Granting Authorizations to Use Commands on Only Some User IDs

You have several means of narrowing the scope of an authorization so that it is valid only when the user ID to whom you are granting the authority uses the command on certain user IDs.
Working with GRANT Records
This GRANT record allows WOODYB to use the EDIT command to change everyone’s directory entries:
GRANT EDIT TO WOODYB
You want to authorize WOODYB to edit only NORMP’s directory entry. You can do that by giving WOODYB a narrow authorization for the EDIT command, specifying NORMP as the only user ID on which WOODYB can use the command:
GRANT EDIT NORMP TO WOODYB
You can include the word OVER to describe these narrow authorizations if it helps you or whoever reads the AUTHORIZ CONFIG file to understand the intent of these records. The word fits between the command and the user ID or user IDs over which this authority is valid.
Example:
Both of the following GRANT records authorize WOODYB to use the EDIT command on NORMP’s directory entry:
GRANT EDIT NORMP TO WOODYB
GRANT EDIT OVER NORMP TO WOODYB
OVER does not change the meaning of the record for VM:Secure. You can use OVER only on those commands that pertain to a user ID. OVER has no meaning if used in an authorization for a command that pertains to the system or parts of the system. For example, you cannot use OVER when granting authorization to the MAP command.
Working with GRANT AUTHORITY and REVOKE AUTHORITY Authorizations
Use the optional word OVER with GRANT AUTHORITY to narrow the scope of user IDs to which another user ID can grant accesses. If you do not specify OVER, VM:Secure treats the authorization as if you specified OVER *ALL, meaning the target of the command authorization can be anyone.
Examples:
  • This GRANT record allows WOODYB to grant access to the ENG:MISC file space for all users:
    GRANT GRANT AUTHORITY ENG:MISC TO WOODYB
  • However, you want to authorize WOODYB to grant access for only FRAISERC. You can do that by giving WOODYB a narrow authorization for the GRANT AUTHORITY command, specifying the word OVER and FRAISERC as the only user ID over which WOODYB can use the command:
    GRANT GRANT AUTHORITY ENG:MISC OVER FRAISERC TO WOODYB
  • Using the above authorization, WOODYB can give FRAISERC write access to the ENG:MISC.GENERAL directory. WOODYB enters the following command:
    vmsecure
    grant authority eng:misc.general to fraiserc (write
Specifying User IDs
When specifying the word OVER on the GRANT AUTHORITY and REVOKE AUTHORITY authorizations, use the following form to indicate the user or group of users over which the command issuer can issue the command:
OVER userid
For userid, you can specify the following values:
  • Single user ID
  • Nickname
  • Predefined variable list
  • Site-defined list represented by a LIST record
  • Keyword user IDs
Specifying Keyword User IDs
You can also use the PUBLIC and ALL keyword user IDs after the OVER parameter. These keywords can be used only on the GRANT AUTHORITY and REVOKE AUTHORITY command authorizations.
  • PUBLIC Keyword User ID
    You can use the PUBLIC keyword user ID for both the GRANT AUTHORITY and REVOKE AUTHORITY command authorizations. The PUBLIC keyword user ID indicates all user IDs that can connect to the file pool. PUBLIC does not imply a specific user ID.
  • ALL Keyword User ID
    You can use the ALL keyword user ID for only the REVOKE AUTHORITY command authorization. The ALL keyword authorization indicates all users for a file or directory.
Examples
  • Authorize WOODYB to use the GRANT AUTHORITY command for the files and directories in the QA:FORMS file space for all users that can connect to that file pool. Add this GRANT record to the VM:Secure AUTHORIZ CONFIG file:
    GRANT GRANT AUTHORITY QA:FORMS OVER PUBLIC TO WOODYB
  • Authorize WOODYB to use the REVOKE AUTHORITY command to revoke authority from all users for the directories in the QA:FORMS file space. Add this GRANT record to the VM:Secure AUTHORIZ CONFIG file:
    GRANT REVOKE AUTHORITY QA:FORMS OVER ALL TO WOODYB
  • Allow CARLAT to grant authority to all users who can connect to the TCOM:SPEC and TCOM:DESIGN file spaces. Also, authorize CARLAT to use the REVOKE AUTHORITY command to remove authority from all users for the TCOM:PERSONAL file space. Add the following records to the VM:Secure AUTHORIZ CONFIG file:
    GRANT GRANT AUTHORITY TCOM:SPEC OVER PUBLIC TO CARLAT
    GRANT GRANT AUTHORITY TCOM:DESIGN OVER PUBLIC TO CARLAT
    GRANT REVOKE AUTHORITY TCOM:PERSONAL OVER ALL TO CARLAT
  • Allow all directory managers (represented by the *DIRMGRS predefined variable list) to grant access to any users they manage to any of the managed user’s file spaces in the SYSUSE and HR file pools. Add the following records to the VM:Secure AUTHORIZ CONFIG file:
    LIST *FPOOLS SYSUSE HR
    GRANT GRANT AUTHORITY *FPOOLS:*DIRUSRS OF *SELF OVER *DIRUSRS OF *SELF TO *DIRMGRS
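As an added illustration (not VM:Secure code and not part of this documentation), the following Python models the narrowing rules described in the sections above: a GRANT record with no user ID, or with OVER *ALL, covers anyone; a bare user ID or OVER restricts the grantee to the named user IDs or to the members of a LIST record; PUBLIC and ALL are accepted only on the GRANT AUTHORITY and REVOKE AUTHORITY authorizations; and OVER is rejected on a system command such as MAP. The command table, the token-based record grammar, the treatment of PUBLIC as matching any user ID asked about, and the rule that a file-space grant covers the directories beneath it (ENG:MISC covering ENG:MISC.GENERAL) are assumptions of the model; the predefined variable forms (*DIRMGRS, *SELF) are not modelled. The sample records are constructed from the ones discussed above.

```python
"""Model of how GRANT records with and without OVER narrow an authorization.
Added example, not VM:Secure code; command table and grammar are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

USER_COMMANDS = {"EDIT"}                                      # act on a user ID: OVER allowed
FILESPACE_COMMANDS = {"GRANT AUTHORITY", "REVOKE AUTHORITY"}  # take a file space, then OVER
SYSTEM_COMMANDS = {"MAP"}                                     # act on the system: OVER has no meaning


@dataclass
class Grant:
    command: str
    grantee: str
    filespace: Optional[str]      # only for the AUTHORITY commands
    targets: List[str]            # user IDs the grantee may act on; *ALL when none given


@dataclass
class Policy:
    grants: List[Grant] = field(default_factory=list)
    lists: Dict[str, Set[str]] = field(default_factory=dict)  # site-defined LIST records


def parse_record(line: str, policy: Policy) -> None:
    """Parse one AUTHORIZ CONFIG record, rejecting the forms the documentation rules out."""
    tokens = line.split()
    if not tokens:
        return
    if tokens[0] == "LIST":
        policy.lists[tokens[1]] = set(tokens[2:])
        return
    if tokens[0] != "GRANT" or "TO" not in tokens:
        raise ValueError(f"unrecognised record: {line!r}")
    to = tokens.index("TO")
    grantee, body = tokens[to + 1], tokens[1:to]
    if len(body) >= 3 and " ".join(body[:2]) in FILESPACE_COMMANDS:
        command, filespace, rest = " ".join(body[:2]), body[2], body[3:]
    elif body and body[0] in USER_COMMANDS | SYSTEM_COMMANDS:
        command, filespace, rest = body[0], None, body[1:]
    else:
        raise ValueError(f"unknown command in record: {line!r}")
    if rest and rest[0] == "OVER":
        if command in SYSTEM_COMMANDS:
            raise ValueError(f"OVER has no meaning for {command}: {line!r}")
        rest = rest[1:]
    targets = rest or ["*ALL"]    # no user ID given: the authorization covers anyone
    if "PUBLIC" in targets and command not in FILESPACE_COMMANDS:
        raise ValueError(f"PUBLIC is valid only with GRANT/REVOKE AUTHORITY: {line!r}")
    if "ALL" in targets and command != "REVOKE AUTHORITY":
        raise ValueError(f"ALL is valid only with REVOKE AUTHORITY: {line!r}")
    policy.grants.append(Grant(command, grantee, filespace, targets))


def load(lines: List[str]) -> Policy:
    policy = Policy()
    for line in lines:
        parse_record(line, policy)
    return policy


def validate(lines: List[str]) -> List[str]:
    """Return one message per record the model rejects (empty list if all records parse)."""
    errors, policy = [], Policy()
    for line in lines:
        try:
            parse_record(line, policy)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def _covers(target: str, user: str, policy: Policy) -> bool:
    if target in ("*ALL", "PUBLIC", "ALL"):
        return True               # assumption: every user asked about can connect to the pool
    if target in policy.lists:
        return user in policy.lists[target]
    return target == user


def is_authorized(policy: Policy, issuer: str, command: str,
                  target_user: str, filespace: Optional[str] = None) -> bool:
    """True if some GRANT record lets issuer use command on target_user (within filespace)."""
    for g in policy.grants:
        grantee_ok = g.grantee == issuer or issuer in policy.lists.get(g.grantee, set())
        if g.command != command or not grantee_ok:
            continue
        if g.filespace is not None:
            # assumption: a file-space grant covers the directories beneath it
            if filespace is None or not (filespace == g.filespace
                                         or filespace.startswith(g.filespace + ".")):
                continue
        if any(_covers(t, target_user, policy) for t in g.targets):
            return True
    return False


SAMPLE_CONFIG = [                                   # constructed from the records above
    "GRANT EDIT NORMP TO WOODYB",
    "GRANT GRANT AUTHORITY ENG:MISC OVER FRAISERC TO WOODYB",
    "GRANT REVOKE AUTHORITY QA:FORMS OVER ALL TO WOODYB",
    "LIST QALEADS CARLAT NORMP",                    # constructed site-defined list
    "GRANT EDIT OVER QALEADS TO FRAISERC",
]

if __name__ == "__main__":
    p = load(SAMPLE_CONFIG)
    print(is_authorized(p, "WOODYB", "EDIT", "NORMP"))
    print(is_authorized(p, "WOODYB", "GRANT AUTHORITY", "NORMP", "ENG:MISC.GENERAL"))
    print(validate(["GRANT MAP OVER NORMP TO WOODYB"]))
```

Run it as a script to see the three checks, or call `validate()` over a candidate AUTHORIZ CONFIG before installing it to catch an OVER on a system command or an ALL outside REVOKE AUTHORITY, the two misconfigurations the documentation warns about.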