

REVOKE AUTHORITY Command

Use the REVOKE AUTHORITY command to revoke access to SFS directories or files from users.

REVOKE AUTHORITY "Resource" FROM {"Who"} [("Options"]

Resource:
[filename filetype] dirid

Who:
userid | ALL | PUBLIC | nickname

Options:
[KEEPDirread | KEEPNewread | KEEpread | NEWauth | RWAuth] 
[TYPe | NOType]
[STACK [FIFO | LIFO]]
[FIFO]
[LIFO]

Note: Options can be entered in any order.

The CA VM:Secure REVOKE AUTHORITY command syntax is identical to the syntax of the CMS REVOKE AUTHORITY command.

Note: For more information about parameters and options for the REVOKE AUTHORITY command, see the IBM CMS Commands and Utilities Reference for your release of VM.

Authorizations

Enroll the CA VM:Secure service virtual machine as an SFS administrator in the DMSPARMS configuration file of every file pool for which the REVOKE AUTHORITY command will be issued. CA VM:Secure does not need to manage the file pool.

You must have REVOKE AUTHORITY authorization through a GRANT record in the CA VM:Secure AUTHORIZ CONFIG file.

Description

The CA VM:Secure REVOKE AUTHORITY command lets you remove a user ID's authorization to access certain files and directories. You can also use this command to downgrade a user's authority. The REVOKE AUTHORITY command can revoke only authorities previously established with either the CA VM:Secure GRANT AUTHORITY command or the CMS GRANT AUTHORITY command.

After verifying that the issuing user ID is authorized to perform the REVOKE AUTHORITY command for the target user IDs (including all user IDs in a nickname list), CA VM:Secure passes the REVOKE AUTHORITY command to CMS.

CA VM:Secure generates an audit record (1080) for each user ID specified on the command. If a nickname is specified, CA VM:Secure generates an audit record for every user ID defined in the nickname list.

Nickname Resolution

When you specify a nickname for userid, CA VM:Secure first uses information in your NAMES file to determine the local user. If there are user IDs that CA VM:Secure cannot resolve using the NAMES file, it then uses the DMSJNE routine to resolve the remaining unresolved user IDs. DMSJNE is an optional customer‑written routine that returns a local user ID for the supplied user ID and nodeid. If your site uses DMSJNE and it is not available, or if CA VM:Secure cannot resolve any of the user IDs, the REVOKE AUTHORITY command terminates with a return code of 328.
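
The resolution order described above, modelled as an added Python example (not CA VM:Secure or IBM code): it expands a nickname from NAMES-style entries and lists the 1080 audit records to expect, so a reviewer can check who a revoke on a nickname list will touch. The sample entries, the node names, the site_resolver callable standing in for DMSJNE, and the rule that one unresolved member fails the whole command with 328 are assumptions.

```python
import re
RC_INVALID_USERID = 328  # return code the page gives when resolution fails
AUDIT_RECORD = 1080      # audit record the page says is generated per user ID

# Constructed sample in CMS NAMES tag style (:tag.value); not from the page.
SAMPLE_NAMES = """\
:nick.PAYTEAM :list.ALICE BOBR REMOTE1
:nick.ALICE   :userid.ALICE01 :node.VMSYS1
:nick.BOBR    :userid.BOBR02  :node.VMSYS1
:nick.REMOTE1 :userid.RJONES  :node.VMSYS2
"""

def parse_names(text):
    """Return {nickname: {tag: value}}; a line starting :nick. opens an entry."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.lower().startswith(":nick."):
            current = {}
        if current is None:
            continue  # skip text before the first entry
        for tag, value in re.findall(r":(\w+)\.([^:]*)", line):
            current[tag.lower()] = value.strip()
        entries[current["nick"].upper()] = current
    return entries

def resolve(nickname, names, local_node, site_resolver=None):
    """Expand a nickname to local user IDs; any unresolved member fails (assumed)."""
    entry = names.get(nickname.upper())
    if entry is None:
        return RC_INVALID_USERID, []
    members = entry["list"].split() if "list" in entry else [nickname]
    resolved = []
    for member in members:
        m = names.get(member.upper(), {})
        userid, node = m.get("userid", member), m.get("node", local_node)
        if m and node == local_node:
            resolved.append(userid)  # NAMES alone identifies a local user
            continue
        # Hypothetical stand-in for DMSJNE: (userid, nodeid) -> local ID or None.
        local = site_resolver(userid, node) if site_resolver else None
        if local is None:
            return RC_INVALID_USERID, []
        resolved.append(local)
    return 0, resolved

def expected_audit(nickname, names, local_node, site_resolver=None):
    """Return (rc, [(1080, userid), ...]) to reconcile against the audit log."""
    rc, users = resolve(nickname, names, local_node, site_resolver)
    return rc, [(AUDIT_RECORD, user) for user in users]
```

Comparing the list from expected_audit with the audit records actually written after the command shows whether every member of the nickname list was processed.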

Examples

Return Codes and Error Messages

The table, REVOKE AUTHORITY Command: Return Codes and Error Messages, lists return codes and error messages for the REVOKE AUTHORITY command.

The REVOKE AUTHORITY command may also generate CMS messages.

Note: For more information about these messages, use the CMS help or see the IBM messages and codes documentation.

REVOKE AUTHORITY Command: Return Codes and Error Messages

The following table describes the return code and the associated error message:

Return Code   Message Number   Text
-----------   --------------   ----------------------------------------------------
24            1117E            REVOKE IS NOT A CA VM:Secure COMMAND
38            0038E            MISSING PARAMETER
39            0039E            INVALID PARAMETER parameter
76            0076S            USER ERROR code COPYING FILE nickname_file
99            0099I            REVOKE COMMAND CANCELED
221           0221E            MISSING OPTION OPERAND
265           0265E            NOT AUTHORIZED FOR: REVOKE filepool userid
328           0328E            INVALID USERID userid
543           0543E            THE SERVANT FACILITY IS NOT CURRENTLY TURNED ON
586           0586E            ERROR code STARTING SERVANT
625           0625E            TOO MANY SERVANTS IN USE, COMMAND CANNOT BE EXECUTED
7063          7063E            EXTRANEOUS PARAMETER(S) parameters
7065          7065E            FILE POOL filepoolid NOT RESPONDING TO REQUESTS

Note: