Authorization to Use CA VM:Secure Commands and Utilities

The following table describes the authorization a user needs to use CA VM:Secure commands and utilities.

| Command or Utility | Type of Authorization | Authority | Optional Parameters to Narrow Authority |
|---|---|---|---|
| ABEND | Terminate CA VM:Secure operation abnormally | ABEND | |
| ACITRACE | Dynamically trace ACI security events | ACITRACE | |
| ADDENTRY* | Create a directory entry for a user or profile from an input file or a skeleton file | ADDENTRY | [entry] |
| ADDENTRY* | Create a user ID or profile from an input file | ADDENTRY | entry NOSKEL** |
| ADDENTRY* | If the input file creates a minidisk | ADDMDISK | [entry] |
| ADDENTRY* | Create a user ID or profile with a skeleton file | ADDENTRY | entry SKELETON** |
| ADDENTRY* | If the skeleton file creates a minidisk | ADDMDISK | [entry] |
| ADDMDISK* | Add a minidisk for a user ID | ADDMDISK | [entry] |
| ADMIN | Use all parameters on the ADMIN command | ADMIN | |
| ADMIN | Edit the VMSECURE MANAGERS file | ADMIN MANAGERS** | |
| ADMIN | Edit the VMSECURE GLOBALS file | ADMIN GLOBALS** | |
| ADMIN | Edit a subpool entry | ADMIN POOL** | [poolid] |
| ADMIN | Edit the VMSECURE POSIX file | ADMIN POSIX** | |
| ADMIN | Edit a directory profile | ADMIN PROFILE** | [profile] |
| ADMIN | Edit a skeleton file | ADMIN SKELETON** | [skeleton] |
| ADMIN | Define or change SFS managers’ enrollment defaults or enrollment limits | ADMIN SFSMGRS** | [userid] |
| ASSIGN | Assign a user ID to a different manager | ASSIGN | [entry [mgrid]] |
| AUDITEXT | Extract current audit information | AUDITEXT | |
| CAN | Query the CA VM:Secure rules database | CAN | [userid [parameters]] |
| CHANGE | Change a user ID’s name | CHANGE | [entry] |
| CHGENTRY | Change a USER to an IDENTITY or change an IDENTITY to a USER | CHGENTRY | [entry] |
| CHGMDISK* | Move or change a minidisk | CHGMDISK | [entry] |
| | With the NOCOPY option | NOCOPY | |
| CHGVOLNM | Change all references to the volser of any DASD volume controlled by CA VM:Secure | CHGVOLNM | [oldvolser] |
| CLASS | Assign a CP privilege class | CLASS | [class] |
| CMD | Use the CMD command to route another command to an Agent product server in a Single System Image environment | CMD | |
| CMS | Execute a CMS or CP command on the CA VM:Secure service virtual machine | CMS | [word1 ... word15] |
| COMPRESS | Defragment disk storage | COMPRESS | [volser] |
| CONFIG | Edit the CA VM:Secure configuration files | CONFIG | |
| CONFIG | Edit the AUTHORIZ CONFIG file | CONFIG AUTHORIZ** | |
| CONFIG | Edit the DASD CONFIG file | CONFIG DASD** | |
| CONFIG | Edit the PRODUCT CONFIG file | CONFIG PRODUCT** | |
| CONFIG | Edit the SECURITY CONFIG file | CONFIG SECURITY** | |
| CONFIG | Edit the CA VM:Secure SFS configuration | CONFIG SFS** | |
| CPFMTXA | Use CPFMTXA command to change allocation on the object directory volume | CPFMTXA | |
| DELENTRY* | Delete an existing user ID or profile | DELENTRY | [entry] |
| | Delete a minidisk for a deleted user ID | DELMDISK | [entry] |
| DELETE | Delete file space for an active user ID | DELETE | [userid] |
| DELMDISK* | Delete a user ID’s minidisk | DELMDISK | [entry] |
| DISPLINK | Display links to a user’s minidisks | DISPLINK | [userid] |
| DUPENTRY | Create a new user ID based off an existing user ID | DUPENTRY | [existing [new]] |
| DUPENTRY | For the template user ID’s minidisks. | DUPMDISK | [entry] |
| DUPENTRY | For the new user ID’s minidisks. | ADDMDISK | [entry] |
| DUPENTRY | No formatting of minidisks. | NOFORMAT | [entry [mgrid]] |
| DUPENTRY | To use the MANAGER option. | MANAGER | |
| DUPMDISK* | Create an exact duplicate of an existing minidisk | DUPMDISK | [entry] |
| DUPMDISK* | For the user ID that owns the source minidisk (sourceuser) | DUPMDISK | [entry] |
| DUPMDISK* | For the user ID that owns the target minidisk (targetuser) | ADDMDISK | [entry] |
| EDIT | Edit a user ID’s directory entry | EDIT | [entry] |
| EDX | Edit a user ID’s directory entry, expanding any INCLUDE statement | EDIT | [entry] |
| END | Terminate CA VM:Secure immediately or after current processes complete | END | |
| END | Terminate CA VM:Secure immediately only | END FORCE** | |
| END | Terminate CA VM:Secure operation only after current processes complete | END NOFORCE** | |
| ENROLL | Enroll a user ID into an SFS file pool | ENROLL | |
| ENTRY | Update or query directory entry contents | ENTRY | [entry [subcommand]] |
| EXPIRE | Expire a user ID’s logon password | EXPIRE | [userid] |
| EXTRACT | Extract directory information | EXTRACT | |
| GENACI | Place a user ID in a security group | GENACI | [userid [group]] |
| GENHS | Add rules history records to a user ID’s directory entry | GENHS | [userid] |
| GENINCL | Add an INCLUDE statement to a user ID’s directory entry | GENINCL | [userid [profile]] |
| GETENTRY* | Retrieve current copy of a user ID’s directory entry or a directory profile | GETENTRY | [entry] |
| GETPWEXP | Display user ID password expiration information | GETPWEXP | [userid] |
| GRANT AUTHORITY | Allow a user to grant access to a file space for other users | GRANT AUTHORITY | filespace [userid] |
| GROUP | Become a temporary member of a new security group | GROUP | [group] |
| HISTORY | Display a user ID’s history records | HISTORY | [userid] |
| IPLDISKX | Convert user IDs whose passwords expired before the Rules Facility was installed to the Rules Facility method of password expiration | IPLDISKX | [entry] |
| JOURNAL | Display password violations and reset password violation count | JOURNAL | |
| JOURNAL | Display password violations | JOURNAL LIST** | [word1 ... word4] |
| JOURNAL | Reset a password violation count to zero | JOURNAL RESET** | [word1 ... word4] |
| LISTAUTH | Query the authorizations specified in the AUTHORIZ CONFIG file | LISTAUTH | [userid [authwrds]] |
| LOCK* | Prevent updates to any object | LOCK | |
| LOCK* | Prevent updates to a CMS file | LOCK FILE** | [fname [ftype [fmode]]] |
| LOCK* | Prevent updates to a user ID | LOCK USER** | [userid] |
| LOCK* | Prevent updates to a profile | LOCK PROFILE** | [profid] |
| LOGMSG | Change any log message | LOGMSG | [groupname] |
| LOGMSG | Create a message to be sent to the user IDs in a specific security group | LOGMSG | groupname** |
| LOGMSG | Create a message to be sent to a user whose DIAL procedure did not complete successfully | LOGMSG DIALFAIL** | |
| LOGMSG | Create a message to be sent to a user whose logon procedure did not complete successfully | LOGMSG LOGFAIL** | |
| LOGMSG | Create a message to be sent to a user issuing a request that is subject to the NORULE record in the SECURITY CONFIG file | LOGMSG NORULE** | |
| LOGMSG | Change the system log message | LOGMSG SYSTEM** | |
| MACLOAD | Load a macro to the CA VM:Secure service virtual machine | MACLOAD | |
| MAINT | Perform line-mode user functions | MAINT | [subfunction] |
| MAINT | Perform line-mode management functions | MAINTMAN | [entry [subfunction]] |
| MAINT | Perform line-mode user functions for another user ID | MAINTMAN | entry USER** [subfunction] |
| MANAGE | Use all selections, 1 through 10, on the Manager Selection Menu (selections withheld are shown as ***not available***) | MANAGE | [entry] |
| MANAGE | Create user IDs (part of selection 1) | MANAGE *NEWUSRS | |
| MANAGE | Use menu selection 1 | MANSEL01 | [entry] |
| MANAGE | Create user IDs (part of selection 1) | MANSEL01 *NEWUSRS | |
| MANAGE | Use menu selection 2 | MANSEL02 | [entry] |
| MANAGE | Use menu selection 3 | MANSEL03 | USER [entry] |
| MANAGE | Use menu selection 4 | MANSEL04 | [entry] |
| MANAGE | Use menu selection 5 | MANSEL05 | [entry] |
| MANAGE | Use menu selection 6 | MANSEL06 | [entry] |
| MANAGE | Use menu selection 7 | MANSEL07 | [entry] |
| MANAGE | Use menu selection 8 | MANSEL08 | [entry] |
| MANAGE | Use menu selection 9 | MANSEL09 | [entry] |
| MANAGE | Use menu selection 10 | MANSEL10 | [entry] |
| MAP | Map a volume | MAP | [volume [parameters]] |
| MAY | Query the authorizations specified in the AUTHORIZ CONFIG file | MAY | [entry [authwrds]] |
| MDSKSCAN | Scan a user ID’s minidisks | MDSKSCAN | [entry] |
| MODIFY | Modify the SFS allocation for a user ID | MODIFY | [userid] |
| MOVE2SFS | Copy data from a minidisk to SFS | MOVE2SFS | MANAGE SFSADMIN [userid] |
| MULTIPLE | Perform user ID maintenance on several user IDs at the same time | MULTIPLE | |
| MULTIPLE | Create several user IDs at the same time | MULTIPLE NEWUSER** | |
| MULTIPLE | Remove several user IDs at the same time | MULTIPLE REMOVE** | [entry] |
| MULTIPLE | Place several user IDs on hold at the same time | MULTIPLE HOLD** | [entry] |
| MULTIPLE | Reactivate several held user IDs at the same time | MULTIPLE ACTIVATE** | [entry] |
| NEWIPL | Change an IPL system name or device in all directory entries to a new IPL system name or device | NEWIPL | |
| NOLOG | Change a user ID’s password to NOLOG | NOLOG | [userid] |
| OVERRIDE | Alter privilege classes without shutting down CA VM:Secure | CPOVERID | |
| PAINT | Change a CA VM:Secure screen | PAINT | [screen] |
| PASSWORD | Set passwords for a user ID | PASSWORD | |
| PASSWORD | Set only randomly generated passwords for a user ID | PASSWORD | userid RANDOM** |
| PASSWORD | Set only a specific password for a user ID | PASSWORD | userid SPECIFIC** |
| QCPCFG | Display information about the CP component configuration | QCPCFG | |
| QLOCK | Display all CA VM:Secure locks | QLOCK | |
| QPCB | List active CA VM:Secure processes | QPCB | |
| QRULES | Query the rules set up for a user ID | QRULES | [userid [parameters]] |
| QSTART | Display the time CA VM:Secure was most recently started | QSTART | |
| QUERY | Display information about monitored functions | QUERY | [userid] |
| QUERY | Display account information about a user ID | QUERY ACCOUNT** | [mgrid] |
| QUERY | Display information about a manager's allocation space | QUERY ALLOC** | [mgrid] |
| QUERY | Display a user ID's privilege class | QUERY CLASS** | [userid] |
| QUERY | Display the encryption algorithm used to encrypt or decrypt the directory database | QUERY ENCRYPT** | |
| QUERY | List the names of the file pools that CA VM:Secure manages | QUERY FILEPOOL** | |
| QUERY | List user IDs on hold | QUERY HOLD** | [userid] |
| QUERY | List the log messages defined to CA VM:Secure | QUERY LOGMSG** | [type] |
| QUERY | List user IDs that are directory managers | QUERY MANAGERS** | |
| QUERY | List user IDs whose passwords have not changed for a specified number of days | QUERY PASSWORD** | |
| QUERY | List user IDs' directory entries that include a directory profile | QUERY PRFUSERS** | [profile] |
| QUERY | Display status information about the Servant Facility | QUERY SERVANT** | |
| QUERY | List the names of the file pools and user storage groups from which you can allocate file space | QUERY SFS** | |
| QUERY | List the skeleton files that a manager can use | QUERY SKELETON** | [mgrid] |
| QUERY | List the subpools that a manager can use | QUERY SUBPOOLS** | [mgrid] |
| QUERY | List the user IDs that a manager manages | QUERY USERS** | [entry] |
| QUERY | Display the CA VM:Secure release level | QUERY VERSION** | |
| QUERY | Determine status of long-running commands | QUERY WORKUNIT** | [userid] |
| REBUILD | Condense and defragment the CP object directory | REBUILD | [userid] |
| RECLAIM | Reclaim DASD space from MOVERO minidisks | RECLAIM | |
| REPENTRY* | Replace a directory entry or directory profile | REPENTRY | [entry] |
| REPENTRY* | If the new entry adds a minidisk | ADDMDISK | [entry] |
| REPENTRY* | If the new entry changes a minidisk | CHGMDISK | [entry] |
| REPENTRY* | If the new entry deletes a minidisk | DELMDISK | [entry] |
| RESET | Reset any password violation count | RESET | |
| RESET | Reset AUTOLOG password violation count | RESET AUTOLOG** | [userid [userid]] |
| RESET | Reset password violation counts for a terminal | RESET DEVICE** | [termaddr] |
| RESET | Reset CP LINK password violation counts | RESET LINK** | [userid [userid [vaddr]]] |
| RESET | Reset password violation counts for a user | RESET USER** | [userid] |
| RESET | Reset password violation counts for a user that occurred while verifying the password | RESET USERPASS** | [userid] |
| RESET | Reset password violation counts that occurred while trying to create a directory link | RESET VMXLINK** | [userid [userid [vaddr]]] |
| RESET | Reset password violation counts that occurred while xautologging | RESET XAUTOLOG** | [userid [targeted]] |
| REVOKE AUTHORITY | Allow a user to revoke access to a file space for other users | REVOKE AUTHORITY | filespace [userid] |
| RULEMAP | Display all types of rules | RULEMAP | |
| RULEMAP | Display a user’s rules | RULEMAP USER** | [userid] |
| RULEMAP | Display a group’s rules | RULEMAP GROUP** | [group] |
| RULEMAP | Display members of a group | RULEMAP MEMBERS** | [group] |
| RULEMAP | Display all rules for all members of the system | RULEMAP ANY** | [group] |
| RULEMAP | Display rules with specific terminal addresses | RULEMAP TERM** | [group] |
| RULES | Change all rules | RULES | |
| RULES | Change a user’s rules | RULES USER** | [userid] |
| RULES | Change a group’s override or default rules | RULES GROUP** | [group] |
| RULES | Change the SYSTEM OVERRIDE or SYSTEM DEFAULT rules | RULES SYSTEM** | |
| SUBCONFIG | None for menu access | Processing of SUBCONFIGs controlled by USER authorization | See USER |
| SYSWORD | Query or set the system word | SYSWORD | |
| SYSWORD | Query the system word | SYSWORD QUERY** | |
| SYSWORD | Set the system word | SYSWORD SET** | [token] |
| TAKEOVER | Force an AGENT server to become the MASTER | TAKEOVER | |
| TRACE | Trace execution of a CA VM:Secure macro | TRACE | [parameters] |
| TRANSFER | Transfer a minidisk from one user ID to another | TRANSFER | [entry [newowner]] |
| ULIST | Display information about user IDs | ULIST | [entry] |
| UNLOCK* | Remove a CMS file, profile, or user ID lock | UNLOCK | |
| UNLOCK* | Remove a lock from a CMS file | UNLOCK FILE** | [fname [ftype [fmode]]] |
| UNLOCK* | Remove a lock from a profile | UNLOCK PROFILE** | [profid] |
| UNLOCK* | Remove a lock from a user ID | UNLOCK USER** | [userid] |
| USER | Use all selections, 1 through 11, on the User Selection Menu (selections withheld are displayed as ***not available***) | USER | [userid] |
| USER | Use menu selection 1 | USESEL01 | [userid] |
| USER | Use menu selection 2 | USESEL02 | [userid] |
| USER | Use menu selection 3 | USESEL03 | [userid] |
| USER | Use menu selection 4 | USESEL04 | [userid] |
| USER | Use menu selection 5 | USESEL05 | [userid] |
| | Use menu selection 6 | USESEL06 | [userid] |
| USER | Use menu selection 7 | USESEL07 | [userid] |
| USER | Use menu selection 8 | USESEL08 | [userid] |
| USER | Use menu selection 9 | USESEL09 | [userid] |
| USER | Use menu selection 10 | USESEL10 | [userid] |
| USER | Use menu selection 11 | USESEL11 | [userid] |
| VMXBKP01 | Create a USER DIRECT file representing a copy of the CA VM:Secure directory database | BACKUP | MAY [userid [authority]] |
| VMXBKP02 | Create a backup copy of the CA VM:Secure directory database using DDR | BACKUP | |
| VMXBKP03 | Create a backup copy of the CA VM:Secure directory database using COPYFILE | BACKUP | |
| VMXCPG | Create and configure replacement CP text files for the CA VM:Secure CP component | None required | |
| VMXFEN01 | Forward encrypt all passwords in the directory after backing up clear text database | PEF | |
| VMXFEN02 | Reversibly encrypt all passwords in the directory after backing up clear text database | PEF | |
| VMXFEN03 | Decrypt all passwords in the reversible encrypted database after backing up the encrypted database | PEF | |
| VMXGNR | Generate the CA VM:Secure directory database and convert your CP source directory file into CA VM:Secure database format. If specified, VMXGNR can also be used to encrypt the directory database. | None required | |
| VMXIPL | Write an IPLable program on the IPLDISK minidisk; when the program is initialized, it interacts with CA VM:Secure to update a user ID’s logon password | None required | |
| VMXSRA | Generate a report showing audit data on LOGONBY usage; if the Rules Facility is implemented, also report on the CP commands AUTOLOG, DIAL, LINK, LOGON, SPOOL, STORE HOST, TAG, TRANSFER, and XAUTOLOG | None required | |
| VMXSRB | Generate a report of all audit data captured by CA VM:Secure | None required | |

\* Part of the Application Programming Interface

\*\* Cannot be used in LIST records