

CAN Command

Use the CAN command to query the CA VM:Secure rules database for authorizations for a user ID. You must have the Rules Facility installed to use this command.

The CAN command syntax and function are identical to those of the QRULES command. The differences in output are as follows:

The syntax for the CAN command is as follows:

CAN userid1 {"ParmA" [("Options"] | "ParmB"}

ParmA:
  AUTOLOG  userid2
| COUPLE {lanowner lanname | SYSTEM vswitchname}
| DIAG88
| DIAGD4
| FOR userid2
| GROUP    groupid
| LINK     userid2 vaddr [linkmode]
| LOGONBY  userid2
| PASSCHNG
| RDEVCTRL device [{node | *} [READONLY]]
| SPOOL    userid2
| STORE    [termaddr]
| TAG      node
| TRANSFER userid2
| TRSOURCE
| VALIDATE userid2
| XAUTOLOG userid2

ParmB:
  DIAL termaddr [dialaddr [node]]
| LOGON termaddr [node]

Options:
GROUP groupname

You can query additional authorizations if CA VM:Schedule is installed on your system and the interface is enabled:

CAN userid1 {"Parms"} ["Options"]

Parms:
  CANCEL userid2 request 
| QUERY userid2 request
| SCHEDULE userid2 request

Options:
GROUP groupname

You can query additional authorizations if CA VM:Tape is installed on your system and the interface is enabled:

CAN userid1 {"Parms"} [("Options"]

Parms:
  CATALOG userid2 volser 
| LIST userid2
| LIST SYSTEM "TapeParms"
| MOUNT userid2 "TapeParms" {READ | WRITE}
| MOUNT SYSTEM "TapeParms" {READ | WRITE} 

TapeParms:
  VOLUME {volser | SCRATCH | FOREIGN}
| DSN datasetname

Options:
GROUP groupname

If CA VM:Tape is sharing a TMC with the CA 1 Tape Management System, you can query authorizations for volumes that were not created on VM through CA VM:Tape:

CAN userid1 {"Parms"} [("Options"]

Parms:
  LIST SYSTEM tape
| MOUNT SYSTEM tape { READ | WRITE }

Options:
GROUP groupname

Definitions

userid1

The user ID whose authorization is being checked.

AUTOLOG userid2

Queries whether userid1 can issue the CP AUTOLOG command for userid2.

COUPLE {lanowner lanname | SYSTEM vswitchname}

Queries whether userid1 can issue the CP COUPLE command for the lanname owned by lanowner, or the virtual switch named vswitchname.

DIAL termaddr [dialaddr [node]]

Queries whether the device at the specified terminal address can DIAL to userid1. For more information about terminal addresses, see Terminal Addresses.

Possible values for the termaddr command parameter are:

termaddr    Meaning

realterm

Address of a real terminal device, represented by four hexadecimal digits. (Example: 0024)

LDEV ldevid

Address of a logical device, represented by four hexadecimal digits. (Example: LDEV 0123)

IPADDR ipaddress

IPv4 address of a TN3270 connected terminal, represented by the standard dotted IP address form. An IPv4 address is four decimal numbers separated by periods. Each decimal number must be in the range 0 through 255. Leading zeros are not permitted (for example, use 1, not 001). (Example: IPADDR 10.0.89.51)

IPv6 address of a TN3270 connected terminal represented by 8 groups of 4 hexadecimal digits. The standard shorthand representations of an IPv6 address are also accepted.

NETID netid

Name of an SNA or VTAM logical unit, represented by up to eight characters. (Example: NETID WEST0016)

You can optionally specify the DIAL command dial address for userid1 as dialaddr, a four‑digit hexadecimal address.

DIAG88

Queries whether userid1 can issue DIAGNOSE X'88' subcode X'08' to validate a logon password.

DIAGD4

Queries whether userid1 can issue DIAGNOSE X'D4' to set alternate (surrogate) user IDs.

FOR userid2

Queries whether userid1 can issue a CP FOR command to execute a command on userid2.

GROUP groupid

Queries whether userid1 can become a member of groupid using the CA VM:Secure GROUP command.

LINK userid2 vaddr [linkmode]

Queries whether userid1 can issue the CP LINK command to link to the minidisk at virtual address vaddr that belongs to userid2. You can also specify a linkmode for this link.

LOGON termaddr [node]

Queries whether userid1 can log on from the device at the specified terminal address. For possible values for termaddr, see the DIAL parameter for this command.

LOGONBY userid2

Queries whether userid1 can log on to the target userid2 using either the CA VM:Secure LOGONBY Facility or the CP LOGON BY command.

PASSCHNG

Queries whether userid1 can change a password phrase.

RDEVCTRL device [{node | *} [READONLY]]

Queries whether userid1 can access the real device. You can make the request more specific by specifying node and READONLY.

SPOOL userid2

Queries whether userid1 can issue the CP SPOOL command to direct spool files to userid2.

STORE [termaddr]

Queries whether userid1 can issue the CP STORE HOST command. You can further restrict the query by specifying a terminal address from which the command may be entered. For possible values for termaddr, see the DIAL parameter for this command.

TAG node

Queries whether userid1 can issue the CP TAG command for the specified node.

TRANSFER userid2

Queries whether userid1 can issue the CP TRANSFER command to transfer spool files to or from userid2.

TRSOURCE

Queries whether a userid with class C command privileges can issue a CP TRSOURCE command.

VALIDATE userid2

Queries whether userid1 can issue DIAGNOSE X'A0' subcode X'04' to validate a logon password for userid2. This form is only valid for traditional passwords.

XAUTOLOG userid2

Queries whether userid1 can issue the CP XAUTOLOG command for userid2.

[GROUP groupname]

Specifies a different security group for userid1; the command queries rules as if userid1 were in groupname. You can use this option with all parameters except DIAL and LOGON.
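
The following added example is not part of the CA VM:Secure documentation or product. It shows how a script preparing access-review queries could check a termaddr against the forms listed under DIAL, and refuse the GROUP option on DIAL and LOGON, before composing the CAN command text. The function names, the user ID AUDIT01 and the group SECGRP1 are hypothetical, and Python's IPv6 parser is assumed to match the "standard shorthand" the table refers to.

```python
import ipaddress
import re

HEX4 = re.compile(r"[0-9A-Fa-f]{4}")        # realterm and LDEV: four hex digits
OCTET = re.compile(r"0|[1-9][0-9]{0,2}")    # decimal number, no leading zeros

def normalize_termaddr(termaddr):
    """Return termaddr with its keyword upper-cased, or raise ValueError."""
    parts = termaddr.split()
    if len(parts) == 1 and HEX4.fullmatch(parts[0]):
        return parts[0]                                # realterm
    if len(parts) == 2:
        kind, value = parts[0].upper(), parts[1]
        if kind == "LDEV" and HEX4.fullmatch(value):
            return f"LDEV {value}"
        if kind == "NETID" and len(value) <= 8:
            return f"NETID {value}"
        if kind == "IPADDR" and ":" in value:
            # Assumption: Python's parser stands in for "standard shorthand".
            ipaddress.IPv6Address(value)               # raises ValueError if bad
            return f"IPADDR {value}"
        if kind == "IPADDR":
            octets = value.split(".")
            if len(octets) == 4 and all(
                    OCTET.fullmatch(o) and int(o) <= 255 for o in octets):
                return f"IPADDR {value}"
    raise ValueError(f"not a valid termaddr: {termaddr!r}")

def can_query(userid1, parm, termaddr, group=None):
    """Compose a CAN query for LOGON, DIAL or STORE (text only; nothing is run)."""
    parm = parm.upper()
    if parm not in ("LOGON", "DIAL", "STORE"):
        raise ValueError(f"{parm} does not take a termaddr")
    if group and parm in ("LOGON", "DIAL"):
        raise ValueError("GROUP cannot be used with DIAL or LOGON")
    cmd = f"CAN {userid1} {parm} {normalize_termaddr(termaddr)}"
    # Options follow a left parenthesis, as in the syntax diagram above.
    return f"{cmd} (GROUP {group}" if group else cmd

if __name__ == "__main__":
    # Constructed sample values; AUDIT01 and SECGRP1 are hypothetical names.
    for addr in ("0024", "ldev 0123", "IPADDR 10.0.89.51", "IPADDR 10.0.089.51"):
        try:
            print(can_query("AUDIT01", "LOGON", addr))
        except ValueError as err:
            print("rejected:", err)
    print(can_query("AUDIT01", "STORE", "0024", group="SECGRP1"))
```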