Reference Guide › Command Reference › GENACI Command

GENACI Command

Use the GENACI command to assign a user ID to or remove a user ID from an ACI security group. The GENACI command is valid only if the Rules Facility is installed at your site and only for active user IDs.

GENACI userid [groupname | *]

Authorizations

When the GENACI command is used in a CMS EXEC, the issuing user ID should have NOPASS GENACI authorization in the AUTHORIZ CONFIG file. This authorization prevents the issuer from being prompted for a password for each change.

Definitions

userid

Specifies the user ID to assign to or remove from a security group. The user ID must be an active user ID.

groupname

Is the name of the security group to which to assign the user ID. This group name must be a valid CMS filename or an asterisk. An asterisk indicates that the GROUP user exit will provide the group name.

The groupname is required if you are assigning the user ID to a security group; it is not allowed if you are removing the user ID from a security group.

Description

If you use the GENACI command to assign a user ID to a security group, the ACIGROUP statement includes on it the name of the ACI security group you specify in the GENACI command, effectively adding that user to that security group.

A user ID can belong to only one security group at a time. If you assign the user ID to a security group and the user ID already belongs to one, the GENACI command replaces the ACIGROUP statement currently in that user directory entry with the one defined by this GENACI command. If the user ID did not already belong to a security group, the GENACI command simply adds the ACIGROUP statement defined by this GENACI command to that user directory entry.

If you remove a user ID from a security group, the GENACI command removes the ACIGROUP statement from that user directory entry.

The GENACI command always calls the GROUP user exit. This user exit is designed to:

• Restrict your ability to remove ACI groups as appropriate
• Validate the group name you specify according to site standards
• Specify the ACI group to use when you specify an asterisk

If you specify an asterisk for the ACI group name and the GROUP user exit is not defined in the PRODUCT CONFIG file, a message displays indicating that an invalid group name was specified. If you specify any ACI group name, or omit it completely, and the GROUP user exit is not defined in the PRODUCT CONFIG file, the ACI group name is added or removed, as appropriate.

The security group you specify on this command must be defined on a GROUP record in the SECURITY CONFIG file.

Users can become members of another security group temporarily by using the GROUP command.

Examples

• To add user ID FRASIERC to ACIGROUP PSYCH, enter:

  vmsecure genaci frasierc psych
  

• To add the same ACIGROUP statement to several directory entries, do the following:
  1. Create an EXEC file named CMS EXEC:

     vmsecure query users (manager carlat exec
     

  2. Modify the EXEC created by the QUERY command:

     copyfile cms exec a (spec
     

     CMS prompts:

     ENTER SPECIFICATION LIST:
     

     Enter in upper case to add the group name PSYCH:

     1‑15 1 /PSYCH/ 17
     

  3. Enter:

     cms vmsecure genaci
     

• To remove user ID FRASIERC from ACIGROUP PSYCH and add him to ACIGROUP PATRON, enter:

  vmsecure genaci frasierc patron
  

Note:

• For information about temporarily switching security groups, see GROUP Command.
• For a complete description of the GROUP user exit, see GROUP User Exit.