Granting Authorizations to Use the GRANT AUTHORITY and REVOKE AUTHORITY Commands

When you authorize user IDs to use the VM:Secure GRANT AUTHORITY and REVOKE AUTHORITY commands, specify the two-word command authorization (GRANT AUTHORITY or REVOKE AUTHORITY) followed by the file space for which users can issue the command. You also specify the user IDs of the users who will be issuing the commands.
The authorization is at the file space level. This means that the user is authorized to grant or revoke authority for all files and directories in the specified file space.
You cannot use the GRANT AUTHORITY or REVOKE AUTHORITY authorizations in LIST records.
The GRANT record for the GRANT AUTHORITY and REVOKE AUTHORITY authorizations uses the following structure:
GRANT {GRANT | REVOKE} AUTHORITY filespace TO "Issuer"
Issuer:
{userid | userid_list}
  • {GRANT | REVOKE} AUTHORITY filespace
    Authority and file space.
  • {userid | userid_list}
    Command issuer.
The WITHHOLD record for the GRANT AUTHORITY and REVOKE AUTHORITY authorizations uses the following structure:
WITHHOLD {GRANT | REVOKE} AUTHORITY filespace TO "Issuer"
Issuer:
{userid | userid_list}
  • {GRANT | REVOKE} AUTHORITY filespace
    Authority and file space.
  • {userid | userid_list}
    Command issuer.
By default, the command issuer can grant (or revoke) authority for all users. For example, this GRANT record allows directory manager CARLAT to use the VM:Secure GRANT AUTHORITY command to grant access to the ENG:PROJECT file space for everyone:
GRANT GRANT AUTHORITY ENG:PROJECT TO CARLAT
Now that CARLAT is authorized, she can give anyone (FRAISERC is used in this example) read access to the ENG:PROJECT.PROJECT1 directory. To do so, CARLAT enters the following command:
vmsecure grant authority eng:project.project1 to fraiserc (read
Using Predefined Variable Lists
As with other authorizations, you can use the Predefined Variable Lists in the TO or FROM part of the authorization. For example, the *DIRMGRS list represents all of your site’s directory managers. To prevent all directory managers from using the VM:Secure GRANT AUTHORITY command to access data in the ENG:COST file space for all user IDs, add this record to the AUTHORIZ CONFIG file:
WITHHOLD GRANT AUTHORITY ENG:COST FROM *DIRMGRS
*DIRMGRS is the predefined variable list.
For more information about using predefined variable lists, see Predefined Variable Lists.
Specifying a File Space
When you specify a file space on the authorization, filespace uses the following form:
filepool:userid
The filepool and userid can each be one of the following:
  • Character string
  • Pattern with a trailing *
  • Predefined variable list
  • Site-defined list represented by a LIST record
The filespace parameter is not a directory ID; a period after the user ID, which usually designates the top-level directory, is not allowed.
Examples:
To allow WOODYB to use the VM:Secure GRANT AUTHORITY command to grant access to files and directories in the file spaces of the users he manages in file pools ENG, TEST, and FIN, add the following LIST and GRANT records to the AUTHORIZ CONFIG file:
LIST *POOLS ENG TEST FIN
GRANT GRANT AUTHORITY *POOLS:*DIRUSRS OF *SELF TO WOODYB
  • LIST *POOLS ENG TEST FIN
    Defines a list of file pools.
  • *POOLS
    Site-defined file pool list.
  • *DIRUSRS
    Predefined variable list.
  • *SELF
    Predefined variable list.
To allow CARLAT to grant and revoke authorities in all file pools except the human resources (HR) file pool, add the following records:
GRANT GRANT AUTHORITY *:* TO CARLAT
GRANT REVOKE AUTHORITY *:* TO CARLAT
WITHHOLD GRANT AUTHORITY HR:* FROM CARLAT
WITHHOLD REVOKE AUTHORITY HR:* FROM CARLAT
Note: For more information, see LIST records in the section "Configuration File Reference" in the Reference.
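The following Python example is added here and is not part of VM:Secure or its documentation. It reviews GRANT AUTHORITY and REVOKE AUTHORITY records offline: it rejects a file space that is not in filepool:userid form or that contains a period, resolves site-defined LIST records, and evaluates the CARLAT records above. It assumes that a matching WITHHOLD record overrides a matching GRANT record, as the CARLAT example implies; the function names, the WOODY* pattern, and the sample records are constructed for illustration.

```python
# Constructed sample AUTHORIZ CONFIG records, modeled on the examples above.
SAMPLE = """\
LIST *POOLS ENG TEST FIN
GRANT GRANT AUTHORITY *:* TO CARLAT
GRANT REVOKE AUTHORITY *:* TO CARLAT
WITHHOLD GRANT AUTHORITY HR:* FROM CARLAT
WITHHOLD REVOKE AUTHORITY HR:* FROM CARLAT
GRANT GRANT AUTHORITY *POOLS:WOODY* TO WOODYB
GRANT GRANT AUTHORITY ENG:PROJECT. TO FRAISERC
"""

def parse(text):
    """Return (site-defined lists, authority records, lint errors)."""
    lists, records, errors = {}, [], []
    for n, line in enumerate(text.upper().splitlines(), 1):
        w = line.split()
        if len(w) > 2 and w[0] == "LIST":
            lists[w[1]] = set(w[2:])
        elif (len(w) >= 6 and w[0] in ("GRANT", "WITHHOLD")
              and w[1] in ("GRANT", "REVOKE") and w[2] == "AUTHORITY"):
            pool, sep, owner = w[3].partition(":")
            if not (sep and pool and owner) or "." in w[3]:
                errors.append((n, "file space must be filepool:userid, no period"))
            elif w[4] not in ("TO", "FROM"):
                errors.append((n, "qualifier after file space not handled here"))
            else:
                records.append((w[0], w[1], pool, owner, w[5:]))
    return lists, records, errors

def matches(pattern, value, lists):
    """Match a character string, a trailing-* pattern, or a list name."""
    if pattern.startswith("*") and len(pattern) > 1:
        if pattern not in lists:  # predefined lists must be supplied by the caller
            raise LookupError(f"membership of {pattern} not supplied")
        return value in lists[pattern]
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def may_issue(action, issuer, filespace, lists, records):
    """True if issuer may use <action> AUTHORITY on filespace.
    Assumption: a matching WITHHOLD overrides any matching GRANT."""
    pool, _, owner = filespace.upper().partition(":")
    hits = {kind for kind, act, p, o, who in records
            if act == action and matches(p, pool, lists)
            and matches(o, owner, lists)
            and any(matches(u, issuer.upper(), lists) for u in who)}
    return "GRANT" in hits and "WITHHOLD" not in hits
```

To evaluate records that name a predefined variable list such as *DIRMGRS, add its membership to the `lists` dictionary before calling `may_issue`; the example raises `LookupError` instead of guessing.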