Use the LIST record to create a list of user IDs or authorizations to use on GRANT and WITHHOLD records.
LIST is defined in the AUTHORIZ CONFIG file.
- *listname: Defines a name for the list. The first character must be an asterisk; you can use up to seven alphanumeric characters for the rest of the name.
- userids: Consists of a list of user IDs, separated by blanks, that are to belong to listname. These user IDs will have the same authorizations when you use this list name in a GRANT or WITHHOLD record.
- authwords: Consists of a list of single-word authorizations, separated by blanks, that are to belong to listname. These authorizations will all be granted to or withheld from one or more users when you use this list name in a GRANT or WITHHOLD record.
The LIST record is optional. Using LIST records you can:
- Build lists that supplement the special authorizations provided with VM:Secure.
- Nest lists created with one LIST record in lists created by another LIST record.
- Create user ID lists and authority lists in separate LIST records, then use these lists in a GRANT or WITHHOLD record.
Verify any items associated with the LIST record; VM:Secure does not validate LIST record items.
For more information about using lists in authorizations, see User ID Lists and Authorization Lists in the section "Authorizations" in the
- When you put a command on a LIST record and grant that list of commands to a user ID, you are giving that user ID authority to use the command over all user IDs. For example, the MANAGE command is one of several commands specified for the *DIRCMDS authorization by the following LIST record, which you then use to grant *DIRCMDS authorization to ELROY, a manager at your site:

    LIST *DIRCMDS MANAGE QUERY PASSWORD
    GRANT *DIRCMDS TO ELROY

  The combination of this LIST record and this GRANT record is equivalent to the following record, and means that ELROY can manage anyone:

    GRANT MANAGE OVER *ALL TO ELROY
- In contrast to the previous example, assume the MANAGE command is not part of any authorization list, and, in fact, the authorization *DIRCMDS does not exist. On a GRANT record, give ELROY permission to use the MANAGE command:

    GRANT MANAGE TO ELROY

  This GRANT record is equivalent to the following record, and means that ELROY can manage only his own users:

    GRANT MANAGE OVER *DIRUSRS OF *SELF TO ELROY
- Define the list called *MYGRP that includes the user IDs USER01, USER02, USER03, and USER04:

    LIST *MYGRP USER01 USER02 USER03 USER04

- You want all users in the list *MYGRP, defined above, to be able to extract audit records, take VM:Secure backups, and use the EXTRACT command. Define a list called *MYAUTHS that includes the VM:Secure commands these user IDs should be allowed to use, then grant authority to *MYAUTHS to the user IDs in the list *MYGRP:

    LIST *MYAUTHS AUDITEXT BACKUP EXTRACT MAY
    GRANT *MYAUTHS TO *MYGRP
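Because VM:Secure does not validate LIST record items, it helps to check them before the file goes live. The following Python checker is an added example, not part of the product or its documentation: it checks list names against the naming rule above, flattens nested lists, flags undefined list references and nesting loops, and reports the effective (authorization, user ID) pairs produced by simple `GRANT auth TO target` records. It assumes one record per line, handles only LIST and that one GRANT form, requires at least one character after the asterisk, and treats *ALL, *SELF and *DIRUSRS as product-defined names; the function names and the sample input are constructed for illustration.

```python
import re

# Naming rule from the page: an asterisk, then up to seven alphanumerics.
LIST_NAME = re.compile(r"^\*[A-Za-z0-9]{1,7}$")
# Starred names the page uses without a LIST record (assumed product-defined).
BUILTIN = {"*ALL", "*SELF", "*DIRUSRS"}

def parse(text):
    """Collect LIST records and simple 'GRANT auth TO target' records."""
    lists, grants, problems = {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        w = line.split()
        if len(w) >= 3 and w[0] == "LIST":
            if LIST_NAME.match(w[1]):
                lists[w[1]] = w[2:]
            else:
                problems.append(f"line {n}: invalid list name {w[1]}")
        elif len(w) == 4 and w[0] == "GRANT" and w[2] == "TO":
            grants.append((w[1], w[3]))
    return lists, grants, problems

def expand(item, lists, problems, trail=()):
    """Flatten an item to its leaf user IDs or authorizations."""
    if item not in lists:
        if item.startswith("*") and item not in BUILTIN:
            problems.append(f"{item} is not defined by any LIST record")
        return {item}
    if item in trail:
        problems.append("nesting loop: " + " -> ".join(trail + (item,)))
        return set()
    leaves = set()
    for member in lists[item]:
        leaves |= expand(member, lists, problems, trail + (item,))
    return leaves

def audit(text):
    """Return (sorted effective (authorization, user ID) pairs, problems)."""
    lists, grants, problems = parse(text)
    for name in lists:  # check every list, whether or not it is granted
        expand(name, lists, problems)
    pairs = {(a, u) for auth, target in grants
             for a in expand(auth, lists, problems)
             for u in expand(target, lists, problems)}
    return sorted(pairs), list(dict.fromkeys(problems))

# Constructed sample: a nested list (*OPS) and a misspelled reference (*MYGPR).
SAMPLE = """LIST *MYGRP USER01 USER02 *OPS
LIST *OPS USER03 USER04
LIST *MYAUTHS AUDITEXT BACKUP EXTRACT
LIST *TYPO BACKUP *MYGPR
GRANT *MYAUTHS TO *MYGRP
"""
```

Calling `audit(SAMPLE)` returns the twelve pairs and the single *MYGPR problem. As the first example above explains, each command that reaches a user ID through a granted list applies over all user IDs, so review the pairs with that scope in mind.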