Restricting Authorizations

You can restrict authority to use commands by using a combination of GRANT and WITHHOLD records in the AUTHORIZ CONFIG file. In its simplest form, a WITHHOLD record uses the following format:
WITHHOLD authority FROM users
By default, user IDs are not allowed to use VM:Secure commands. You may want to grant a user ID the authority to use most parameters on a command but not all of them. For commands with many parameters, it may be easier to grant authorization to the whole command and then restrict authorization to a few of its parameters.
Example 1
The ADMIN command has five parameters: MANAGERS, POOL, PROFILE, SKELETON, and SFSMGRS. You want your directory manager WOODYB to perform all configuration functions except SFS administration. You can give him the following authorizations:
GRANT ADMIN MANAGERS TO WOODYB
GRANT ADMIN POOL TO WOODYB
GRANT ADMIN PROFILE TO WOODYB
GRANT ADMIN SKELETON TO WOODYB
Or, you can give him authorization to the ADMIN command and then restrict his use of the SFSMGRS parameter:
GRANT ADMIN TO WOODYB
WITHHOLD ADMIN SFSMGRS FROM WOODYB
In addition to restricting authorization to parts of commands, you can use a WITHHOLD record to restrict authorization to one command, even though it appears in an authority list and you already granted a user ID the authorization to that list. For more information, see User ID Lists and Authority Lists.
You can also use a WITHHOLD record to restrict one or more user IDs from using a command even if you granted authorization to a group of user IDs and the user IDs you want to restrict belong to that group.
Example 2
The following GRANT record authorizes all user IDs to use the USER command (*SELF and *ALL are explained in the table Predefined Variable Lists in this section):
GRANT USER *SELF TO *ALL
Example 3
This next record, in combination with the previous GRANT record, prevents user ID TRAINEE from using the USER command, even though TRAINEE is included in the group *ALL:
WITHHOLD USER *SELF FROM TRAINEE
Restrictions take precedence over grant authorization (WITHHOLD records take precedence over GRANT records) regardless of the order in which those records appear in the AUTHORIZ CONFIG file. For example, you include a GRANT record to allow user ID WOODYB to use the ADMIN command, and you also include a WITHHOLD record that prevents WOODYB from using the ADMIN command with the SFSMGRS parameter. The authorization that VM:Secure ultimately recognizes is that WOODYB can use the ADMIN command and all of its parameters except the SFSMGRS parameter. This is true whether the records appear in the AUTHORIZ CONFIG file in this order:
WITHHOLD ADMIN SFSMGRS FROM WOODYB
.
.
GRANT ADMIN TO WOODYB
or
GRANT ADMIN TO WOODYB
.
.
WITHHOLD ADMIN SFSMGRS FROM WOODYB
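The following is an added example, not VM:Secure's own code: a small Python evaluator that models the rules above (default deny, parameter-level GRANT and WITHHOLD, and WITHHOLD winning over GRANT regardless of record order). It assumes one record per line, that *ALL matches every user ID, that *SELF is just an operand token, and it does not model user ID lists or authority lists.

```python
# Added example (not VM:Secure code): a simplified evaluator for the
# GRANT/WITHHOLD rules above. Assumptions: one record per line, "*ALL"
# matches every user ID, "*SELF" is a plain operand token, and user ID
# lists / authority lists are not modelled.

def parse_records(text):
    """Turn AUTHORIZ CONFIG-style text into (kind, command, operands, who) tuples."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines and the ". ." filler that stands for omitted records
        if not tokens or tokens[0] not in ("GRANT", "WITHHOLD"):
            continue
        kind = tokens[0]
        idx = tokens.index("TO" if kind == "GRANT" else "FROM")
        command = tokens[1]
        operands = frozenset(tokens[2:idx])   # empty set = the whole command
        records.append((kind, command, operands, tokens[idx + 1]))
    return records

def is_authorized(records, user, command, operands=()):
    """Default deny. A GRANT must cover the request; any matching WITHHOLD
    wins over every GRANT, regardless of where it appears in the file."""
    wanted = set(operands)
    granted = False
    for kind, cmd, rec_ops, who in records:
        if cmd != command or who not in ("*ALL", user):
            continue
        if kind == "GRANT" and (not rec_ops or rec_ops <= wanted):
            granted = True          # keep scanning: a later WITHHOLD still wins
        elif kind == "WITHHOLD" and (not rec_ops or rec_ops & wanted):
            return False            # restriction overrides any GRANT
    return granted

# Constructed sample config combining the page's examples, deliberately
# placing a WITHHOLD before the GRANT it restricts
SAMPLE_CONFIG = """
WITHHOLD ADMIN SFSMGRS FROM WOODYB
GRANT USER *SELF TO *ALL
.
.
GRANT ADMIN TO WOODYB
WITHHOLD USER *SELF FROM TRAINEE
"""

def check(user, command, *operands):
    """Evaluate a request against SAMPLE_CONFIG; returns True if allowed."""
    return is_authorized(parse_records(SAMPLE_CONFIG), user, command, operands)
```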