authorize Command Set Access Authorities on a Resource
Valid in the AC environment
Use the authorize command to change accessors' access authorities to a resource.
This command modifies an access control list associated with a resource. It changes only one entry in an access control list at a time.
When an accessor attempts to access a resource, Privileged Access Manager checks the appropriate access control lists to determine the access authority. These access control lists include those in the resource record, and can also include access control lists in resource group records. If an accessor is denied access authority in any NACL that covers the resource, the authority is denied, even if the authority is granted in another ACL.
The owner of a resource always has all access authorities to the resource. If you want to change the access authority of the user who is the owner, change the resource to have a different owner, for example, the user nobody.
This command also exists in the Windows environment, but operates differently there.
To use the authorize command, you need sufficient authority, which means that one or more of the following must be true:
- You have the ADMIN attribute.
- You have the GROUP-ADMIN attribute for a resource group of which the resource is a member.
- You are the owner of the resource.
- You have modify access authority in the ADMIN class record that corresponds to the resource.
The authorize command has different forms for different sets of classes. These sets are:
- TCP
- HOST, GHOST, HOSTNET, and HOSTNP
- All other classes
This command has the following format for the TCP class:
{authorize|auth} TCP tcpServiceName \
    [{access|deniedaccess}(accessType)] \
    {[ghost(ghostName [,ghostName]...)] | \
     [host(hostName [,hostName]...)] | \
     [hostnet(hostNetName [,hostNetName]...)] | \
     [hostnp(hostNamePattern [,hostNamePattern]...)]} \
    [{gid|uid|xgid|xuid}(accessor [,accessor]...)] ...
This command has the following format for the HOST, GHOST, HOSTNET, and HOSTNP classes:
{authorize|auth} {HOST|GHOST|HOSTNET|HOSTNP} stationName \
    [{access|deniedaccess}(accessType)] \
    service({serviceName|serviceNumber|serviceNumberRange})
This command has the following format for all other classes:
{authorize|auth} className resourceName \
    [{access|deniedaccess}(accessType)] \
    [calendar(calendarName)] \
    [{unix|nt}] \
    [via(pgm(program [,program]...))] \
    {gid|uid|xgid|xuid}(accessor [,accessor]...) ...
- access(accessType): Defines the access authority entry in the resource ACL (access control list). The ACL specifies which access authorities are granted to accessors.
  - accessType: Defines the access type in the resource ACL, for example, read or write.
  If you omit both the access(accessType) and the deniedaccess(accessType) options of the authorize command, Privileged Access Manager assigns the access that is specified by the implicit access property of the record in the UACC class for the class of the resource (for example, the UACC FILE record if the resource is a file).
- calendar(calendarName): Specifies the calendar to use for determining access authority.
- className: Defines the class to which resourceName belongs.
- deniedaccess(accessType): Changes the access authority entry in the resource NACL. The NACL specifies which access types are denied to accessors.
  - accessType: Specifies the access type to be denied, for example, read or write.
- gid(accessor [,accessor]...): Defines one or more internal groups for which you want to set the access authority.
- ghost(ghostName [,ghostName]...): Defines one or more group hosts for which you want to set access authority to the TCP/IP service.
- host(hostName [,hostName]...): Defines one or more hosts for which you want to set access authority to the TCP/IP service.
- hostnet(hostNetName [,hostNetName]...): Defines one or more HOSTNET records for which you want to set access authority to the TCP/IP service.
- hostnp(hostNamePattern [,hostNamePattern]...): Defines one or more HOSTNP records for which you want to set access authority to the TCP/IP service.
- nt: Specifies whether to add values to the system ACLs in Windows. Valid for the FILE class only.
- resourceName: Defines the resource record whose access control list is being modified.
- service(serviceName|serviceNumber|serviceNumberRange): Defines the services the local host is permitted to provide to the remote host or hosts.
  - serviceNumber | serviceNumberRange: Defines the service number or range. Specify a range as two integers separated by a hyphen (-), for example, 1-99. Limits: an integer in the range 0 to 65535.
- stationName: Specifies the record name within the indicated class, as follows:
  - HOST: Name of a single station.
  - GHOST: Name of a group of hosts as defined in the database by the ghost command.
  - HOSTNET: Name of a group of hosts as defined by a set of mask and match values for the IP address.
  - HOSTNP: Name of a group of hosts as defined by a name pattern.
- tcpServiceName: Specifies the Privileged Access Manager TCP service record whose access authority you are setting.
- uid(accessor [,accessor]...): Defines one or more internal users for whom you want to set the access authority. You can use * to represent all internal users.
- unix: Specifies whether to add values to the system ACLs in UNIX. Valid only on UNIX environments that support ACLs, and only for records in the FILE class.
- via(pgm(programName [,programName]...)): Defines one or more programs for conditional program access. The via parameter specifies an entry in the PACL of the resource. programName specifies a program that can access the resource and can contain wildcard characters. If a program matches several entries in a PACL, the entry with the longest non-wildcard match takes precedence. If programName specifies a program or shell script that is not defined in the PROGRAM class, Privileged Access Manager automatically creates a PROGRAM record to protect it.
- xgid(accessor [,accessor]...): Defines one or more enterprise groups for which you want to set the access authority.
- xuid(accessor [,accessor]...): Defines one or more enterprise users for whom you want to set the access authority.
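The rules stated on this page (the owner always holds every authority, a deny in any covering NACL overrides a grant in any ACL, an authorize command with neither access() nor deniedaccess() takes the UACC implicit access, and among several matching PACL entries the longest non-wildcard match wins) interact in ways that are easiest to see by running them. The following Python model is an added illustration and is not Privileged Access Manager's own code or its real evaluation engine: the set of access type names, the dictionary layout of the records, the use of a per-record default (defaccess) when no ACL entry applies, and the glob-style wildcard matching are all assumptions made for the model.

```python
"""Toy model of how entries set with authorize combine at access-check time.

Added illustration only. The evaluation order follows the rules described on
this page; the access type names, record layout, defaccess handling and
wildcard matching are assumptions, not the product's actual behaviour.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Assumed set of access types; the real product defines these per class.
ALL_ACCESS = frozenset({"read", "write", "execute", "delete", "control"})


@dataclass
class Record:
    """A resource or resource-group record and its access control lists."""
    name: str
    owner: str = "nobody"
    acl: dict = field(default_factory=dict)    # accessor -> granted access types
    nacl: dict = field(default_factory=dict)   # accessor -> denied access types
    pacl: dict = field(default_factory=dict)   # accessor -> {program pattern: types}
    defaccess: frozenset = frozenset()         # default when no ACL entry matches (assumed)


def authorize(record, accessor, access=None, deniedaccess=None, via=(),
              uacc_implicit=frozenset()):
    """Model of one authorize command: changes exactly one entry in one list."""
    if access is None and deniedaccess is None:
        access = uacc_implicit                 # fallback to the UACC implicit access
    if deniedaccess is not None:
        record.nacl[accessor] = set(deniedaccess)
        return record
    if via:                                    # via(pgm(...)) entries go to the PACL
        for program in via:
            record.pacl.setdefault(accessor, {})[program] = set(access)
    else:
        record.acl[accessor] = set(access)
    return record


def _specificity(pattern):
    """Length of the non-wildcard part; the longest match wins in a PACL."""
    return sum(1 for ch in pattern if ch not in "*?[]")


def _pacl_grant(record, accessors, program):
    """Access granted by the most specific PACL entry matching `program`."""
    best_len, best = -1, set()
    for acc in accessors:
        for pattern, types in record.pacl.get(acc, {}).items():
            if fnmatchcase(program, pattern) and _specificity(pattern) > best_len:
                best_len, best = _specificity(pattern), types
    return best


def effective_access(user, groups, resource, group_records=(), program=None):
    """Access types `user` (a member of `groups`) holds on `resource`."""
    if user == resource.owner:
        return set(ALL_ACCESS)                 # the owner always has all authorities
    accessors = {user, "*", *groups}           # '*' stands for all users
    records = [resource, *group_records]
    # A deny in any covering NACL (resource or resource group) wins over any grant.
    denied = set()
    for rec in records:
        for acc in accessors:
            denied |= rec.nacl.get(acc, set())
    granted, matched = set(), False
    for rec in records:
        for acc in accessors:
            if acc in rec.acl:
                granted |= rec.acl[acc]
                matched = True
        if program is not None:
            via = _pacl_grant(rec, accessors, program)
            if via:
                granted |= via
                matched = True
    if not matched:                            # no entry applied: use the record default
        granted = set(resource.defaccess)
    return granted - denied


def only_angela_example():
    """Rebuilds the 'Authorize Only Angela to Read a File' scenario from this page."""
    secrets = Record("/projects/secrets", owner="nobody")   # chres ... owner(nobody)
    authorize(secrets, "Angela", access={"read"})            # auth ... xuid(Angela) access(read)
    secrets.defaccess = frozenset()                          # defaccess(none)
    return {"Angela": effective_access("Angela", [], secrets),
            "Bob": effective_access("Bob", [], secrets)}


if __name__ == "__main__":
    print(only_angela_example())                             # Angela: {'read'}, Bob: set()
```

The two points the model makes visible are the deny-wins rule (grant Angela read in the resource ACL, deny read to one of her groups in a resource-group NACL, and she loses read) and the PACL precedence rule (a grant via /bin/backup beats a grant via /bin/* when the program is /bin/backup, while /bin/cat still falls under the wildcard entry).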
Example: Authorize Angela to Read a File
The following selang command authorizes enterprise user Angela to read the file protected by the FILE resource /projects/secrets:
auth FILE /projects/secrets xuid(Angela) access(read)
Example: Authorize Only Angela to Read a File
The following selang commands authorize enterprise user Angela, but nobody else, to read the file protected by the FILE resource /projects/secrets:
auth FILE /projects/secrets xuid(Angela) access(read)
auth FILE /projects/secrets defaccess(none)
chres FILE /projects/secrets owner(nobody)
On UNIX, if you want read privileges to control whether users can perform operations that obtain information about the file (such as ls -l), set the STAT_intercept configuration setting to 1. For more information, see the Reference Guide.
Example: Authorize All Users in a Group to Log in to a Terminal
The following selang command authorizes all members of the enterprise group RESEARCH to log in to the terminal protected by the TERMINAL resource tty10:
auth TERMINAL tty10 xgid(RESEARCH) access(read)
Example: Authorize Joe to Back up Files
The following selang command authorizes enterprise user Joe to back up the files protected by the GFILE resource secret_files:
auth GFILE secret_files xuid(Joe) \ via(pgm(/bin/backup)) access(read)
For a Windows endpoint, an equivalent command is as follows:
auth GFILE secret_files xuid(Joe) \ via(pgm(C:\WINDOWS\system32\ntbackup.exe)) access(read)
These commands only have an effect if Joe's access authority is not already determined by the ACL or NACL of the resource.