Neoview User Management and Security Administration Guide (R2.5)
ALTER ROLE Command (platform roles, database roles)
This command changes the password and password-expiration attributes of a role. In general,
only a user in the role ROLE.SECMGR can change the password and password-expiration
attributes of a role; for exceptions, see “Changing a Platform Role Password” (page 106).
You can change the password without changing the password expiration attributes, or vice versa.
Any parameter omitted from the command is left unchanged.
NOTE: Predefined roles, such as ROLE.SECMGR and SUPER.SUPER, are created so that their
passwords never expire. Although this command permits you to change the password expiration
attributes for predefined roles, HP recommends that you not do so.
Syntax
[.SEC] ALTER ROLE [ rolename]{,NEW-PASSWORD [newpassword],OLD-PASSWORD [oldpassword],EXPIRY-DAYS [days],EXPIRY-DATE [date]}
Parameters
• rolename is one of the following database or platform roles: ROLE.DBA, ROLE.MGR,
ROLE.SECMGR, SUPER.SUPER. (Only HP Support can change the passwords of other
roles.) Alphabetic characters in a rolename are case-insensitive.
• newpassword is the new password to be assigned and must comply with the password
quality criteria specified in the current system security policy (described in “Viewing and
Updating the Password Quality and Control Policies” (page 44)). If you include the keyword
but omit the value, NCI prompts you for the password, asks you to confirm the value by
entering it for a second time, and does not echo your input to the screen.
NOTE: NCI allows you to enter a password of up to 64 bytes in length. However, a
password of this length might or might not enable the user to log on later. The maximum
length of a valid password is dependent on the security policies configured on your Neoview
platform:
— If the platform is configured to use 1024-bit keys, the limit is 53 characters.
— If the platform is configured to use 2048-bit keys, the limit is 64 characters.
— If the security policy requires certain users to present a role password, in addition to
an individual password, in order to log on:
◦ For a locally authenticated database user or platform user needing to present a role
password, the maximum total length of the individual and role passwords together
is 52 bytes in the case of 1024-bit encryption and 128 bytes in the case of 2048-bit
encryption.
◦ For a remotely authenticated database user needing to present a role password,
the maximum total length of the individual and role passwords together is 52 bytes
in the case of 1024-bit encryption and 180 bytes in the case of 2048-bit encryption.
• oldpassword is the current password for the role and must be included if the security
policy (described in “Viewing and Updating the Power Role Management Policies” (page 48))
requires you to provide the current password in order to change the password of the specified
role.
• days is the number of days, from the time the password is changed, after which it expires.
Any integer value is valid. If you omit this parameter, it retains its previous value. If you
specify zero as the value, any previous value is cleared.
• date is the date on which the password expires. If the platform grace period for password
changes is zero, then the ability for this username to log on is suspended. Otherwise,
username can log on for the number of days specified by the grace period, provided the