • APPLIST_TIME
    Used by CA SSO
  • APPLS
    (Informational) Displays the list of applications that the accessor is authorized to access. Used by CA SSO.
  • AUDIT_MODE
    Defines the activities that PAM Server Control records in the audit log. You can specify any combination of the following activities:
    • No logging
    • All activities recorded in the trace file
    • Unsuccessful login attempts
    • Successful logins
    • Failed access attempts to resources protected by PAM Server Control
    • Successful accesses to resources protected by PAM Server Control
    • Interactive logins
    This property corresponds to the audit parameter of the ch[x]usr and ch[x]grp commands.
  • AUTHNMTHD
    (Informational) Displays the authentication method or methods to be used with the group record; from method 1 to method 32, or none. Used by CA SSO.
  • BADPASSWD
    Used by CA SSO
  • CATEGORY
    Defines one or more security categories assigned to a user or a resource.
  • COMMENT
    Defines additional information that you want to include in the record. PAM Server Control does not use this information for authorization.
    Limit: 255 characters.
  • COUNTRY
    A string that specifies a country descriptor for a user. This string is part of the X.500 naming scheme. PAM Server Control does not use it for authorization.
  • CREATE_TIME
    (Informational) Displays the date and time when the record was created.
  • DAYTIME
    Defines the day and time restrictions that govern when an accessor can access a resource.
    Use the restrictions parameter with the chres, ch[x]usr, or ch[x]grp commands to modify this property.
    The resolution of daytime restrictions is one minute.
  • EMAIL
    Defines the email address of the user, up to 128 characters.
  • EXPIRE_DATE
    Defines the date on which an accessor becomes invalid. A value for the EXPIRE_DATE property in a user record overrides a value in a group record.
    Note: This property corresponds to the expire[-] parameter of the ch[x]usr and ch[x]grp commands.
  • FULLNAME
    Defines the full name associated with an accessor. PAM Server Control uses the full name to identify the accessor in audit log messages, but not for authorization.
    FULLNAME is an alphanumeric string. The maximum length for groups and users is 255 characters.
  • GAPPLS
    (Informational) Indicates the list of application groups that the user is authorized to access. Used by CA SSO.
  • GRACELOGIN
    Defines the number of grace logins a user has after a password expires. When the number of grace logins is exceeded, the user is denied access to the system and must contact the system administrator for a new password.
    The number of grace logins must be from 0 through 255. If this value is 0, the user cannot log in.
    A value for the GRACELOGIN property in a USER record overrides a value for NGRACE in a GROUP record. Both override the PASSWDRULES property in the SEOS class record.
    This property corresponds to the grace parameter of the ch[x]usr command.
  • GROUPS
    (Informational) Displays the list of user groups that the user belongs to. This property also contains any group authorities, such as group administration authority (GROUP-ADMIN), assigned to the user for each group the user belongs to.
    The group list that is contained in this property can be different from the one in the native environment GROUPS property.
    Note: The ch[x]usr command does not modify this property. Instead, use the join[-] or joinx[-] command to modify this property.
  • HOMEDIR
    (UNIX only) Defines the home directory of the user. Used by CA SSO.
  • INACTIVE
    Defines the number of days of inactivity that must pass before the system changes the status of a user to inactive. If the account status is inactive, the user cannot log in.
    A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record.
    PAM Server Control does not store the status; it calculates the status dynamically. To identify inactive users, you must compare the INACTIVE value with the LAST_ACC_TIME value of the user.
  • LAST_ACC_TERM
    Displays the terminal from which the last login was performed.
  • LAST_ACC_TIME
    Displays the date and time of the last login.
  • LOCALAPPS
    Used by CA SSO
  • LOCATION
    Defines a user location. PAM Server Control does not use this information for authorization.
  • LOGININFO
    Defines the information to log the user in to a specific application and audit data. LOGININFO contains a separate list for each application that the user is authorized to access. Used by CA SSO.
  • LOGSHIFT
    Indicates whether a login outside of the shift time frame is permitted. PAM Server Control writes an audit record in the audit log for this event.
  • MAXLOGINS
    Defines the maximum number of concurrent logins that a user is allowed. A zero value indicates that the user can have any number of concurrent logins.
    A value for the MAXLOGINS property in a user record overrides a value in a group record. Both override the value of MAXLOGINS in the SEOS class record.
  • MIN_TIME
    Defines the minimum time in days allowed between password changes for the user.
    A value for the MIN_TIME property in a USER record overrides a value in a GROUP record. Both override the PASSWDRULES property in the SEOS class record.
    Note: This property corresponds to the min_life parameter of the ch[x]usr command.
  • NOTIFY
    Defines the user to be notified when a resource or user generates an audit event. PAM Server Control can email the audit record to the specified user.
    Limit: 30 characters
  • OBJ_TYPE
    Specifies the user authority attributes. Each of these attributes corresponds to the parameter of the same name in the ch[x]usr command. A user can have one or more of the following authority attributes:
    • ADMIN
      Specifies whether the user can perform administrative functions, similar to root in the UNIX environment.
    • AUDITOR
      Specifies whether the user can monitor the system, list information in the database, and can set the audit mode for existing records.
    • IGN_HOL
      Specifies whether the user can log in during any timeframe defined in a HOLIDAY record.
    • LOGICAL
      Specifies that the user is only for internal PAM Server Control purposes and cannot be used by a real user to log in.
      For example, the user nobody, which you can assign as the owner of resources to prevent even the resource owner from accessing the resource, is a logical user by default. This means that no user can log in using this account.
    • OPERATOR
      Specifies whether the user can list everything in the database and can use the secons utility.
    • PWMANAGER
      Specifies whether the user can modify the password settings of other users and can enable a user account that the serevu utility has disabled.
    • SERVER
      Specifies whether a process can ask users for authorization and can issue the SEOSROUTE_VerifyCreate API call.
  • OIDCRDDATA
    Used by CA SSO
  • OLD_PASSWD
    Contains an encrypted list of the previous passwords of the user. The user cannot choose a new password from this list. The maximum number of passwords that are saved in OLD_PASSWD is determined by the setoptions command.
  • ORG_UNIT
    A string that stores information about the organizational unit in which the user works. This string is part of the X.500 naming scheme. PAM Server Control does not use it for authorization.
  • ORGANIZATION
    Defines the organization in which the user works. This string is part of the X.500 naming scheme. PAM Server Control does not use this string for authorization.
  • OWNER
    Defines the user or group that owns the record.
  • PASSWD_A_C_W
    Indicates the ADMIN user who last changed the user password for this record.
  • PASSWD_INT
    Defines the maximum time in days between password changes for users.
    A value for the PASSWD_INT property in a USER record overrides the value in a GROUP record. Both override the PASSWDRULES property in the SEOS class record.
    This property corresponds to the interval parameter of the ch[x]usr command.
  • PASSWD_L_A_C
    Displays the date and time at which an administrator last updated the password.
  • PASSWD_L_C
    Displays the date and time at which a user last updated the password.
  • PGMINFO
    Defines the program information that PAM Server Control generates automatically.
    The Watchdog automatically verifies the information stored in this property. If it is changed, PAM Server Control defines the program as untrusted.
    You can select any of the following flags to exclude the associated information from this verification process:
    • crc
      The cyclic redundancy check and MD5 signature.
    • ctime
      (UNIX only) The time of the last file status change.
    • device
      On UNIX, the logical disk that the file resides on. On Windows, the drive number of the disk containing the file.
    • group
      The group that owns the program file.
    • inode
      On UNIX, the file system address of the program file. On Windows, this flag has no meaning.
    • mode
      The associated security protection mode for the program file.
    • mtime
      The time the program file was last modified.
    • owner
      The user who owns the program file.
    • sha1
      The SHA1 signature. SHA1 (Secure Hash Algorithm) is a digital signature method that can be applied to the program or sensitive files.
    • size
      The size of the program file.
    Use the flags, flags+, or flags- parameter with the chres, editres, or newres command to modify the flags in this property.
  • PHONE
    Defines the user's telephone number. This information is not used for authorization.
  • POLICYMODEL
    Specifies the PMDB that receives new passwords when you change user passwords with the sepass utility. The passwords are not sent to the Policy Model defined by the parent_pmd or passwd_pmd configuration settings if a value is entered for this property.
    Note: This property corresponds to the pmdb[-] parameter of the ch[x]usr and ch[x]grp commands.
  • PROFILE
    Defines the path to the profile of a user. This string can include a local absolute path, or a UNC path.
  • PWD_AUTOGEN
    Displays whether the user password is automatically generated. Used by CA SSO.
    The default is no.
  • PWD_SYNC
    Displays whether the user password is automatically kept identical for all user applications. Used by CA SSO.
    The default is no.
  • RESUME_DATE
    Defines the date on which a suspended USER account becomes unsuspended.
    RESUME_DATE and SUSPEND_DATE work together.
    This property corresponds to the resume[-] parameter of the ch[x]usr and ch[x]grp commands.
  • REVACL
    Displays the access control lists of the accessor.
  • REVOKE_COUNT
    Used by CA SSO
  • SCRIPT_VARS
    Defines a variables list with the variable values of the application script that are saved per application. Used by CA SSO.
  • SECLABEL
    Defines the security label of a user or resource.
    The SECLABEL property corresponds to the label[-] parameter of the chres and ch[x]usr commands.
  • SECLEVEL
    Defines the security level of an accessor or resource.
    Note: This property corresponds to the level[-] parameter of the ch[x]usr and chres commands.
  • SESSION_GROUP
    Defines an SSO session group for a user. The SESSION_GROUP property is a string with a maximum length of 16 characters.
    In Windows, an administrator can enter a new session group name if the preferred name is not in the drop-down list.
    Used by CA SSO
  • SHIFT
    Used by CA SSO
  • SUSPEND_DATE
    Defines the date on which a user account is suspended and so becomes invalid.
    If the suspend date for a record precedes its resume date, the user can work before the suspend date and after the resume date.
    If a user has a resume date that is earlier than the suspend date, the record is also invalid before the resume date. The user can work only between the resume and suspend dates.
    A value for the SUSPEND_DATE property in a user record overrides the value in a group record.
    This property corresponds to the suspend[-] parameter of the ch[x]usr and ch[x]grp commands.
  • SUSPEND_WHO
    Displays the administrator who activated the suspend date.
    Note: This property corresponds to the suspend[-] parameter of the ch[x]usr command.
  • UALIAS
    Displays the aliases of a specific user defined to one or more authentication hosts. Used by CA SSO.
  • UPDATE_TIME
    (Informational) Displays the date and time when the record was last modified.
  • UPDATE_WHO
    (Informational) Displays the administrator who performed the update.
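
The INACTIVE and SUSPEND_DATE/RESUME_DATE rules described above, as an added example (not product code): a Python audit that derives which accounts cannot log in at a given time, applying the USER over GROUP over SEOS override order for the inactivity limit. The record dictionaries, the `_group` key, the treatment of a missing or zero limit, and the boundary handling are assumptions; the page does not define an export format.

```python
from datetime import datetime as D, timedelta

def effective(prop, user, group, seos, seos_prop):
    """USER value overrides GROUP; both override the SEOS class record."""
    for rec, key in ((user, prop), (group, prop), (seos, seos_prop)):
        if rec.get(key) is not None:
            return rec[key]
    return None

def is_inactive(user, group, seos, now):
    # The status is not stored: derive it from INACTIVE and LAST_ACC_TIME.
    days = effective("INACTIVE", user, group, seos, "INACT")
    last = user.get("LAST_ACC_TIME")
    if not days or last is None:   # assumption: no limit or no login -> not flagged
        return False
    return now - last >= timedelta(days=days)  # assumption: boundary inclusive

def is_suspended(user, now):
    s, r = user.get("SUSPEND_DATE"), user.get("RESUME_DATE")
    if s is None:                  # assumption: RESUME_DATE alone restricts nothing
        return False
    if r is None:
        return now >= s
    if s <= r:                     # suspend precedes resume: blocked in between
        return s <= now < r
    return not (r <= now < s)      # resume precedes suspend: valid only in between

def audit(users, groups, seos, now):
    """Return {user: [reasons]} for accounts that cannot log in at `now`."""
    out = {}
    for name, u in users.items():
        g = groups.get(u.get("_group"), {})   # "_group" is a hypothetical export key
        reasons = [label for label, hit in (
            ("inactive", is_inactive(u, g, seos, now)),
            ("suspended", is_suspended(u, now))) if hit]
        if reasons:
            out[name] = reasons
    return out

SEOS = {"INACT": 90}  # constructed sample records, not real showusr output
GROUPS = {"contractors": {"INACTIVE": 30}}
USERS = {
    "alice": {"LAST_ACC_TIME": D(2024, 1, 10)},                        # SEOS 90 days applies
    "bob": {"_group": "contractors", "LAST_ACC_TIME": D(2024, 4, 1)},  # GROUP 30 days applies
    "carol": {"_group": "contractors", "INACTIVE": 120, "LAST_ACC_TIME": D(2024, 4, 1)},
    "dave": {"LAST_ACC_TIME": D(2024, 5, 30), "SUSPEND_DATE": D(2024, 5, 1), "RESUME_DATE": D(2024, 7, 1)},
    "erin": {"LAST_ACC_TIME": D(2024, 5, 30), "SUSPEND_DATE": D(2024, 9, 1), "RESUME_DATE": D(2024, 6, 15)},
}
NOW = D(2024, 6, 1)
```

With the sample data, `audit(USERS, GROUPS, SEOS, NOW)` flags alice and bob as inactive and dave and erin as suspended; carol is not flagged because her own INACTIVE value of 120 overrides the group's 30.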