Creating Authorizations with User ID Lists and Authority Lists

When you have created the lists you need, you can use them on GRANT and WITHHOLD records. For example, instead of creating 12 GRANT records -- three command authorizations (ADMIN, EDIT, QUERY) for each of the four publications manager user IDs listed in User ID Lists -- you create only one. This one record authorizes all user IDs on the *PUBS list to use all commands on the *PUBCMDS list:
GRANT *PUBCMDS TO *PUBS
You can include a user ID list on a GRANT record authorizing those user IDs to use a single command rather than an authority list. For example, you can authorize all user IDs included in the list *NONTECH (as shown in Using a List Name in Another List) to use the EDIT command:
GRANT EDIT TO *NONTECH
You can authorize a single user ID to use all the commands in an authority list. For example, you can authorize REBECCAH to use all commands in the *PUBCMDS list, even though she is not a publications manager:
GRANT *PUBCMDS TO REBECCAH
Creating Authorizations to Use Commands on Only Some Groups of User IDs
You can create authorizations with authority phrases that include predefined variable lists. These authority phrases narrow the scope of the authorization to include particular user IDs. These particular user IDs are not the ones granted authority, but are part of the authorization itself.
Example 1:
This GRANT record allows the user ID WOODYB to use the ULIST command:
GRANT ULIST TO WOODYB
  • ULIST
    The authority.
  • WOODYB
    The user IDs for the authority.
In contrast, this GRANT record allows the user ID WOODYB to use the ULIST command, but only on user IDs that directory manager CARLAT manages:
GRANT ULIST *DIRUSRS CARLAT TO WOODYB
  • ULIST *DIRUSRS CARLAT
    The authority.
  • WOODYB
    The user IDs for the authority.
Example 2:
This GRANT record does the same as the previous one, except the word OF was added to help you or whoever reads the AUTHORIZ CONFIG file to understand the content of these records:
GRANT ULIST *DIRUSRS OF CARLAT TO WOODYB
  • ULIST *DIRUSRS OF CARLAT
    The authority.
  • WOODYB
    The user IDs for the authority.
Example 3:
As with authorizing user IDs to use commands on only some user IDs, you can include the words OF and OVER to help describe the intent of these records. These words fit between the command and the user IDs over which this authorization is valid.
Both of the next GRANT records authorize WOODYB to use the ULIST command on user IDs that directory manager CARLAT manages:
GRANT ULIST *DIRUSRS CARLAT TO WOODYB
GRANT ULIST OVER *DIRUSRS OF CARLAT TO WOODYB
Pattern Matching in Authorizations
Use a trailing asterisk to indicate all words that start with the specified characters. Use this capability with great care because you can inadvertently grant powerful authorizations to many user IDs.
Example:
The following record gives ULIST authorization over the user IDs that user ID DATAMGR manages to all user IDs that start with the character string DEV:
GRANT ULIST OVER *DIRUSRS OF DATAMGR TO DEV*
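To see how far a trailing-asterisk grantee reaches before a record goes live, you can expand it against your actual user ID inventory. The following Python sketch is an added example, not part of the product or its documentation: it parses only the GRANT record forms shown on this page, checks only the word after TO, and uses a constructed record set and a constructed user ID inventory (the function and variable names are hypothetical).

```python
# Added example: audit GRANT records for trailing-asterisk grantees.
# Handles only the record forms shown on this page.

# Constructed sample records (forms copied from the page's examples).
SAMPLE_RECORDS = """\
GRANT *PUBCMDS TO *PUBS
GRANT EDIT TO *NONTECH
GRANT ULIST *DIRUSRS CARLAT TO WOODYB
GRANT ULIST OVER *DIRUSRS OF CARLAT TO WOODYB
GRANT ULIST OVER *DIRUSRS OF DATAMGR TO DEV*
"""

# Constructed user ID inventory; in practice, export the real directory.
KNOWN_USERIDS = ["DEVOPS1", "DEVTEST", "DEVADMIN", "DATAMGR", "WOODYB", "CARLAT"]

FILLER = {"OF", "OVER"}  # readability words; they do not change the record


def parse_grant(line):
    """Return (authority_phrase, grantee) or None for unsupported lines."""
    words = line.upper().split()
    if len(words) < 4 or words[0] != "GRANT" or words[-2] != "TO":
        return None
    phrase = tuple(w for w in words[1:-2] if w not in FILLER)
    return (phrase, words[-1]) if phrase else None


def grantee_kind(word):
    """Classify the word after TO: list name, prefix pattern, or user ID."""
    if word.startswith("*"):
        return "list"
    return "pattern" if word.endswith("*") else "userid"


def audit(records_text, userids):
    """List (authority, pattern, matching user IDs) for each pattern grant."""
    findings = []
    for line in records_text.splitlines():
        parsed = parse_grant(line)
        if parsed is None or grantee_kind(parsed[1]) != "pattern":
            continue
        phrase, pattern = parsed
        prefix = pattern[:-1]
        matched = sorted(u for u in userids if u.startswith(prefix))
        findings.append((" ".join(phrase), pattern, matched))
    return findings


if __name__ == "__main__":
    for authority, pattern, matched in audit(SAMPLE_RECORDS, KNOWN_USERIDS):
        print(f"{authority} TO {pattern} -> {len(matched)} user IDs: {matched}")
```

Rerun the check whenever user IDs are added, because a new user ID that happens to start with the prefix inherits the authorization without any change to the AUTHORIZ CONFIG file.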