authorize Command: Set Accessors Authority to Access Windows Resources

Valid in the native Windows environment
The authorize command maintains the lists of users and groups authorized to access a particular resource. Using authorize, you can change a list to:
  • Permit access to a resource for specific PAM Server Control users or groups.
  • Block access to a resource for specific PAM Server Control users or groups.
  • Change the level of access authority to a resource for specific users or groups.
This command also exists in the AC environment but operates differently.
The following Windows environment classes support ACLs, and can be controlled by the authorize command.
  • COM
  • DISK
  • FILE
  • PRINTER
  • REGKEY
  • SHARE
Classes that do not appear in the list have no access control lists and cannot be controlled by the authorize command.
This command has the following format:
{authorize|auth} className resourceName \
[access(accessValue)|deniedaccess(accessvalue)] \
[gid(groupName, ...)] \
[uid(userName, ...)]
  • access(accessValue)
    Specifies the access authority you want the accessors you identify in the uid or gid parameters to have to the resource.
  • className
    Specifies the name of the class to which resourceName belongs.
  • deniedaccess(accessvalue)
    Specifies the negative access authority that you want accessors, who you identify in the uid or gid parameters, to have to the resource.
    The denied accessvalue can be: all, create, delete, join, modify, none, password, or read.
    You can only use accessValue with the authorize command, not with authorize-.
  • gid(groupName)
    Specifies the Windows group or groups whose access authority to the resource you are setting. The value groupName represents the name of one or more Windows groups. When specifying more than one group, separate the group names with a space or a comma.
  • resourceName
    The name of the resource record to modify or add. When changing or adding more than one resource, enclose the list of resource names in parentheses and separate the resource names with a space or a comma. At least one resource name must be specified.
    PAM Server Control processes each resource record independently in accordance with the specified parameters. If an error occurs while processing a resource, PAM Server Control issues a message and continues processing with the next resource in the list.
  • uid(userName)
    Specifies the Windows users whose access authority to the resource you are setting.
    userName is the user name of one or more Windows users. When specifying more than one user, separate the user names with a space or a comma. To specify all users who are defined in Windows, specify an asterisk (*) for userName.
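The following is an added example, not part of the product documentation: a small Python linter that checks authorize command lines against the format, class list and deniedaccess values given above before they go into a change review. The function names, the sample commands and the uid(*) review rule are assumptions made for illustration, and access() values are not validated because this page does not list them.

```python
import re

# Classes and deniedaccess values exactly as listed on this page.
CLASSES = {"COM", "DISK", "FILE", "PRINTER", "REGKEY", "SHARE"}
DENIED = {"all", "create", "delete", "join", "modify", "none", "password", "read"}
PARAM = re.compile(r"\b(access|deniedaccess|gid|uid)\(([^)]*)\)", re.I)

def split_list(text):
    """Split a list whose items are separated by spaces or commas."""
    return [t for t in re.split(r"[\s,]+", text) if t]

def lint_authorize(line):
    """Parse one authorize command; return (parsed, findings)."""
    line = line.replace("\\\n", " ").strip()   # join backslash-continued lines
    m = re.match(r"(\S+)\s+(\S+)\s*(.*)", line, re.S)
    if not m or m.group(1).lower() not in ("authorize", "auth"):
        return None, ["not a complete authorize command"]
    cls, rest = m.group(2).upper(), m.group(3)
    first = PARAM.search(rest)
    names = rest[:first.start()] if first else rest   # text before first parameter
    resources = split_list(names.strip().strip("()"))
    params = {k.lower(): split_list(v) for k, v in PARAM.findall(rest)}
    findings = []
    if cls not in CLASSES:
        findings.append(f"class {cls} has no ACL that authorize can control")
    if not resources:
        findings.append("at least one resource name must be specified")
    if "access" in params and "deniedaccess" in params:
        findings.append("access() and deniedaccess() are alternatives")
    for value in params.get("deniedaccess", []):
        if value.lower() not in DENIED:
            findings.append(f"deniedaccess value not in documented list: {value}")
    # Reviewer policy (assumption, not a product rule): flag grants to everyone.
    if "*" in params.get("uid", []) and "access" in params:
        findings.append("review: access() granted to uid(*), all Windows users")
    return {"class": cls, "resources": resources, **params}, findings

# Constructed sample commands; paths, accounts and EXAMPLECLASS are made up,
# and the access() value "read" is assumed (this page lists only denied values).
SAMPLE = [
    r"authorize FILE C:\payroll\ledger.xls access(read) gid(Accounting)",
    "auth REGKEY (HKLM\\SOFTWARE\\AppA, HKLM\\SOFTWARE\\AppB) \\\n"
    "  deniedaccess(modify) uid(tempuser1 tempuser2)",
    r"auth EXAMPLECLASS res1 access(read) deniedaccess(write) uid(*)",
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        parsed, findings = lint_authorize(cmd)
        print(parsed, findings or "ok")
```

The linter assumes resource names contain no spaces unless they are listed inside parentheses.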