CA VM:Director provides two types of information about authorizations:
You can display every GRANT or WITHHOLD record that has a bearing on an authorization by using the LISTAUTH command. The LISTAUTH command displays the GRANT or WITHHOLD record that takes precedence, followed by all GRANT and WITHHOLD records that match but do not matter in the authorization.
You can find out if a user ID can use a command, or a command with a particular parameter, using the MAY command. The MAY command displays the one GRANT or WITHHOLD record that ultimately determines the authorization. The output of the MAY command is a message displayed on the screen and a return code. When used in an EXEC, the return code is not displayed but is used to indicate the result of the authorization query.
Example:
DEBBIE is in the sales directory managers group (list *SALES). The *SALES group is denied the use of the CHGMDISK command through a WITHHOLD record. However, DEBBIE is specifically authorized to use the CHGMDISK command on user IDs in the *MYLIST list by a GRANT record. *MYLIST includes the user ID JIM. Enter the following LISTAUTH command to find all authorizations that affect DEBBIE’s ability to use the CHGMDISK command on user ID JIM:
vmdirect listauth debbie chgmdisk jim
CA VM:Director responds with the following, indicating that two authorizations affect the user IDs and commands you asked about:
REJECTED BY: WITHHOLD CHGMDISK FROM *SALES ACCEPTED BY: GRANT CHGMDISK *MYLIST TO DEBBIE
The response shows the authorizations in the AUTHORIZ CONFIG file that mention DEBBIE, the CHGMDISK command, and user ID JIM, with the affected one listed first.
Next, enter the following MAY command to find whether DEBBIE can use the CHGMDISK command on user ID JIM:
vmdirect may debbie chgmdisk jim
CA VM:Director responds with the following, indicating that DEBBIE cannot use the CHGMDISK command on user ID JIM:
REJECTED BY: WITHHOLD CHGMDISK FROM *SALES
|
Copyright © 2014 CA.
All rights reserved.
|
|