

Authorizations for General Users

General users can create and change rules that pertain to their own user ID and minidisks.

For example, create a list of the rules commands to be used by general users:

LIST   *RULEUSR GROUP HISTORY RULEMAP

Then, to authorize all users to use the commands in the *RULEUSR list on their own user ID, you would add this GRANT record:

GRANT *RULEUSR OVER *SELF TO *ALL

To restrict the authorizations so that users can use the commands only on their own user ID, use the *SELF predefined variable. For example, to let all users use the CAN command to query their own authorizations, add this GRANT record to the AUTHORIZ CONFIG file:

GRANT CAN OVER *SELF TO *ALL

You can also give users authorization to use the USER parameter on both the RULES command (authorization RULES USER) and the RULEMAP command (authorization RULEMAP USER). Because these are multiple-word authorizations, you cannot specify them on a LIST record; you must give these authorizations individually:

The CAN and QRULES commands, which determine the exact rule governing a specific request, do not record access queries in the audit data. If your site needs to audit all system actions, you may want to authorize your users to use the RULEMAP command, for which invalid access attempts are written to the journal.
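The following review script is an added example, not part of the product or its documentation. It reads LIST and GRANT records in the forms shown above and reports grants to *ALL that are not scoped to *SELF, along with grants of the CAN and QRULES commands, whose queries are not recorded in the audit data. The sample records, the MAINT user ID, and the function names are constructed for illustration, and the parser assumes only the record forms that appear on this page.

```python
# Constructed sample in the LIST/GRANT record forms shown on this page.
SAMPLE = """\
LIST   *RULEUSR GROUP HISTORY RULEMAP
GRANT *RULEUSR OVER *SELF TO *ALL
GRANT CAN OVER *SELF TO *ALL
GRANT QRULES OVER MAINT TO *ALL
"""

# Per the page: these commands do not record access queries in the audit data.
UNAUDITED = {"CAN", "QRULES"}


def parse(text):
    """Return (lists, grants) built from LIST and GRANT records."""
    lists, grants = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "LIST" and len(tok) > 2:
            lists[tok[1]] = tok[2:]
        elif tok[0] == "GRANT" and "OVER" in tok and "TO" in tok:
            o, t = tok.index("OVER"), tok.index("TO")
            # A multiple-word authorization (such as RULES USER) is
            # everything between GRANT and OVER.
            grants.append((" ".join(tok[1:o]),
                           " ".join(tok[o + 1:t]),
                           " ".join(tok[t + 1:])))
    return lists, grants


def review(text):
    """Return (kind, command, scope) findings for grants made TO *ALL."""
    lists, grants = parse(text)
    findings = []
    for auth, over, to in grants:
        if to != "*ALL":
            continue
        # Expand a list name into its commands; a plain name stands alone.
        for cmd in lists.get(auth, [auth]):
            if over != "*SELF":
                findings.append(("scope", cmd, over))
            if cmd in UNAUDITED:
                findings.append(("unaudited", cmd, over))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding)
```
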