
Conference iosg::all-in-1_v30

Title: *OLD* ALL-IN-1 (tm) Support Conference
Notice: Closed - See Note 4331.l to move to IOSG::ALL-IN-1
Moderator: IOSG::PYE
Created: Thu Jan 30 1992
Last Modified: Tue Jan 23 1996
Last Successful Update: Fri Jun 06 1997
Number of topics: 4343
Total number of notes: 18308

3395.0. "UIC usage bother" by GIDDAY::BURT (Plot? What plot? Where?) Thu Oct 14 1993 09:00

Hello and Greetings,

Customer is running ALL-IN-1 V3.0 under VMS 5.4
He has the SYSUAF from _hell_!

The customer was having problems creating a new user, getting error 
"you are not an administrator...
identifier or holder identifier does not exist in the rights database"
His identifiers hadn't been set up correctly - once that was sorted out I 
found that he had ALLIN1 and SYSTEM sharing the same UIC. I sent him the 
"how-to-fix" info, and he has done most of it (some file ownership still needs 
to be re-set)

He was still having problems creating a new user - "no space available on any 
of the specified disks". There is a bit of a problem using the fix as 
described in STARS for this problem (which is caused by a pre-existing rights 
ident). 

The customer habitually creates users in VMS prior to adding them to ALL-IN-1. 
They are ALL in the same UIC group, and there are at LEAST 100 users with the 
same UIC.

What I would like is a plan of attack - the UICs are going to have to change 
from being shared to unique, but I'm concerned about the UIC problem with 
re-use etc.

Help! Please!

Chele


3395.1. "orange 2 white 0" by IOSG::TYLDESLEY (The best team won... (Wales ;-)) Thu Oct 14 1993 11:09, 9 lines

    Hello Chele,
    As a start, you could have a look through the discussions we had
    earlier with Sunil - 2385.5 and onwards. It really isn't a good idea 
    to create your VMS a/cs outside ALL-IN-1, for ALL-IN-1 to use, because
    the UIC allocation history file that ALL-IN-1 keeps is not updated,
    and the site could re-use a UIC, and possibly allow a user access to 
    drawers where s/he shouldn't be (V3.0).
    Cheers                                
    DaveT

3395.2. "unique uics" by GIDDAY::BURT (Plot? What plot? Where?) Mon Oct 18 1993 06:34, 6 lines

Hiya,

Is the preference for unique UICs actually documented somewhere?
I need a bit of paper to place delicately beneath the customer's proboscis.

Chele

3395.3. "insert under proboscis" by IOSG::TYLDESLEY (The best team won... (Wales ;-)) Mon Oct 18 1993 10:27, 8 lines

    Hi.
    Well, there is a brief reference on page 25 (3rd para) ALL-IN-1 
    Information Update, August 1992. I haven't got my bookreader access
    at the moment, so I can't check any further - sorry. If I could,
    I'd have a look in the docn for shared drawers, and also, if I had a
    copy (;-), I'd look in TR's book on Managing and Programming V3.0.
    Cheers
    DaveT

3395.4. "Information Update article" by IOSG::EDMONDSON (Estne volumen in toga, an solum tibi libet me videre?) Mon Oct 18 1993 11:36, 62 lines

Here's the first half of the Information Update article that Dave mentioned:
    
    ALL-IN-1 Version 3.0 includes a UIC Allocation file, which provides a
    simple way to keep a check of which UIC groups and member numbers have
    been allocated to your users. Together with improved data entry forms
    for user details, improved account templates, and improved logging of
    the Create User process, this has helped to improve the process of
    creating user accounts.

    Another improvement introduced in ALL-IN-1 Version 3.0 is the UAI$
    DSAB, which allows much simpler reading of, and writing to, the system
    user authorization file, SYSUAF.DAT. This, in turn, has allowed much of
    the account creation process to be moved to the script
    OA$LIB:SM_CR_USER_DETAILS.SCP. This script uses the new MAKE_UIC
    function to read
    through SYSUAF.DAT, identify the next available UIC in a particular UIC
    group, and allocate this UIC number to the new VMS account record in
    SYSUAF.DAT.

    Finding a UIC in this way involves a risk that UICs from deleted
    accounts may inadvertently be reused. If this happens, the new user may
    have access, through access control list entries, to files and
    directories of the previous user. This is no different from using
    Authorize to create VMS accounts - the risk of reusing a UIC number is
    just the same.

    To help avoid this problem, the Create User process in ALL-IN-1 Version
    3.0 includes a mechanism to prevent the reuse of UICs that ALL-IN-1 has
    granted in the past. This mechanism uses the UIC Allocation file,
    OA$DATA:SM_UIC_ALLOCATION.DAT, which is mapped by the entry form
    SM$UIC$ALLOCATION in OA$LIB:MANAGER. Each time the MAKE_UIC function
    is used to create an entry in SYSUAF.DAT, it adds an entry to the UIC
    Allocation file. This entry has a value that is one greater than the
    UIC member number allocated to the new user account. For example, if an
    ALL-IN-1 user account VASQUEZ is created with a UIC value of [320,155],
    the MAKE_UIC function adds a new record for group number 320 in the UIC
    Allocation file. This new record has a value of 156.

    The next time an ALL-IN-1 user account is created, the script
    SM_CR_USER_DETAILS.SCP uses this value from the UIC Allocation file as
    the start-member parameter of the MAKE_UIC function. Thus, if an
    ALL-IN-1 account has used a UIC member number in the specified group,
    and the account has since been deleted, ALL-IN-1 has a record of this
    usage and does not reallocate the same UIC member number.

    If, since the last update of the UIC Allocation file for the specified
    UIC group, a higher member number has been added to SYSUAF.DAT (for
    example, through the use of the Authorize Utility), MAKE_UIC ignores
    the value of the start-member parameter and uses a value of one greater
    than the number in SYSUAF.DAT. If, on the other hand, the value of
    start-member is greater than the highest existing UIC member number
    within the specified group, MAKE_UIC uses this value as the member
    number of the new user. Provided that the integrity of the UIC
    Allocation file has been maintained, this ensures that ALL-IN-1 cannot
    reuse any UIC that it has previously used.

    In some ways, the UIC Allocation file is more effective in maintaining
    security than using the Authorize Utility to add users and keeping an
    informal check of which UICs you have used. In fact, some ALL-IN-1
    sites use the ALL-IN-1 Create User process simply as an easy means of
    creating VMS accounts, even when the user does not intend using
    ALL-IN-1.
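
An added example, not part of the thread and not ALL-IN-1 code: a small Python model of the allocation rule described in the article quoted in 3395.4, simplified to "the larger of start-member and the highest live member number plus one". It shows UIC reuse without the allocation file, no reuse with it, and the reuse DaveT describes in 3395.1 when accounts are created and deleted outside ALL-IN-1; the class, method and account names other than VASQUEZ are hypothetical.

```python
# Added model of the rule the article describes; not ALL-IN-1 code.
# Class, method and account names (other than VASQUEZ) are hypothetical.

class UicModel:
    def __init__(self, use_allocation_file=True):
        self.use_allocation_file = use_allocation_file
        self.sysuaf = {}      # username -> (group, member); live accounts only
        self.allocation = {}  # group -> next start-member (UIC Allocation file)
        self.history = {}     # (group, member) -> first owner; audit aid only

    def _add(self, user, group, member):
        self.sysuaf[user] = (group, member)
        first = self.history.setdefault((group, member), user)
        # Return the UIC and, if it was held before, the previous owner.
        return (group, member), (first if first != user else None)

    def authorize_add(self, user, group, member):
        """Account created outside Create User: allocation file untouched."""
        return self._add(user, group, member)

    def delete(self, user):
        del self.sysuaf[user]

    def make_uic(self, user, group):
        """Create User path: start-member versus highest member in SYSUAF."""
        highest = max((m for g, m in self.sysuaf.values() if g == group), default=0)
        start = self.allocation.get(group, 1) if self.use_allocation_file else 1
        member = max(start, highest + 1)
        if self.use_allocation_file:
            self.allocation[group] = member + 1   # e.g. [320,155] records 156
        return self._add(user, group, member)

def run_scenarios():
    out = {}
    for label, flag in (("no_file", False), ("with_file", True)):
        m = UicModel(use_allocation_file=flag)
        m.authorize_add("OLDUSER", 320, 154)
        m.make_uic("VASQUEZ", 320)             # gets [320,155]
        m.delete("VASQUEZ")
        out[label] = m.make_uic("NEWUSER", 320)
    # m is now the with-file model: NEWUSER holds 156, the file says 157.
    m.authorize_add("TEMP", 320, 157)          # created and deleted outside
    m.delete("TEMP")                           # ALL-IN-1, so no file record
    out["out_of_band"] = m.make_uic("LATER", 320)
    m.authorize_add("ADMIN", 320, 200)         # live account above start-member
    out["sysuaf_higher"] = m.make_uic("NEXT", 320)
    return out

if __name__ == "__main__":
    for name, (uic, previous_owner) in run_scenarios().items():
        print(f"{name:14} UIC={uic} previously held by {previous_owner}")
```

The `out_of_band` case is the one that matters for a site that habitually creates accounts with Authorize first: the allocation file never saw [320,157], so the model hands it out again.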