User ID Lists and Authority Lists

You can group authorities or user IDs into lists that you can use in GRANT and WITHHOLD records. These lists allow you to create a single GRANT or WITHHOLD record to authorize or restrict groups of users to the same group of commands. A LIST record, which you use to create lists, uses the following format:
LIST *listname listitem listitem listitem ...
You can create lists of authorities and lists of user IDs for these purposes. A list can contain only one type of element -- it cannot include both authorities and user IDs. However, you can create many lists, some for user IDs and some for authorities.
The list name must begin with an asterisk; the rest of the list name can be no longer than seven characters.
Use a comma as a continuation character to continue list items to the next physical line. You can continue a LIST record up to 4,095 characters, including blanks. For example:
LIST *SALES1 ABBIE DEBBIE GLORIA SILAS ANDREA,
ARTHUR HARRY JOHN JOSEPH
User ID Lists
User ID lists let you group user IDs that will have the same command authorizations. LIST records that group user IDs have the following format:
LIST *listname userid userid userid
  • listname
    The name of the list.
  • userid userid userid
    The user IDs you want on the list.
Example:
To put BUDDY, BETH, BRUCE, and CARLAT, your publications managers, on one list named *PUBS, add this record to your AUTHORIZ CONFIG file:
LIST *PUBS BUDDY BETH BRUCE CARLAT
You can then use this list name, *PUBS, in any GRANT or WITHHOLD record where you grant or withhold these four user IDs the authority to certain commands.
You can include a user ID on more than one user ID list if the responsibilities of that user fall into different functional areas.
Authority Lists
Authority lists let you group commands that fit together functionally at your site and that you want to grant or restrict authorization to as a group of activities for several user IDs. LIST records that group commands use the following format:
LIST *listname authority authority authority ...
  • *listname
    The name of the command authority list.
  • authority authority authority
    Each authority for a VM:Secure command that you want to be on the list.
You cannot include any command parameters or options in an authority list. Each authority represents all versions of a command, and can only be a single word.
Example:
Your publications managers must have the authority to use the ADMIN, EDIT, and QUERY commands. You can group these commands in a single list, named *PUBCMDS, by including this record in your AUTHORIZ CONFIG file:
LIST *PUBCMDS ADMIN EDIT QUERY
Including a List In Another List
You can use a list name as an item in another list. This is true for both user ID lists and authority lists.
Example:
The following LIST record defines a list of 12 user IDs -- the 9 that the *SALES1 list names plus JEREMY, LUCAS, and PAUL:
LIST *NONTECH JEREMY LUCAS *SALES1 PAUL
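The following sketch, which is an added example and not part of VM:Secure or of the original page, shows how a reviewer could flatten nested LIST records to see who a list name really covers before it is used in a GRANT or WITHHOLD record. It assumes a trailing comma marks continuation, as in the *SALES1 example; the *AUDIT record and its *PUBZ reference are constructed, and the circular-reference check is this script's own safeguard rather than documented product behavior.

```python
import re

MAX_RECORD = 4095                      # record limit stated on this page, blanks included
NAME_RE = re.compile(r"^\*\S{1,7}$")   # asterisk plus at most seven more characters
# Records taken from this page, plus one constructed record (*AUDIT) with a typo'd reference.
SAMPLE = """\
LIST *SALES1 ABBIE DEBBIE GLORIA SILAS ANDREA,
ARTHUR HARRY JOHN JOSEPH
LIST *NONTECH JEREMY LUCAS *SALES1 PAUL
LIST *AUDIT CARLAT *PUBZ
"""

def parse_lists(text):
    """Return {listname: [items]} for every LIST record, joining continued lines."""
    lists, pending = {}, ""
    for line in text.splitlines():
        pending = (pending + " " + line.strip()).strip()
        if pending.endswith(","):      # assumption: a trailing comma continues the record
            pending = pending[:-1]
            continue
        record, pending = pending, ""
        words = record.split()
        if len(words) < 2 or words[0] != "LIST":
            continue                   # GRANT, WITHHOLD and other records are skipped
        if len(record) > MAX_RECORD:
            raise ValueError(f"{words[1]}: record longer than {MAX_RECORD} characters")
        if not NAME_RE.match(words[1]):
            raise ValueError(f"{words[1]}: invalid list name")
        lists[words[1]] = words[2:]
    return lists

def expand(name, lists, _path=()):
    """Flatten nested lists into (sorted members, sorted unresolved *names)."""
    if name in _path:
        raise ValueError("circular reference: " + " -> ".join(_path + (name,)))
    members, unresolved = set(), set()
    for item in lists[name]:
        if item in lists:
            sub_members, sub_unresolved = expand(item, lists, _path + (name,))
            members.update(sub_members)
            unresolved.update(sub_unresolved)
        elif item.startswith("*"):
            unresolved.add(item)       # no LIST record defines it: typo or predefined list
        else:
            members.add(item)
    return sorted(members), sorted(unresolved)

if __name__ == "__main__":
    print(expand("*NONTECH", parse_lists(SAMPLE)))
```

Any name reported as unresolved should be checked by hand: it is either a predefined variable list or a misspelled list name that will not cover the users you intended.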
Predefined Variable Lists
VM:Secure provides lists that represent dynamic groups of user IDs. The user IDs in these lists vary, depending on your configuration. For example, *DIRMGRS represents all of your site’s directory managers. If only CARLAT is a directory manager, that is the only user ID represented by *DIRMGRS. If you later add WOODYB as a directory manager, the variable list *DIRMGRS now represents CARLAT and WOODYB.
You can use these predefined variable lists, shown in the table that follows, in a GRANT or a WITHHOLD record, either as part of the authorization or as part of the object of the authorization. When they appear in part of the authorization, they narrow the scope of the authorization.
You can use a predefined variable list in any authorization that requires a user ID. Uses are explained in Creating Authorizations with User ID Lists and Authority Lists.
| Variable List | Entity Specified | Alternate Forms |
|---|---|---|
| * | All user IDs | - - - |
| *ALL | All user IDs | - - - |
| *ANY | All user IDs | - - - |
| *DIRMGRS | All user IDs defined as directory managers in the VMSECURE MANAGERS file | - - - |
| *DIRUSRS dirmgr | All user IDs that dirmgr manages (same as *MANAGEE) | *DIRUSRS OF dirmgr; dirmgr’S *DIRUSRS |
| *GROUP | The ACI group of the user ID that receives the authorization | - - - |
| *GRPMEMS group | All user IDs that belong to the security group group | *GRPMEMS OF group; group’S *GRPMEMS |
| *GRPMGRS | All user IDs specified as security group managers on a GROUP record in the SECURITY CONFIG file | - - - |
| *GRPS grpmgr | All security groups that grpmgr manages | *GRPS OF grpmgr; grpmgr’S *GRPS |
| *GRPUSRS grpmgr | All user IDs that belong to security groups that grpmgr manages | *GRPUSRS OF grpmgr; grpmgr’S *GRPUSRS |
| *MANAGEE dirmgr | All user IDs that dirmgr manages (same as *DIRUSRS) | *MANAGEE OF dirmgr; dirmgr’S *MANAGEE |
| *NEWUSRS | All user IDs that do not yet exist (allows them to be created) | - - - |
| *SELF | User ID to whom the authorization on the GRANT record is being given | - - - |
 
The variable lists that specify a variable group of user IDs that belong to a named user ID or group have alternate forms. These alternate forms are different only to help show the ownership of the variable group to anyone who reads the GRANT record.
Example 1:
The following user ID phrases are identical. They all mean "all user IDs that directory manager CARLAT manages":
*DIRUSRS CARLAT
*DIRUSRS OF CARLAT
CARLAT’S *DIRUSRS
Example 2:
You can include these user ID phrases on GRANT records to authorize all user IDs that directory manager CARLAT manages to use a command or a list of commands.
GRANT EDIT TO *DIRUSRS CARLAT
GRANT EDIT TO *DIRUSRS OF CARLAT
GRANT EDIT TO CARLAT’S *DIRUSRS