GRANT Record

Use the GRANT record to authorize users to use VM:Secure commands, utilities, and screen selections.
There are three forms of GRANT record syntax depending on the authorization being defined.
Use the following GRANT record syntax for VM:Secure commands, utilities, and screen selections and general authorization (no scope to narrow authorization) for the MAINT MANAGE and ENTRY commands:
    GRANT authority [optional parameters to narrow authority] [OVER target-users] TO users [(GROUP]
Use the following GRANT record syntax to narrow the scope of authorized MAINT MANAGE sub-functions a user can request to manage other users:
    GRANT MAINTMAN [OVER target-user] [sub-function|USER sub-function] TO users [(GROUP)]
Use the following GRANT record syntax to narrow the scope of authorized ENTRY subcommands a user can request:
    GRANT ENTRY [OVER target-users] [subcommand] TO users [(GROUP)]
Configuration File
GRANT is defined in the AUTHORIZ CONFIG file.
Definitions
  • authority
    Specifies the authorization to use an entire command, a command and some of its parameters, or a list of commands; authority can be any of the authorizations in the following tables:
    • Any command or utility authorization, User Selection Menu (USE command) authorization, or Manager Selection Menu (MANAGE command) authorization from the Authorizations to Use VM:Secure Commands and Utilities table.
    • Any predefined variable list from the Predefined Variable Lists table.
    • Any command processing authorization from the Authorizations for Command Processing table.
    • Any lists you create using LIST records.
    You can also use an authorization with a trailing asterisk (for example, MAN*) to indicate all authorizations that begin with the specified characters. Such authorizations will be flagged by the configuration file editor as unrecognized, but they are still functional.
  • Optional parameters to narrow authority
    Parameters supported by the authorization that narrow the scope of the authorization.
    Authorizations for MAINT MANAGE sub-functions and ENTRY subcommands cannot be specified here. You must use the alternative syntax for those commands when you want to narrow the scope of the authorization to specific MAINT MANAGE sub-functions or ENTRY subcommands.
  • OVER
    Limits the scope of the authority; you can use the word OVER to make it clear that the authority is valid only for the user ID(s) that follow the word OVER, but it is not required.
  • target users
    Specifies the user ID, or a list of user IDs, over which the authority is granted to the users.
  • Subcommand or Sub-function
    The optional MAINT MANAGE (MAINTMAN) sub-function or ENTRY subcommand you want to give authority to use.
  • users
    Specifies a list of user IDs, separated by blanks, that receive these authorizations. A trailing asterisk (for example, M*) indicates that all user IDs beginning with the specified characters are authorized.
    Users can also be a list of security groups, separated by blanks, that receive these authorizations. A trailing asterisk on a security group name indicates that all members of those groups that begin with the specified characters are authorized.
  • GROUP
    Specifies that each user is a security group. The record then applies to all user IDs belonging to the named security groups.
Description
Depending on your site’s requirements, authorizations can be simple or complex. For more information, see Administrating Authorizations.
A user ID must be defined in the VMSECURE MANAGERS file to use manage subfunctions that manipulate DASD. For more information, see Administrating Directory Managers.
Example
  • Give user ID VMANAGER every possible authorization to make it a system administrator:
    GRANT * TO VMANAGER
  • Permit BATMAN to use selection 3 (Select User Menu) from the Manager Selection Menu and all selections from the User Selection Menu to manage user IDs assigned to manager ROBIN. BATMAN is not allowed to use any other menu selection from the Manager Selection Menu over these users:
    GRANT MANSEL03 OVER *DIRUSRS OF ROBIN TO BATMAN
    GRANT USER OVER *DIRUSRS OF ROBIN TO BATMAN
  • Authorize JETHRO, ELLIMAE, and JED to use any selection from the Manager Selection Menu for any user ID other than their own (users cannot use the Manager Selection Menu to manage their own user IDs):
    GRANT MANAGE *ALL TO JETHRO ELLIMAE JED
  • Authorize every user ID to use selections 3, 4, and 6 from the User Selection Menu, but no others. First, add a LIST record to create a list of authorizations to grant, then grant the list to all users:
    LIST *USRSTUF USESEL03 USESEL04 USESEL06
    GRANT *USRSTUF OVER *SELF TO *ALL
  • Permit only users TED and MAINT to assign class A privilege through the CLASS command:
    GRANT CLASS A TO TED MAINT
  • Grant manage authority to a list of directory managers. First, add a LIST record to create the list, then grant manage authority to the list:
    LIST *MGRTEAM TLOOIS BABS JOEP KRISTEN KAYCEEP
    GRANT MANAGE OVER *DIRUSRS OF *SELF TO *MGRTEAM
  • Authorize SCOTTY to use the site-written macro FINDMGR (site-written macros require special authorization):
    GRANT $FINDMGR TO SCOTTY
    Note that some keyboards ascribe a different hexadecimal representation to the dollar sign, which, in the U.S., is usually X‘24’. In the United Kingdom, X‘24’ is the pound sign, so this GRANT record is written:
    GRANT #FINDMGR TO SCOTTY
  • Grant a single MAINT MANAGE sub-function, DISKMOVE, over user ID SPOCK to manager KIRK:
    GRANT MAINTMAN SPOCK DISKMOVE TO KIRK
  • Permit KIRK to issue the MAINT MANAGE command USER sub-function STORAGE over user ID SPOCK:
    GRANT MAINTMAN SPOCK USER STORAGE TO KIRK
  • Permit any member of the group DEVEL to issue the MAINT MANAGE command USER sub-function IPL over user ID SPOCK:
    GRANT MAINTMAN SPOCK USER IPL TO DEVEL (GROUP
  • Permit user SPOCK to issue the ENTRY command for user ID KIRK:
    GRANT ENTRY KIRK TO SPOCK
  • Permit user SCOTTIE to issue only the ENTRY command MAXSTORAGE subcommand for user ID SPOCK:
    GRANT ENTRY OVER SPOCK MAXSTORAGE TO SCOTTIE
  • Permit any member of the groups DEVEL and MAINT to assign a user ID to manager MYNOR:
    GRANT ASSIGN * MYNOR TO DEVEL MAINT (GROUP
  • Permit DAVID to use CHGMDISK for any user ID whose manager belongs to security group SYSTEMS:
    GRANT CHGMDISK OVER *DIRUSRS OF *GRPMEMS OF SYSTEMS TO DAVID
  • Permit MAINT to use the CPFMTXA command:
    GRANT CPFMTXA TO MAINT
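
An audit sketch for the wildcard forms described under Definitions, added here as an example and not part of the VM:Secure documentation or product: it flags GRANT records whose authority is * or ends in an asterisk, and records granted to *ALL or to a trailing-asterisk user or group name. It assumes a plain-text copy of the AUTHORIZ CONFIG file as input; the function names, the sample records, and the user ID OPS1 are constructed for illustration.

```python
# Added example: flag broad GRANT records in an AUTHORIZ CONFIG extract.
# SAMPLE is constructed from this page's examples; OPS1 is a made-up user ID.
SAMPLE = """\
LIST *USRSTUF USESEL03 USESEL04 USESEL06
GRANT * TO VMANAGER
GRANT MAN* TO OPS1
GRANT *USRSTUF OVER *SELF TO *ALL
GRANT MAINTMAN SPOCK USER IPL TO DEVEL (GROUP
GRANT CLASS A TO M*
"""

def parse_grant(line):
    """Split a GRANT record into authority, scope, recipients and GROUP flag."""
    body, _, opts = line.upper().partition("(")  # closing ")" may be absent
    toks = body.split()
    if len(toks) < 4 or toks[0] != "GRANT" or "TO" not in toks[2:]:
        return None  # LIST records and anything else are skipped
    to = len(toks) - 1 - toks[::-1].index("TO")  # recipients follow the last TO
    return {
        "authority": toks[1],
        "scope": toks[2:to],  # parameters, OVER target users, sub-functions
        "users": toks[to + 1:],
        "group": "GROUP" in opts.replace(")", " ").split(),
    }

def audit(text):
    """Return (line number, record, reasons) for each broad GRANT record."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        g = parse_grant(line)
        if g is None:
            continue
        reasons = []
        if g["authority"] == "*":
            reasons.append("every authorization")
        elif g["authority"].endswith("*"):
            reasons.append("authority prefix wildcard")
        kind = "group" if g["group"] else "user"
        for u in g["users"]:
            if u == "*ALL":
                reasons.append("granted to *ALL")
            elif u.endswith("*"):
                reasons.append(f"{kind} prefix wildcard {u}")
        if reasons:
            findings.append((n, line.strip(), reasons))
    return findings

if __name__ == "__main__":
    for n, record, reasons in audit(SAMPLE):
        print(f"line {n}: {record} -> {', '.join(reasons)}")
```

Names with a leading asterisk, such as *USRSTUF, are list names and are not treated as wildcards; only a bare * or a trailing asterisk is flagged.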