Conference iosg::all-in-1

    Why doesn't he start using another group?
    
    Explain to the customer why we go to the trouble of preventing UIC
    reuse. He does understand that I suppose?
    
    If he has an existing UIC member of 111111 (or whatever) then we have
    to assume that he's used all the others before, and start above that
    number.

    If he knew he was going to create so many users why did he chose to 
    start at member number 177726?!
    He should start using a new group (via the template).
    DaveT

Hi all,

thanks for your replies !

The reason he can't or want to create a new uic-group is that he has a lot
of layered products (non Digital) and this software needs all user in one 
uic-group.

regards 

Thomas

>In other words : he said : this is a programming error and he 
>will NOT change the uic for all this users by hand.
    
    The customer must have had a reason for starting at [100,177726]
    instead of [100,1], so ALL-IN-1 is respecting that.  Imagine the
    complaints if Engineering went back and used UIC's in the group that
    were not used.  You would hear complaints that ALL-IN-1 should respect
    the system manager's wish to have only 50 users per group.  I just
    can't see it behaving any other way.  Undoubtedly, there are customers
    who regard a UIC assignment as forever, similar to a badge number.  If
    a file is found to belong to a given UIC, they can go back and find out
    who owned that UIC, and therefore the file.  That won't work if
    ALL-IN-1 reuses UIC's that are deleted.
    
    You could probably use DCL or a 3GL to write a routine that similated
    this function but did as the customer wished, then substitute that in
    the create user script.
    
    Ben

Hi Ben,

thanks for your reply !

The customer is very angry and will never ever change the uic's by hand or
with a DCL procedure !!

He can't understand why ALL-IN-1 is unable to use uic's which were never used 
before or deleted and which were smaller than 177726.

For him is it a bug that ALL-IN-1 is unable to fill up the uic-gap.
He has a uic gap of approx. 1500 uic's ([100,162700] - [100,177725]).

He WILL now know from where ALL-IN-1 get the information that the uic 177725 
was ever used before and he will now a change so that ALL-IN-1 is able to use 
uic's which are smaller than 177725.

What is the filename of the file from where ALL-IN-1 reads the information 
that this uic was ever used before ?
Is there any way to "reset" this information ?

He asks now if it is possible to change the make_uic function ( new parameter 
or something else) in any way.

regards

Thomas    

    <<<< He can't understand why ALL-IN-1 is unable to use uic's which were
    <<<< never used before or deleted and which were smaller than 177726.
    
    How does he think we *KNOW* they were never used before?
    
    Here's the explanation:
    
    	Create an account with UIC [100,162700]
    
    	Grant that account access to some highly important, very secret
    	files, by adding an ACL to them.
    
    	Now delete the account.
    
    	Now get ALL-IN-1 to create a new account. You want us to use the
    	now vacated UIC.
    
    	Bingo! The new account now has access to the secret files....
    
    You can see that we aren't going to "fix" this "problem", and we in
    fact went to a lot of trouble to close this security hole that other
    people have complained about.

Hi Graham,

thanks for your reply !

Ok - I understand why ALL-IN-1 never use a "used" uic again.

Why is ALL-IN-1 unable to fillup the uic-gap ?

Ok - ALL-IN-1 remembers every used uic.

I found a Tima articled where stand that the customer must change the uic by 
hand - BUT

when the customer do that ALL-IN-1 will still remember the used uic - or not ?

example : uic [100,177775] 

customer change this uic to [100,10000] by hand

customer try to create a new ALL-IN-1 user

ALL-IN-1 remember the uic [100,177775] 

error uic group full (maybe I'm wrong)

ALL-IN-1 must get this information about the "used" uic's from anywhere 
(dat file)

Is there any possibility to change this file to fillup the gap and delete the
pointer to the highest ever used uic ?

If there is a possibility it's maybe dangerous ( for example create a new 
file). 
What's happen with the uic's which were used by the ALL-IN-1 users and the 
customer tries to create a new user and have two different users with the same 
uic ?

thanks alot for your help !

regards 

Thomas

    First: Note that if the customer starts changing any data files, they
    will be removing the careful checks we have put in to help with good
    security. You must be sure they understand that if a security problem
    happens later, they can *NOT* blame Digital for it.
    
    
    The way the account creation code works is to look in the file
    OA$DATA:SM_UIC_ALLOCATION.DAT to find the highest UIC member that
    ALL-IN-1 has used. It then looks in SYSUAF for the highest UIC member,
    in case other accounts have been created outside ALL-IN-1. The account
    is created with the highest unused UIC. Then the next free UIC member
    is written back into the file.
    
    The file is mapped by the form SM$UIC$ALLOCATION, so you can use this
    form to change the file. But you must move the accounts with the high
    UICs too.
    
    
    <<<< What's happen with the uic's which were used by the ALL-IN-1 users
    <<<< and the customer tries to create a new user and have two different
    <<<< users with the same uic ?
    
    We can only control accounts that ALL-IN-1 creates. If other accounts
    are created, they should use the same care that we do. Open VMS should
    stop UICs being used again, but it doesn't, so we had to build our own
    way of stopping it.
    
    Graham and Dave.

Hi Graham and Dave,

thanks for your answer !

I'll inform the customer.

regards

Thomas