Use the CAN command to determine whether a user ID is authorized by a rule to perform a specific action. The syntax of the CAN command allows you to phrase your request as a question. Because the response from the CAN command is a return code, you can use the CAN command in programs that require checking of a rule in the rules database.
The general format of the CAN command is as follows:
VMSECURE CAN userid action target (option
userid
Specifies the user ID whose authorization you want to query.
action
Specifies an action for which there is an available rule.
target
Specifies a user ID, terminal address, or tape that will be the recipient of the action.
Example:
vmsecure can fraiserc autolog liliths
FRAISERC is the user ID whose rules you want to query, the CP AUTOLOG command is the action, and LILITHS is the user ID that would receive the action if FRAISERC were authorized.
The CAN command does not record access queries in the audit data. A user who holds CAN authorization can therefore probe the rules database without leaving an audit trail, so do not make CAN authorization generally available.
The actions of this command can be as simple as AUTOLOG, or they can be quite detailed. The detailed format of the CAN command appears in the reference manual.
CAN requires an authorization that covers the parameters of the command whose rule is being queried. For example:
vmsecure can fraiserc autolog liliths
To issue the command above, you would need CAN FRAISERC AUTOLOG LILITHS authorization in the AUTHORIZ CONFIG file. This authorization can be granted explicitly, but it would more likely be covered by a general statement like one of the following, where userid is your user ID:
GRANT CAN FRAISERC TO userid
GRANT CAN TO userid
The principle is that a shorter authorization always implies every longer authorization that begins with it: GRANT CAN FRAISERC covers any CAN query about FRAISERC, and GRANT CAN covers any CAN query at all.
Note that userid might be able to switch security group membership by using the GROUP command, and the rules that apply can differ by group. Use the GROUP option of CAN to query the access rules that would apply if userid were a member of a security group other than the default.
Examples
vmsecure can fraiserc logonby liliths
The system responds as follows:
READY (00000);
A return code of zero means that FRAISERC can log on to LILITHS's user ID with his own password, either by using the BY keyword of the LOGONBY Facility or by using the CP LOGON BY command.
vmsecure can dianec tag 6670
The system responds as follows:
READY (00008);
A return code of 8 indicates that no rule matches the request and that the TAG command would be permitted because the NORULE ACCEPT default is in effect.
vmsecure can rebeccah link liliths 192 rr
The system responds as follows:
READY (00004);
A return code of 4 indicates that a conditional accept is in effect: the ACCEPT rule governing the request has neither the NOPASS nor the LOGPASS option. If the read password for LILITHS's 192 minidisk is anything but ALL, REBECCAH would be prompted for the password and would be denied the link if she could not supply the correct password.
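The page notes that CAN is meant to be driven from programs because its answer is a return code, and the examples above give the meaning of codes 0, 4 and 8. The following CMS EXEC is an added example, not code from the CA VM:Secure manual or product: it issues VMSECURE CAN with the arguments it is given, reads the return code from RC, and maps it to a verdict a calling program can act on. The exec name CANCHECK, and the decision to treat any return code other than 0, 4 and 8 as "not authorized or error" (the page does not document those codes), are this example's own assumptions.

```rexx
/* CANCHECK EXEC                                                      */
/* Added example, not part of the VM:Secure documentation.            */
/* Asks VM:Secure whether USERID may perform ACTION on TARGET and    */
/* maps the CAN return code to a verdict a calling program can use.   */
/*                                                                    */
/* Usage:  CANCHECK userid action target [more args] [(option]        */
/* e.g.    CANCHECK rebeccah link liliths 192 rr                      */
/*                                                                    */
/* Assumptions (not documented on the page):                          */
/*   - the exec name CANCHECK;                                        */
/*   - any return code other than 0, 4 or 8 is treated as             */
/*     "not authorized or error" and is passed back unchanged.        */

/* userid and action are single words; everything after them        */
/* (target, extra parameters such as a minidisk address and mode,     */
/* and any "(option" string) is passed to CAN untouched.              */
Parse Upper Arg userid action rest
rest = Strip(rest)

If userid = '' | action = '' | rest = '' Then Do
   Say 'Usage: CANCHECK userid action target [more args] [(option]'
   Exit 100
End

/* Address Command issues the command directly to CMS, bypassing     */
/* synonym and EXEC lookup, and leaves the return code in RC.         */
Address Command 'VMSECURE CAN' userid action rest
code = rc

Select
   When code = 0 Then
      verdict = 'ACCEPT: a rule permits the request'
   When code = 4 Then
      /* ACCEPT rule without NOPASS or LOGPASS: the real request may  */
      /* stop at a password prompt, so do not treat this as           */
      /* unconditional permission in unattended automation.           */
      verdict = 'CONDITIONAL: permitted, but a password prompt may follow'
   When code = 8 Then
      verdict = 'NORULE ACCEPT: no rule matches, default accept applies'
   Otherwise
      /* Assumption: any other code means not authorized or an error. */
      verdict = 'NOT AUTHORIZED OR ERROR'
End

Say userid action rest '->' verdict '(rc' code')'

/* Return the CAN return code so a caller can test RC itself.         */
Exit code
```

The exec does not grant anything: whoever runs it must already hold CAN authorization covering the query, for example GRANT CAN FRAISERC TO that user. Because CAN queries are not written to the audit data, the exec should be made available only to the same restricted set of users who are allowed to issue CAN directly.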
Copyright © 2014 CA.
All rights reserved.