GROUP Class

Each record in the GROUP class defines a group of users in the database.
The key of each GROUP class record is the name of the group.
The properties of profile groups apply to each user associated with the profile group. However, if the same property is specified in a user (USER or XUSER) record, the user record overrides those in the profile group record.
You can change most of these properties from the Privileged Access Manager Endpoint Management, or by using the selang command chgrp.
Usually, and unless otherwise indicated, to change a property using ch[x]grp, you use the property name as the command parameter.
You can view all properties from the Privileged Access Manager Endpoint Management, or by using the selang command showgrp.
  • APPLS
    (Informational) Displays the list of applications that the accessor is authorized to access. Used by CA SSO.
  • AUDIT_MODE
    Defines the activities that Privileged Access Manager records in the audit log. You can specify any combination of the following activities:
    • No logging
    • All activities recorded in the trace file
    • Unsuccessful login attempts
    • Successful logins
    • Failed access attempts to resources protected by Privileged Access Manager
    • Successful accesses to resources protected by Privileged Access Manager
    • Interactive logins
    This property corresponds to the audit parameter of the ch[x]usr and ch[x]grp commands. You can use AUDIT_MODE for a GROUP or XGROUP to set the audit mode for all members of the group. However, you cannot use AUDIT_MODE to set the audit mode for group members if the audit mode of a user is defined in a USER record, XUSER record, or profile group.
  • AUTHNMTHD
    (Informational) Displays the authentication method or methods to be used with the group record; from method 1 to method 32, or none. Used by CA SSO.
  • COMMENT
    Defines additional information that you want to include in the record. Privileged Access Manager does not use this information for authorization.
    Limit: 255 characters
  • CREATE_TIME
    (Informational) Displays the date and time when the record was created.
  • DAYTIME
    Defines the day and time restrictions that govern when an accessor can access a resource.
    Use the restrictions parameter with the chres, ch[x]usr, or ch[x]grp commands to modify this property.
    The resolution of daytime restrictions is one minute.
  • EXPIRE_DATE
    Defines the date on which an accessor becomes invalid. A value for the EXPIRE_DATE property in a user record overrides a value in a group record.
    Note: This property corresponds to the expire[-] parameter of the ch[x]usr and ch[x]grp commands.
  • FULLNAME
    Defines the full name associated with an accessor. Privileged Access Manager uses the full name to identify the accessor in audit log messages, but not for authorization.
    FULLNAME is an alphanumeric string. For groups, the maximum length is 255 characters. For users, the maximum length is 47 characters.
  • GAPPLS
    Defines the list of application groups that the group is authorized to access. Used by CA SSO.
  • GROUP_MEMBER
    Defines the groups that are members of this group.
  • GROUP_TYPE
    Specifies the group authority attributes. Each of these attributes corresponds to the parameter of the same name in the ch[x]grp command. A group can have one or more of the following authority attributes:
    • ADMIN
      Specifies whether a user who belongs to the group can perform administrative functions, similar to root in the UNIX environment.
    • AUDITOR
      Specifies whether a user who belongs to the group can monitor the system, list information in the database, and can set the audit mode for existing records.
    • OPERATOR
      Specifies whether a user who belongs to the group can list everything in the database and can use the secons utility.
    • PWMANAGER
      Specifies whether a user who belongs to the group can modify the password settings of other users and can enable a user account that the serevu utility has disabled.
    • SERVER
      Specifies whether a process can ask users who belong to the group for authorization and can issue the SEOSROUTE_VerifyCreate API call.
  • HOMEDIR
    Defines the path of the home directory assigned to a new group member.
    Use the homedir parameter with the chgrp, editgrp, or newgrp command to modify this property.
    Limit: 255 alphanumeric characters
  • INACTIVE
    Defines the number of days of inactivity that must pass before the system changes the status of a user to inactive. If the account status is inactive, the user cannot log in.
    A value for the INACTIVE property in a USER record overrides a value in a GROUP record. Both override the INACT property in the SEOS class record.
    Privileged Access Manager does not store the status; it calculates the status dynamically. To identify inactive users, compare the INACTIVE value with the LAST_ACC_TIME value of the user.
    INACTIVE is part of the profile feature.
  • MAXLOGINS
    Defines the maximum number of concurrent logins that a user is allowed. A zero value indicates that the user can have any number of concurrent logins.
    A value for the MAXLOGINS property in a user record overrides a value in a group record. Both override the value of MAXLOGINS in the SEOS class record.
    MAXLOGINS is part of the profile feature.
  • MEMBER_OF
    Defines the groups that this group is a member of.
  • OWNER
    Defines the user or group that owns the record.
  • PASSWDRULES
    Specifies the password rules. This property contains several fields that determine how Privileged Access Manager handles password protection. For a complete list of the rules, see the modifiable property PROFILE of the USER class.
    Use the password parameter and the rules or rules- option with the setoptions command to modify this property.
    PASSWDRULES is part of the profile feature.
  • POLICYMODEL
    Specifies the PMDB that receives new passwords when you change user passwords with the sepass utility. The passwords are not sent to the Policy Model defined by the parent_pmd or passwd_pmd configuration settings if a value is entered for this property.
    Note: This property corresponds to the pmdb[-] parameter of the ch[x]usr and ch[x]grp commands.
    POLICYMODEL is part of the profile feature.
  • PROFUSR
    Displays a list of the users associated with this profile group.
  • PWD_AUTOGEN
    Indicates whether the group password is automatically generated. The default is no. Used by CA SSO.
  • PWD_SYNC
    Indicates whether the group password is automatically kept identical for all group applications. The default is no. Used by CA SSO.
  • PWPOLICY
    Defines the record name of the password policy for the group. A password policy is a set of rules for checking the validity of a new password and for defining when a password expires. The default is no validity check. Used by CA SSO.
  • RESUME_DATE
    Defines the date on which a suspended USER account becomes unsuspended.
    RESUME_DATE and SUSPEND_DATE work together.
    This property corresponds to the resume[-] parameter of the ch[x]usr and ch[x]grp commands.
    RESUME_DATE is part of the profile feature.
  • REVACL
    Displays the access control lists of the accessor.
  • SHELL
    (UNIX only) The shell program that is assigned to a new UNIX user when the user is a member of this group.
    Use the shellprog parameter with the chxgrp command to modify this property.
  • SUBGROUP
    Displays the list of groups that have this group as a parent.
  • SUPGROUP
    Defines the name of the parent group (superior group).
    Use the parent[-] parameter with the ch[x]grp command to modify this property.
  • SUSPEND_DATE
    Defines the date on which a user account is suspended and so becomes invalid.
    If the suspend date for a record precedes its resume date, the user can work before the suspend date and after the resume date.
    If a user has a resume date that is earlier than the suspend date, the record is also invalid before the resume date. The user can work only between the resume and suspend dates.
    A value for the SUSPEND_DATE property in a user record overrides the value in a group record.
    This property corresponds to the suspend[-] parameter of the ch[x]usr and ch[x]grp commands.
  • SUSPEND_WHO
    Displays the administrator who activated the suspend date.
  • UPDATE_TIME
    (Informational) Displays the date and time when the record was last modified.
  • UPDATE_WHO
    (Informational) Displays the administrator who performed the update.
  • USERLIST
    Defines the users that belong to the group.
    The user list that is contained in this property can be different from the one in the native environment USERS property.
    Use the join[x][-] commands to modify this property.
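
The override and date rules described for INACTIVE, SUSPEND_DATE and RESUME_DATE, modelled in Python as an added example; this is not product code or selang. Records are plain dictionaries keyed by the property names on this page (an assumed representation), and the handling of a missing SUSPEND_DATE and of the exact inactivity boundary day are assumptions.

```python
from datetime import date

def effective(prop, user, group, seos_default=None):
    """USER record value wins, then the profile GROUP record, then the SEOS class value."""
    for record in (user, group):
        if record.get(prop) is not None:
            return record[prop]
    return seos_default

def is_suspended(today, suspend, resume):
    """Apply the SUSPEND_DATE / RESUME_DATE windows described on this page."""
    if suspend is None:
        return False               # assumption: no suspend date means no suspension
    if resume is None:
        return today >= suspend    # invalid from the suspend date onward
    if suspend < resume:
        return suspend <= today < resume    # works before suspend and after resume
    return not (resume <= today < suspend)  # works only between resume and suspend

def is_inactive(today, last_acc, inactive_days):
    """The status is not stored; derive it from LAST_ACC_TIME and INACTIVE."""
    if inactive_days is None or last_acc is None:
        return False
    # assumption: the day the limit is reached already counts as inactive
    return (today - last_acc).days >= inactive_days

def can_log_in(today, user, group, seos_inact=None):
    """Combine both checks using the effective (overridden) property values."""
    suspend = effective("SUSPEND_DATE", user, group)
    resume = effective("RESUME_DATE", user, group)
    days = effective("INACTIVE", user, group, seos_inact)  # SEOS class INACT is the fallback
    return not (is_suspended(today, suspend, resume)
                or is_inactive(today, user.get("LAST_ACC_TIME"), days))

# Constructed sample records, not real database output
GROUP = {"INACTIVE": 30, "SUSPEND_DATE": date(2024, 6, 1), "RESUME_DATE": date(2024, 6, 15)}
ALICE = {"LAST_ACC_TIME": date(2024, 5, 20)}  # inherits every value from the profile group
BOB = {"LAST_ACC_TIME": date(2024, 3, 1), "INACTIVE": 365,  # overrides the group's 30 days
       "SUSPEND_DATE": date(2024, 9, 1), "RESUME_DATE": date(2024, 7, 1)}

if __name__ == "__main__":
    for day in (date(2024, 5, 25), date(2024, 6, 5), date(2024, 7, 10)):
        print(day, "alice:", can_log_in(day, ALICE, GROUP), "bob:", can_log_in(day, BOB, GROUP))
```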