

authorize- Command—Remove Access Authorities from a Resource

Valid in the AC environment

Use the authorize- command to remove accessors from the access control lists (ACLs) of a resource.

Note: This command also exists in the native Windows environment but operates differently there.

You need the same access authority to use the authorize- command as you do to use the authorize command.

The authorize- command has different formats for different sets of classes: the TCP class; the HOST, GHOST, HOSTNET, and HOSTNP classes; and all remaining classes.

This command has the following format for the TCP class:

{authorize-|auth-} TCP tcpServiceName \
{gid |uid |xgid |xuid } (accessorName [,accessorName]...)\
[host(hostName [,hostName]...)] \
[ghost(ghostName [,ghostName]...)] \
[hostnet(hostNetName [,hostNetName]...)] \
[hostnp(hostNamePattern [,hostNamePattern]...)]

This command has the following format for the HOST, GHOST, HOSTNET, and HOSTNP classes:

{authorize-|auth-} className stationName \
service({serviceName | serviceNumber |serviceNumberRange})

This command has the following format for all remaining classes:

{authorize-|auth-} className resourceName \
[{access-|deniedaccess-}]\
[calendar(calendarName)] \
{gid |uid |xgid |xuid } (accessorName [,accessorName]...)

access-

Specifies that the command should remove accessors from the resource ACL (which grants access authorities), rather than from the NACL.

If neither access- nor deniedaccess- is specified, the command removes the accessors from both ACLs.

calendar(calendarName)

Removes the calendar specified for determining access authority.

className

Specifies the name of the class to which resourceName belongs.

deniedaccess-

Specifies that the command should remove accessors from the resource NACL (which denies access authority), rather than from the ACL.

gid (accessor [,accessor]...)

Defines one or more internal groups whose entries are to be removed. Separate each accessor with a comma or space.

ghost(ghostName)

Specifies the name of an object in class GHOST.

host(hostName)

Specifies the name of an object in class HOST.

hostnet(hostNetName)

Specifies the name of an object in class HOSTNET.

hostnp(hostNamePattern)

Specifies a pattern defined in class HOSTNP.

nt

Specifies whether to remove values from the system ACLs in Windows.

Valid for the FILE class only.

resourceName

Specifies the name of the resource record whose access control list is being modified. Specify only one resource record.

service(serviceName|serviceNumber|serviceNumberRange)

Defines the services you want to remove from an ACL.

stationName

Specifies the record name within the indicated class, as follows:

  • HOST—Name of single station.
  • GHOST—Name of a group of hosts as defined in the database by the ghost command.
  • HOSTNET—Name of a group of hosts as defined by a set of mask and match values for the IP address.
  • HOSTNP—Name of a group of hosts as defined by a name pattern.

For hosts that cannot be resolved, specify the IP address range.

serviceNumber |serviceNumberRange

Defines the service number or range.

Specify the range as two integers separated by a hyphen (-), for example, 1-99.

Limits: An integer in the range 0 to 65535

uid (accessor [,accessor]...)

Defines one or more internal users whose entries are to be removed. Separate each accessor with a comma or space.

You can use uid(*) to specify all internal users.

unix

Specifies whether to remove values from the system ACLs in UNIX.

Valid only on UNIX environments that support ACLs, and only for records in the FILE class.

xgid (accessor [,accessor]...)

Defines one or more enterprise groups whose entries are to be removed. Separate each accessor with a comma or space.

xuid (accessor [,accessor]...)

Defines one or more enterprise users whose entries are to be removed. Separate each accessor with a comma or space.

Example: Remove a group authority to access a file

The following command removes the group research from both the ACL and NACL of the file covered by the resource /products/new:

auth- FILE /products/new xgid(research)

The research group now has the default access to the file.
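
The following Python pre-check is an added example, not part of the original documentation or the product. It parses an authorize- line in the general-class format shown above and reports which lists the removal touches, flagging a missing access-/deniedaccess- selector and the use of uid(*). The helper name review_removal and the second sample command are assumptions made for illustration, and resource names are assumed to contain no whitespace.

```python
import re

# Added example; review_removal is a hypothetical helper, not a product API.
# Classes that this page gives their own authorize- formats; not handled here.
OTHER_FORMATS = {"TCP", "HOST", "GHOST", "HOSTNET", "HOSTNP"}
OPERAND = re.compile(r"\b(calendar|gid|uid|xgid|xuid)\s*\(([^)]*)\)", re.I)

def review_removal(command):
    """Report what one authorize- line (general-class format) would remove."""
    head = command.replace("\\\n", " ").split(None, 3)
    if len(head) < 4 or head[0].lower() not in ("authorize-", "auth-"):
        raise ValueError("not an authorize- command in the general format")
    class_name, resource, rest = head[1].upper(), head[2], head[3]
    if class_name in OTHER_FORMATS:
        raise ValueError(f"class {class_name} uses a different format")

    accessors, calendar = {}, None
    for key, body in OPERAND.findall(rest):
        if key.lower() == "calendar":
            calendar = body.strip()
        else:  # accessor names are separated by commas or spaces
            names = [n for n in re.split(r"[,\s]+", body) if n]
            accessors.setdefault(key.lower(), []).extend(names)
    if not accessors:
        raise ValueError("no gid/uid/xgid/xuid accessor list found")

    # Tokens left once the operands are stripped include the ACL selector.
    flags = set(OPERAND.sub(" ", rest).lower().split())
    if {"access-", "deniedaccess-"} <= flags:
        raise ValueError("access- and deniedaccess- are alternatives")
    if "access-" in flags:
        acls = ["ACL"]
    elif "deniedaccess-" in flags:
        acls = ["NACL"]
    else:
        acls = ["ACL", "NACL"]

    warnings = []
    if len(acls) == 2:
        warnings.append("no selector: entries are removed from ACL and NACL")
    if "*" in accessors.get("uid", []):
        warnings.append("uid(*) removes entries for all internal users")
    return {"class": class_name, "resource": resource, "acls": acls,
            "calendar": calendar, "accessors": accessors, "warnings": warnings}

if __name__ == "__main__":
    print(review_removal("auth- FILE /products/new xgid(research)"))
    # Constructed sample, not from the page:
    print(review_removal("authorize- FILE /products/new deniedaccess- uid(*)"))
```

Run over a change script before it is applied, the warnings show removals that also drop deny (NACL) entries, after which the accessor falls back to the default access of the resource.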

More information:

chres Command—Modify Resource Records

ch[x]usr Command—Change User Properties

authorize Command—Set Access Authorities on a Resource

authorize Command—Set Accessors' Authority to Access Windows Resources

authorize- Command—Remove Accessors' Authority to Access Windows Resources

ch[x]grp Command—Change Group Properties