Reference Guide › Configuration File Reference › GRANT Record

GRANT Record

Use the GRANT record to authorize users to use CA VM:Secure commands, utilities, and screen selections.

GRANT authority [OVER target-users] TO users [( "Options"]
Options:

GROUP

Configuration File

GRANT is defined in the AUTHORIZ CONFIG file.

Definitions

authority

Specifies the authorization to use an entire command, a command and some of its parameters, or a list of commands; authority can be any of the authorizations in the following tables:

• Any command or utility authorization, User Selection Menu (USE command) authorization, or Manager Selection Menu (MANAGE command) authorization from the Authorizations to Use CA VM:Secure Commands and Utilities table in the Administration Guide.
• Any predefined variable list from the Predefined Variable Lists table in the Administration Guide.
• Any command processing authorization from the Authorizations for Command Processing table in the Administration Guide.
• Any lists you create using LIST records.
• For more information about how to use lists, see User ID Lists and Authority Lists in the chapter "Authorizations" in the Administration Guide. For more information about the LIST record, see LIST Record.

  You can also use an authorization with a trailing asterisk (for example, MAN*) to indicate all authorizations that begin with the specified characters. Such authorizations will be flagged by the configuration file editor as unrecognized, but they are still functional.

OVER

Limits the scope of the authority; you can use the word OVER, to make it clear that the authority is valid only for user ID(s) that follow the word OVER.

target users

Specifies the user ID or a list of user IDs, over which the authority is granted to the users.

users

Specifies a list of user IDs, separated by blanks that receive these authorizations. A trailing asterisk (for example, M*) indicates that all user IDs beginning with the specified characters are authorized.

(CA VM:Secure only) Users can also be a list of security groups, separated by blanks, that receives these authorizations. A trailing asterisk on a security group name indicates that all members of those groups that begin with the specified characters are authorized.

GROUP

(CA VM:Secure only) Specifies that each user is a security group. The record then applies to all user IDs belonging to the named security groups.

Description

Depending on your site’s requirements, authorizations can be simple complex. For more information about setting up authorizations, see the chapter "Authorizations" in the Administration Guide. A user ID must be defined in the VMSECURE MANAGERS file to use manage subfunctions that manipulate DASD. See the chapter on directory managers in the Administration Guide for more information.

Example

• Give user ID VMANAGER every possible authorization to make him a system administrator:

  GRANT * TO VMANAGER
  

• Permit BATMAN to use selection 3 (Select User Menu) from the Manager Selection Menu and all selections from the User Selection Menu to manage user IDs assigned to manager ROBIN. BATMAN is not allowed to use any other menu selection from the Manager Selection Menu over these users:

  GRANT MANSEL03 OVER *DIRUSRS OF ROBIN TO BATMAN
  GRANT USER OVER *DIRUSRS OF ROBIN TO BATMAN
  

• Authorize JETHRO, ELLIMAE, and JED to use any selection from the Manager Selection Menu for any user ID other than their own (users cannot use the Manager Selection Menu to manage their own user IDs):

  GRANT MANAGE *ALL TO JETHRO ELLIMAE JED
  

• Authorize every user ID to use selections 3, 4, and 6 from the User Selection Menu, but no others. First, add a LIST record to create a list of authorizations to grant, then grant the list to all users:

  LIST *USRSTUF USESEL03 USESEL04 USESEL06
  GRANT *USRSTUF OVER *SELF TO *ALL
  

• Permit only users TED and MAINT to assign class A privilege through the CLASS command:

  GRANT CLASS A TO TED MAINT
  

• Grant manage authority to a list of directory managers. First, add a LIST record to create the list, then grant manage authority to the list:

  LIST *MGRTEAM TLOOIS BABS JOEP KRISTEN KAYCEEP
  GRANT MANAGE OVER *DIRUSRS OF *SELF TO *MGRTEAM
  

• Authorize SCOTTY to use the site‑written macro FINDMGR (site‑written macros require special authorization):

  GRANT $FINDMGR TO SCOTTY
  

  Note that some keyboards ascribe a different hexadecimal representation to the dollar sign, which, in the U.S., is usually X‘24.’ In the United Kingdom, X‘24’ is the pound sign, so this GRANT record is written:

  GRANT #FINDMGR TO SCOTTY
  

• Grant a single MAINT MANAGE subfunction, DISKMOVE, over user ID SPOCK to manager KIRK:

  GRANT MAINTMAN SPOCK DISKMOVE TO KIRK
  

• (CA VM:Secure only) Permit any member of the groups DEVEL and MAINT to assign a user ID to manager MYNOR:

  GRANT ASSIGN * MYNOR TO DEVEL MAINT (GROUP
  

• (CA VM:Secure only) Permit DAVID to use CHGMDISK for any user ID whose manager belongs to security group SYSTEMS:

  GRANT CHGMDISK OVER *DIRUSRS OF *GRPMEMS OF SYSTEMS TO DAVID
  

• Permit MAINT to use CPFMTXA command:

  GRANT CPFMTXA TO MAINT
  

  This allows MAINT to execute the CPFMTXA command:

  VMSECURE CPFMTXA parameters