Administrating Authorizations

You can divide responsibilities among users by carefully granting user IDs the authority to use different commands. (By default, authorization to use any cacc command is withheld from all users.) You can authorize a user ID to issue commands on behalf of itself and other user IDs. To help you create and customize user authorizations, cacc also provides predefined lists of user IDs and special processing authorizations.
vmx32besp
You can divide responsibilities among users by carefully granting user IDs the authority to use different commands. (By default, authorization to use any
CA VM:Secure
command is withheld from all users.) You can authorize a user ID to issue commands on behalf of itself and other user IDs. To help you create and customize user authorizations,
CA VM:Secure
also provides predefined lists of user IDs and special processing authorizations.
You need to determine the level of authorization you want to grant each user. Before you set up authorizations for your system, consider the following guidelines:
  • Grant the
    CA VM:Secure
    system administrator authorization to use all commands and menu selections.
  • Grant directory managers authorization to use a particular command, group of commands, or menu selection.
    By carefully planning these authorizations, you can delegate many of the daily directory and disk space management tasks to the directory managers. Plan these authorizations carefully to cover all aspects of your site’s VM installation.
  • Grant general users authorization to use those commands and menu selections that enable them to manage their own virtual machine. Users can then perform tasks such as maintaining their own system password and controlling access to their minidisks by others.
    For example, for users in the Technical Support group, you may want to authorize them to use all selections on the User Selection Menu. For the users in the Purchasing group, you can prevent them from using certain selections from the User Selection Menu by withholding that authorization.
You give user IDs authorization to use commands by adding GRANT records to the AUTHORIZ CONFIG file. In its simplest form, a GRANT record uses the following format:
GRANT authority TO 
users
The
authority
can be as simple as authorization to use an entire command, a command and some of its parameters, or a list of commands. The variable,
users
,
is a user ID or list of user IDs to be granted authorization.
For complete format information for the GRANT record, see GRANT Record in the section "Configuration File Reference" in
Reference
.
You deny users authorization to use commands by adding WITHHOLD records to the AUTHORIZ CONFIG file. In its simplest form, a WITHHOLD record uses the following format:
WITHHOLD authority FROM 
users
The
authority
can be an authorization to deny use of an entire command, a command and some of its parameters, or a list of commands. The variable,
users
,
is a user ID or list of user IDs from which to withhold authorization.
For complete format information for the WITHHOLD record, see WITHHOLD Record in the section "Configuration File Reference" in
Reference
.
Define user ID lists and authority lists that let you authorize many people for many commands in the list by adding LIST records to the AUTHORIZ CONFIG file. A LIST record uses the following format:
LIST 
*listname
 
listitem
 ...
listitem
The variable *
listname
specifies the name of the list. The asterisk is required. Each
listitem
can be either a user ID or a command. For example, you can create a list of user IDs in the Technical Support department and then create another list that specifies the commands that the Technical Support department is authorized to use.
For complete format information for the LIST record, see LIST Record in the section "Configuration File Reference" in
Reference
.