Rules Facility Guide › Rules Reference › MEMBER Rule › Description

Description

MEMBER rules are valid only at the system and security group levels. MEMBER rules do not reference a CP command; rather, they control the GROUP command. The GROUP command allows users to change security group membership temporarily. This change is made only for the active user ID, not in the CP object directory or in the CA VM:Secure directory database. The user default security group, the group defined in the ACIGROUP statement in the user’s directory entry, remains unchanged by the GROUP command.

If there is no MEMBER rule that applies to a user request, the command is rejected. The NORULE record in the SECURITY CONFIG file does not apply.

Examples

• The following rule in the FINGROUP security group rules file allows BROCK to invoke the GROUP command to become a temporary member of the security group FINGROUP:

  ACCEPT BROCK MEMBER
  

• The following rules in the FINGROUP security group rules file prevent all users, except BROCK and members of security group ADMINGRP, from invoking the GROUP command to become temporary members of the security group FINGROUP:

  REJECT * MEMBER
  ACCEPT BROCK MEMBER (LOGPASS
  ACCEPT ADMINGRP MEMBER (GROUP LOGPASS
  

  The LOGPASS option prompts BROCK and user IDs in security group ADMINGRP for their logon passwords and verifies them before allowing them temporary membership in security group FINGROUP. The GROUP option specifies that ADMINGRP is a security group name.