"GRANT NOPASS TO" in AUTHORIZ CONFIG

search cancel

"GRANT NOPASS TO" in AUTHORIZ CONFIG

book

Article ID: 226388

calendar_today

Updated On:

Products

VM:Secure for z/VM

Issue/Introduction

Looking in the manuals for a description of what this actually does.

I assume that this is for commands like LINK and XAUTOLOG.

Then I also assume that EG if a user has a LINK rule with NOPASS and also is listed on a GRANT NOPASS that this is then a 'double' NOPASS that is overkill and not necessary?

Environment

Release : 3.2

Component : VM:Secure for z/VM

Resolution

The AUTHORIZ CONFIG file can contain the following three types of records that are used to identify and set up user authorization for VM:Secure commands:

GRANT
LIST
WITHHOLD

GRANT NOPASS in the AUTHORIZ CONFIG pertains to VMSECURE commands the user is authorized to use. Many VM:Secure commands require users to enter their logon passwords when they issue the command.

To authorize user IDs to use a command without having to enter their logon passwords, give the user IDs NOPASS authorization. In this context, NOPASS is the authorization you are giving to use an entire command, a command and some of its parameters, or a list of commands.

Click on this link for helpful information documented in the VM:Secure Admin guide for "Waiving Password Requirements":

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-with-security/3-2/administrators/administrating-authorizations/granting-authorization-to-a-command-or-utility.html

Additional Information

Additionally, you can configure Rules so you don't have to provide a password when LINKing. You need an ACCEPT NOPASS.

Here's an example for user ID VMANAGER.

Issued command VMSECURE RULES SYSTEM to show this.

ACCEPT VMANAGER LINK * * (NOPASS ACCEPT

ACCEPT VMANAGER XAUTOLOG (NOPASS ACCEPT VMANAGER LOGONBY

With these rules in place, VMANAGER can link to any user's disk and not have to provide a password.

Feedback

thumb_up Yes

thumb_down No