You can create authorizations with authority phrases that include predefined variable lists. These authority phrases narrow the scope of the authorization to particular user IDs. Those user IDs are not the ones being granted authority; they are part of the authorization itself.
Example 1
This GRANT record allows the user ID WOODYB to use the ULIST command:
GRANT ULIST TO WOODYB
The authority.
The user IDs for the authority.
In contrast, this GRANT record allows the user ID WOODYB to use the ULIST command, but only on user IDs that directory manager CARLAT manages:
GRANT ULIST *DIRUSRS CARLAT TO WOODYB
The authority.
The user IDs for the authority.
Example 2
This GRANT record does the same as the previous one, except that the word OF was added to help you, or whoever reads the AUTHORIZ CONFIG file, understand the content of these records:
GRANT ULIST *DIRUSRS OF CARLAT TO WOODYB
The authority.
The user IDs for the authority.
Example 3
As with authorizing user IDs to use commands on only some user IDs, you can include the words OF and OVER to help describe the intent of these records. These words fit between the command and the user IDs over which this authorization is valid.
Both of the next GRANT records authorize WOODYB to use the ULIST command on user IDs that directory manager CARLAT manages:
GRANT ULIST *DIRUSRS CARLAT TO WOODYB
GRANT ULIST OVER *DIRUSRS OF CARLAT TO WOODYB
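When reviewing an AUTHORIZ CONFIG file, it helps to reduce each record to a canonical form so that the OF/OVER variants compare equal and grants with no variable list stand out. The following is an added example, not product code; it assumes only the record shapes quoted on this page, and the names `parse_grant`, `unscoped` and `Grant` are hypothetical.

```python
# Added example: normalizes the GRANT record forms shown on this page.
# Assumption: only "GRANT <command> [phrase] TO <userid>" is handled; the
# full AUTHORIZ CONFIG grammar is not reproduced here.
from typing import NamedTuple, Optional

FILLER = {"OF", "OVER"}  # readability words that do not change the grant


class Grant(NamedTuple):
    command: str
    scope_list: Optional[str]  # predefined variable list, e.g. *DIRUSRS
    scope_arg: Optional[str]   # user ID the list is resolved against
    grantee: str


def parse_grant(record: str) -> Grant:
    tokens = record.split()
    if len(tokens) < 4 or tokens[0] != "GRANT" or tokens[-2] != "TO":
        raise ValueError(f"not a recognized GRANT record: {record!r}")
    command, grantee = tokens[1], tokens[-1]
    # Everything between the command and TO is the scope; drop filler words.
    scope = [t for t in tokens[2:-2] if t not in FILLER]
    if not scope:
        return Grant(command, None, None, grantee)
    if len(scope) == 2 and scope[0].startswith("*"):
        return Grant(command, scope[0], scope[1], grantee)
    raise ValueError(f"unsupported authority phrase: {record!r}")


def unscoped(records):
    """Return grants that carry no variable list, i.e. are not narrowed."""
    return [g for g in map(parse_grant, records) if g.scope_list is None]


# Constructed sample: the records quoted on this page.
SAMPLE = [
    "GRANT ULIST TO WOODYB",
    "GRANT ULIST *DIRUSRS CARLAT TO WOODYB",
    "GRANT ULIST *DIRUSRS OF CARLAT TO WOODYB",
    "GRANT ULIST OVER *DIRUSRS OF CARLAT TO WOODYB",
]

if __name__ == "__main__":
    for g in map(parse_grant, SAMPLE):
        print(g)
    print("unscoped:", unscoped(SAMPLE))
```

Records that fall outside these shapes raise an error instead of being guessed at, so an audit run surfaces them for manual review.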
Copyright © 2014 CA. All rights reserved.