SMIT Help Information for Security

Note: The information contained in this article is structured as help information for the System Management Interface Tool (SMIT) and is not intended for use as a procedural or conceptual article.

Users

Provides a menu for adding, removing, and listing users, for viewing and working with existing user accounts on the system, and for locking or unlocking user accounts.


Reset User's Failed Login Count

Allows you to reset the count of consecutive unsuccessful login attempts on a user's account. When the count of consecutive unsuccessful login attempts exceeds the number allowed, the account is locked and the user cannot login.


User NAME

Specifies the user whose unsuccessful login count you want to reset. The user must already exist on the system. To change a user's unsuccessful login count, you must have the correct access privileges.

Type in the name of an existing user, or use the List box and select a user from the choices displayed. When you select the Do button or press Enter, the system will reset the user's unsuccessful login count.


Add a User

Creates a user account with the login name and other attributes that you specify.


User ID

Defines a unique decimal integer string to associate with this user account on the system.

It is strongly recommended to let the system generate the user's ID to incorporate all the security restrictions and conventions that may apply to your system. To have the system generate the ID, leave this field blank.


ADMINISTRATIVE User?

Indicates the administrative status of the user. Only the root user can alter the attributes of an administrative user.

This field is displayed with False or True as its value. True indicates that the user is an administrator. To change this value, use the Tab key to cycle through the values until the value you want is displayed in the field.

Note: This attribute can be changed by the root user only.


PRIMARY Group

The group that becomes the user's primary (login) group: the group that the user's processes, and the files they create, belong to at login. Groups are collections of users that can share access authority to protected resources. Groups can be formed for users who access the same applications or hardware resources, perform similar tasks, or have similar needs for information. A user can be a member in up to 64 groups. However, you can specify only one primary group for a user.

To specify the primary group name, type the name of an existing group, or use the List box and select the group from the choices displayed. If you do not specify or list any groups, the system assigns the user to the primary default group specified in the /usr/lib/security/mkuser.default file.

Note: To make this user a member of other groups, use the Group Set field.


Group SET

The groups in which the user is a member. Groups are collections of users that can share access authority to protected resources. Groups can be formed for users who access the same applications or hardware resources, perform similar tasks, or have similar needs for information. A user can be a member in up to 64 groups. The groups must already exist on the system.

To specify the user's group set, type a string containing the group names (each group name can contain one to eight bytes; separate the names with commas), or use the List box and select the names from the choices displayed (as you select, the string of names is displayed in the field in the correct format). If you do not specify any groups, the system assigns the user to the default groups specified in the /usr/lib/security/mkuser.default file.


ADMINISTRATIVE groups

Specifies the nonadministrative groups for which the user is an administrator.

The attributes of a nonadministrative group can be modified by its administrators and the root user. This is different than the attributes of an administrative group which can be modified by only the root user.

A user can be the administrator of more than one group. The groups must already exist on the system.

To enter the groups, type in a string containing the group names (each group name can contain one to eight bytes; separate the names with commas), or use the List box and select the names from the choices displayed (as you select, the string of names is displayed in the field in the correct format).

If you do not enter or list any groups, the system checks the defaults in the /etc/security/user file for default administrator definitions. It is possible that the user may not be made an administrator of any groups.


Another user can SU to user?

Indicates whether another user can switch to this user account with the su command. The user who tries to switch to this account must know the password for the account.

This field is displayed with False or True as its value. True indicates that another user can switch to the specified account. To change this value, use the Tab key to toggle the True/False value.


SU groups

Specifies the groups that can su (switch user) to this user's account. You may want groups, such as a group with administrative privileges, to be able to access this user's account to update the user's system configuration or change some attribute values, such as print queues or host names.

More than one group can su to a user account. The groups must already exist on the system.

To enter su groups, type in a string containing the group names (each group name can contain one to eight bytes; separate the names with commas), or use the List box and select the names from the choices displayed (as you select, the string of names is displayed in the field in the correct format).

You can specify the keyword ALL to indicate all groups or place an ! (exclamation point) in front of a group name listed in the field to exclude a specific group.

If you do not enter or list any groups, the system allows the groups listed as default su groups in the /etc/security/user file to switch to this user account with the su command.


HOME directory

Specifies the full path name to the directory where the user's files are stored. When the user logs in, the system sets the current directory to be the user's home directory.

To enter the user's home directory, type in the full path name.

If you do not enter a home directory, the system creates the home directory using the default specified in the /usr/lib/security/mkuser.default file and stores the path in the /etc/passwd file.

Note: You must ensure that the new home directory exists and that the user has access to this directory. Additionally, any required files should be moved or copied into this directory.


Initial PROGRAM

Specifies the program to run when the user logs in.

To enter the initial program, type in the string containing the full path name to the program. Be sure to type in a / (slash) between any subdirectory names in the path.

If you do not enter an initial program, the system uses the default specified in the /usr/lib/security/mkuser.default file.


User INFORMATION

Contains general comments about the user. For example, you can list the user's full name, department, employee serial number, or office location.

To enter the information, type in a string of letters and numbers. You can use special characters, except for the colon (:), semicolon (;), or caret (^). You may want to use commas to separate phrases that you enter in the string.

If you do not enter information, the system enters any defaults specified in the appropriate stanza of the /usr/lib/security/mkuser.default file.


EXPIRATION date

Defines when the user account will no longer be valid (that is, when this user can no longer log in to the system).

To enter an expiration date, type in a 0 (zero) to indicate that the account does not expire, or type in a numeric string in the form MMDDhhmmyy (where MM is the month, DD is the day, hh is the hour in 24-hour notation (00 to 23), mm is the minutes past the hour, and yy is the last two digits of the year).


Is this user ACCOUNT LOCKED?

Indicates whether the user's account is locked, which prevents the user from logging in. True indicates the account is locked and the user cannot login. False indicates the account is not locked and the user can login.

This option will not unlock a user's account that was locked as a result of too many failed login attempts.

Note: To unlock a user's account that was locked because of too many failed logins, the system administrator can use the Reset User's Failed Login Count menu item under the Users menu item of the Security & Users menu.


User Can LOGIN?

Indicates whether the user can log into the system with the login command.

This field is displayed with True or False as its value. True indicates that the user can log in to the system. To change this value, use the Tab key to toggle the True/False value.


User can RLOGIN?

Indicates whether the user account can be accessed by remotely logging in with the telnet or rlogin commands.

This field is displayed with False or True as its value. True, the default value, indicates that the user account can be accessed remotely. To change this value, use the Tab key to toggle the True/False values.


Allowed LOGIN TIMES

Specifies the time of day and days of the week the user is allowed to login to the system. Any attempt to access the system outside of these times is not allowed. The value is a comma-separated list of day and time periods. An ! (exclamation point) in front of the time indicates the user is not allowed to log in during that time. If this attribute is not specified, the user can log in at all times. Refer to the chuser command documentation for details.


LOGIN ATTEMPTS before lockout

The number of consecutive unsuccessful login attempts the user is allowed. If this number is exceeded, the account is locked and the user cannot login. If 0 is specified this feature is disabled.

Note: To unlock a user's account that was locked because of too many failed logins, the system administrator can use the Reset User's Failed Login Count menu item under the Users menu item of the Security & Users menu.


Valid TTYs

Specifies the list of terminals that can access this user account. When a user tries to access the account, the system attempts to match the terminal from which the access request is made with a terminal listed in this field. The system works through the list of ttys in the order specified in this field and grants access to the account to the first tty that it matches. If the system cannot find a match, the user cannot log in to the account from the terminal.

To enter a list of valid ttys for this user account, type in the full path names to each terminal (separating each path name with a comma).

Note: As shortcuts, type in the keyword ALL to indicate that all ttys known to the system are valid for the account, or prefix a tty's path with an ! (exclamation point) to exclude it from a list of entries. You can even combine the two shortcuts. For example,

!/dev/tty0,ALL means that all ttys available to the system can access this user account except for tty0.

If you do not enter a list of valid ttys, the system uses the defaults from the /etc/security/user file.
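The Valid TTYs field above and the SU groups field earlier use the same list syntax: entries in the order given, the keyword ALL, and a leading ! to exclude an entry, with an empty value falling back to the defaults in /etc/security/user. The following is an added example written for this page (it is not AIX's login or su code) that models that ordered, first-match evaluation so the effect of entry order can be checked before a value is committed. The deny-wins rule it applies when a requester belongs to both an excluded and an allowed su group is an assumption of the example, not something the page states.

```python
"""First-match model of the ordered access lists used by the Valid TTYs and
SU groups fields: comma-separated entries, the keyword ALL, and a leading '!'
that excludes an entry.  Added illustration for this page, not AIX code."""


def parse_access_list(value):
    """Turn '!/dev/tty0,ALL' into [(False, '/dev/tty0'), (True, 'ALL')], in order."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("!"):
            entries.append((False, item[1:].strip()))
        else:
            entries.append((True, item))
    return entries


def first_match(value, candidate):
    """Walk the list in the order given; the first entry naming the candidate
    (or ALL) decides.  No match at all means access is denied."""
    for allowed, name in parse_access_list(value):
        if name == "ALL" or name == candidate:
            return allowed
    return False


def effective_list(user_value, default_value):
    """An empty per-user value falls back to the default stanza's list."""
    return user_value if user_value.strip() else default_value


def tty_allowed(ttys, default_ttys, tty):
    """Can a login on terminal `tty` reach an account with this ttys value?"""
    return first_match(effective_list(ttys, default_ttys), tty)


def su_allowed(sugroups, default_sugroups, requester_groups):
    """A requester may su if at least one of its groups is allowed and none is
    explicitly excluded (deny-wins: an assumption of this example)."""
    value = effective_list(sugroups, default_sugroups)
    excluded = {name for allowed, name in parse_access_list(value) if not allowed}
    if excluded & set(requester_groups):
        return False
    return any(first_match(value, g) for g in requester_groups)
```

Under this first-match reading, "!/dev/tty0,ALL" excludes tty0 as the page says, but "ALL,!/dev/tty0" would admit tty0 because ALL is reached first; write exclusions before the ALL entry, as in the page's example.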


Password MAX. AGE

Defines the maximum age (in weeks) for the user's password. When the password reaches this age, the system requires it to be changed before the user can log in again. The value is a decimal integer string. If you specify "0", this feature is disabled and the password never expires. You can specify a number from 0 to 52.


Password MIN. AGE

Defines the minimum age (in weeks) for the user's password before it can be changed. The value is a decimal integer string. If you specify "0", the password can be changed at any time. You can specify a number from 0 to 52.


Password MIN. LENGTH

The minimum number of characters that the user's password must contain. The value is a decimal integer string. If you specify "0", there is no minimum length. You can specify a number from 0 to 8.

Note: The effective minimum length of a password is "minlen" or "minalpha"+"minother", whichever is greater. "minalpha"+"minother" should never be greater than 8. If "minalpha"+"minother" is greater than 8, the effective value for "minother" is reduced to "8-minalpha".


Password MIN. ALPHA characters

The minimum number of alphabetic characters that must be included in the user's password. The value is a decimal integer string. If you specify "0", no minimum number of alphabetic characters is required. You can specify a number from 0 to 8.


Password MIN. OTHER characters

The minimum number of characters other than alphabetic characters that must be included in the user's password. The value is a decimal integer string. If you specify "0", no minimum number of other characters is required. You can specify a number from 0 to 8.


Password MAX. REPEATED characters

The maximum number of times that a character can be repeated within the user's password. The value is a decimal integer string. If you specify "8", any number of repetitions is allowed. You can specify a number from 0 to 8.


Password MIN. DIFFERENT characters

The minimum number of characters required in the user's new password that were not in the old password. The value is a decimal integer string. If you specify "0", no minimum number of different characters is required. You can specify a number from 0 to 8.


Days to WARN USER before password expires

Specifies the number of days prior to the expiration of the user's password when a warning message is issued. The value is a decimal integer string. The message appears each time the user logs in during this warning period, and gives the date when the user's password expires.


Password CHECK METHODS

List of administrator-supplied methods for checking the user's new password during a password change. The value is a comma-separated list of program names, which must be specified using absolute pathnames or a path relative to /usr/lib. If the password does not meet the requirements of all the methods specified, the password change will not be allowed.


Password DICTIONARY FILES

List of dictionary files containing words that cannot be used as passwords. The value is a comma-separated list of files, which must be specified using absolute pathnames.


NUMBER OF PASSWORDS before reuse

The number of previous passwords that the user will not be able to reuse. The value is a decimal integer string. The interpretation of this value may depend on the value of the WEEKS before password reuse attribute. If 0 is specified, any previous password can be reused as long as the WEEKS before password reuse time has elapsed.


WEEKS before password reuse

The number of weeks that must pass before a user is able to reuse a password after it has been selected as the user's current password. The value is a decimal integer string, and the recommended number of weeks is 26 (six months). The interpretation of this value may depend on the value of the NUMBER OF PASSWORDS before reuse attribute. If 0 is specified, any previous password can be reused as long as the NUMBER OF PASSWORDS before reuse attribute has been satisfied.


Weeks between password EXPIRATION and LOCKOUT

The number of weeks after the user's password expires (reaches its maximum age) during which the user can still change the password. If this time period passes without a password change, the user account no longer allows logins until an administrator resets the password. The value is a decimal integer string. If 0 is specified, logins will be prevented at the time the password expires. If -1 is specified, this feature is disabled. If Password MAX. AGE is 0, any value entered here is ignored.
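Most of the fields in this dialog (and the EXPIRATION date field above) are stored as attributes in the per-user stanzas of /etc/security/user, with the default stanza supplying any value a user's stanza omits. The following is an added example written for this page, not an AIX tool: it parses that stanza format, resolves a user's effective attributes, applies the minimum-length rule from the note above, parses the MMDDhhmmyy expiration value, and reports the settings this page identifies as disabling a control (lockout off, no password aging, no minimum length, unrestricted reuse, an already-expired account). The file contents are a constructed sample, and the century chosen for the two-digit year is an assumption of the example.

```python
import re
from datetime import datetime

# Constructed sample of an /etc/security/user file (example data only).
# Attribute names are those AIX stores in that file.
SAMPLE_SECURITY_USER = """\
* /etc/security/user (constructed sample)
default:
        admin = false
        login = true
        rlogin = true
        loginretries = 0
        maxage = 0
        minage = 0
        minlen = 0
        minalpha = 0
        minother = 0
        histsize = 0
        histexpire = 0
        expires = 0

root:
        admin = true
        rlogin = false
        loginretries = 3

alice:
        loginretries = 5
        maxage = 13
        minlen = 8
        minalpha = 6
        minother = 4
        histsize = 12
        histexpire = 26

oldsvc:
        expires = 0101000020
"""

STANZA_RE = re.compile(r"^(\S+):\s*$")
ATTR_RE = re.compile(r"^\s+([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_stanzas(text):
    """'name:' starts a stanza; indented 'attr = value' lines belong to it;
    lines starting with '*' are comments."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas


def effective_attrs(stanzas, user):
    """User stanza values override the default stanza."""
    attrs = dict(stanzas.get("default", {}))
    attrs.update(stanzas.get(user, {}))
    return attrs


def effective_minlen(attrs):
    """max(minlen, minalpha + minother), with minother cut to 8 - minalpha
    when the sum exceeds 8 (the rule stated in the MIN. LENGTH note)."""
    minlen = int(attrs.get("minlen", 0))
    minalpha = int(attrs.get("minalpha", 0))
    minother = int(attrs.get("minother", 0))
    if minalpha + minother > 8:
        minother = max(0, 8 - minalpha)
    return max(minlen, minalpha + minother)


def parse_expires(value, pivot=70):
    """'0' -> None (never expires); MMDDhhmmyy -> datetime.
    Two-digit year: yy < pivot means 20yy, else 19yy (an assumption here)."""
    value = value.strip()
    if value == "0":
        return None
    if not re.fullmatch(r"\d{10}", value):
        raise ValueError(f"expires must be 0 or MMDDhhmmyy, got {value!r}")
    mm, dd, hh, mi, yy = (int(value[i:i + 2]) for i in range(0, 10, 2))
    year = 2000 + yy if yy < pivot else 1900 + yy
    return datetime(year, mm, dd, hh, mi)   # ValueError on out-of-range fields


def audit_user(stanzas, user, now):
    """Return the findings for one user, evaluated at time `now`."""
    a = effective_attrs(stanzas, user)
    findings = []
    if int(a.get("loginretries", 0)) == 0:
        findings.append("loginretries=0: lockout after failed logins is disabled")
    if int(a.get("maxage", 0)) == 0:
        findings.append("maxage=0: password never expires")
    if effective_minlen(a) == 0:
        findings.append("no minimum password length (minlen, minalpha, minother all 0)")
    if int(a.get("histsize", 0)) == 0 and int(a.get("histexpire", 0)) == 0:
        findings.append("histsize=0 and histexpire=0: any previous password may be reused")
    try:
        exp = parse_expires(a.get("expires", "0"))
    except ValueError as e:
        findings.append(f"expires: {e}")
    else:
        if exp is not None and exp <= now:
            findings.append(f"account expired on {exp:%Y-%m-%d %H:%M}")
    return findings
```

Run it against a real file with parse_stanzas(open("/etc/security/user").read()) and a loop over the stanza names; the default stanza is worth auditing on its own, since every account that does not override an attribute inherits it.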


Hard FILE size

Defines the largest hard file size, in 512-byte blocks, that a process invoked by this user can create or extend.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the file size, type in a decimal integer string for the appropriate number of blocks. The minimum value is 8192 blocks. The default value is set in the /etc/security/limits file.


Hard CPU time

Defines the largest amount of system unit time (in seconds) that a user's process can use.

To enter the maximum CPU time, type in a decimal integer string for the appropriate number of seconds. A value of -1 disables this option.


Hard DATA segment

Defines the largest hard data segment size, in 512-byte blocks, for a user's process.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the segment size, type in a decimal integer string for the number of blocks. The minimum value is 1272 blocks. The default value is set in the /etc/security/limits file.


Hard STACK size

Defines the largest hard process stack segment size, in 512-byte blocks, for a user's process.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the stack size, type in a decimal integer string for the number of blocks. The default value is set in the /etc/security/limits file.


Hard CORE file size

Defines the largest hard core file size, in 512-byte blocks, that a user's process can create. A core file contains a memory image of a terminated process. The system creates core files in the current directory when certain system errors (commonly called core dumps) occur.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the core file size, type in a decimal integer string for the number of blocks. The default value is set in the /etc/security/limits file.


Soft RSS size

Defines the largest soft resident set size, in bytes, to which the resident set size of a process can grow. The resident set size is the number of virtual pages resident in RAM.

A user can change this value, but not beyond the hard limit value.

This limit is not enforced by the kernel. A process may exceed its soft limit size without being ended.


Soft NOFILE limit

Defines a number one greater than the soft limit on the maximum file descriptor that the system may assign to newly-created descriptors opened by this process.

A user can change this value, but not beyond the hard limit value.

To enter the nofile limit, type in a decimal integer string for the number of descriptors. The default value is set in the /etc/security/limits file.


Soft THREADS limit

Defines the soft limit on the maximum number of threads each process can create. This limit is enforced by both the kernel and by the pthread library. Any attempt to create threads after the limit has been exceeded will fail.

A user can change this value, but not beyond the hard limit value.

To enter the thread limit, type in a decimal integer string for the number of threads. The default value is unlimited and is set in the /etc/security/limits file.


Soft PROCESSES limit

Defines the soft limit on the maximum number of processes this user can create. Any attempt to create a process after the limit has been exceeded will fail. This limit does not apply to the root user.

A user can change this value, but not beyond the hard limit value.

To enter the process limit, type in a decimal integer string for the number of processes. The default value is unlimited and set in the /etc/security/limits file.


Hard RSS size

Defines the largest hard resident set size, in bytes, to which the resident set size of a process can grow. The resident set size is the number of virtual pages resident in RAM.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

This limit is not enforced by the kernel. A process may exceed its hard limit size without being ended.


Hard NOFILE limit

Defines a number one greater than the hard limit on the maximum file descriptor that the system may assign to newly-created descriptors opened by this process.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the nofile limit, type in a decimal integer string for the number of descriptors. The default value is set in the /etc/security/limits file.


Hard THREADS limit

Defines the hard limit on the maximum number of threads each process can create. This limit is enforced by both the kernel and by the pthread library. Any attempt to create threads after the limit has been exceeded will fail.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the thread limit, type in a decimal integer string for the number of threads. The default value is unlimited and is set in the /etc/security/limits file.


Hard PROCESSES limit

Defines the hard limit on the maximum number of processes this user can create. Any attempt to create a process after the limit has been exceeded will fail. This limit does not apply to the root user.

A user may lower this value, but cannot raise it afterwards. The root user may raise or lower hard limits as needed.

To enter the process limit, type in a decimal integer string for the number of processes. The default value is unlimited and set in the /etc/security/limits file.


File creation UMASK

Defines the file mode creation mask applied when the user creates a file. The mask names the permission bits that are removed from the mode requested by the file-creating system call (such as open or creat); it does not grant permissions.

Type in the value as a three-digit octal number (nnn); the three digits give the read (r), write (w), and execute (x) bits to clear for the file owner, file group, and other users, respectively. For example, 022 removes write permission for the group and for others, and 077 removes all permissions for the group and for others.


AUDIT classes

Specifies the audit classes to trace while the user is working on the system, if auditing is enabled. Audit classes are a collection of audit events (such as events generated when the user logs in or when a user attribute is changed) determined by the administrator.

To enter a list of audit classes, type the list of classes and separate each class with a comma. Alternately, use the List feature to choose from a list of audit classes. If you want to trace all audit events for this user, type the word ALL in this field. (Because of the large number of events which will be generated, it is recommended that you not use ALL).


TRUSTED PATH?

Specifies a variable that defines the user's access to the trusted path. The system uses this variable when the user tries to invoke the trusted shell or a trusted process, or enters the secure attention key (SAK) sequence.

The system recognizes the following values:

This field is displayed with one of the values in place. Use the List feature to get a list of valid options.


PRIMARY authentication method

Specifies the identity and access privilege authentication that the system uses when the user logs in or switches (su) to this user account.

You can type in one of the following authentication methods: SYSTEM, NONE, or a METHOD;username pair (the same values the SECONDARY authentication method field accepts).

If you leave this field blank, the system uses the method set in the /etc/security/user file.


SECONDARY authentication method

Specifies a second level of identity and access privilege authentication that the system should use if the user successfully logs in to this user account.

The system recognizes the same values as used in the primary authentication (SYSTEM, NONE, and METHOD; username pairs).

If you leave this field blank, the system uses the method set in the /etc/security/user file.


Change a User's Password

Provides a dialog for changing the password of a user. You must know the user's old password or be the root user to change a user's password.


Change/Show Characteristics of a User

Shows the attributes for a specific user. If you have the correct access privileges, you can change certain attribute values of the user.


Displays attributes for a user and allows you to change them. Root privileges are required to change some attributes.


Lock/Unlock a User Account

Allows a system administrator to lock or unlock a user's account. When a user's account is locked, no one can login to that account. When a user's account is unlocked, anyone who knows the correct password can login to the account.

This option will not unlock a user's account that was locked as a result of too many failed login attempts.

Note: To unlock a user's account that was locked because of too many failed logins, the system administrator can use the Reset User's Failed Login Count menu item under the Users menu item of the Security & Users menu.


User NAME

Specifies the user whose attributes you want to change or view. The user must already exist on the system. To change a user's attributes, you must have the correct access privileges.

Type in the name of an existing user, or use the List box and select a user from the choices displayed. When you select the Do button or press Enter, the user's attributes are displayed.

Note: You cannot change a user's name in this attribute dialog.


Remove a User

Removes a user account from the system. Removing a user account deletes the attributes defined for a user, but does not remove the user's home directory or files the user owns. By answering Yes in the Remove Authentication Information? option (in the displayed dialog), you can have the system remove the user's password and other user authentication information.


User NAME

Specifies the user you want to remove from the system. The user must already exist on the system and you must have the correct access privileges to remove the user.

When you remove this user, the system deletes the user's attributes from the user files, but does not remove the user's home directory or files the user owns. The system does not remove the user's password and other user authentication information unless you answer Yes in the Remove Authentication Information? field.

Type in the name of an existing user account, or use the List box and select a user from the choices displayed.


Remove AUTHENTICATION Information?

Indicates if the system should delete the user's password and other user authentication information from the /etc/security/passwd file.

This field is displayed with Yes or No as its value. Yes instructs the system to remove password and other user authentication information, and also the user keystore. To change this value, use the Tab key to toggle the Yes/No values.


List All Users

Displays the users that already exist on the system.


Groups

Provides menus for viewing and working with the existing groups on the system and for creating new ones. Groups are collections of users who can share access authorities for protected resources.


Provides a menu for viewing and working with the existing groups on the system and for creating new ones. Groups are collections of users who can share access permissions for protected resources.


List All Groups

Displays the groups that already exist on the system.


Add a Group

Creates a new collection of users that can share access to specific protected resources.


ADMINISTRATIVE group?

Indicates if the group is an administrative group. Only the root user can modify the attributes of an administrative group.

This field is displayed with False or True as its value. True indicates that group is an administrative group. False indicates that it is a nonadministrative group (its attributes can be modified by the group's specified administrators and the root user). To change this value, use the Tab key to toggle the True/False values.


Change/Show Characteristics of a Group

Shows the attributes for a specific group. If you have the correct access privileges, you can change certain attribute values of the group.


Group NAME

Specifies the group whose attributes you want to change or view. The group must already exist on the system. To change a group's attributes, you must have the correct access privileges.

Type in an existing group name, or use the List box and select a group from the choices displayed. When you select the Do button, the group's attributes are displayed.


USER List

Specifies the names of the users that belong to this group. The members of a group can access (that is, read, write, or execute) a resource or file as permitted by that resource's group permission bits or access control list.

To enter the user members of this group, type in their names (separated by commas), or use the List box and select the users from the choices displayed (the users are displayed in the field in the correct format).

Note: A user cannot be removed from the user's primary group, unless you first redefine the user's primary group (use Change/Show Characteristics of a User option, which alters this information in the /etc/passwd file).


ADMINISTRATOR List

Specifies the members that can work with the group attributes (for example, add new members to the group or remove members from it) if the group is a nonadministrative group.

Note: The group attributes of an administrative group can be modified by only the root user; so if the group is an administrative group (specified in the ADMINISTRATIVE group attribute), no administrators can be defined in this field.

To enter the administrators, type in their user names (separated by commas), or use the List box and select the users from the choices displayed (the users are displayed in the field in the correct format).


Remove a Group

Removes a group from the system. Removing a group deletes the group's attributes from the group files, but does not remove the users (who are members of the group) from the system.

The group must already exist on the system and you must have the correct access privileges to remove groups from the system.

If the group is the primary group for any user, it cannot be removed unless you first redefine the user's primary group (use Change/Show Characteristics of a User option, which alters this information in the /etc/passwd file).


Group NAME

Specifies the group you want to remove from the system. The group must already exist on the system and you must have the correct access privileges to remove groups from the system.

When you remove this group, the system deletes the group's attributes from the group files, but does not remove the users (who are members of the group) from the system.

Type in the name of an existing group, or use the List box and select a group from the choices displayed.


Passwords

Provides a menu for changing a user's password or for viewing or changing password attributes for a user. A password is a string of characters used to gain access to a system. The password is known only by the user of the account and the system. Therefore, you must know the user's password or be the root user to change a user's password.

When changing a password, you must follow the password restrictions and conventions for the system as specified in each user's stanza in the /etc/security/user configuration file.

Note: If you are the root user when you change a user's password, the system sets the ADMCHG flag in the /etc/security/passwd file so that the user is forced to change the password the next time the user logs in to the system.


User NAME

Specifies the user whose password you want to change. You must know the user's password or be the root user to change another user's password.

You must follow the password restrictions and conventions for the system as specified in each user's stanza in the /etc/security/user configuration file.

To change the password for a user other than yourself, type in the user's name or use the List box and select a user from the choices displayed. You will be prompted to enter the user's current password and then the new password.

To change your own password, type in your name or select it from the choices displayed. You will be prompted to supply your current password as well as a new password. The password is changed automatically in the appropriate databases and files.

Note: If you are the root user when you change a user's password, the system sets the ADMCHG flag in the /etc/security/passwd file so that the user is forced to change the password the next time the user logs in to the system.


Change/Show Password Attributes for a User

Displays or changes the attributes that control a user's password, such as age, composition, and reuse.


Login Controls

Provides a menu to change or show login controls for users or ports.


Change / Show Login Attributes for a User

Displays or changes the attributes that control a user's attempts to log in.


Change / Show Login Attributes for a Port

Displays or changes the attributes that control a port when a user attempts to log in.


Port NAME

Specifies the name of the terminal used for login.


Allowed LOGIN TIMES

The time of day and days of the week the port is available for users to log in to the system. If a login attempt occurs on the port outside of these times, the login attempt does not succeed. The value is a comma-separated list of day and time periods. An ! (exclamation point) in front of the time indicates the port is not available for login during that time. If this attribute is not specified, the port is always available for logins. For formatting details, refer to the /etc/security/login.cfg file documentation.


Login RETRY DELAY

The number of seconds used, after a failed login occurs from the port, to compute the delay until the next login will be accepted from the port. The delay equals the value you specify in this field multiplied by the number of consecutive failed logins from the port. The value is a decimal integer string. If 0 is specified, there is no delay between unsuccessful login attempts.


Disable port after FAILED LOGINS

The number of consecutive failed login attempts allowed within a time period before the port is locked. The value is a decimal integer string. If 0 is specified, this feature is disabled. The time period is specified by the INTERVAL for counting failed logins attribute in this dialog. The port is locked and logins are prevented for a length of time depending on the value of the REENABLE DELAY for locked port attribute in this dialog.


INTERVAL for counting failed logins

The length of the window, in seconds, within which the number of failed login attempts specified by the Disable port after FAILED LOGINS attribute must occur for the port to be locked. The value is a decimal integer string.


REENABLE DELAY for locked port

The number of minutes that must pass after a port is locked before it is automatically unlocked. The value is a decimal integer string. If 0 is specified, the port will not be reenabled.


Is this PORT LOCKED?

Indicates whether a port that has been locked because of excessive failed logins should be reset to accept logins again. True indicates that the port should be reset to accept logins, and False indicates that the port lock should not be reset.
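
The four port attributes above (Login RETRY DELAY, Disable port after FAILED LOGINS, INTERVAL for counting failed logins and REENABLE DELAY for locked port) only make sense together. The following Python simulation is an added example, not text or code from the SMIT help or from AIX: it models the retry delay growing with consecutive failures, the port locking once the configured number of failures lands inside the counting interval, and a locked port reopening only when REENABLE DELAY is nonzero and has elapsed or an administrator resets it. Timestamps are integer seconds supplied by the caller; the help text does not show how AIX keeps this bookkeeping internally, so the interval handling is this example's reading of the text.

```python
"""Simulation of the four per-port login controls described above.

Added example, not code from the SMIT help text or from AIX itself.
Timestamps are integer seconds supplied by the caller, so the simulation
runs offline; how AIX keeps this bookkeeping internally is not shown in the
help text, so the interval handling below is this example's reading of it.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PortPolicy:
    retry_delay: int = 0     # Login RETRY DELAY: seconds per consecutive failure (0 = no delay)
    disable_after: int = 0   # Disable port after FAILED LOGINS (0 = feature disabled)
    interval: int = 0        # INTERVAL for counting failed logins, in seconds
    reenable_delay: int = 0  # REENABLE DELAY for locked port, in minutes (0 = stays locked)


@dataclass
class PortState:
    policy: PortPolicy
    consecutive_failures: int = 0
    failure_times: List[int] = field(default_factory=list)  # failures inside the interval
    locked_at: Optional[int] = None
    next_allowed: int = 0    # earliest time a new attempt is accepted (retry delay)

    def is_locked(self, now: int) -> bool:
        """A locked port reopens by itself only when reenable_delay is nonzero."""
        if self.locked_at is None:
            return False
        if self.policy.reenable_delay == 0:
            return True
        if now - self.locked_at >= self.policy.reenable_delay * 60:
            self.reset_lock()
            return False
        return True

    def reset_lock(self) -> None:
        """What answering True to 'Is this PORT LOCKED?' does: clear the lock."""
        self.locked_at = None
        self.consecutive_failures = 0
        self.failure_times.clear()
        self.next_allowed = 0

    def attempt(self, now: int, password_ok: bool) -> str:
        """Process one login attempt; returns 'ok', 'denied', 'delayed' or 'locked'."""
        if self.is_locked(now):
            return "locked"
        if now < self.next_allowed:
            return "delayed"  # retry delay has not elapsed; the attempt is not counted
        if password_ok:
            self.consecutive_failures = 0
            self.failure_times.clear()
            self.next_allowed = 0
            return "ok"
        self.consecutive_failures += 1
        # delay = RETRY DELAY * number of consecutive failed logins
        self.next_allowed = now + self.policy.retry_delay * self.consecutive_failures
        if self.policy.disable_after > 0:
            self.failure_times.append(now)
            # only failures that fall inside the counting interval are counted
            self.failure_times = [t for t in self.failure_times
                                  if now - t <= self.policy.interval]
            if len(self.failure_times) >= self.policy.disable_after:
                self.locked_at = now
                return "locked"
        return "denied"


def run_scenario(policy: PortPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (timestamp, password_ok) pairs against a fresh port; one result each."""
    state = PortState(policy)
    return [state.attempt(t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed scenario: 5 s retry delay, lock after 3 failures in 60 s, reopen after 1 min.
    policy = PortPolicy(retry_delay=5, disable_after=3, interval=60, reenable_delay=1)
    attempts = [(0, False), (2, False), (5, False), (15, False), (30, True), (75, True)]
    for (t, _), result in zip(attempts, run_scenario(policy, attempts)):
        print(f"t={t:3d}s  {result}")
```

With the constructed scenario the second attempt is refused as "delayed" because it arrives inside the 5-second retry delay, the fourth failure locks the port, the attempt at 30 s is refused even with the right password, and the attempt at 75 s succeeds because the one-minute REENABLE DELAY has passed. Setting reenable_delay to 0 keeps the port locked until reset_lock() is called, which is the situation the Is this PORT LOCKED? entry exists for.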


Soft FILE size

Defines the largest soft file size, in 512-byte blocks, that a process invoked by this user can create or extend. A user can change this value, but not beyond the hard limit value.

To enter the file size, type in a decimal integer string for the appropriate number of blocks. The minimum value is 8192 blocks. The default value is set in the /etc/security/limits file.


Soft CPU time

Defines the largest soft value of system unit time (in seconds) that a user's process can use. A user can change this value, but not beyond the hard limit value.

To enter the CPU time, type in a decimal integer string for the appropriate number of seconds. The default value is set in the /etc/security/limits file.


Soft DATA segment

Defines the largest soft data segment size, in 512-byte blocks, for a user's process. A user can change this value, but not beyond the hard limit value.

To enter the segment size, type in a decimal integer string for the number of blocks. The minimum value is 1272 blocks. The default value is set in the /etc/security/limits file.


Soft STACK size

Defines the largest soft process stack segment size, in 512-byte blocks, for a user's process. A user can change this value, but not beyond the hard limit value.

To enter the stack size, type in a decimal integer string for the number of blocks. The default value is set in the /etc/security/limits file.


Soft CORE file size

Defines the largest soft core file size, in 512-byte blocks, that a user's process can create. A core file contains a memory image of a terminated process. The system creates core files in the current directory when certain system errors (commonly called core dumps) occur. A user can change this value, but not beyond the hard limit value.

To enter the core file size, type in a decimal integer string for the number of blocks. The default value is set in the /etc/security/limits file.
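
The five Soft entries above all point at /etc/security/limits. The following Python parser and checker is an added example, not code from the SMIT help or from AIX. The stanza layout it reads (a `name:` line followed by indented `attribute = value` lines, `*` comment lines, -1 for unlimited) and the attribute names fsize, cpu, data, stack and core with their `_hard` counterparts are this example's assumptions about the file, and the sample file contents are constructed. It resolves a user's effective limit (user stanza over the default stanza), converts 512-byte block counts to bytes, and flags soft values below the minimums the entries above state or above the hard limit.

```python
"""Parser and sanity checker for the stanza format of /etc/security/limits.

Added example, not from the SMIT help text or from AIX. The stanza layout and
the attribute names (fsize, cpu, data, stack, core and *_hard) are assumptions
of this example; -1 is taken to mean 'unlimited'. Values are 512-byte blocks,
except cpu, which is seconds.
"""
from typing import Dict, List, Optional

BLOCK = 512
UNLIMITED = -1
MINIMUMS = {"fsize": 8192, "data": 1272}  # minimum block counts stated in the help text
ATTRS = ("fsize", "cpu", "data", "stack", "core")

# Constructed sample file contents; not a real system's configuration.
SAMPLE_LIMITS = """\
* comment lines start with an asterisk
default:
\tfsize = 2097151
\tcore = 2097151
\tcpu = -1
\tdata = 262144
\tstack = 65536

alice:
\tfsize = 4096
\tfsize_hard = 2097151
\tdata = 524288
\tdata_hard = 262144
\tcore = 0
"""


def parse_limits(text: str) -> Dict[str, Dict[str, int]]:
    """Return {stanza_name: {attribute: value}} for the stanza text."""
    stanzas: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("*"):
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in stripped:
            raise ValueError(f"unexpected line in limits file: {line!r}")
        key, _, value = stripped.partition("=")
        stanzas[current][key.strip()] = int(value.strip())
    return stanzas


def effective_limit(stanzas: Dict[str, Dict[str, int]], user: str, attr: str) -> Optional[int]:
    """The user's own stanza wins, then 'default'; None if neither sets the attribute."""
    for name in (user, "default"):
        if attr in stanzas.get(name, {}):
            return stanzas[name][attr]
    return None


def blocks_to_bytes(blocks: Optional[int]) -> Optional[int]:
    """512-byte blocks to bytes; None for unset or unlimited."""
    return None if blocks in (None, UNLIMITED) else blocks * BLOCK


def check_user(stanzas: Dict[str, Dict[str, int]], user: str) -> List[str]:
    """Findings for one user: soft below documented minimum, or soft above hard."""
    findings: List[str] = []
    for attr in ATTRS:
        soft = effective_limit(stanzas, user, attr)
        hard = effective_limit(stanzas, user, attr + "_hard")
        if soft is None:
            continue
        if soft != UNLIMITED and attr in MINIMUMS and soft < MINIMUMS[attr]:
            findings.append(f"{attr}: {soft} is below the minimum of {MINIMUMS[attr]} blocks")
        if hard is not None and hard != UNLIMITED and (soft == UNLIMITED or soft > hard):
            findings.append(f"{attr}: soft limit {soft} exceeds hard limit {hard}")
    return findings


if __name__ == "__main__":
    stanzas = parse_limits(SAMPLE_LIMITS)
    for attr in ATTRS:
        print(attr, effective_limit(stanzas, "alice", attr), blocks_to_bytes(effective_limit(stanzas, "alice", attr)))
    for finding in check_user(stanzas, "alice"):
        print("finding:", finding)
```

For the constructed user alice the checker reports two findings: fsize is set below the 8192-block minimum, and the data soft limit exceeds its hard limit, which the dialog would not permit a user to set.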


Change / Show Characteristics of a Role

Displays the attributes for a specific role. If you have the correct access privileges, you can change certain attributes of the role.


Remove a Role

Removes a role from the system. Removing a role deletes the role's attributes from the role files, but does not remove the users who are members of the role from the system.

The role must already exist on the system and you must have the correct access privileges to remove roles from the system.


Roles

Provides a menu for viewing and working with existing roles on the system, and for creating new roles. Roles consist of zero or more authorizations that allow a user to execute functions that normally require root permission.


List All Roles

Displays the roles that already exist on the system.


Message CATALOG

A message catalog where an optional role description is stored. The message must be in set 1.


Message NUMBER

The message number within the message catalog.


SMIT SCREENS

Contains a list of SMIT screen identifiers, separated by commas, that allow a role to be mapped to various SMIT screens. An asterisk implies all screens, and an exclamation point negates a screen. Negation takes precedence over non-negation; that is, if the screen attribute is "*,!*", the "!*" takes precedence and denies access to all screens.

Examples:

*,!screen1 - Allows access to all screens except screen1
screen1,! - Denies access to all screens.
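
The negation rule above is the part of the SMIT SCREENS attribute that is easiest to get wrong. The following Python function is an added example, not code from the SMIT help or from SMIT itself: it evaluates a comma-separated screen list for one screen identifier with a matching negated entry always winning, regardless of order. A bare `!` is read as `!*`, following the second example above; nothing else about how SMIT tokenizes the attribute is assumed.

```python
"""Evaluate a SMIT SCREENS attribute value for a given screen identifier.

Added example, not code from the SMIT help text or from SMIT. Rules taken
from the help text: entries are comma-separated, '*' means every screen,
'!' negates an entry, and negation takes precedence over non-negation.
"""
from typing import Iterable, List


def screen_allowed(screens_attr: str, screen: str) -> bool:
    """True if `screen` is reachable under `screens_attr`, e.g. '*,!screen1'."""
    allowed = False
    for raw in screens_attr.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if pattern == "":
            # A bare '!' is read, as in the help text's second example, as '!*'.
            pattern = "*"
        if pattern != "*" and pattern != screen:
            continue  # entry does not apply to this screen
        if negated:
            return False  # a matching negation wins over any positive match
        allowed = True
    return allowed


def allowed_screens(screens_attr: str, candidates: Iterable[str]) -> List[str]:
    """Filter a known set of screen identifiers down to those the role may reach."""
    return [s for s in candidates if screen_allowed(screens_attr, s)]


if __name__ == "__main__":
    # Constructed screen identifiers; real SMIT fast-path names are not used here.
    screens = ["screen1", "screen2", "screen3"]
    for attr in ("*,!screen1", "*,!*", "screen1,!", "screen2,screen3"):
        print(f"{attr!r:20} -> {allowed_screens(attr, screens)}")
```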

Add a Role

Creates a role with the authorizations and other attributes that you specify.


Role NAME

Specifies the role you want to remove from the system. The role must already exist on the system and you must have the correct access privileges to remove the role.

Type in the name of the existing role, or use the List box and select a role from the choices displayed.


Role NAME

Specifies the role that has the attributes you want to change or view. The role must already exist on the system and you must have the correct access privileges to change the role.

Type in the name of the existing role, or use the List function and select a role from the choices displayed.

Note: You cannot change the name of a role. If you want to rename a role, you must create a new role with the new name and delete the old one.


Role LIST

Specify the roles implied by this role. For example, if the role list attribute contains the value of "role1,role2", then assigning this role to a user also assigns the roles of role1 and role2 to that user.


AUTHORIZATIONS

Specify the additional authorizations that you want associated with this role. Users assigned to this role acquire these authorizations.


GROUPS

Specify the groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
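
Role LIST, AUTHORIZATIONS and GROUPS together determine what a user actually receives when a role is assigned, and Role LIST can chain. The following Python helper is an added example, not code from the SMIT help or from AIX: with a constructed table of roles it computes the transitive closure of Role LIST (safely, even when role lists form a cycle), the authorizations a user acquires through every implied role, and the groups the user still needs for all of those roles to be effective. The role, authorization and group names in the sample table are constructed.

```python
"""Resolve what a role grants once Role LIST is followed transitively.

Added example, not code from the SMIT help text or from AIX. The role table
below is constructed; the names are not real AIX roles or authorizations.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class Role:
    rolelist: Set[str] = field(default_factory=set)        # Role LIST: roles implied by this role
    authorizations: Set[str] = field(default_factory=set)  # AUTHORIZATIONS
    groups: Set[str] = field(default_factory=set)          # GROUPS required for the role to be effective


def parse_list(value: str) -> Set[str]:
    """Comma-separated attribute value to a set, e.g. 'role1,role2'."""
    return {v.strip() for v in value.split(",") if v.strip()}


def sample_roles() -> Dict[str, Role]:
    """Constructed role table; role1 -> role2 -> role3 -> role1 forms a cycle on purpose."""
    return {
        "role1": Role(parse_list("role2"), parse_list("auth.list.users"), parse_list("grp.users")),
        "role2": Role(parse_list("role3"), parse_list("auth.reset.passwd"), parse_list("grp.security")),
        "role3": Role(parse_list("role1"), parse_list("auth.list.audit"), set()),
        "role4": Role(set(), parse_list("auth.backup"), parse_list("grp.backup")),
    }


def effective_roles(roles: Dict[str, Role], name: str) -> Set[str]:
    """Transitive closure over Role LIST; unknown role names are ignored."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current in seen or current not in roles:
            continue
        seen.add(current)
        stack.extend(roles[current].rolelist)
    return seen


def effective_authorizations(roles: Dict[str, Role], name: str) -> Set[str]:
    """Every authorization the user acquires through the role and all implied roles."""
    return set().union(*(roles[r].authorizations for r in effective_roles(roles, name)))


def missing_groups(roles: Dict[str, Role], name: str, user_groups: Iterable[str]) -> Set[str]:
    """Groups the user must still be added to for every effective role to work."""
    needed = set().union(*(roles[r].groups for r in effective_roles(roles, name)))
    return needed - set(user_groups)


if __name__ == "__main__":
    table = sample_roles()
    print("roles:", sorted(effective_roles(table, "role1")))
    print("authorizations:", sorted(effective_authorizations(table, "role1")))
    print("missing groups:", sorted(missing_groups(table, "role1", ["grp.users"])))
```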


Roles

Specify a comma-separated list of roles for this user.


Provides options for configuring and managing an LDAP client or server.


Provides options for configuring an LDAP client and managing daemons.


Provides options for configuring an LDAP server and managing daemons.


Configures and reconfigures the system as an LDAP client. This requires the ldap.client fileset to be installed.


Displays the currently configured LDAP client values on the system.


Clears stored values in the LDAP client daemon cache.


Stops the currently active LDAP client daemon, then restarts it. If the LDAP client daemon is not active, it is started.


Starts the LDAP client daemon.


Stops the LDAP client daemon.


A list of the systems to contact as LDAP servers. Separate each LDAP server host name or IP address with a comma. Information in this field is required.


The LDAP distinguished name (DN) used to bind to the LDAP server. The DN you specify must exist on the LDAP server. The ability to perform operations on entries in the LDAP server database from the LDAP client is dependent on the access permissions granted to the bind DN on the LDAP server. Information in this field is required.

Examples:
cn=admin
cn=proxy,o=ibm
cn=user,ou=people,cn=aixdata


The text-only password for the distinguished name (DN) used to bind to the LDAP server. The password you use must match the password on the LDAP server for the specified DN. Information in this field is required.


The authentication mechanism used to authenticate users. Valid values are:

Note: If you select "ldap_auth", it is recommended that you use SSL to protect the clear text password from exposure.


The suffix or base distinguished name (DN) to search on the LDAP server for users, groups, and other network information entities. If this suffix is not specified, the entire database on the LDAP server is searched and the first set of recognized data used.

Examples:
cn=aixdata
o=ibm


The port number on the LDAP server to connect to. If SSL is used, the default is port number 636. Otherwise, the default is port number 389.


The full path to the SSL key database.


The password for the SSL Key. If a password is not specified, it is assumed that a password stash file exists with the same file specification as the Key Path, but with an extension of ".sth".


The maximum number of user entries used in the client side daemon cache. Valid values are 100-10000 for the user cache. The default value is 1000. The group cache size is set to 10% of the specified user cache size.


The time, in seconds, before the cache expires. Valid values are 60-3600 seconds. The default value is 300 seconds. Setting this value to 0 disables caching.


The number of threads the client side daemon uses. Valid values are 1-1000. The default value is 10.


The time interval, in seconds, for a heartbeat between this client and the LDAP server. Valid values are 60-3600 seconds. The default value is 300 seconds.


A list of existing users who can authenticate through LDAP. Separate each user name with a comma. The specified users must be defined on the LDAP server to log in to the local system. To enable all users on the client, specify "ALL".


The type of user attributes to retrieve. Valid values are:


The location of the default entry for attributes. Valid values are:


The maximum time, in seconds, that an LDAP client request waits for a response from the LDAP server. Valid values are 0-3600 seconds. You can set this value to "0" to disable the timeout and require the client to wait until a response is received.
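
The client attributes above carry several required fields, value ranges and derived defaults that are easy to get wrong when the dialog is filled in by hand. The following Python validator is an added example, not code from the SMIT help or from AIX: the dictionary keys it reads (servers, bind_dn, use_ssl and so on) are this example's own names, not the configuration keys AIX stores, and both sample configurations are constructed. It applies the ranges and defaults stated above, derives the port from the SSL setting, derives the `.sth` stash file path when no SSL key password is given, sizes the group cache at 10% of the user cache, and warns when ldap_auth is used without SSL.

```python
"""Offline check of LDAP client settings against the ranges given above.

Added example, not code from the SMIT help text or from AIX. The keys used
here are this example's names, not AIX configuration keys; sample values
are constructed.
"""
import os
from typing import Any, Dict, List, Tuple

# (minimum, maximum, default); a None default means the field is optional
RANGES: Dict[str, Tuple[int, int, Any]] = {
    "user_cache_size": (100, 10000, 1000),
    "cache_timeout": (60, 3600, 300),      # 0 is also accepted: it disables caching
    "threads": (1, 1000, 10),
    "heartbeat_interval": (60, 3600, 300),
    "request_timeout": (0, 3600, None),    # 0 = wait until a response arrives
}

# Constructed sample configurations (hosts, DNs, paths and password are made up).
SAMPLE_OK = {
    "servers": "ldap1.example.test, ldap2.example.test",
    "bind_dn": "cn=proxy,o=ibm",
    "bind_password": "constructed-secret",
    "auth_mechanism": "ldap_auth",
    "use_ssl": True,
    "ssl_key_path": "/tmp/example/client.kdb",
    "user_cache_size": 2000,
    "user_list": "alice,bob",
}
SAMPLE_BAD = {
    "servers": "",
    "bind_dn": "cn=admin",
    "auth_mechanism": "ldap_auth",
    "use_ssl": False,
    "user_cache_size": 50000,
    "cache_timeout": 0,
    "user_list": "ALL",
}


def split_list(value: Any) -> List[str]:
    return [v.strip() for v in str(value).split(",") if v.strip()]


def validate_client_config(cfg: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str], List[str]]:
    """Return (effective settings, errors, warnings) for a proposed client configuration."""
    eff: Dict[str, Any] = dict(cfg)
    errors: List[str] = []
    warnings: List[str] = []

    eff["servers"] = split_list(cfg.get("servers", ""))
    if not eff["servers"]:
        errors.append("servers: at least one LDAP server host name or IP address is required")
    for required in ("bind_dn", "bind_password"):
        if not cfg.get(required):
            errors.append(f"{required}: required")

    use_ssl = bool(cfg.get("use_ssl", False))
    eff.setdefault("port", 636 if use_ssl else 389)  # documented defaults
    if cfg.get("auth_mechanism") == "ldap_auth" and not use_ssl:
        warnings.append("ldap_auth without SSL sends the clear text password to the server")

    if use_ssl:
        key_path = cfg.get("ssl_key_path")
        if not key_path:
            errors.append("ssl_key_path: required when SSL is used")
        elif not cfg.get("ssl_key_password"):
            # no key password: a stash file with the same name and a .sth extension is assumed
            eff["ssl_stash_file"] = os.path.splitext(key_path)[0] + ".sth"

    for name, (lo, hi, default) in RANGES.items():
        value = cfg.get(name, default)
        if value is None:
            continue
        if name == "cache_timeout" and value == 0:
            warnings.append("cache_timeout 0 disables the client daemon cache")
            continue
        if not (lo <= value <= hi):
            errors.append(f"{name}: {value} outside allowed range {lo}-{hi}")
        eff[name] = value

    if not any(e.startswith("user_cache_size") for e in errors):
        eff["group_cache_size"] = eff["user_cache_size"] // 10  # group cache is 10% of user cache

    users = str(cfg.get("user_list", ""))
    eff["user_list"] = ["ALL"] if users.strip().upper() == "ALL" else split_list(users)
    return eff, errors, warnings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        effective, errs, warns = validate_client_config(sample)
        print(label, "errors:", errs, "warnings:", warns)
```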


Configures and reconfigures the system as an LDAP server. This requires the ldap.server fileset to be installed.


Starts the LDAP Server.


Stops the LDAP Server.


The LDAP server administrator distinguished name (DN). Information in this field is required.

Examples:
cn=admin
cn=administrator
cn=user


The text-only password for the administrator distinguished name (DN). Information in this field is required.


The LDAP schema used to represent user/group entries in the LDAP server. Valid values are:

Note: Information in this field is required except when "Export Users" is set to "no".


The suffix or base distinguished name (DN) to create that stores users, groups and other network information entities. For example, "cn=aixdata" or "o=ibm". The default is "cn=aixdata".


The port number that the LDAP server listens on. If SSL is being used, this defaults to port number 636. Otherwise, the default is port number 389.


The full path to the SSL key database of the server.


The password for the SSL Key. If a password is not specified, it is assumed that a password stash file exists with the same file specification as the Key Path, but with an extension of ".sth".


To export user and group definitions from the local system to LDAP, select "yes". Local definitions are not altered. Otherwise, select "no". The default is "yes".


The proxy user distinguished name (DN) used by LDAP clients to access the user and group data on the LDAP server. This value is typically in the format of "cn=proxyuser,baseDN", where "proxyuser" is the requested name of the entry and "baseDN" is the value specified in "Suffix / Base DN". The default access privilege of the proxy user to objects on the LDAP server is set using the values provided in the /etc/security/ldap/proxy.ldif.template file.


The password to set for the proxy user distinguished name. This password is required if "Proxy User DN" is specified.


You can use the Enterprise Identity Mapping (EIM) tool to create, maintain, or delete an EIM domain control and its associated registries, identifiers, and associations between identifiers and registry users. This should make it easier for operating systems, applications, and administrators to manage multiple identities. You can also give users, and other administrators, access to an EIM domain or list or remove the EIM entities.


Provides options for configuring EIM clients and LDAP servers.


Provides options for managing EIM using stored default information.


Provides options for managing EIM from manual input or by exporting records from a database.


Provides options for configuring an EIM client.


Provides options for configuring an LDAP server.


The full distinguished name (DN) of the EIM domain. This name begins with "ibm-eimDomainName=" and consists of the following:

Example DN: ibm-eimDomainName=MyDomain,o=ibm,c=us


The URL and port for the LDAP server controlling the EIM data. The format is shown in the following examples:

ldap://some.ldap.host:389
ldaps://secure.ldap.host:636


The method of authentication to the LDAP server. You can select one of the following methods:


The distinguished name to use for the simple bind to LDAP. For example, "cn=admin". The bind distinguished name has one of the following EIM authorities:


The password associated with the bind Distinguished Name.


The name of the SSL key database file, including the full path name. If the file cannot be found, it is assumed to be the name of a RACF key ring that contains authentication certificates. This value is required for SSL communications with a secure LDAP host (prefixed "ldaps://").

Example: /u/eimuser/ldap.kdb


The password required to access the encrypted information in the key database file. As an alternative, you can specify an SSL password stash file by prefixing the stash file name with "file://", for example:

file:///u/eimuser/ldapclient.sth


Identifies which certificate to use from the key database file or RACF key ring. If a certificate label is not specified, the default certificate in the file or ring is used.


The type of object being managed. You can select one of the following:


The type of action being performed. You can select one of the following:


Indicates how to treat dependents during EIM operations. You can select one of the following:


The scope of access authority the user has over the EIM domain. You can select one of the following:


The type for the access user name. You can select one of the following:


The name of a system registry. An application registry is a subset of a system registry. If you are adding an application registry, you must specify the application registry you are defining and whether it is an existing system registry.


A string of text that uniquely identifies this object. For example, the name of a person (John Doe).


Another string of text that identifies this object. For example, a shortened name of a person (John). You can specify multiple non-unique identifiers.


The Uniform Resource Identifier (URI) for the registry, if one exists.


Additional information to associate with an identifier or association.

Note: You can define user information only for target associations. You can specify this option multiple times to assign multiple pieces of information.


The user distinguished name (DN) with EIM access or the Kerberos identity with EIM privileges (depending on the specified "Access user type").


The name of a registry. When you add a new registry, EIM considers the registry a system registry unless you also specify the registry parent. If you specify the registry parent, EIM considers the registry an application registry.


The relationship between an identifier and a registry. You can select one of the following:

NOTE: You can specify this option multiple times to define multiple relationships.


The user ID of the user defined in the registry.


Another name for a registry. You must specify this option multiple times to assign multiple aliases.


The type of registry. Predefined types that EIM recognizes include the following:

You can also create your own types by concatenating a unique OID with one of the following two normalization methods:


The type for a registry alias. You can invent your own value or use one of the following suggested values:

Note: For a set of options or single input data record, EIM recognizes only the first specification of the Registry Alias Type. EIM does recognize multiple registry aliases and associates all of them with the single Registry Alias Type.


A string of text to associate with the domain, registry, identifier, or association. You can define a user description only for target associations.


An integer that controls the amount of trace detail that EIM displays; it is used for diagnosing problems in EIM. The default value of 0 indicates no trace information. You can specify an integer value from 1 to 10, from the least to the greatest amount of trace information.

The utility checks the value and displays trace information defined for the level and all lower levels. The following levels trigger specific information:

"3", which indicates EIM API call parameters and return values
"6", which indicates option values and input file labels
"9", which indicates utility routine entry and exit statements


LDAP Server

Denotes a specific version of the LDAP server fileset to configure. The value must be in the format #.# where each pound sign (#) is a number. For example, 6.0 would be a valid format. If the version is not specified, mksecldap configures the most recent version of the LDAP server fileset that is installed.


Applies the high-level security option. Use this option when security is paramount. Equivalent to the 'aixpert -l high' command.

Configuring a system to high security level might deny services that are needed. For example, telnet and rlogin are disabled with this level of security, because the login password is sent over the network unencrypted.


Applies the medium-level security option. Use this option when you want to balance performance and accessibility with strong security. Equivalent to the 'aixpert -l medium' command.


Applies the low-level security option. Use this option to minimize the impact of security on accessibility, usability and performance. Equivalent to the 'aixpert -l low' command.


Applies the default level of security and cancels all previous security settings, restoring the system to its traditional open configuration. Equivalent to the 'aixpert -l default' command.


Writes all valid security level settings to the '/etc/security/aixpert/core/secaixpert.xml' file, or to a different file set by the '-o' flag.

When you select this option, the vi editor opens with all the options and settings for advanced-level security. You can comment out any settings not required, then write and quit the file, and the remaining settings are applied to the system. To comment out a setting, place <!-- in front of the setting and --> after it.


Cancels the security settings previously configured with the 'aixpert' command.


Reports any security settings that have been changed or regressed from the parameters that were set by the 'aixpert' command.


Applies the following four control objectives of the SOX-COBIT Best Practices:

Equivalent to the 'aixpert -l sox-cobit' command.


Reports any security settings that have been changed or regressed from the parameters that were set by the 'aixpert' command with respect to SOX-COBIT best practices security. Equivalent to the 'aixpert -c -l sox-cobit' command.


Specify 'Yes' to remove the group's key store. Access to any EFS file created by a member of this group and protected by the group's key store may be permanently lost, because the file data is strongly encrypted and cannot be recovered without the key store.

Specify 'No' to keep the group's key store file, which is located in /etc/security/efs/.


Specify 'Yes' to allow the user to change the keystore mode.

Specify 'No' to prevent the user from changing the keystore mode.