QRULES Command

Reference Guide › Command Reference › QRULES Command

QRULES Command

Use the QRULES command to query the CA VM:Secure rules database for user authorizations.

The syntax and function are identical to the CAN command. The differences in output are as follows:

The QRULES command output displays the relevant rule(s) governing the action, whereas the CAN command responds by return code.
For query of rules that do not involve an ACIGROUP, the meaning of the output of the QRULES and CAN commands are identical. For query of rules that involve an ACIGROUP, the meaning of the QRULES and CAN commands may not be identical. The QRULES command defaults to the default ACIGROUP in the directory. The CAN command uses the current group setting if the user ID is logged on. If the user ID is not logged on, then the CAN command uses the default ACIGROUP.

Description

The QRULES command lets you determine whether a user ID is authorized to perform a specific action using CP, CA VM:Schedule, and CA VM:Tape commands. It responds with the rule that governs the specified action.

Examples

To determine whether user ID GEORGE can autolog user ID MARTHA, enter:
```
vmsecure qrules george autolog martha
```
The response indicates that the governing rule is the NORULE default rule:
```
ACCEPTED VIA NORULE DEFAULT
```
To determine whether user ID JAMES can transfer files to user ID DOLLEY, enter:
```
vmsecure qrules james transfer dolley
```
The response indicates that DOLLEY’s user rule for SPOOL commands accepts all SPOOL and TRANSFER commands:
```
ACCEPTED VIA USER RULE: ACCEPT * SPOOL
```
To determine whether user ID SYSOPER can link to the TEKDBASE 191 minidisk when SYSOPER is a member of default security group OPERATNS, enter:
```
vmsecure qrules sysoper link tekdbase 191
```
The response indicates that SYSOPER cannot perform the link based on a group level rule:
```
REJECTED VIA GROUP RULE: REJECT OPERATNS LINK (GROUP HISTORY
```
To determine whether user ID SYSOPER can link to the TEKDBASE 191 minidisk if SYSOPER were a member of security group SUPPORT, enter:
```
vmsecure qrules sysoper link tekdbase 191 (group support
```
The response indicates that if SYSOPER were a member of the security group SUPPORT, SYSOPER can perform the link successfully:
```
ACCEPTED VIA NORULE DEFAULT
```

Note: For command syntax and parameter descriptions of the CAN and QRULES commands, see the CAN Command. To use the QRULES command, substitute the word QRULES for the word CAN wherever it occurs in the text.