The Password Manager Utility psmgr

Overview of the psmgr Utility

The psmgr utility manages the password table that enables access to the SPD Server host. When you start SPD Server, the command line option -ACLDIR specifies the location (directory path) where the table is located. The owner of the password table, typically the SPD Server administrator, can update the table.
The password table contains the following attributes and capabilities for each system user:
  • a user ID
  • a password
  • an access privilege
  • an optional IP address
  • an optional password expiration time
  • an optional ACL group name
  • an optional time limit between successful logins
  • an optional number of login failures before disabling the user
  • an optional user performance class
A user ID is restricted to 8 characters and does not have to correspond to any system user ID.
A password is also restricted to 8 characters.
A password for the psmgr table must have a minimum of 6 characters - at least one character must be numeric, and at least one character must be alphabetic. A new password must be different from a user's last six passwords. The password cannot contain the user ID.
If a user has three consecutive failed attempts to connect to the SPD Server host, his or her user ID is no longer enabled. Until an administrator resets the user ID, the user will not be able to connect to the SPD Server host.
If you are upgrading to SPD Server 4.5 from SPD Server 3.x, the SPD Server 4.5 psmgr utility must be re-populated from the SPD Server 3.x password table.

Invoking the psmgr Utility

You invoke the psmgr utility by entering the PSMGR command and specifying the directory path where the password table is located. (Or you can specify a password table that has not yet been created.)
For a UNIX system, use the command:
psmgr installdir/site
The command invokes the psmgr utility and specifies the directory path for the password table.
For a Windows system, use the command: 
psmgr
The command invokes the psmgr utility and uses the directory where SPD Server was installed to access the password table.

Converting to a psmgr 4.x Table

With SPD Server 4.5, you must convert your SPD Server 3.x password file to 4.5 format. Converting your password file to 4.5. format enables you to use the same set of active SPD Server user IDs in SPD Server 4.5 that you used in SPD Server 3.x. To convert your SPD Server password file to 4.5 format from 3.x format, do the following:
  1. Start the SPD Server 3.x psmgr utility using your SPD Server 3.x password table.
  2. Export your SPD Server 3.x password table.
  3. Start the SPD Server 4.5 psmgr utility with a new table.
  4. Import the exported file from step 2 into the new password table.
Example:
/Installdir3_0/bin/psmgr /Installdir3_0/site

Enter Command > export /Installdir3_0/site/oldtable
Enter Command > quit

/Installdir4_0/bin/psmgr /Installdir4_0/site

Enter Command > import /Installdir3_0/site/oldtable
This creates a psmgr table from an old format psmgr table that exists at /installdir3_0/site.

Adding New Users with psmgr

Overview of Adding New Users

Whether you want to create the password for the user, or you want the user to create his own password, there are two methods to set up a new user.

Add a New User Who Creates His Own Password

This two-part method requires that the new user knows how to use one of the following LIBNAME options to change his password: CHNGPASS=, or NEWPASSWD=. The first part adds a new user. Perform the following steps:
  1. Enter the PSMGR command and the password directory. For example:
    psmgr /SPDS/pwdir
  2. Enter the ADD command and the user ID. For example:
    add debby
  3. Enter a temporary password for the user. For example:
    temporarypassword
  4. Re-enter the temporary password for accuracy. For example:
    temporarypassword
  5. Enter an authorization level number from 0 to 7, depending on the authorization level that you want to assign to the user. For example:
    0
  6. Enter the IP address of a client machine if you want to limit the user's access to the client machine, or skip this step by pressing Enter. For example:
    11.21.1.217
  7. Enter the number of days you want the password to be valid. For example:
    30
  8. Enter the group name if the user is part of an ACL group, or skip this step by pressing Enter. For example:
    groupname
The user debby is added. The temporary password is good for one logon.
The second part changes the user's password. Change the user's password with the NEWPASSWD= option. For example:
LIBNAME mylib sasspds "spdsdata"
 host="bubba"
 serv="5200"
 user="debby"
 password="temporarypassword"
 NEWPASSWD="abc123"
Or, change the user's password with the CHNGPASS= option. For example:
LIBNAME mylib sasspds "spdsdata"
  host="bubba"
  serv="5200"
  user="debby"
  password="xyz123"
  CHNGPASS=YES
The user will be prompted for a new password.

Add a New User and Set a Password for the User

The second method adds a new user to the password table using the psmgr utility. The password expires immediately after the user is created. The SPD Server administrator creates a new password for the user and sends it to him.
  1. The SPD Server Administrator issues the CHGPASS command. For example:
    chgpass debby
  2. The SPD Server administrator enters Debby's old password. For example:
    oldpassword
  3. The SPD Server administrator enters Debby's new password. For example:
    newpassword
  4. The SPD Server administrator re-enters the new password for accuracy. For example:
    newpassword
The SPD Server administrator can now inform Debby of her new password. The new password expires in the number of days that was specified in step 7 of the previous section.

psmgr Commands

The psmgr utility is an interactive program. It reads commands and operands from your computer, and prompts you for input when necessary. You can also send a file of commands to the utility, structuring each command so that no input is required.
The commands and operands are positional, and they must be separated by blank spaces. If you give an insufficient number of operands, the utility prompts you for the remaining operands. Password operands, which are obtained with a prompt, are not echoed back to the computer.

psmgr Command Details

ADD

adds a new user to the password table.
Syntax 
add username passwd passwd privilege
    [ip_addr|-] [expiretime|-] [group|-]
    [timeout|-] [failures|-] [class|-]
Note: The new user's password expires during the first logon to SPD Server.
Arguments
username
the user ID of an SPD Server user, which is restricted to 8 characters. The first character of the username can be either an alpha or an underscore. The remaining characters can be either an apha, numeric, or underscores. The SPD Server user ID does not have to correspond to any system user ID.
passwd
the user's password, which is restricted to 8 characters. The psmgr table requires a password with a minimum of 6 characters - at least one character must be numeric, and at least one character must be alphabetic. The argument is repeated to verify the password.
privilege
an authorization level number from 0 to 7. The authorization level number assigns access privileges to the user.
The numbers 0-3 are equivalent. Use the numbers 0-3 to specify a normal, non-privileged user.
The numbers 4-7 are equivalent. Use the numbers 4-7 to specify a special user. Special users can update the password table and override any ACL restrictions on SPD Server tables. You might want to restrict special privileges to only the SPD Server user ID and password for yourself, the SPD Server administrator.
ip_addr
a numerical IP address; or a dash (-), which indicates that no IP address is specified. Use the IP address to restrict the user's access to SPD Server to that specific IP address.
Note: The IP address is not verified.
expiretime
a password expiration time; or a dash (-), which indicates that no password expiration time is being specified. The expiration time requires the user to change his password before the specified number of days has expired. The value, which is specified in days, represents the number of days from today (the current day) that the password is valid.
group
the default group for the user; or a dash (-), which indicates that no default group is being specified. If specified, the group definition must exist, which means that it was created by a previous GROUPDEF command. Group affiliation can be changed by a GROUPMEM command.
timeout
a maximum amount of time that is allowed between successful logins before the account is no longer enabled, or a dash (-), which indicates that no timeout is being specified.
failures
the number of password failures; or a dash (-), which indicates that no failure limit is being specified. The value specifies the number of login failures allowed before the user is disabled. A disabled can be re-enabled by the psmgr administrator using the reset command.
class
the performance class of the user specified as a number from 1 to 3. The value specifies whether the user is in a Low (1), Medium (2), or High (3) performance class. The SPD Server server can be configured to provide different server parameters, based on the user's performance class setting.

AUTHORIZE

authorizes a user to modify the password table.
Syntax 
authorize username userspasswd
Arguments
username
the user ID of an SPD Server user.
userspasswd
a valid user's password.
Description
Only a special user can update the password table. In other words, to use modification commands such as ADD and DELETE, you must be a special user or the owner of the password table. If you are not the owner of the password table, you can use the AUTHORIZE command to authorize yourself to update the password table. Enter your user ID and password in the password table, and then mark the user ID as special (by specifying the authorization level as number 4 or higher).
For example, assume that the psmgr LIST command is used to obtain the following output: 
  USER   AUTHORIZATION  IP ADDRESS
-------- ------------- ------------
bar            7
foo            1        192.149.173.5
You can grant yourself privileges by using the AUTHORIZE command and specifying bar as the user name bar, and include the bar password barpwd1.
Example 
authorize bar barpwd1

CHGAUTH

changes the authorization level for a user.
Syntax 
chgauth username authlevel
Arguments
username
the user ID of an SPD Server user.
authlevel
an authorization level for the user, which is specified using numbers 0 through 7. See the argument in the ADD command for an explanation of the numbers.

CHGEXPIRE

changes the expiration date for a given user's password. By default, a new user ID is created with an expired password.
Syntax 
chgexpire username exptime
Arguments
username
the user ID of an SPD Server user.
exptime
a password expiration time. The expiration time requires the user to change his password before the specified number of days has expired. The value, which is specified in days, represents the number of days from today (the current day) that the password is valid.

CHGIP

changes the IP address from which the user must connect to the SPD Server. The IP address on which the SAS, ODBC, JDBC, or SQL client software is running must match the IP address that is entered in the password table.
Syntax 
chgip username "New IP Address"
Arguments
username
the name (user ID) of an SPD Server user that also exists in the password table.
IP Address
the new IP address from which the user must connect to the SPD Server host. The IP address must be specified numerically using the xxx.xxx.xxx.xxx format. The IP address is not verified. Invalid and incorrect IP addresses are noted as errors in the SPD Server log and will cause that user's future logon attempts to fail. The default value is blank.

CHGTIMEOUT

changes the logon time-out date for a user's password.
Syntax 
chgtimeout username timeoutperiod
Arguments
username
the user ID of an SPD Server user.
timeoutperiod
a password logon timeout period. The timeout period requires the user to successfully logon before the specified number of days has expired. The value, which is specified in days, represents the number of days from the last successful logon that the password is valid.

CHGPASS

changes the password for a user.
Syntax 
chgpass username oldpwd newpwd
Arguments
username
the user ID of an SPD Server user.
oldpwd
the user's old password.
newpwd
a new password for the user. If you are prompted for the new password, you are prompted again to re-enter it for accuracy. The new password must be different from the last 6 passwords. The new password must also contain at least 6 characters - with at least one numeric character, and with at least one alphabetic character. The password cannot contain the user ID.

CHGPERFCLASS

changes the performance class of a user.
Syntax 
chgperfclass class
Arguments
username
the user ID of an SPD Server user.
class
a performance class for the user, which is specified using numbers 1 through 3. See the class argumentin the ADD command for an explanation of the numbers.

DELETE

deletes a user ID.
Syntax 
delete username !
Arguments
username
the user ID of an SPD Server user.
!
verifies that you intend to delete the user ID from the password table. If you do not specify !, you will receive a Y or N prompt to verify the deletion.

EXPORT

exports the current password table into a flat file.
Syntax 
export textfile
Arguments
textfile
name of the flat file to create that will contain the contents of the current password table.
Description
The EXPORT command generates a single line in the flat file for each record in the password table. User passwords are encrypted in the table.
What you see in the flat file is a representation of what is stored in the password table. When you have changes that affect many users, it might be easier to edit the flat file than to use the psmgr utility. After making changes in the file, you can use the IMPORT command to construct a new, modified password table.

GROUPDEF

defines a new ACL group entry.
Syntax 
groupdef groupname
Arguments
groupname
the name of a group. The name must be unique, and is restricted to 8 characters. The first character of the groupname can be either an alpha or an underscore. The remaining characters can be either an apha, numeric, or underscores. The groupname argument verifies that the groups that are specified with the GROUPMEM command are valid.

GROUPDEL

deletes an ACL group entry.
Syntax 
groupdel groupname !
Arguments
groupname
the name of a group.
!
verifies that you intend to delete the group from the password table. If you do not specify !, you receive a Y or N prompt to verify the deletion.

GROUPMEM

updates the ACL group list for a user ID.
Syntax 
groupmem username groupname [groupname|""]
         [groupname|""] [groupname|""] [groupname|""]
Arguments
username
the user ID of an SPD Server user.
groupname
the name of an ACL group. The name must be unique, and is restricted to 8 characters. Separate each ACL group name with a space. The first ACL group name that is specified becomes the default ACL group for the user. You can specify up to five groups.
Note: If you specify fewer than five ACL groups, the utility prompts for additional ACL groups (up to five). Press Enter for the remaining ACL groups if no more are required.
Note: If you use the groupmem command in batch mode, the syntax requires you to submit five groupname arguments. If you want to update the user ID with less than five ACL group members, replace the empty groupname arguments with “ “.

GROUPS

lists the all the ACL groups in the password table.
Syntax 
groups

HELP

displays general or command-specific help for the psmgr utility.
Syntax 
help [command]
Arguments
command
a psmgr command. If you specify a command, a short description of the command is displayed. If you issue a HELP command without an operand, a list of all available psmgr commands is displayed.

IMPORT

imports user information from a flat file, which was created with the EXPORT command, to the password table.
Syntax 
import textfile
Arguments
textfile
the name of the flat file to import that contains the user definitions to add to the password table.
Description
The IMPORT command reads the flat file, interpreting each single line as a record in the password table. Typically, the flat file is output from a submitted EXPORT command that was issued on the same password table or another password table.
During the import, if the psmgr utility encounters an identical user name (SPD Server user ID) in the password table, it skips the line. The psmgr utility displays a message that states that the line was skipped.

LIST

lists the contents of the password table, or a specific user.
Syntax 
list [username]
Arguments
username
the user ID of an SPD Server user. If no username is specified, the entire password table is listed.
Example 
list bar
This example might produce the following listing: 
USER AUTHORIZATION IP ADDRESS
---- ------------- -----------
 bar       7

RESET

resets a password for a user. The RESET command resets a user's password after three consecutive failed attempts to connect to a server. After the third failed attempt, the user ID is no longer enabled. After the password has been reset, the user must change the password before he can connect to a server.
Syntax 
reset username newpwd newpwd
Arguments
username
the name (user ID) of an SPD Server user, up to 8 characters.
newpwd
a new password for the user. The new password can be up to 8 characters maximum. The new password must contain at least 6 characters - at least one character must be numeric, and at least one character must be alphabetic. The argument is repeated to verify the password for accuracy. Note: The new password expires immediately and must be changed with the psmgr CHGPASS command.
Example 
reset tom abc123 abc123
This example resets the password for tom .

QUIT

ends the session and exits from psmgr.
Syntax 
quit

Using a File as Input to psmgr

You can create and then send a file of commands to the psmgr utility.
Example
Here is a command file named pscmds: 
authorize bar barpwd
add newuser newpwd1 newpwd1 0 - - - - - -
list
quit
The command file contains the password barpwd for user bar. Because the command file contains user IDs and user passwords, you might want to secure access to the command file. In UNIX environments, you can secure access to command files using native UNIX file permissions.
To run the psmgr utility using the command file named pscmds as input, use the appropriate syntax:
For UNIX:
psmgr /usr/local/SPDS/site < pscmds
For Windows: 
psmgr d:\spds\site < pscmds
Copyright © SAS Institute Inc. All rights reserved.