

Authorizations for Directory Managers

Directory manager authorizations are usually the most complicated authorizations to give. Often you want to give different kinds of authorization to different directory managers.

We recommend that authorizations for directory managers enable them to use all selections from the Manager Selection Menu on only the user IDs they manage. This authorization is given by adding the following record to the AUTHORIZ CONFIG file:

GRANT MANAGE OVER *DIRUSRS OF *SELF TO *DIRMGRS

Because selection 3 on the Manager Selection Menu accesses the User Selection Menu, you also need to add the following GRANT record to allow directory managers to use it:

GRANT USER OVER *DIRUSRS OF *SELF TO *DIRMGRS

CA VM:Director provides authorizations for the Manager Selection Menu and for each of its selections separately. All Manager Selection Menu selections are authorized with the MANAGE authorization. Authorizations to individual selections are listed in the table, Authorization to Use CA VM:Director Commands and Utilities, in this chapter.

The following extended examples will help you create the authorizations you want.

Example 1

Authorizing your directory managers for Sales and for Shipping to use different commands on the user IDs they manage:

  1. Create two lists of directory managers for your site.
  2. Create two lists of command authorities, one for each set of directory managers. The lists include the authorities for commands that each group of directory managers will use most often: *SALECMD for directory managers in Sales, and *SHIPCMD for directory managers in Shipping:
    LIST *SALECMD CHANGE MANAGE USER ULIST
    LIST *SHIPCMD CHGMDISK MANAGE USER CLASS EXPIRE
    
  3. Give the directory managers authorization to use the commands over only the users they manage:
    GRANT *SALECMD OVER *DIRUSRS OF *SELF TO *SALEMGR
    GRANT *SHIPCMD OVER *DIRUSRS OF *SELF TO *SHIPMGR
    

    Alternatively, give the directory managers authorization to use the commands for all users:

    GRANT *SALECMD TO *SALEMGR
    GRANT *SHIPCMD TO *SHIPMGR
    
  4. Allow the directory managers to create new users:
    GRANT *NEWUSRS TO *SALEMGR
    GRANT *NEWUSRS TO *SHIPMGR
    
  5. Prevent DAN, who is authorized by the *SALECMD list, from using Manager Selection Menu selection 6 (moving a minidisk for the user IDs he manages):
    WITHHOLD MANSEL06 FROM DAN
    
  6. Let SILAS, one of the directory managers in Sales, use the PASSWORD command over users on the *SHIPMGR list:
    GRANT PASSWORD OVER *DIRUSRS OF *SHIPMGR TO SILAS
    
  7. Let SILAS, one of the directory managers in Sales, use the MANAGE command on the user IDs that LONNIE manages:
    GRANT MANAGE OVER LONNIE'S *MANAGEE TO SILAS
    

    or

    GRANT MANAGE OVER *DIRUSRS OF LONNIE TO SILAS
    
  8. Allow all directory managers to create new user IDs:
    GRANT MANAGE OVER *NEWUSRS TO *DIRMGRS
    
  9. Allow all directory managers to manipulate user IDs they manage:
    GRANT MANAGE OVER *DIRUSRS OF *SELF TO *DIRMGRS
    

Example 2

Giving full authorization to a menu and then withholding individual selections.

You want to authorize each directory manager to perform all management tasks except defining or reactivating a user ID (selection 1; MANSEL01) for any user ID. You want to give MANSEL01 authorization only to MARY:

  1. Create a list, *DMAN, of all directory managers, except for MARY, at your site:
    LIST *DMAN JOHN MARK JANET MIKE PETE ALICE AMY
    
  2. Give the directory managers and MARY authority to use all selections on the Manager Selection Menu:
    GRANT MANAGE TO *DMAN MARY
    
  3. Allow MARY to create new users:
    GRANT MANAGE *NEWUSRS TO MARY
    
  4. Withhold selection 1 on the Manager Selection Menu from directory managers except for MARY:
    WITHHOLD MANSEL01 FROM *DMAN
    

Example 3

Authorizing each program manager to move minidisks for any user IDs on the system:

  1. Put all program managers in the *PRGMRS list:
    LIST *PRGMRS MAC DAVE JIM
    
  2. Authorize your program managers to use only selection 6 from the Manager Selection Menu for any user ID:
    GRANT MANSEL06 OVER *ALL TO *PRGMRS
    

Example 4

Authorizing your program managers to use the User Selection Menu and to edit directory comments and review directory entries for any user IDs on the system:

  1. Put all commands for program managers (the commands for Manager Selection Menu selections 3, 7, and 8) in one list, *PRGCMD:
    LIST *PRGCMD MANSEL03 MANSEL07 MANSEL08 USER
    
  2. Authorize your program managers to use the commands in list *PRGCMD for any user ID:
    GRANT *PRGCMD OVER *ANY TO *PRGMRS
    

    or

    GRANT *PRGCMD TO *PRGMRS
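
The examples above show that a GRANT record with no OVER clause, or with OVER *ALL or OVER *ANY, applies to any user ID. The following Python sketch is an added example, not part of CA VM:Director or its documentation: it reads AUTHORIZ CONFIG-style records, expands command lists, and reports every grant that is not limited to specific user IDs, so those records can be reviewed against least privilege. The record grammar is an assumption inferred only from the examples on this page; WITHHOLD records and grantee lists are not evaluated, and the sample records are constructed from those examples.

```python
import re

# Constructed sample built from records shown on this page (not a real site's file).
SAMPLE = """\
LIST *SALECMD CHANGE MANAGE USER ULIST
LIST *PRGCMD MANSEL03 MANSEL07 MANSEL08 USER
GRANT *SALECMD OVER *DIRUSRS OF *SELF TO *SALEMGR
GRANT *SALECMD TO *SALEMGR
GRANT MANSEL06 OVER *ALL TO *PRGMRS
GRANT *PRGCMD OVER *ANY TO *PRGMRS
GRANT PASSWORD OVER *DIRUSRS OF *SHIPMGR TO SILAS
"""

# Assumed grammar, inferred only from the examples on this page:
#   GRANT <what...> [OVER <scope...>] TO <grantees...>
GRANT_RE = re.compile(r"^GRANT\s+(.+?)(?:\s+OVER\s+(.+?))?\s+TO\s+(.+)$", re.I)
WIDE_SCOPES = {"*ALL", "*ANY"}  # scopes the page uses for "any user ID"

def parse_lists(text):
    """Collect LIST records as {list name: members}."""
    rows = (line.upper().split() for line in text.splitlines())
    return {w[1]: w[2:] for w in rows if len(w) >= 2 and w[0] == "LIST"}

def expand(name, lists, seen=()):
    """Expand a list name to its members; any other name stands for itself."""
    if name not in lists or name in seen:  # 'seen' guards against self-referencing lists
        return [name]
    return [c for m in lists[name] for c in expand(m, lists, seen + (name,))]

def unscoped_grants(text):
    """Return (line_no, grantee, command) for each GRANT that covers any user ID."""
    lists = parse_lists(text)
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # LIST, WITHHOLD and unrecognized records are skipped
        what, scope, grantees = m.groups()
        if scope is not None and scope.upper().split()[0] not in WIDE_SCOPES:
            continue  # limited by an OVER clause naming specific users
        for grantee in grantees.upper().split():
            for item in what.upper().split():
                for cmd in expand(item, lists):
                    findings.append((no, grantee, cmd))
    return findings

if __name__ == "__main__":
    for no, grantee, cmd in unscoped_grants(SAMPLE):
        print(f"record {no}: {grantee} may use {cmd} over any user ID")
```

Each reported record is a candidate for an `OVER *DIRUSRS OF *SELF` clause or a matching WITHHOLD record if the wide scope is not intended.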