Previous Topic: CA VM:Schedule-Related ParametersNext Topic: CHANGE Command


CA VM:Tape-Related Parameters

CATALOG userid2 volser

Queries whether userid1 can issue the CA VM:Tape CATALOG command for volume volser owned by userid2.

LIST SYSTEM tape

Queries whether userid1 can issue the CA VM:Tape LIST command For volumes created on another system in a shared TMC environment.

See the table below for possible kinds of tape.

LIST userid2

Queries whether userid1 can issue the CA VM:Tape LIST command for tapes owned by userid2.

MOUNT SYSTEM tape { READ|WRITE }

Queries whether userid1 can issue the CA VM:Tape MOUNT Command for volumes created on another system in a shared TMC Environment. See the table below for possible kinds of tape.

MOUNT userid2 tape { READ|WRITE }

Queries whether userid1 can use the CA VM:Tape MOUNT command to mount and read or write to a tape owned by userid2. Possible kinds of tape are as follows:

Kind of tape

Meaning

DSN dsname

Tape with a particular data set name

VOLUME FOREIGN

Foreign tape (a tape not listed in the CA VM:Tape Tape Management Catalog)

This specification is not valid for usage with the SYSTEM parameter.

VOLUME SCRATCH

Scratch tape

This specification is not valid for usage with the SYSTEM parameter.

VOLUME volser

Particular volume

Description

Use the CAN command to query the rules database to determine whether a user ID is authorized to perform a specific action using CP, CA VM:Schedule, or CA VM:Tape commands. When searching for an authorization, the CAN command uses the first and most specific applicable rule it encounters in the rules database. It responds by return code so that you can use the CAN command in programs that need to check rules in the rules database. Use of the CAN command is not recorded in the audit data.

The user ID specified in this command may be able to temporarily switch security group membership using the GROUP command. Use the GROUP option of the command to query access rules as if the user ID were a member of a security group other than its default.

To query CA VM:Schedule and CA VM:Tape rules, activate the interfaces between CA VM:Secure and these two products through PRODUCT records in each product configuration file.

The CAN command is identical to the QRULES command except that the CAN command responds by return code and the QRULES command responds by displaying the rule that governs the specified action.

The CAN command is also similar to the MAY command. The difference is that the CAN command queries authorizations in the rules database to use CP, CA VM:Schedule, and CA VM:Tape commands while the MAY command queries authorizations in the AUTHORIZ CONFIG file to use CA VM:Secure commands.

Return Codes

Return Code

Meaning

0

An unconditional ACCEPT rule

Unconditional rules are those with the NOPASS option specified or implied.

4

A conditional ACCEPT rule

Conditional rules generally suggest that CA VM:Secure check passwords.

8

A NORULE ACCEPT condition

This return code is reserved for queries against the CP command rules; queries against CA VM:Schedule and VM:Tape rules do not receive a return code of 8. A NORULE ACCEPT condition generally suggests that CA VM:Secure check passwords.

12

A NORULE REJECT condition

Queries against CA VM:Schedule, CA VM:Tape, LOGONBY, and GROUP commands receive this return code if no applicable rule is found, regardless of the value on the NORULE record in the SECURITY CONFIG file.

16

An explicit REJECT rule

20

An ACCEPT rule specifying LOGPASS

24

An invalid parameter

28

User ID does not exist

40

GROUP option not allowed

44

Invalid option

100

Error reading file

Examples

Note: