ch[x]usr Command: Change User Properties
Valid in the AC environment
Use the commands chusr, chxusr, editusr, editxusr, newusr, and newxusr to change the properties of users, and to define the user records in the Privileged Access Manager database if necessary. These commands all have synonyms, as follows:
- chusr: cu
- chxusr: cxu
- editusr: eu
- editxusr: exu
- newusr: nu
- newxusr: nxu
This means, for example, that the command cu is identical to the command chusr.
All these commands are identical in structure, and vary only in their scope. Use these commands as follows:
- Use the chusr, editusr, and newusr commands for internal users. The differences between these commands are as follows:
  - The chusr command modifies one or more USER records.
  - The editusr command creates or modifies one or more USER records.
  - The newusr command creates one or more USER records.
  These commands also exist in the native environment but operate differently there.
- Use the chxusr, editxusr, and newxusr commands for enterprise users. The differences between these commands are as follows:
  - The chxusr command modifies one or more XUSER records.
  - The editxusr command creates or modifies one or more XUSER records.
  - The newxusr command creates one or more XUSER records.
The USER and XUSER class records are identical for all properties, except that where properties are defined in the enterprise user stores, the XUSER records do not redefine them.
When you execute these commands, the changes that you make modify the user record immediately, even if the user is currently logged in to the system.
Authorization Required
To create a Privileged Access Manager user, at least one of the following conditions must be true:
- You have the ADMIN attribute.
- You are assigned the CREATE authority in the access control list of the USER or XUSER record in the ADMIN class.
To add or modify a user, at least one of the following conditions must be true:
- You have the ADMIN attribute.
- The user record is within the scope of a group in which you have the GROUP-ADMIN attribute and you have the same authority as the owner of the record.
- The user record is within the scope of a group in which you have the GROUP-AUDITOR attribute, and you want to specify the audit parameter.
- You are the owner of the group.
- You are assigned the MODIFY (for ch[x]usr) or CREATE (for edit[x]usr) authority in the access control list of the USER or XUSER record in the ADMIN class.
{{chusr|cu} | {chxusr|cxu} | {editusr|eu} | {editxusr|exu} | {newusr|nu} | {newxusr|nxu}} \
{userName | (userName [,userName...])} \
[{admin | admin-}] \
[audit({none | all | [success] [failure] [loginsuccess] [loginfail] [trace] [interactive]})] \
[{auditor | auditor-}] \
[{category(categoryName) | category-(categoryName)}] \
[{comment(string) | comment-}] \
[country(string)] \
[email(emailAddress)] \
[enable] \
[epwasown(password)] \
[{expire[(date)] | expire-}] \
[fullname(fullName)] \
[gowner(groupName)] \
[{grace(nLogins) | grace-}] \
[{ign_hol | ign_hol-}] \
[{inactive(nDays) | inactive-}] \
[{interval(nDays) | interval-}] \
[{label(labelName) | label-}] \
[{level(number) | level-}] \
[location(string)] \
[{logical | logical-}] \
[{maxlogins(nLogins) | maxlogins-}] \
[{min_life(nDays) | min_life-}] \
[{notify(mailAddress) | notify-}] \
[{operator | operator-}] \
[organization(string)] \
[org_unit(string)] \
[owner({userName | groupName})] \
[password(string)] \
[phone(string)] \
[{pmdb(pmdbName) | pmdb-}] \
[{profile(groupName) | profile-}] \
[pwasown(string)] \
[{pwmanager | pwmanager-}] \
[regular] \
[{restrictions( \
    [days({anyday | weekdays | [mon] [tue] [wed] [thu] [fri] [sat] [sun]})] \
    [time({anytime | startTime:endTime})] ) | restrictions-}] \
[{resume[(date)] | resume-}] \
[{server | server-}] \
[{suspend[(date)] | suspend-}] \
[nt | nt( \
    [admin | admin-] \
    [comment('comment') | comment-] \
    [country('country-name')] \
    [expire | expire(mm/dd/yy[@hh:mm]) | expire-] \
    [flags({account-flags | -account-flags})] \
    [homedir(any-string)] \
    [homedrive(home-drive)] \
    [location(any-string)] \
    [logonserver(server-name)] \
    [name(full_name)] \
    [organization(name)] \
    [org_unit(name)] \
    [password(user's temporary password)] \
    [pgroup(primary-group)] \
    [phone(any-string)] \
    [privileges(privilege-list)] \
    [restrictions(days(day-data) time(hhmm:hhmm | anytime))] \
    [script(logon-script-path)] \
    [workstations(workstations-list)] )] \
[unix( \
    [gecos(string)] \
    [homedir(path)] \
    [pgroup(groupName)] \
    [shellprog(fileName)] \
    [userid(number)] )]
- admin: Assigns the ADMIN attribute to the user. A user with the ADMIN attribute is allowed to issue all selang commands with all parameters except the audit parameter. You must have the ADMIN attribute to use the admin parameter.
- admin-: Removes the ADMIN attribute from the user. (Privileged Access Manager verifies that at least one user has the ADMIN attribute.) You cannot use this parameter with the new[x]usr command.
- audit: Specifies which user activities on resources protected by Privileged Access Manager are logged to the audit log. To specify more than one event type, separate the event type names with a space or a comma. Privileged Access Manager logs activities based on these attributes:
  - all: All user activities. The monitored activities are: failure, loginfail, loginsuccess, success, interactive, and trace.
  - failure: Failed access attempts.
  - loginfail: Failed login attempts.
  - loginsuccess: Successful logins.
  - none: No user activities.
  - success: Successful accesses.
  - interactive: Interactive sessions.
  - trace: Every message that appears in the trace file because of this user's actions.
- auditor: Assigns the AUDITOR attribute to the user. A user with the AUDITOR attribute can audit the use of system resources and can control the logging of detected accesses to any Privileged Access Manager-protected resource during Privileged Access Manager authorization checking, as well as accesses to the database. See the Endpoint Administration Guide for your OS for more information about the authorities granted to a user with the AUDITOR attribute.
- auditor-: Removes the AUDITOR attribute from the user record. You cannot use this parameter with the new[x]usr command.
- auth_type: Specifies the authentication method. Used only by SSO. You cannot use this parameter for enterprise users.
- category(categoryName[, categoryName...]): Assigns one or more security categories to the user.
- category-(categoryName[, categoryName...]): Removes one or more security categories from the user record. You cannot use this parameter with the new[x]usr command.
- comment(commentString): Assigns a comment to the user record.
  - commentString: Specifies the comment. commentString is an alphanumeric string of up to 255 characters. If commentString contains blanks, enclose it in single quotation marks.
- comment-: Deletes the comment from the user record. You cannot use this parameter with the new[x]usr command.
- country(countryName): Specifies the country where the user is located. The country is not used during the authorization process.
  - countryName: Defines the country. This parameter is an alphanumeric string of up to 19 characters. If the string contains blanks, enclose the entire string in single quotation marks.
- email(emailAddress): Defines the email address of the user.
  - emailAddress: Defines the email address of the user. Limits: up to 128 characters.
- enable: Enables the login of a user that has for any reason been disabled. You cannot use this parameter with the new[x]usr command.
- epwasown(password): Changes the user password as if the user changed their own password. This password change is not an administrative change and so does not automatically expire the password. Note: This parameter is for internal use only. It sets the password in /etc/shadow or the passwd file exactly as given in the argument, in plain text.
- expire(dateTime): Sets the date when the user account expires. If a date is not specified, the account expires immediately, or if the user is logged in, when the user logs out. If the user record has a value for this property, that value overrides the value in the GROUP record. Use the expire- parameter to enable expired user records; you do not use the resume parameter to do this.
  - dateTime: Defines the date, and optionally the time. It has the following format: mm/dd/[yy]yy[@HH:MM]. You can use either two digits or four digits to specify the year.
- expire-: For the new[x]usr command, defines a user account that does not have an expiration date. For the ch[x]usr and edit[x]usr commands, removes an expiration date from a user account.
- flags(accountFlags|-accountFlags): Specifies particular attributes of a user's account. See the appendix Windows Values for a list of valid flag values. To remove flags from the user record, precede accountFlags with a minus (-).
- fullname(fullName): Specifies the full name of the user.
  - fullName: Defines the full name. It is an alphanumeric string of up to 255 characters. If fullName contains blanks, enclose the entire string in single quotation marks.
- gecos(string): Specifies a comment string for the user. Enclose the string in single quotation marks.
- gowner(groupName): Assigns a Privileged Access Manager group as the owner of the user record. The group owner of the user record has unrestricted access to it, provided the group owner's security level and security category authorities are sufficient. The group owner of the user record is always permitted to update and delete the user record.
- grace(nLogins): Defines the number of grace logins the user is allowed. After the number of grace logins is reached, the user cannot access the system and must contact the system administrator to select a new password. If grace is set to zero, the user cannot log in. If the user record has a value for this parameter, that value overrides the value in the GROUP record. If this parameter is not specified and the user has a profile group that contains a value for this parameter, the value in the GROUP record is used. If neither the USER nor GROUP record contains a value, the Privileged Access Manager global grace login setting is used.
  - nLogins: Defines the number of grace logins. Enter an integer between 0 and 255.
  The user should change the password before the grace value reaches 0. Contact the system administrator to select a new password if the grace login value is reached.
- grace-: Deletes the user's grace login setting. The Privileged Access Manager global grace login setting is used instead. You cannot use this parameter with the newusr command.
- homedir(path): Specifies the full path of the user's home directory. If path ends with a slash, Privileged Access Manager concatenates userName to the path.
- homedrive(drive): Specifies the drive of the user's home directory.
- ign_hol: Assigns the IGN_HOL attribute to the user. A user with the IGN_HOL attribute can log in during any period defined in a holiday record.
- ign_hol-: Removes the IGN_HOL attribute from the user.
- inactive(nDays): Specifies the number of days that must pass before the system changes the user to inactive. When the number of days is reached, the user cannot log in. Inactive users are not marked in the user record. To identify inactive users, you must compare the Last Accessed Time value with the Inactive Days value.
  - nDays: Defines the number of days. nDays is zero or a positive integer. If nDays is zero, the effect is the same as using the inactive- parameter.
- inactive-: Changes the user's status from inactive to active. You cannot use this parameter with the newusr command.
- interval(nDays): Defines the number of days that must pass after the password was set or changed before the system prompts the user for a new password. Enter zero or a positive integer. If nDays is zero, Privileged Access Manager disables password interval checking and the password does not expire. This means the default set by the setoptions command is not used. Set nDays to zero only for users with low security requirements. When nDays is reached, Privileged Access Manager informs the user that the password has expired. The user can continue to use the password until the number of grace logins is reached. After the number of grace logins is reached, the user is denied access to the system and must contact the system administrator to be given a new password.
- interval-: Cancels a user's password interval setting. If the user has a profile group with a value for this parameter, that value is used. Otherwise, the default set by the setoptions command is used. You cannot use this parameter with the new[x]usr command.
- label(labelName): Assigns a security label to the user.
- label-: Deletes the security label from the user record. You cannot use this parameter with the new[x]usr command.
- level(levelNumber): Assigns a security level to the user record. levelNumber is an integer between 0 and 255.
- level-: Deletes the security level from the user record. You cannot use this parameter with the newusr command.
- localapps: Used by CA SSO.
- location(locationString): Specifies the user's location. The location is not used during the authorization process.
  - locationString: Defines the location. locationString is an alphanumeric string of up to 47 characters. If locationString contains blanks, enclose it in single quotation marks.
- logical: Assigns the LOGICAL attribute to the user. A user with the LOGICAL attribute cannot log in and is used for internal Privileged Access Manager purposes only. For example, the user nobody, which you can use as the owner of resources to prevent even the resource owner from accessing the resource, is a logical user by default. This means that no user can log in using this account.
- logical-: Removes the LOGICAL attribute from the user.
- logonserver(server-name): Specifies the server that verifies the login information for the user. When the user logs in to the domain workstation, Privileged Access Manager transfers the login information to the server, which gives the workstation permission for the user to work.
- maxlogins(nLogins): Sets the maximum number of concurrent logins for the user. A value of 0 (zero) means that the user can log in from any number of terminals concurrently. If this parameter is not specified, the global maximum logins setting is used. If maxlogins is set to 1, you cannot run selang. You must shut down Privileged Access Manager, change the maxlogins setting to greater than one (for example, by using the setpropadm utility), and start Privileged Access Manager again.
- maxlogins-: Deletes the user's maximum login setting. The global setting is used instead. You cannot use this parameter with the new[x]usr command.
- min_life(nDays): The minimum number of days that must pass before the user is allowed to change the password again. Enter a positive integer.
- min_life-: Deletes the user's min_life setting. If the user has a profile group with a value for this parameter, that value is used. Otherwise, the default set by the setoptions command is used. You cannot use this parameter with the new[x]usr command.
- nochngpass: Specifies that the user is not allowed to change passwords for another user.
- notify(notifyAddress): Sends an email to notifyAddress every time the user logs in. The recipient of the notify messages should log in frequently to respond to the unauthorized access attempts described in each message. When Privileged Access Manager sends a notification message, it writes an audit record in the audit log.
  - notifyAddress: Defines a user name or an email address. Limit: 30 characters.
- notify-: Specifies that no one is notified when the user logs in. You cannot use this parameter with the new[x]usr command.
- nt: For the chusr and editusr commands, this parameter changes the user's definition in the local Windows system. For the newusr command, this parameter adds the user to the local Windows system. If more than one argument is specified, separate the arguments with a space. See the environment command for more information about how to operate on the local Windows system from within Privileged Access Manager. The nt option, and the sub-options under the nt option, are not valid for enterprise users.
- operator: Assigns the OPERATOR attribute to the user. A user with the OPERATOR attribute can list all resource records in the database, and has read authority for all Privileged Access Manager defined files. A user with this attribute can also use all the options of the secons command. See the Reference Guide for more information about the secons utility.
- operator-: Removes the OPERATOR attribute from a user record. You cannot use this parameter with the newusr command.
- organization(organizationString): Specifies the user's organization. The organization is not used during the authorization process.
  - organizationString: Defines the organization. organizationString is an alphanumeric string of up to 255 characters. If organizationString contains blanks, enclose it in single quotation marks.
- org_unit(org_unitString): Specifies the user's organization unit. The organization unit is not used during the authorization process.
  - org_unitString: Defines the organization unit. org_unitString is an alphanumeric string of up to 255 characters. If org_unitString contains blanks, enclose it in single quotation marks.
- owner(Name): Assigns a Privileged Access Manager user or group as the owner of the user record. See the Endpoint Administration Guide for your OS for more information.
- password(string): Assigns a password to a user. Specify any character except a space or a comma. If password checking is enabled, the password is valid for one login only. When the user next logs in to the system, a new password must be set. To change your own password, you need to set selang options using setoptions cng_ownpwd or use sepass.
- pgroup(groupName): Sets the user's primary group ID. groupName is the name of a UNIX group.
- phone(phoneString): Defines the user's telephone number. The telephone number is not used during the authorization process.
  - phoneString: Defines the telephone number. phoneString is an alphanumeric string of up to 19 characters. If phoneString contains blanks, enclose it in single quotation marks.
- pmdb(pmdbName): Specifies that when a user changes a password with the sepass utility, the new password is propagated to the specified PMDB. Enter the fully qualified name of the PMDB. The password is not sent to the Policy Model defined in the parent_pmd or passwd_pmd tokens in the [seos] section of seos.ini. This option cannot be used for enterprise users.
- pmdb-: Removes the PMDB attribute from the user record. You cannot use this parameter with the new[x]usr command.
- privileges(privilege-list): Adds specific rights to the Windows user record or, when privilege-list is preceded by a minus sign (-), removes the specified rights. You cannot use this parameter with the newusr command.
- profile(groupName): Assigns a user to a profile group. The following values can be taken from the profile group:
  - audit
  - auth_type
  - expire
  - grace
  - inactive
  - interval
  - maxlogins
  - min_life
  - password rules
  - pmdb
  - pwd_autogen
  - pwd_policy
  - pwd_sync
  - restrictions (days, time)
  - resume
  - suspend
  - unix (homedir, shellprog)
- profile-: Removes a user from the profile group. You cannot use this parameter with the new[x]usr command.
- pwmanager: Assigns the PWMANAGER attribute to the user. A user with this attribute can change the passwords of users in the database. See the Endpoint Administration Guide for your OS for more information.
- pwmanager-: Removes the PWMANAGER attribute from the user record. You cannot use this parameter with the new[x]usr command.
- pwasown(string): Replaces a password as if changed by the user. Specifying this parameter updates the time and date of the last change in the database. Grace logins are terminated.
- regular: Resets the OBJ_TYPE property of the record, and so removes authority attributes from the user.
- restrictions([Days] [Time]): Specifies the days of the week and the times in the day when users can be logged in. The restrictions are stored in the DAYTIME property of the [X]USER record. If you omit Days and specify Time, the time restriction applies to any day-of-week restriction that is already defined in the record. If you omit Time and specify Days, the Days restriction applies to any time restriction already defined in the record. If you specify both Days and Time, the users can access the system only during the specified time period on the specified days.
  - Days: Specifies the days on which users can be logged in. You can use the following keywords when you specify Days:
    - anyday: Allows users access to the resource on any day.
    - weekdays: Allows users access to the resource only on weekdays (Monday through Friday).
    - Mon, Tue, Wed, Thu, Fri, Sat, Sun: Allows users access to the resource only on the specified days. You can specify the days in any order. If you specify more than one day, separate the days with a space or a comma.
  - Time: Specifies the period during which users can be logged in. The time argument takes the following sub-arguments:
    - anytime: Allows users access to the resource at any time of the day.
    - startTime:endTime: Allows access to the resource only during the specified period. The format of startTime and endTime is hhmm, where hh is the hour (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value; use 0000 instead. startTime must be less than endTime. Note: Privileged Access Manager uses the time zone of the processor. If the user logs in at a terminal in a different time zone from the processor, you must take this into account.
- restrictions-([days] [time]): Deletes any restrictions that limit the users' ability to be logged in.
- resume([dateTime]): Enables a user record that was disabled by specifying the suspend parameter. If you specify both the suspend parameter and the resume parameter, the resume date must fall after the suspend date. If you omit dateTime, the user record is resumed immediately upon execution of the chusr command. See the Endpoint Administration Guide for your OS for more information. Enter dateTime in the format [m]m/[d]d/yy[@HH:MM].
- resume-: Erases the resume date, and time if used, from the user record. Consequently, the status of the user is changed from active (enabled) to suspended. You cannot use this parameter with the new[x]usr command.
- script(logon-script-path): Specifies the location of a file that runs automatically when the user logs in. This parameter is optional. Typically, this login script configures the working environment. You can also use the profile parameter to set up the user's working environment.
- server: Sets the SERVER attribute on. This attribute allows a process running on behalf of the current user to ask for authorization for other users. See the Endpoint Administration Guide for your OS for more information.
- server-: Sets the SERVER attribute off. You cannot use this parameter with the new[x]usr command.
- shellprog(fileName): Specifies the full path of the initial program or shell that is executed after the user invokes the login or su command. fileName is a character string. This option cannot be used for enterprise users.
- suspend([dateTime]): Disables a user record, but leaves it defined in the database. A user cannot use a disabled user account to log in to the system. If dateTime is specified, the user record is disabled on the specified date. If dateTime is omitted, the user record is disabled immediately upon execution of the ch[x]usr command. Enter dateTime in the format mm/dd/yy[@HH:MM].
- suspend-: Erases the suspend date from the user record, changing the status of the user from disabled to enabled (active). You cannot use this parameter with the new[x]usr command.
- unix: For the chusr and editusr commands, this parameter changes the user's definition in the local UNIX system. For the newusr command, this parameter adds the user to the local UNIX system. If more than one argument is specified, separate the arguments with a space. See the environment command in this chapter for more information about how to operate on the local UNIX system from within Privileged Access Manager. The unix option, and the sub-options under the unix option, are not valid for enterprise users.
- userid(number): Sets the user's unique numeric ID (UID), used for unique discretionary access control. number is a decimal number. By default, numbers less than 100 are not accepted. See the AllowedGidRange token in the Reference Guide appendix for more information about excluded numbers.
- userName | (userName[,userName...]): Defines the name or names of the user or users. Each user name must be unique. When using the newusr command, userName identifies a new user to Privileged Access Manager. If you are using the newusr command and the user is already defined to the native environment, this user name is used by Privileged Access Manager as the USER record that corresponds to that user. Typically, however, you should take advantage of the Privileged Access Manager ability to use enterprise users, and not use newusr to create a USER record for a user name that already exists in the native environment. Instead, use the chxusr command to change the Privileged Access Manager properties of that user. Sometimes you may want a Privileged Access Manager user name that is not a native login name. In that case, the login command could not put that user to work, but another command such as sesu could. On UNIX, where a user name includes a backslash, use two backslashes when specifying userName.
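As an added example (not code from the product documentation), the following Python builds and validates ch[x]usr/new[x]usr command lines from the argument formats defined above: the restrictions days/time rules (hhmm, 2400 rejected, startTime less than endTime), the mm/dd/[yy]yy[@HH:MM] date form shared by expire, suspend and resume, the single-quote rule for strings with blanks, and the doubled backslash in UNIX user names. All function names are invented for the example; the result is a string to hand to selang, not a call into any product API.

```python
import re
from datetime import datetime

# Added example: builds selang ch[x]usr / new[x]usr command lines and validates the
# argument formats defined in this reference page. Function names are invented for
# the example; nothing here calls a product API.

DAY_KEYWORDS = ("anyday", "weekdays")
DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
# hhmm with hh 00-23 and mm 00-59; 2400 is rejected, 0000 must be used instead
_HHMM = re.compile(r"^(?:[01][0-9]|2[0-3])[0-5][0-9]$")
# mm/dd/[yy]yy[@HH:MM], as used by expire, suspend and resume
_DATE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{2}|\d{4})(?:@(\d{2}):(\d{2}))?$")


def quote_string(value):
    """Strings such as comment or fullname go in single quotes if they contain blanks."""
    return f"'{value}'" if " " in value else value


def quote_username(name):
    """On UNIX a backslash inside a user name is written as two backslashes."""
    return name.replace("\\", "\\\\")


def check_time(hhmm):
    if not _HHMM.match(hhmm):
        raise ValueError(f"{hhmm!r}: use hhmm, hh 00-23, mm 00-59 (write 0000, not 2400)")
    return hhmm


def build_restrictions(days=None, time=None):
    """restrictions(days(...) time(...)). days is 'anyday', 'weekdays' or a list of
    day names; time is 'anytime' or a (startTime, endTime) tuple, startTime < endTime."""
    parts = []
    if days is not None:
        if isinstance(days, str):
            if days.lower() not in DAY_KEYWORDS:
                raise ValueError(f"unknown day keyword {days!r}")
            parts.append(f"days({days.lower()})")
        else:
            names = [d.lower() for d in days]
            unknown = [d for d in names if d not in DAY_NAMES]
            if unknown:
                raise ValueError(f"unknown day names {unknown}")
            parts.append("days(" + " ".join(names) + ")")
    if time is not None:
        if isinstance(time, str):
            if time.lower() != "anytime":
                raise ValueError("time must be 'anytime' or a (startTime, endTime) tuple")
            parts.append("time(anytime)")
        else:
            start, end = check_time(time[0]), check_time(time[1])
            if start >= end:  # same-day window only: startTime must be less than endTime
                raise ValueError(f"startTime {start} must be less than endTime {end}")
            parts.append(f"time({start}:{end})")
    if not parts:
        raise ValueError("specify days, time, or both")
    return "restrictions(" + " ".join(parts) + ")"


def parse_datetime(value):
    """Checks the mm/dd/[yy]yy[@HH:MM] form and returns it as a datetime."""
    m = _DATE.match(value)
    if not m:
        raise ValueError(f"{value!r}: expected mm/dd/[yy]yy[@HH:MM]")
    month, day, year, hour, minute = m.groups()
    # The century of a two-digit year is assumed here only so the calendar check can run.
    y = int(year) if len(year) == 4 else 2000 + int(year)
    try:
        return datetime(y, int(month), int(day), int(hour or 0), int(minute or 0))
    except ValueError as exc:
        raise ValueError(f"{value!r}: {exc}") from None


def build_command(command, users, *params):
    """Single user: 'chxusr Jim ...'; several users: 'newusr (Peter,Joe) ...'."""
    names = [quote_username(u) for u in users]
    target = names[0] if len(names) == 1 else "(" + ",".join(names) + ")"
    return " ".join([command, target, *params])


def suspend_window(user, suspend_on, resume_on):
    """suspend(...) resume(...) pair; the resume date must fall after the suspend date."""
    if parse_datetime(resume_on) <= parse_datetime(suspend_on):
        raise ValueError("resume date must fall after the suspend date")
    return build_command("chxusr", [user], f"suspend({suspend_on})", f"resume({resume_on})")


if __name__ == "__main__":
    # Constructed inputs that mirror the examples on this page
    print(build_command("chxusr", ["Jim"], "category(FINANCIAL)", "level(155)",
                        build_restrictions(days="weekdays", time=("0800", "2000"))))
    print(suspend_window("Joel", "8/5/95", "8/26/95"))
    print(build_command("chxusr", ["Mary"], f"comment({quote_string('Administrator of the SALES group')})"))
```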
Examples
- The user Bob wants to add the FINANCIAL category to Jim's record, change Jim's security level to 155, and restrict Jim's access to the system to weekdays between 8:00 a.m. and 8:00 p.m.
  - The user Bob has the ADMIN attribute.
  - The user Jim is defined to Privileged Access Manager.
  - The FINANCIAL category is defined to Privileged Access Manager.
  chxusr Jim category(FINANCIAL) level(155) restrictions(days(weekdays) time(0800:2000))
- The user admin wants to suspend the user Joel, who will be on vacation for three weeks, starting on August 5, 1995.
  - The user admin has the ADMIN attribute.
  - The user Joel is defined to Privileged Access Manager.
  - Today's date is August 3, 1994.
  chxusr Joel suspend(8/5/95) resume(8/26/95)
- The user Security2 wants to remove the AUDITOR attribute from the user Bill and wants to audit all activity by Bill.
  - The user Security2 has the ADMIN and AUDITOR attributes.
  - The user Bill is defined to Privileged Access Manager.
  chxusr Bill auditor- audit(all)
- The user Rob wants to change the comment stored in the record of the user Mary.
  - The user Rob is the owner of Mary's user record.
  chxusr Mary comment('Administrator of the SALES group')
- The admin user Sally wants to remove the country name and the location properties stored in the record of the user Jared.
  - The user Sally is the owner of Jared's user record.
  chxusr Jared country() location()
- The user Bob wants to define the users Peter and Joe to Privileged Access Manager.
  - The user Bob has the ADMIN attribute.
  - The users Peter and Joe are not defined to Privileged Access Manager.
  - The following defaults apply:
    - owner(Bob)
    - audit(failure,loginfailure)
  newusr (Peter Joe)
- The user Bob wants to define the user Jane to Privileged Access Manager and assign payroll as the owning group.
  - The user Bob has the ADMIN attribute.
  - The user Jane is not defined to Privileged Access Manager.
  - The full name of the user Jane is JG Harris.
  - audit(failure,loginfailure)
  newusr Jane owner(payroll) name('J.G. Harris')
- The user Bob wants to define the user JohnD to Privileged Access Manager with the security category NewEmployee and a security level of three. JohnD is to be allowed to use the system only on weekdays between the hours of 8:00 a.m. and 6:00 p.m.
  - The user Bob has the ADMIN attribute.
  - The NewEmployee category is defined to Privileged Access Manager.
  - The new user's full name is John Doe.
  - The following defaults apply:
    - owner(Bob)
    - audit(failure)
  newusr JohnD name('John Doe') category(NewEmployee) level(3) restrictions(days(weekdays) time(0800:1800))