authorize Command - Set Accessors Authority to Access Windows Resources
Valid in the native Windows environment
The authorize command maintains the lists of users and groups authorized to access a particular resource. Using authorize, you can change a list to:
- Permit access to a resource for specific Privileged Access Manager users or groups.
- Block access to a resource for specific Privileged Access Manager users or groups.
- Change the level of access authority to a resource for specific users or groups.
This command also exists in the AC environment but operates differently.
The following Windows environment classes support ACLs, and can be controlled by the authorize command.
- COM
- DISK
- FILE
- PRINTER
- REGKEY
- SHARE
Classes that do not appear in the list have no access control lists and cannot be controlled by the authorize command.
This command has the following format:
{authorize|auth} className resourceName \
[access(accessValue)|deniedaccess(accessvalue)] \
[gid(groupName, ...)] \
[uid(userName, ...)]
- access(accessValue)
  Specifies the access authority you want the accessors you identify in the uid or gid parameters to have to the resource.
- className
  Specifies the name of the class to which resourceName belongs.
- deniedaccess(accessvalue)
  Specifies the negative access authority that you want accessors, who you identify in the uid or gid parameters, to have to the resource. The denied accessvalue can be: all, create, delete, join, modify, none, password, or read. You can only use accessValue with the authorize command, not with authorize-.
- gid(groupName)
  Specifies the Windows group or groups whose access authority to the resource you are setting. The value groupName represents the name of one or more Windows groups. When specifying more than one group, separate the group names with a space or a comma.
- resourceName
  The name of the resource record to modify or add. When changing or adding more than one resource, enclose the list of resource names in parentheses and separate the resource names with a space or a comma. At least one resource name must be specified. Privileged Access Manager processes each resource record independently in accordance with the specified parameters. If an error occurs while processing a resource, Privileged Access Manager issues a message and continues processing with the next resource in the list.
- uid(userName)
  Specifies the Windows users whose access authority to the resource you are setting. userName is the user name of one or more Windows users. When specifying more than one user, separate the user names with a space or a comma. To specify all users who are defined in Windows, specify an asterisk (*) for userName.
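The following pre-submission check for authorize commands is an added example, not part of the product or its documentation. It applies only the rules stated on this page: the ACL-capable classes, the listed deniedaccess values, the resource list syntax, and the meaning of uid(*). The function names, the sample commands, and the case-insensitive class comparison are assumptions.

```python
import re

# Classes the page lists as supporting ACLs, and the values it lists for deniedaccess().
ACL_CLASSES = {"COM", "DISK", "FILE", "PRINTER", "REGKEY", "SHARE"}
DENIED_VALUES = {"all", "create", "delete", "join", "modify", "none", "password", "read"}
PARAMS = {"access", "deniedaccess", "gid", "uid"}

HEAD = re.compile(r"^(?:authorize|auth)\s+(\S+)\s+(\([^)]*\)|\S+)\s*(.*)$", re.S)
PARAM = re.compile(r"(\w+)\(([^)]*)\)")

def split_list(text):
    """Split items separated by spaces or commas, as the page allows."""
    return [item for item in re.split(r"[,\s]+", text.strip()) if item]

def lint_authorize(command):
    """Return the problems found in one authorize command; an empty list means none."""
    line = re.sub(r"\\\s*\n", " ", command).strip()  # join "\" continuation lines
    head = HEAD.match(line)
    if not head:
        return ["expected: {authorize|auth} className resourceName ..."]
    class_name, resource, rest = head.groups()
    problems = []
    # Assumption: class names are compared case-insensitively.
    if class_name.upper() not in ACL_CLASSES:
        problems.append(f"class {class_name} has no ACL and cannot be controlled by authorize")
    named = PARAM.fullmatch(resource)
    if named and named.group(1).lower() in PARAMS:
        return problems + ["resourceName is missing"]
    names = split_list(resource[1:-1]) if resource.startswith("(") else [resource]
    if not names:
        problems.append("at least one resource name must be specified")
    params = {name.lower(): split_list(value) for name, value in PARAM.findall(rest)}
    for name in sorted(set(params) - PARAMS):
        problems.append(f"unknown parameter {name}()")
    if "access" in params and "deniedaccess" in params:
        problems.append("access() and deniedaccess() are alternatives; give only one")
    for value in params.get("deniedaccess", []):
        if value.lower() not in DENIED_VALUES:
            problems.append(f"deniedaccess value {value} is not in the documented list")
    if "*" in params.get("uid", []) and "access" in params:
        problems.append("review: uid(*) applies this access to all users defined in Windows")
    return problems

if __name__ == "__main__":
    # Constructed sample commands; resource, user and group names are placeholders.
    for sample in (r"auth FILE (C:\data\a.txt, C:\data\b.txt) access(read) gid(Auditors)",
                   r"auth REGKEY HKEY_LOCAL_MACHINE\SOFTWARE\Example access(read) uid(*)",
                   r"auth FILE C:\data\a.txt deniedaccess(write) uid(jdoe)"):
        print(sample, "->", lint_authorize(sample) or "ok")
```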