WITHHOLD Record

Use the WITHHOLD record to restrict users from using VM:Secure commands, utilities, or screen selections. WITHHOLD records are also used to define exceptions to general authorizations given by GRANT records.
There are three forms of WITHHOLD record syntax depending on the authorization being withheld.
Use the following WITHHOLD record syntax for VM:Secure commands, utilities, and screen selections, and for a general restriction (with no scope to narrow the restriction) on the MAINT MANAGE and ENTRY commands:
WITHHOLD authority [optional parameters to narrow restriction] [OVER target-users] TO users [(GROUP]
Use the following WITHHOLD record syntax to narrow the scope of restricted MAINT MANAGE sub-functions a user can request to manage other users:
WITHHOLD MAINTMAN [OVER target-users] [sub-function|USER sub-function] TO users [(GROUP]
Use the following WITHHOLD record syntax to narrow the scope of restricted ENTRY subcommands a user can request:
WITHHOLD ENTRY [OVER target-users] [subcommand] TO users [(GROUP]
Configuration File
WITHHOLD is defined in the AUTHORIZ CONFIG file.
Definitions
  • authority
    Specifies the authorization being withheld from an entire command, a command and some of its parameters, or a list of commands; authority can be any of the authorizations in the following tables:
    • Any command or utility authorization, User Selection Menu (USE command) authorization, or Manager Selection Menu (MANAGE command) authorization from the Authorizations to Use VM:Secure Commands and Utilities table in the Administrators
    • Any predefined variable list from the Predefined Variable Lists table in User ID Lists and Authority Lists in Administrators
    • Any command processing authorization from the Authorizations for Command Processing table in Administrators
    • Any lists you create using LIST records
    You can also use an authorization with a trailing asterisk (for example, MAN*) to indicate all authorizations that begin with the specified characters. Such authorizations will be flagged by the configuration file editor as unrecognized, but they are still functional.
  • optional parameters to narrow restriction
    Parameters supported by the authorization that narrow the scope of the restriction.
    Authorizations for MAINT MANAGE sub-functions and ENTRY subcommands cannot be specified here. You must use the alternative syntax for those commands when you want to narrow the scope of the restriction to specific MAINT MANAGE sub-functions or ENTRY subcommands.
  • OVER
    Limits the scope of the authority. You can use the word OVER to make it clear that the authority is invalid for the user ID(s) that follow it, but the word is not required.
  • target-userid(s)
    Specifies the user ID(s) over which the authority cannot be exercised by users.
  • Subcommand or Sub-function
    The optional MAINT MANAGE (MAINTMAN) sub-function or ENTRY subcommand you want to withhold authority from using.
  • users
    Consists of a list of user IDs, separated by blanks, that are restricted from receiving authorization. A trailing asterisk (for example, M*) indicates that all user IDs beginning with the specified characters are denied authorization. This parameter value can also be a list of security groups, separated by blanks, that are restricted from receiving authorization. A trailing asterisk on a security group name indicates that all security group members of those groups beginning with the specified characters are denied authorization.
  • GROUP
    Specifies that each user is a security group. The record then applies to all user IDs that belong to the named security groups.
Examples
  • Prevent any user ID from being assigned to manager KEVIN:
    WITHHOLD ASSIGN * KEVIN FROM *ALL
  • Prevent any use of the COMPRESS command on any extent of the volume DOSRES:
    WITHHOLD COMPRESS DOSRES FROM *ALL
  • Prevent user BISHOP from issuing the PASSWORD command:
    WITHHOLD PASSWORD FROM BISHOP
  • Prevent your administrators, BRENDA, SALLY, and ROB from issuing the MDSKSCAN command:
    LIST *ADMINS BRENDA SALLY ROB
    WITHHOLD MDSKSCAN FROM *ADMINS
  • Prevent DAVID from issuing the PASSWORD command for any users that are managed by user MAINT.
    WITHHOLD PASSWORD OVER *DIRUSRS OF MAINT FROM DAVID
  • Prevent DAVID from issuing the PASSWORD command for any users that are managed by anyone in security group SYSTEMS:
    WITHHOLD PASSWORD OVER *DIRUSRS OF *GRPMEMS OF SYSTEMS FROM DAVID
  • Prevent LOKI from issuing the MAINT MANAGE sub-function REMOVE over user THOR.
    WITHHOLD MAINTMAN OVER THOR REMOVE FROM LOKI
  • Prevent anyone belonging to the security group TESTING from issuing the ENTRY subcommand OPTION for members of the security group DEVEL.
    WITHHOLD ENTRY OVER *GRPMEMS OF DEVEL OPTION FROM TESTING (GROUP
  • Prevent DAVID from issuing the PASSWORD command for any users that are in security group SYSTEMS.
    WITHHOLD PASSWORD OVER *GRPMEMS OF SYSTEMS FROM DAVID
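
An offline audit helper for the record forms shown above, added here as an illustration; it is not VM:Secure code or part of the vendor documentation. It assumes *ALL means every user (as the examples imply), resolves only lists defined by LIST records in the same text, leaves the OVER scope and predefined lists such as *DIRUSRS unevaluated, and reports lines it does not recognize so a reviewer can check them.

```python
# Added example (not vendor code): audit WITHHOLD records from a copy of AUTHORIZ CONFIG.
# Constructed sample; the last line deliberately misspells the record name.
SAMPLE = """\
LIST *ADMINS BRENDA SALLY ROB
WITHHOLD MDSKSCAN FROM *ADMINS
WITHHOLD PASSWORD FROM BISHOP
WITHHOLD MAN* FROM T*
WITHHOLD ENTRY OVER *GRPMEMS OF DEVEL OPTION FROM TESTING (GROUP
WITHOLD PASSWORD FROM DAVID
"""

def matches(pattern, value):
    """Trailing asterisk = prefix match, as the page describes; otherwise exact."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def parse(text):
    """Return (lists, withholds, unparsed) for the simple record forms shown on the page."""
    lists, withholds, unparsed = {}, [], []
    for line in text.splitlines():
        tok = line.split()
        # The page's examples use FROM and its syntax lines show TO: accept either.
        seps = [n for n, t in enumerate(tok) if t in ("FROM", "TO")]
        if len(tok) > 2 and tok[0] == "LIST":
            lists[tok[1]] = tok[2:]
        elif len(tok) > 2 and tok[0] == "WITHHOLD" and seps:
            users = tok[seps[-1] + 1:]
            group = users[-1:] == ["(GROUP"]
            withholds.append({"authority": tok[1], "scope": tok[2:seps[-1]],
                              "users": users[:-1] if group else users,
                              "group": group, "text": line.strip()})
        elif tok:
            unparsed.append(line.strip())  # not recognized by this helper
    return lists, withholds, unparsed

def withheld(text, user, authority, groups=()):
    """Records whose authority and users fields cover this user; scope is left to the reviewer."""
    lists, withholds, _ = parse(text)
    hits = []
    for w in withholds:
        names = groups if w["group"] else (user,)  # (GROUP records match on group names
        auths = lists.get(w["authority"], [w["authority"]])
        users = [m for u in w["users"] for m in lists.get(u, [u])]
        if any(matches(a, authority) for a in auths) and any(
                u == "*ALL" or matches(u, n) for u in users for n in names):
            hits.append(w["text"])
    return hits
```

Calling `parse(SAMPLE)[2]` lists the lines the helper could not parse, which is where a misspelled record name shows up.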