The Password Manager Utility psmgr

Overview of the psmgr Utility

The psmgr utility manages the password manager database that enables access to the SPD Server host. When you start SPD Server, the command line option -ACLDIR specifies the location (directory path) of the password manager database. The owner of the password manager database, typically the SPD Server administrator, can update the database.
The password manager database contains the following attributes and capabilities for each system user:
  • a user ID
  • a password
  • an access privilege
  • an optional IP address
  • an optional password expiration time
  • an optional ACL group name
  • an optional time limit between successful logins
  • an optional number of login failures that can occur before the user ID is disabled
  • an optional user performance class
A user ID is restricted to 8 characters and does not need to correspond to any system user ID. A password is also restricted to 8 characters. All alphanumeric characters and the underscore symbol are acceptable for use in user IDs and passwords.
A password for the psmgr table must contain a minimum of 6 characters. At least one character must be numeric, and at least one character must be alphabetic. A new password must be different from the last six passwords for that user. The password cannot contain the user ID.
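The user ID and password rules above can be checked before a value is typed into psmgr or placed in a command file. The following is an added example, not part of psmgr or of the original page; the function names, the result codes, and the case-insensitive user ID comparison are assumptions.

```python
import re

ALLOWED = re.compile(r"[A-Za-z0-9_]+")   # alphanumerics and underscore only


def check_user_id(user_id):
    """Return rule violations for an SPD Server user ID (empty list = OK)."""
    problems = []
    if not 1 <= len(user_id) <= 8:
        problems.append("length")
    if not ALLOWED.fullmatch(user_id):
        problems.append("bad_chars")
    return problems


def check_password(user_id, password, previous=()):
    """Return rule violations for a proposed password (empty list = OK).

    previous: earlier passwords known to the caller, oldest first. psmgr keeps
    its own history; this pre-check only sees what it is given (assumption).
    """
    problems = []
    if len(password) < 6:
        problems.append("too_short")
    if len(password) > 8:
        problems.append("too_long")
    if not ALLOWED.fullmatch(password):
        problems.append("bad_chars")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no_letter")
    # Case-insensitive containment is an assumption; the page does not say
    # how psmgr compares the password with the user ID.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains_user_id")
    if password in list(previous)[-6:]:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed inputs: (user ID, candidate password, known history).
    for uid, pwd, hist in [("tom", "abc123", []),
                           ("bar", "barpwd1", []),
                           ("newuser", "newpwd1", ["newpwd1"]),
                           ("ann", "longpassw0rd", [])]:
        print(uid, pwd, check_user_id(uid) + check_password(uid, pwd, hist))
```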
If a user has three consecutive failed attempts to connect to the SPD Server host, that user ID is no longer enabled. That user cannot connect to the SPD Server host until an administrator resets the user ID.
If you are upgrading to SPD Server 5.1 from SPD Server 3.x, you must repopulate the SPD Server 5.1 psmgr utility from the SPD Server 3.x password table.

Invoking the psmgr Utility

You invoke the psmgr utility by entering the psmgr command and specifying the directory path where the password manager database is located. (Or you can specify a path for a password table that has not yet been created.)
Use the following command:
psmgr <full-path-specification-to-password-table> 
This command invokes the psmgr utility and specifies the directory path for the password manager database.

Migrating a psmgr Database from a Previous SPD Server Installation

You can use the psmgr EXPORT and IMPORT commands to migrate psmgr data from a previous installation.
To convert your SPD Server password file to SPD Server 4.x or SPD Server 5.1 format from SPD Server 3.x format, do the following:
  1. Start the SPD Server psmgr utility using your previous SPD Server installation.
  2. Export your SPD Server password table to a file.
  3. Start your new installation of the SPD Server psmgr utility with a new password table.
  4. In your new installation of SPD Server, import the file from the previous installation into the new password table.
Example:
The following example creates a psmgr table from an old-format psmgr table that exists at /Installdir3_0/site.
/Installdir3_0/bin/psmgr /Installdir3_0/site

Enter Command > export /Installdir3_0/site/oldtable
Enter Command > quit

/Installdir4_0/bin/psmgr /Installdir4_0/site

Enter Command > import /Installdir3_0/site/oldtable

psmgr Commands

The psmgr utility is an interactive program. It reads commands and operands from your computer, and prompts you for input when necessary. You can also send a file of commands to the utility and structure each command so that no input is required.
The commands and operands are positional, and they must be separated by blank spaces. If you specify an insufficient number of operands, the utility prompts you for the remaining operands. Password operands, which are obtained with a prompt, are not echoed back to the computer.
You can enter default values for a command in two ways. If you are entering a single operand, a carriage return in place of the operand value causes SPD Server to populate the operand with its default value. If you are entering multiple operands, entering a hyphen (minus sign, "-") for each operand value causes SPD Server to populate each operand with its default value.

psmgr Commands

ADD

adds a new user to the password manager database.
Syntax
add username passwd passwd privilege
    [ip_addr|-] [expiretime|-] [group|-]
    [timeout|-] [failures|-] [class|-]
Arguments
username
the user ID of an SPD Server user. The user ID is restricted to 8 characters. All characters must be alphanumeric or underscores. The SPD Server user ID does not have to correspond to any system user ID.
passwd
the user's password, which is restricted to 8 characters. The psmgr table requires a password with a minimum of 6 characters—at least one character must be numeric, and at least one character must be alphabetic. The argument is repeated to verify the password.
Note: This password expires after the first logon to SPD Server. The user must change the password by using either the NEWPASSWD= or the CHANGEPASS= LIBNAME option. Password changing techniques do not apply to users who rely on LDAP Authentication for SPD Server access.
privilege
an authorization level number in the range 0 to 7. The authorization level number assigns access privileges to the user.
The numbers 0–3 are equivalent. Use the numbers 0–3 to specify a normal, non-privileged user.
The numbers 4–7 are equivalent. Use the numbers 4–7 to specify a special user. Special users can update the password manager database and override any ACL restrictions on SPD Server tables. You should grant special privileges to the SPD Server user ID and password for yourself only.
ip_addr
a numerical IP address. A hyphen (-) indicates that no IP address is specified. This argument restricts the user's access to SPD Server to the specified IP address.
Note: The IP address is not verified.
expiretime
the length of time, in days, after which the user must change his password. A hyphen (-) indicates that no password expiration time is being specified. The time is measured from the day that you add the user.
group
the default group for the user. A hyphen (-) indicates that no default group is being specified. If specified, the group definition must have been created by a previous GROUPDEF command. You can change group affiliation by using a GROUPMEM command.
timeout
the maximum amount of time that is allowed between successful logins before the account is no longer enabled. A hyphen (-) indicates that no time-out is being specified.
failures
the number of password failures. A hyphen (-) indicates that no failure limit is being specified. The value specifies the number of login failures allowed before the user is disabled. A disabled user can be re-enabled by the psmgr administrator using the RESET command.
class
the performance class of the user. Valid values are in the range 1–3. The value specifies whether the user is in a Low (1), Medium (2), or High (3) performance class. SPD Server can be configured to provide different server parameters, based on the user's performance class setting.

AUTHORIZE

authorizes a user to modify the password manager database.
Syntax
authorize username userspasswd
Arguments
username
the user ID of an SPD Server user.
userspasswd
a valid user's password.
Description
Only a special user can update the password manager database. You must be a special user or the owner of a password manager database to use modification commands such as ADD and DELETE. If you are not the owner of the password manager database, you can use the AUTHORIZE command to authorize yourself to update the password manager database. Enter your user ID and password in the password manager database, and then mark the user ID as special (by specifying the authorization level as 4 or higher).
For example, assume that you used the psmgr LIST command to obtain the following output:
  USER   AUTHORIZATION  IP ADDRESS
-------- ------------- ------------
bar            7
foo            1        192.149.173.5
You can grant yourself privileges by issuing the AUTHORIZE command and specifying bar as the user name and barpwd1 as the bar password.
Example
authorize bar barpwd1

CHGAUTH

changes the authorization level for a user.
Syntax
chgauth username authlevel 
Arguments
username
the user ID of an SPD Server user.
authlevel
an authorization level for the user, in the range 1–7. The authorization level number assigns access privileges to the user.
The numbers 0–3 are equivalent. Use the numbers 0–3 to specify a normal, non-privileged user.
The numbers 4–7 are equivalent. Use the numbers 4–7 to specify a special user. Special users can update the password manager database and override any ACL restrictions on SPD Server tables. You should grant special privileges to the SPD Server user ID and password for yourself only.

CHGEXPIRE

changes the expiration date for the specified user's password. By default, a new user ID is created with an expired password.
Syntax
chgexpire username exptime 
Arguments
username
the user ID of an SPD Server user. The user ID is restricted to 8 characters. All characters must be alphanumeric or underscores. The SPD Server user ID does not have to correspond to any system user ID.
exptime
the length of time, in days, after which the user must change his password. A hyphen (-) indicates that no password expiration time is being specified. The time is measured from the day that you add the user.

CHGIP

changes the IP address from which the user must connect to the SPD Server. The IP address on which the SAS, ODBC, JDBC, or SQL client software is running must match the IP address that is entered in the password manager database.
Syntax
chgip username "New IP Address"
Arguments
username
the name (user ID) of an SPD Server user. This name must already exist in the password manager database.
ip_addr
the new IP address from which the user must connect to the SPD Server host. The IP address must be specified numerically using the format xxx.xxx.xxx.xxx. The IP address is not verified. Invalid and incorrect IP addresses are noted as errors in the SPD Server log and will cause that user's future logon attempts to fail. The default value is blank.

CHGTIMEOUT

changes the logon time-out date for a user's password.
Syntax
chgtimeout username timeoutperiod
Arguments
username
the user ID of an SPD Server user.
timeoutperiod
a password logon time-out period, specified in days. The time-out period requires the user to successfully log on before the specified number of days has expired. The value is the number of days from the last successful logon that the password is valid.

CHGPASS

changes the password for a user to a permanent password.
Syntax
chgpass username oldpwd newpwd
Arguments
username
the user ID of an SPD Server user.
oldpwd
the user's old password.
newpwd
the new password for the user. If you are prompted for the new password, you are prompted again to re-enter it for accuracy. The new password must be different from the last six passwords. The new password must also contain at least 6 characters, with at least one numeric character and with at least one alphabetic character. The password cannot contain the user ID.

CHGPERFCLASS

changes the performance class of a user.
Syntax
chgperfclass username class
Arguments
username
the user ID of an SPD Server user.
class
a performance class for the user, in the range 1–3. The value specifies whether the user is in a Low (1), Medium (2), or High (3) performance class. SPD Server can be configured to provide different server parameters, based on the user's performance class setting.

DELETE

deletes a user ID.
Syntax
delete username !
Arguments
username
the user ID of an SPD Server user.
!
verifies that you intend to delete the user ID from the password manager database. If you do not specify !, you are prompted to verify the deletion.

EXPORT

exports the current password manager database into a flat file.
Syntax
export textfile
Arguments
textfile
name of the flat file to create that will contain the contents of the current password manager database.
Description
The EXPORT command generates a single line in the flat file for each record in the password manager database. User passwords are encrypted in the table.
The contents of the flat file are a representation of what is stored in the password manager database. When you are making changes that affect many users, it might be easier to edit the flat file than to use the psmgr utility. After you make the changes in the file, you can use the IMPORT command to construct a new, modified password manager database.

GROUPDEF

defines a new ACL group entry.
Syntax
groupdef groupname
Arguments
groupname
the name of a group. The name must be unique and is restricted to 8 characters. All characters must be alphanumeric or underscores. This argument verifies that the groups that are specified on the GROUPMEM command are valid.

GROUPDEL

deletes an ACL group entry.
Syntax
groupdel groupname !
Arguments
groupname
the name of a group.
!
verifies that you intend to delete the group from the password manager database. If you do not specify !, you are prompted to verify the deletion.

GROUPMEM

updates the ACL group list for a user ID. You can specify up to 32 groups for a user.
Syntax
groupmem username groupname [groupname|""] [groupname|""] !
Arguments
username
the user ID of an SPD Server user.
groupname
the name of an ACL group. The name must be unique and is restricted to 8 characters. Separate each ACL group name with a space. The first ACL group name that you specify becomes the default ACL group for the user. You can specify up to 32 groups.
Note: If you specify fewer than 32 ACL groups, the utility prompts you for additional ACL groups (up to 32). Enter an exclamation point (!) to indicate to SPD Server that there are no more groups in your groupname declaration.
Note: If you use the groupmem command in batch mode, the syntax enables you to submit 32 groupname arguments. If you want to update the user ID with fewer than 32 ACL group members, use an exclamation point (!) to indicate to SPD Server that there are no more groups in your groupname declaration.

GROUPS

lists all the ACL groups that are in the password manager database.
Syntax
groups

HELP

displays general or command-specific help for the psmgr utility.
Syntax
help [command]
Arguments
command
a psmgr command. If you specify a command, a short description of the command is displayed. If you issue a HELP command without an operand, a list of all available psmgr commands is displayed.

IMPORT

imports user information from a flat file to the password manager database. The flat file was created with the EXPORT command.
Syntax
import textfile
Arguments
textfile
the name of the flat file to import. This flat file contains the user definitions to add to the password manager database.
Description
The IMPORT command reads the flat file, interpreting each single line as a record in the password manager database. Typically, the flat file is output from a submitted EXPORT command that was issued on the same password manager database or another password manager database.
If the psmgr utility encounters an identical user name (SPD Server user ID) in the password manager database during the import process, it skips the line. The psmgr utility displays a message that states that the line was skipped.

LIST

lists the contents of the password manager database or a specific user.
Syntax
list [username]
Arguments
username
the user ID of an SPD Server user. If you do not specify a user ID, the entire password manager database is listed.
Example
list bar
This example might produce the following listing:
USER AUTHORIZATION IP ADDRESS
---- ------------- -----------
 bar       7
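Because authorization levels 4–7 mark special users who can update the password manager database and override ACL restrictions, LIST output is worth reviewing regularly. The following is an added example, not part of psmgr or of the original page: it parses the three-column listing shown on this page and reports special users. The function names, the allow-list parameter, and the IP-restriction check are assumptions (a local policy choice), and real LIST output may carry columns not shown here.

```python
# Constructed sample, copied from the listing in the AUTHORIZE section.
SAMPLE_LIST = """\
  USER   AUTHORIZATION  IP ADDRESS
-------- ------------- ------------
bar            7
foo            1        192.149.173.5
"""


def parse_list(text):
    """Parse LIST output into dicts; header and ruler lines are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.split()
        # A data row is a user ID followed by a numeric authorization level.
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        users.append({
            "user": fields[0],
            "level": int(fields[1]),
            "ip": fields[2] if len(fields) > 2 else None,
        })
    return users


def audit(users, expected_special=()):
    """Return (user, finding) pairs for accounts that need review."""
    findings = []
    for u in users:
        if not 4 <= u["level"] <= 7:      # levels 0-3 are normal users
            continue
        if u["user"] not in expected_special:
            findings.append((u["user"], "unexpected special user"))
        if u["ip"] is None:               # local policy, not a psmgr rule
            findings.append((u["user"], "special user without IP restriction"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_list(SAMPLE_LIST), expected_special={"admin"}):
        print(user + ": " + finding)
```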

RESET

resets a password for a user to a new temporary, one-time password. The RESET command can be used to reset a user's password after three consecutive failed attempts to connect to a server. After the third failed attempt, the user ID is no longer enabled. After the password has been reset, the user must change the password before connecting to a server, using either the NEWPASSWD= or the CHANGEPASSWD= LIBNAME option.
Syntax
reset username newpwd newpwd
Arguments
username
the name (user ID) of an SPD Server user.
newpwd
a new password for the user. The new password can be up to 8 characters in length. The new password must contain at least six characters. At least one character must be numeric, and at least one character must be alphabetic. The argument is repeated to verify the password for accuracy.
Example
reset tom abc123 abc123
This example resets the password for tom.

QUIT

ends the session and exits from psmgr.
Syntax
quit

Using a File as Input to psmgr

You can create and then send a file of commands to the psmgr utility.
Here is a command file named pscmds:
groupdef group1
add newuser newpwd1 newpwd1 0 - - group1 - - -
list
quit
The command file defines the group group1 and adds newuser to group1.
To run the psmgr utility using the command file named pscmds as input, use the appropriate syntax.
For UNIX:
psmgr /usr/local/SPDS/site < pscmds
For Windows:
psmgr d:\spds\site < pscmds
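A command file carries the passwords in clear text, unlike the interactive prompt, which does not echo password operands. The following added example (not part of psmgr or of the original page) builds positional ADD lines with a hyphen for every omitted operand and writes the file readable by its owner only. The function and parameter names are assumptions, and the owner-only mode applies to UNIX file permissions.

```python
import os


def add_command(user, password, privilege, ip=None, expire=None, group=None,
                timeout=None, failures=None, perf_class=None):
    """Build one ADD line; omitted optional operands become '-' (default)."""
    if not 0 <= privilege <= 7:
        raise ValueError("privilege must be in the range 0 to 7")
    if perf_class is not None and perf_class not in (1, 2, 3):
        raise ValueError("class must be in the range 1 to 3")
    # Positional order from the ADD syntax; the password is given twice.
    operands = [user, password, password, str(privilege)]
    optional = [ip, expire, group, timeout, failures, perf_class]
    operands += ["-" if value is None else str(value) for value in optional]
    # Operands are separated by blanks, so embedded whitespace would shift
    # every later operand. Report the position only, never the value.
    for position, operand in enumerate(operands, start=1):
        if not operand or any(ch.isspace() for ch in operand):
            raise ValueError("operand %d is empty or contains whitespace" % position)
    return "add " + " ".join(operands)


def write_command_file(path, commands):
    """Create the command file with mode 0600; refuse to reuse an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(commands) + "\n")


def pscmds_example():
    """Reproduce the pscmds file shown above (values from the page)."""
    return ["groupdef group1",
            add_command("newuser", "newpwd1", 0, group="group1"),
            "list",
            "quit"]


if __name__ == "__main__":
    print("\n".join(pscmds_example()))
```

Delete the command file once psmgr has processed it; per the note on ADD, the passwords it sets expire at the user's first logon.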