Command line security operations

This section describes how to configure access management when not using Central Governance.

In a security configuration that includes a large number of users, it is impractical to manage access to Transfer CFT objects on an individual basis. By including each user in one or more groups, you can control privileges on a more general scale.

This optional command is used to define a user group’s privileges and to assign users to groups.

Users will not have any privileges if they are:

  • Not identified by a SECUSER command
  • Not assigned to a group
  • Assigned to a group for which no privileges have been defined

Syntax

SECGROUP
    MODE = {REPLACE | CREATE | DELETE},
    ID = identifier,
    [ORIGIN = {BOTH | LOCAL | REMOTE},]
    [PASSWORD = value,]
    PROFILE = (profile, profile, ...),
    [USER = (user, user, ...)]

Description

Use the SECGROUP command to define a user group’s privileges and to assign users to groups.

Parameters

ID = identifier

Group identifier.

This identifier, if present, must be unique. You cannot specify multiple SECGROUP commands with the same ID and origin.

The group identifier must be recognized by the operating system. If this parameter is included, the USER parameter may be omitted.

MODE = {REPLACE | CREATE | DELETE}

Operation to be carried out:

  • REPLACE: modifies one or more records, or creates them if they do not exist
  • CREATE: creates one or more records
  • DELETE: deletes one or more records

[ORIGIN = {BOTH | LOCAL | REMOTE}]

Origin of the user group: local or remote.

You can use this parameter to assign different profiles to users who can execute both local and remote actions.

Note: the REMOTE origin is not implemented in the current release.

[PASSWORD = value]

User password.

PROFILE = (profile, profile, ...)

Explicit list of profiles associated with the group.

The maximum number of profiles is 20.

The * and ? wildcard characters cannot be used when specifying profiles.

[USER = (user, user, ...)]

List of users belonging to the group.

This parameter enables you to define the group or to add to a group that is already recognized by the operating system.

Users may be either SECUSER command identifiers or user names declared at OS level.

Note: if you define individual privileges for a user who belongs to a group, the individual privileges take precedence.

Defining the Default Group: SECGROUP

You can specify default group privileges by creating a SECGROUP command with the DEFAULT identifier (this keyword is predefined in the portable security system).

The security system uses this group when no others can be found in the security database.

For a reminder of how the user search mechanism works, refer to the topic Searching for Privileges.

Syntax

SECGROUP
    MODE = {REPLACE | CREATE | DELETE},
    ID = DEFAULT,
    [ORIGIN = {BOTH | LOCAL | REMOTE},]
    [PASSWORD = value,]
    PROFILE = (profile, profile, ...),
    [USER = (user, user, ...)]

Description

Use the SECGROUP command to define a user group’s default privileges and to assign users to groups.

Parameters

ID = DEFAULT

Identifier of the default group.

MODE = {REPLACE | CREATE | DELETE}

Operation to be carried out:

  • REPLACE: modifies one or more records, or creates them if they do not exist
  • CREATE: creates one or more records
  • DELETE: deletes one or more records

[ORIGIN = {BOTH | LOCAL | REMOTE}]

Origin of the user group: local or remote.

You can use this parameter to assign different profiles to users who can execute both local and remote actions.

Note: the REMOTE origin is not implemented in the current release.

[PASSWORD = value]

User password.

PROFILE = (profile, profile, ...)

Explicit list of profiles associated with the group.

The maximum number of profiles is 20.

The * and ? wildcard characters cannot be used when specifying profiles.

[USER = (user, user, ...)]

List of users belonging to the group.

This parameter is used either to define the group or to add to a group that is already recognized by the operating system.

Users may be either SECUSER command identifiers or user names declared at OS level.

Caution: if you define individual privileges for a user who belongs to a group, the individual privileges take precedence.

Example 1

Privileges granted to members of a group

Action definitions

SECDACT ID = UPDATE,
    MODE = REPLACE,
    ACTION = (READ,MODIFY),
    SCOPE = OWNER

Object definitions

SECDOBJ ID = DPART,
    MODE = REPLACE,
    OBJECT = CFTPART,
    VALUE = P1*

Category definition

SECCATEG ID = CATPART,
    MODE = REPLACE,
    DOBJ = DPART,
    DACT = UPDATE

User profile definition

SECPROF ID = PROF1,
    MODE = REPLACE,
    CATEG = CATPART

Definition of an individual user

SECUSER ID = U1,
    MODE = REPLACE,
    PROFIL = PROF1

Group definition

SECGROUP ID = G1,
    MODE = REPLACE,
    PROFIL = PROF1,
    USER = (U1,system_name)

Users who belong to the group called G1 are authorized to apply the VIEW and UPDATE actions to the objects that they have created.

Example 2

Privileges granted to users belonging to a group recognized by the OS

Profile definition

SECPROF ID = USER,
    MODE = REPLACE,
    CATEG = (EXECRQST,IDFS)

Group definition

SECGROUP ID = ALLUSERS,
    MODE = REPLACE,
    ORIGIN = LOCAL,
    USER = (USER1,USER2,USER3,USER4),
    PROFIL = USER

If the OS recognizes the ALLUSERS group, users belonging to this group are governed by the profile called USER. The individual users USER1, USER2, USER3 and USER4 are all assigned to the Transfer CFT USER profile, even if they belong to a different group at the operating system level.
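The following Python model is an added illustration of the lookup rules this page states; it is not Transfer CFT code. It shows that SECUSER privileges win over group privileges, that a group matches by its USER list or by an OS group with the same ID, that DEFAULT applies only when no other group matches, and that ORIGIN=REMOTE, wildcards in PROFILE and more than 20 profiles are rejected. The `SecurityDb` and `example_db` names and the ValueError checks are this model's own; `example_db` loads Example 1 and Example 2 from this page.

```python
from dataclasses import dataclass, field

MAX_PROFILES = 20  # limit stated for the PROFILE parameter


@dataclass
class SecurityDb:
    users: dict = field(default_factory=dict)   # SECUSER id -> set of profiles
    groups: dict = field(default_factory=dict)  # (id, origin) -> (profiles, members)

    def secuser(self, ident, profile):
        self.users[ident] = set(profile)

    def secgroup(self, ident, mode="REPLACE", profile=(), user=(), origin="BOTH"):
        if origin == "REMOTE":
            raise ValueError("ORIGIN=REMOTE is not implemented")
        if len(profile) > MAX_PROFILES:
            raise ValueError("PROFILE accepts at most %d entries" % MAX_PROFILES)
        if any("*" in p or "?" in p for p in profile):
            raise ValueError("wildcards are not allowed in PROFILE")
        key = (ident, origin)
        if mode == "DELETE":
            self.groups.pop(key, None)
        elif mode == "CREATE" and key in self.groups:
            raise ValueError("SECGROUP %s/%s already exists" % key)  # ID+ORIGIN is unique
        else:  # CREATE of a new group, or REPLACE (create-or-modify)
            self.groups[key] = (set(profile), set(user))

    def privileges(self, user, os_groups=()):
        """Profiles governing `user`: SECUSER entry first; else matching groups;
        else DEFAULT; else none (a matched group with no profiles also gives none)."""
        if user in self.users:  # individual privileges take precedence
            return set(self.users[user])
        matched, found = False, set()
        for (gid, _origin), (profiles, members) in self.groups.items():
            if gid != "DEFAULT" and (user in members or gid in os_groups):
                matched, found = True, found | profiles
        if matched:
            return found
        for (gid, _origin), (profiles, _members) in self.groups.items():
            if gid == "DEFAULT":  # used only when no other group was found
                return set(profiles)
        return set()


def example_db():
    """Example 1 and Example 2 of this page loaded into one database (constructed)."""
    db = SecurityDb()
    db.secuser("U1", ["PROF1"])
    db.secgroup("G1", profile=["PROF1"], user=["U1", "system_name"])
    db.secgroup("ALLUSERS", origin="LOCAL", profile=["USER"], user=["USER1", "USER2", "USER3", "USER4"])
    return db
```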
