Security group managers can create and change rules for their own user IDs and for user IDs in their security groups. A security group manager is different from a directory manager in that a directory manager is authorized to manage directory entries for a group of user IDs, while a security group manager manages users’ rules files.
At some sites, the directory manager for each user ID is also the security group manager for that user ID. In this case, the user ID specified on the GROUP record has MANAGE authorization in the AUTHORIZ CONFIG file and is represented in the VMSECURE MANAGERS file.
Note: For complete information about using the GROUP record, see the Reference Guide.
You give the security group managers authorization to use a subset of the Rules Facility commands on the group members. You can use user ID lists and command authority lists to give many authorizations at a time. You can also use the predefined variable lists (for example, *GRPMEMS and *GROUP) to grant authority to many group managers, group members, and groups.
The following examples show typical rules authorizations for security group managers:
LIST *RULEMGR CAN GENACI GROUP HISTORY QRULES, RULEMAP
Then, to authorize CARLAT (a security group manager) to use the commands in the list *RULEMGR for all members of the group PUBS, add the following record to the AUTHORIZ CONFIG file:
GRANT *RULEMGR OVER *GRPMEMS OF PUBS TO CARLAT
To authorize CARLAT to use the RULES USER command for all members of the group PUBS, add the following record to the AUTHORIZ CONFIG file:
GRANT RULES USER OVER *GRPMEMS OF PUBS TO CARLAT
To authorize all security group managers to use the commands in the list *RULEMGR on all members of the group PUBS, add this GRANT record to the AUTHORIZ CONFIG file:
GRANT *RULEMGR OVER *GRPMEMS OF PUBS TO *GRPMGRS
Then, to authorize all security group managers to use the RULES USER command for all members of the group PUBS, add this GRANT record to the AUTHORIZ CONFIG file:
GRANT RULES USER OVER *GRPMEMS OF PUBS TO *GRPMGRS
GRANT RULES USER OVER *GRPUSRS OF *SELF TO CARLAT WOODYB
GRANT RULES GROUP OVER *GROUP TO REBECCAH LILITHS
GRANT RULES USER OVER *GRPMEMS OF SECGRP1 TO CARLAT
GRANT RULES GROUP OVER *GRPS OF WOODYB TO CARLAT
GRANT RULES USER OVER *GRPUSRS OF REBECCAH TO CARLAT
GRANT QCPCFG TO *GRPMGRS
GRANT GROUP TO ERNIEP
You will also need to write a rule in SECGRP1’s group rules for ERNIEP to become a member.
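When many LIST and GRANT records accumulate, it helps to see which commands each grantee ends up holding and which grants go to a variable list such as *GRPMGRS. The following Python is an added example, not part of the CA documentation or product: its grammar is inferred only from the records shown on this page, and the names parse, effective, and broad_grantees are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample: records copied from the examples on this page.
SAMPLE = """\
LIST *RULEMGR CAN GENACI GROUP HISTORY QRULES, RULEMAP
GRANT *RULEMGR OVER *GRPMEMS OF PUBS TO CARLAT
GRANT RULES USER OVER *GRPMEMS OF PUBS TO *GRPMGRS
GRANT RULES USER OVER *GRPUSRS OF *SELF TO CARLAT WOODYB
GRANT QCPCFG TO *GRPMGRS
"""

# Grammar inferred from the records above only (an assumption, not the full
# product syntax): LIST *name CAN cmd ... / GRANT what [OVER scope] TO who ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<what>.+?)(?:\s+OVER\s+(?P<scope>.+?))?\s+TO\s+(?P<who>.+)$")

def parse(text):
    """Return (command lists, grants) from LIST and GRANT records."""
    lists, grants = {}, []
    for raw in filter(str.strip, text.splitlines()):
        line = " ".join(raw.replace(",", " ").split())
        words, m = line.split(), GRANT_RE.match(line)
        if words[0] == "LIST" and len(words) > 3 and words[2] == "CAN":
            lists[words[1]] = words[3:]
        elif m:
            grants.append((m["what"], m["scope"], m["who"].split()))
        else:
            raise ValueError(f"unrecognized record: {raw!r}")
    return lists, grants

def effective(text):
    """Map each grantee to the set of (command, scope) pairs it holds."""
    lists, grants = parse(text)
    held = defaultdict(set)
    for what, scope, who in grants:
        # A defined *list expands to its commands; anything else is one command.
        for cmd in lists.get(what, [what]):
            for grantee in who:
                held[grantee].add((cmd, scope))
    return dict(held)

def broad_grantees(text):
    """Grantees written as *variable lists, which cover many user IDs at once."""
    return sorted(g for g in effective(text) if g.startswith("*"))

if __name__ == "__main__":
    for grantee, pairs in sorted(effective(SAMPLE).items()):
        for cmd, scope in sorted(pairs, key=str):
            print(f"{grantee:9} {cmd:10} OVER {scope or '(none given)'}")
```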
Copyright © 2014 CA.
All rights reserved.