Use the GRANT record to authorize users to use VM:Secure commands, utilities, and screen selections.
There are three forms of GRANT record syntax depending on the authorization being defined.
Use the following GRANT record syntax for VM:Secure commands, utilities, and screen selections and general authorization (no scope to narrow authorization) for the MAINT MANAGE and ENTRY commands:
GRANT authority [optional parameters to narrow authority] [OVER target-users] TO users [( GROUP]
Use the following GRANT record syntax to narrow the scope of authorized MAINT MANAGE sub-functions a user can request to manage other users:
GRANT MAINTMAN [OVER target-user] [sub-function | USER sub-function] TO users [(GROUP)]
Use the following GRANT record syntax to narrow the scope of authorized ENTRY subcommands a user can request:
GRANT ENTRY [OVER target-users] [subcommand] TO users [(GROUP)]
GRANT is defined in the AUTHORIZ CONFIG file.
- authority: Specifies the authorization to use an entire command, a command and some of its parameters, or a list of commands; authority can be any of the authorizations in the following tables:
  - Any command or utility authorization, User Selection Menu (USE command) authorization, or Manager Selection Menu (MANAGE command) authorization from the Authorizations to Use VM:Secure Commands and Utilities.
  - Any predefined variable list from the Predefined Variable Lists table.
  - Any command processing authorization from the Authorizations for Command Processing.
  - Any lists you create using LIST records.

  You can also use an authorization with a trailing asterisk (for example, MAN*) to indicate all authorizations that begin with the specified characters. Such authorizations will be flagged by the configuration file editor as unrecognized, but they are still functional.
- Optional parameters to narrow authority: Parameters supported by the authorization that narrow the scope of the authorization. Authorizations for MAINT MANAGE sub-functions and ENTRY subcommands cannot be specified here. You must use the alternative syntax for those commands when you want to narrow the scope of the authorization to specific MAINT MANAGE sub-functions or ENTRY subcommands.
- OVER: Limits the scope of the authority. You can use the word OVER to make it clear that the authority is valid only for the user IDs that follow the word OVER, but it is not required.
- target users: Specifies the user ID, or a list of user IDs, over which the authority is granted to the users.
- Subcommand or Sub-function: The optional MAINT MANAGE (MAINTMAN) sub-function or ENTRY subcommand you want to give authority to use.
- users: Specifies a list of user IDs, separated by blanks, that receive these authorizations. A trailing asterisk (for example, M*) indicates that all user IDs beginning with the specified characters are authorized. Users can also be a list of security groups, separated by blanks, that receive these authorizations. A trailing asterisk on a security group name indicates that all members of those groups that begin with the specified characters are authorized.
- GROUP: Specifies that each user is a security group. The record then applies to all user IDs belonging to the named security groups.
- The "Predefined Variables List" and general information in User ID Lists and Authority Lists
Depending on your site’s requirements, authorizations can be simple or complex. For more information, see Administrating Authorizations.
A user ID must be defined in the VMSECURE MANAGERS file to use manage subfunctions that manipulate DASD. For more information, see Administrating Directory Managers.
- Give user ID VMANAGER every possible authorization to make it a system administrator:
  GRANT * TO VMANAGER
- Permit BATMAN to use selection 3 (Select User Menu) from the Manager Selection Menu and all selections from the User Selection Menu to manage user IDs assigned to manager ROBIN. BATMAN is not allowed to use any other menu selection from the Manager Selection Menu over these users:
  GRANT MANSEL03 OVER *DIRUSRS OF ROBIN TO BATMAN
  GRANT USER OVER *DIRUSRS OF ROBIN TO BATMAN
- Authorize JETHRO, ELLIMAE, and JED to use any selection from the Manager Selection Menu for any user ID other than their own (users cannot use the Manager Selection Menu to manage their own user IDs):
  GRANT MANAGE *ALL TO JETHRO ELLIMAE JED
- Authorize every user ID to use selections 3, 4, and 6 from the User Selection Menu, but no others. First, add a LIST record to create a list of authorizations to grant, then grant the list to all users:
  LIST *USRSTUF USESEL03 USESEL04 USESEL06
  GRANT *USRSTUF OVER *SELF TO *ALL
- Permit only users TED and MAINT to assign class A privilege through the CLASS command:
  GRANT CLASS A TO TED MAINT
- Grant manage authority to a list of directory managers. First, add a LIST record to create the list, then grant manage authority to the list:
  LIST *MGRTEAM TLOOIS BABS JOEP KRISTEN KAYCEEP
  GRANT MANAGE OVER *DIRUSRS OF *SELF TO *MGRTEAM
- Authorize SCOTTY to use the site-written macro FINDMGR (site-written macros require special authorization):
  GRANT $FINDMGR TO SCOTTY
  Note that some keyboards ascribe a different hexadecimal representation to the dollar sign, which, in the U.S., is usually X'24'. In the United Kingdom, X'24' is the pound sign, so this GRANT record is written:
  GRANT #FINDMGR TO SCOTTY
- Grant a single MAINT MANAGE sub-function, DISKMOVE, over user ID SPOCK to manager KIRK:
  GRANT MAINTMAN SPOCK DISKMOVE TO KIRK
- Permit KIRK to issue the MAINT MANAGE command USER sub-function STORAGE over user ID SPOCK:
  GRANT MAINTMAN SPOCK USER STORAGE TO KIRK
- Permit any member of the group DEVEL to issue the MAINT MANAGE command USER sub-function IPL over user ID SPOCK:
  GRANT MAINTMAN SPOCK USER IPL TO DEVEL (GROUP
- Permit user SPOCK to issue the ENTRY command for user ID KIRK:
  GRANT ENTRY KIRK TO SPOCK
- Permit user SCOTTIE to issue only the ENTRY command MAXSTORAGE subcommand for user ID SPOCK:
  GRANT ENTRY OVER SPOCK MAXSTORAGE TO SCOTTIE
- Permit any member of the groups DEVEL and MAINT to assign a user ID to manager MYNOR:
  GRANT ASSIGN * MYNOR TO DEVEL MAINT (GROUP
- Permit DAVID to use CHGMDISK for any user ID whose manager belongs to security group SYSTEMS:
  GRANT CHGMDISK OVER *DIRUSRS OF *GRPMEMS OF SYSTEMS TO DAVID
- Permit MAINT to use the CPFMTXA command:
  GRANT CPFMTXA TO MAINT
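
For reviewing an AUTHORIZ CONFIG file against the syntax above, the following Python sketch is an added example, not part of the product documentation. It splits GRANT records into their fields and reports the broad grants this page describes: `GRANT *`, trailing-asterisk authorizations (which the editor flags as unrecognized but which still take effect), and recipients given as `*ALL` or a trailing-asterisk pattern. It assumes one record per line and a single-token target in MAINTMAN and ENTRY records; the finding codes, the user ID OPER1, and the sample file are constructed for illustration.

```python
SCOPED = {"MAINTMAN", "ENTRY"}  # forms written as: [OVER] target [sub-function]

def parse_grant(record):
    """Split one GRANT record into fields; return None for any other record."""
    body, _, option = record.partition("(")      # "(GROUP", "(GROUP)" or "( GROUP"
    tokens = body.split()
    upper = [t.upper() for t in tokens]
    if len(tokens) < 4 or upper[0] != "GRANT" or "TO" not in upper[2:-1]:
        return None
    to_at = max(i for i, t in enumerate(upper[:-1]) if t == "TO")
    authority, middle, users = upper[1], tokens[2:to_at], tokens[to_at + 1:]
    mid_upper = [t.upper() for t in middle]
    if authority in SCOPED:  # assumption: the target is a single token
        if mid_upper[:1] == ["OVER"]:
            middle = middle[1:]
        over, params = middle[:1], middle[1:]
    elif "OVER" in mid_upper:
        cut = mid_upper.index("OVER")
        params, over = middle[:cut], middle[cut + 1:]
    else:
        # No OVER keyword: parameters and targets stay together in params.
        params, over = middle, []
    return {"authority": authority, "params": params, "over": over,
            "users": users, "group": option.strip(" )").upper() == "GROUP"}

def audit(config_text):
    """Return (line_no, code, record) for grants a reviewer should look at."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        g = parse_grant(line)
        if g is None:
            continue
        if g["authority"] == "*":
            findings.append((n, "ALL-AUTHORITIES", line.strip()))
        elif g["authority"].endswith("*"):
            findings.append((n, "PREFIX-AUTHORITY", line.strip()))
        if any(u.upper() == "*ALL" or u.endswith("*") for u in g["users"]):
            findings.append((n, "BROAD-RECIPIENTS", line.strip()))
    return findings

# Constructed sample built from this page's examples (OPER1 is hypothetical).
SAMPLE = """\
GRANT * TO VMANAGER
GRANT MAN* TO OPER1
LIST *USRSTUF USESEL03 USESEL04 USESEL06
GRANT *USRSTUF OVER *SELF TO *ALL
GRANT MAINTMAN SPOCK USER IPL TO DEVEL (GROUP
GRANT CLASS A TO M*
"""
```

Records written without the OVER keyword keep parameters and target users together in `params`, because the syntax alone does not distinguish them; resolving that needs the authorization tables this page refers to.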