Step 4: Add System Security Records and Create Security Groups

You can create the security groups and security group managers for your site.

To create the security groups for your site

  1. Edit the SECURITY CONFIG file by entering:
    vmsecure config security
    
  2. Add these records if they are not already there:
    AUTOEXP warning expiration
    DISPRULE {ALL | NORULE | REJECT}
    

    The AUTOEXP record controls the automatic expiration of user ID logon passwords. The DISPRULE record displays information about the rules that allow or disallow an action, or indicates when no rules are found.

    Note: For more information about the AUTOEXP record and the DISPRULE record, see the Reference Guide.

  3. Add the NORULE record:
    NORULE ACCEPT
    

    The NORULE ACCEPT record specifies that if no rule is found concerning the CP commands AUTOLOG, DIAL, LINK, LOGON, SPOOL, STORE HOST, TAG, TRANSFER, and XAUTOLOG, the command is processed as if the Rules Facility were not installed. Later, you may want to change this record to NORULE REJECT.

    Note: For more information about the NORULE record, see the Reference Guide.

  4. Add an ENABLE statement:
    ENABLE [PWPHRASE] [COUPLE] [RDEVCTRL] [FOR] [TRSOURCE]
    

    The ENABLE record specifies which of the optional system access capabilities or optional types of rules are in effect.

    Note: For more information about the ENABLE record, see the CA VM:Secure Reference Guide.

  5. Create the security groups for your site. For each group, you can optionally specify a user ID to act as the security group manager. Add a GROUP record for each security group, using the following format:
    GROUP groupname [sgmgrid]
    

    The variable groupname is any value that is valid on an ACIGROUP record and that satisfies the criteria for a valid CMS file name, and sgmgrid is the user ID that will act as the manager for security group groupname. The sgmgrid variable is optional; however, you may want to designate a security group manager and authorize that person to make rules for the group.

    For example, to create security group FINANCE and allow user ID CARLAT to be the security group manager, you would use the following GROUP record:

    GROUP FINANCE CARLAT
    

    With the flexible authorization hierarchy of CA VM:Secure, you might want to make your security group managers the same user IDs as your directory managers. To do this, ensure that the user ID specified on the GROUP record has MANAGE authorization in the AUTHORIZ CONFIG file and is represented in the VMSECURE MANAGERS file.

    Note: For more information about defining a directory manager, see the Administration Guide. For more information about using the GROUP record, see the Reference Guide.

  6. Save the changes and exit the file.
  7. Continue to Step 5: Create Rules Authorizations.
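
An added example, not part of the CA VM:Secure documentation: a Python check, run against an off-host copy of the SECURITY CONFIG text, that validates the records from steps 2 through 5 against the syntax shown above and flags NORULE ACCEPT. The function name, the CMS file-name character set, and the sample records are assumptions constructed for illustration.

```python
import re

# Operand sets copied from the record syntax shown in the steps above.
DISPRULE_VALUES = {"ALL", "NORULE", "REJECT"}
NORULE_VALUES = {"ACCEPT", "REJECT"}
ENABLE_OPTIONS = {"PWPHRASE", "COUPLE", "RDEVCTRL", "FOR", "TRSOURCE"}
REQUIRED = ("AUTOEXP", "DISPRULE", "NORULE", "ENABLE")
# Assumption: a valid CMS file name is 1-8 characters from this set.
CMS_NAME = re.compile(r"[A-Z0-9$#@+\-:_]{1,8}")

def check_security_config(text):
    """Return (findings, groups); records not covered by this step are ignored."""
    findings, groups, seen = [], {}, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().upper()
        if not line:
            continue
        record, *ops = line.split()
        seen.add(record)
        if record == "AUTOEXP" and len(ops) != 2:
            findings.append(f"line {n}: AUTOEXP needs warning and expiration")
        elif record == "DISPRULE" and (len(ops) != 1 or ops[0] not in DISPRULE_VALUES):
            findings.append(f"line {n}: DISPRULE must be ALL, NORULE or REJECT")
        elif record == "NORULE":
            if len(ops) != 1 or ops[0] not in NORULE_VALUES:
                findings.append(f"line {n}: NORULE must be ACCEPT or REJECT")
            elif ops[0] == "ACCEPT":  # no matching rule means the command is processed
                findings.append(f"line {n}: NORULE ACCEPT in effect; consider NORULE REJECT")
        elif record == "ENABLE":
            findings += [f"line {n}: unknown ENABLE option {o}" for o in ops if o not in ENABLE_OPTIONS]
        elif record == "GROUP":
            if not 1 <= len(ops) <= 2 or not CMS_NAME.fullmatch(ops[0]):
                findings.append(f"line {n}: invalid GROUP record: {line}")
            else:  # manager is None when sgmgrid was omitted
                groups[ops[0]] = ops[1] if len(ops) == 2 else None
    findings += [f"missing {r} record" for r in REQUIRED if r not in seen]
    return findings, groups

# Constructed sample file content, not taken from a real system.
SAMPLE = """\
AUTOEXP 7 30
DISPRULE ALL
NORULE ACCEPT
ENABLE PWPHRASE COUPLE
GROUP FINANCE CARLAT
GROUP PAYROLLDEPT
"""

if __name__ == "__main__":
    print(check_security_config(SAMPLE))
```

Groups returned with a manager of None have no sgmgrid on their GROUP record.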