Queries whether userid1 can issue the CA VM:Tape CATALOG command for volume volser owned by userid2.
Queries whether userid1 can issue the CA VM:Tape LIST command for volumes created on another system in a shared TMC environment.
See the table below for possible kinds of tape.
Queries whether userid1 can issue the CA VM:Tape LIST command for tapes owned by userid2.
Queries whether userid1 can issue the CA VM:Tape MOUNT command for volumes created on another system in a shared TMC environment. See the table below for possible kinds of tape.
Queries whether userid1 can use the CA VM:Tape MOUNT command to mount and read or write to a tape owned by userid2. Possible kinds of tape are as follows:
| Kind of tape | Meaning |
|---|---|
| DSN dsname | Tape with a particular data set name |
| VOLUME FOREIGN | Foreign tape (a tape not listed in the CA VM:Tape Tape Management Catalog). This specification is not valid for usage with the SYSTEM parameter. |
| VOLUME SCRATCH | Scratch tape. This specification is not valid for usage with the SYSTEM parameter. |
| VOLUME volser | Particular volume |

Use the CAN command to query the rules database to determine whether a user ID is authorized to perform a specific action using CP, CA VM:Schedule, or CA VM:Tape commands. When searching for an authorization, the CAN command uses the first and most specific applicable rule it encounters in the rules database. It responds by return code so that you can use the CAN command in programs that need to check rules in the rules database. Use of the CAN command is not recorded in the audit data.
The user ID specified in this command may be able to temporarily switch security group membership using the GROUP command. Use the GROUP option of the command to query access rules as if the user ID were a member of a security group other than its default.
To query CA VM:Schedule and CA VM:Tape rules, activate the interfaces between CA VM:Secure and these two products through PRODUCT records in each product configuration file.
The CAN command is identical to the QRULES command except that the CAN command responds by return code and the QRULES command responds by displaying the rule that governs the specified action.
The CAN command is also similar to the MAY command. The difference is that the CAN command queries authorizations in the rules database to use CP, CA VM:Schedule, and CA VM:Tape commands while the MAY command queries authorizations in the AUTHORIZ CONFIG file to use CA VM:Secure commands.

| Return Code | Meaning |
|---|---|
| 0 | An unconditional ACCEPT rule. Unconditional rules are those with the NOPASS option specified or implied. |
| 4 | A conditional ACCEPT rule. Conditional rules generally suggest that CA VM:Secure check passwords. |
| 8 | A NORULE ACCEPT condition. This return code is reserved for queries against the CP command rules; queries against CA VM:Schedule and VM:Tape rules do not receive a return code of 8. A NORULE ACCEPT condition generally suggests that CA VM:Secure check passwords. |
| 12 | A NORULE REJECT condition. Queries against CA VM:Schedule, CA VM:Tape, LOGONBY, and GROUP commands receive this return code if no applicable rule is found, regardless of the value on the NORULE record in the SECURITY CONFIG file. |
| 16 | An explicit REJECT rule |
| 20 | An ACCEPT rule specifying LOGPASS |
| 24 | An invalid parameter |
| 28 | User ID does not exist |
| 40 | GROUP option not allowed |
| 44 | Invalid option |
| 100 | Error reading file |

Examples
vmsecure can normp autolog cliffc
The return code 0 means that NORMP can autolog CLIFFC.
vmsecure can cliffc tag 6670
The return code 8 indicates that the TAG command is permitted based on NORULE ACCEPT.
vmsecure can normp link cliffc 192 rr
The return code 4 indicates that a conditional accept is in effect. The ACCEPT rule that governs the action has neither the NOPASS nor the LOGPASS option. If the read password for the CLIFFC 192 minidisk is not ALL, NORMP is prompted for the password and is denied the link if the correct password is not supplied.
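
The following REXX EXEC is an added example, not part of the CA documentation. It runs one CAN query from a program and fails closed, so that only return code 0 counts as unconditional permission and every error code is treated as a denial. The EXEC name CANCHECK, its own exit codes (0, 4, 8), and the assumption that VMSECURE can be invoked through ADDRESS COMMAND are illustrative.

```rexx
/* CANCHECK EXEC - added example, not CA-supplied code.               */
/* Runs one CAN query and classifies the return code, failing closed. */
/* Usage: CANCHECK userid command operands                            */
/* Example: CANCHECK NORMP LINK CLIFFC 192 RR                         */
parse upper arg query
if query = '' then do
  say 'Usage: CANCHECK userid command operands'
  exit 8
end

/* Assumption: VMSECURE is callable as a CMS command from an EXEC.    */
address command 'VMSECURE CAN' query
canrc = rc

select
  when canrc = 0  then verdict = 'ALLOW - unconditional ACCEPT rule'
  when canrc = 4  then verdict = 'CONDITIONAL - conditional ACCEPT rule'
  when canrc = 8  then verdict = 'CONDITIONAL - NORULE ACCEPT (CP rules only)'
  when canrc = 20 then verdict = 'CONDITIONAL - ACCEPT rule specifying LOGPASS'
  when canrc = 12 then verdict = 'DENY - NORULE REJECT'
  when canrc = 16 then verdict = 'DENY - explicit REJECT rule'
  /* 24, 28, 40, 44, 100 and anything unexpected (including a         */
  /* negative rc when the command cannot be run) are query failures.  */
  otherwise            verdict = 'ERROR - query failed, treated as deny'
end

say 'CAN' query
say '  RC='canrc verdict

/* Collapse to three outcomes for the calling program:                */
/*   0 = permitted outright                                           */
/*   4 = an ACCEPT that is not unconditional (4, 8, 20)               */
/*   8 = rejected, or the answer could not be determined              */
if canrc = 0 then exit 0
if wordpos(canrc, '4 8 20') > 0 then exit 4
exit 8
```

A caller that tests only for a nonzero return code would treat 4, 8, and 20 the same as a rejection, and one that tests for "less than 12" would miss that 20 is also an ACCEPT; classifying each code explicitly avoids both mistakes.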
Copyright © 2014 CA. All rights reserved.