Querying Authorizations

Contents
vmx32besp
Contents
VM:Secure
provides two types of information about authorizations:
  • All records pertaining to an authorization about which you want information
    You can display every GRANT or WITHHOLD record that has a bearing on an authorization by using the LISTAUTH command. The LISTAUTH command displays the GRANT or WITHHOLD record that takes precedence, followed by all GRANT and WITHHOLD records that match but do not matter in the authorization.
  • A user ID’s ability to use a command
    You can find out if a user ID can use a command, or a command with a particular parameter, using the MAY command. The MAY command displays the one GRANT or WITHHOLD record that ultimately determines the authorization. The output of the MAY command is a message displayed on the screen and a return code. When used in an EXEC, the return code is not displayed but is used to indicate the result of the authorization query.
Example:
DEBBIE is in the sales directory managers group (list *SALES). The *SALES group is denied the use of the CHGMDISK command through a WITHHOLD record. However, DEBBIE is specifically authorized to use the CHGMDISK command on user IDs in the *MYLIST list by a GRANT record. *MYLIST includes the user ID JIM. Enter the following LISTAUTH command to find all authorizations that affect DEBBIE’s ability to use the CHGMDISK command on user ID JIM:
vmsecure
listauth debbie chgmdisk jim
VM:Secure
responds with the following, indicating that two authorizations affect the user IDs and commands you asked about:
REJECTED BY: WITHHOLD CHGMDISK FROM *SALES ACCEPTED BY: GRANT CHGMDISK *MYLIST TO DEBBIE
The response shows the authorizations in the AUTHORIZ CONFIG file that mention DEBBIE, the CHGMDISK command, and user ID JIM, with the affected one listed first.
Next, enter the following MAY command to find whether DEBBIE can use the CHGMDISK command on user ID JIM:
vmsecure
may debbie chgmdisk jim
VM:Secure
responds with the following, indicating that DEBBIE cannot use the CHGMDISK command on user ID JIM:
REJECTED BY: WITHHOLD CHGMDISK FROM *SALES
Special Authorization Queries
To check whether you can use a particular command or what authorizations affect you, use the LISTAUTH and the MAY commands. You also use these commands to check any other user’s ability to use a command or all users’ ability to use a command.
The LISTAUTH and the MAY commands provide special words to replace the user ID and the authority you are querying:
  • Use the words I, ANYUSR (or SOMEUSR), or EVERYUSR to specify the user ID you are querying
  • Use the words ANYCMD (or SOMECMD), EVERYCMD, ANYWRD (or SOMEWRD), or EVERYWRD to specify the authority you are querying
For more information about using the special authorization queries available, see LISTAUTH Command and MAY Command in the section "Command Reference" in
Reference
.
Querying Authorizations Given to Lists of User IDs or for Lists of Commands
You can query the authorizations of all user IDs in a list of user IDs and you can query the authorizations user IDs have to all commands in a list of commands.
Example:
Your AUTHORIZ CONFIG file contains the following record, which defines the list *SALES to include user IDs GEORGE, SILAS, and GLORIA:
LIST *sales george silas gloria
The following command finds all authorizations that allow any user to NOLOG user IDs GEORGE, SILAS, and GLORIA (
every
member of *SALES):
vmsecure
listauth anyusr nolog *sales