How to restrict the name of new user IDs created.

Article ID: 52812


Products

VM:Director for z/VM, Mainframe VM Product Manager, VM:Manager Suite for Linux on Mainframe, VM:Manager Suite for z/VM, VM SUITE, VM:Secure for z/VM

Issue/Introduction

Directory managers were creating new VM user IDs that did not conform to the company standard.

An automatic method of controlling the naming of new user IDs is needed.

 

Resolution

In this example, VMRMAINT will be able to create user IDs with any name. VMXMGR1 is the user ID that is restricted to specific names when creating VM user IDs: VMXMGR1 can only create new user IDs that begin with 'CLN'.

Note: VMSECURE is used in the example, but VMDIRECT is implied unless otherwise stated.

You will need to:

  1. Create a NEWUSER user exit REXX exec (basic contents follow), or modify your current NEWUSER user exit.

  2. Add the NEWUSER EXIT record to the Product Config via the VMSECURE ADMIN CONFIG command

    USEREXIT NEWUSER filename EXEC

  3. Add to the Authorize Config via the VMSECURE ADMIN CONFIG command

    GRANT OVERRIDE NEWUSER TO VMRMAINT

    This record in the Authorize Config will allow VMRMAINT to 'override' the NEWUSER user exit rejection so VMRMAINT can create any user ID name.

  4. Verify that VMXMGR1 does not have authority to override the NEWUSER user exit rejection. Use VMSECURE MAY VMXMGR1 OVERRIDE. The response may be something like: VMXLSA0264I Accepted by: GRANT *ALL TO VMXMGR1. If VMXMGR1 does have an authorization that accepts 'OVERRIDE', the authorizations will need to be changed. For instance, place the following record in the AUTHORIZ CONFIG for VMXMGR1: WITHHOLD OVERRIDE NEWUSER FROM VMXMGR1.

Sample NEWUSER EXEC:

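* * * Top of File * * *
/* test newuser userexit */
arg argstring                 /* ARG translates the argument string to uppercase */
trace all                     /* debugging aid: traces every clause as it runs */
say 'Arguments to NEWUSER userexit are:' argstring
/*say 'This is the one with RC=4'*/
parse var argstring user user2 acct newmgr command group
/* reject with return code 4 unless the name in user2 begins with CLN */
if (substr(strip(user2),1,3)) <> 'CLN' then exit 4
push 'VMXMGR1'
exit 0
* * * End of File * * *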

Here is what VMXMGR1 gets when it tries to add user LALALA:

VMXMAN0363E User 'LALALA' rejected by installation exit routine.
VMXMAN0099I 'MANAGE' command canceled.
VMXMAN0365I User not defined.