The VM:Secure RULEMAP, QRULES and CAN commands let you query rule information without having access to the rules data files. None of these commands on its own gives the information specific to a requesting user and the target group resources. However, using the commands together in an EXEC can give you this information.
What you are looking for is a way to list all rules authorizing a particular user to group resources, or to resources belonging to individual users in that group, without having to look at RULES file definitions.
Here is a sample EXEC, QUSRGRP, that uses VM:Secure RULEMAP and QRULES command output to get the information you are looking for. RULEMAP MEMBERS is used to get all the members of a particular group and put them in a CMS EXEC file. QRULES is then used with the information in the file to look for the rules.
Input to the EXEC is:
userid - the user ID you are checking on
authorization - the command/authorization to check (see CAN command)
group - the group members to check

/* ************************************************************** */
/* QUSRGRP EXEC queries VM:Secure rules based on the parm list of: */
/* QUSRGRP userid command group */
/* Where: userid is the user you want to query for permission */
/* command is the rules request (for instance: AUTOLOG) */
/* group is the group you are querying on */
/* The question you are answering with this EXEC is: Does user A */
/* have rule authority to do the 'command' to any of the users */
/* that belong to the specified group. */
/* QRULES output gives the rule, using CAN would give return code */
/* output */
/* ************************************************************** */
parse arg userid command group .
/* All three arguments are required */
if userid = '' | command = '' | group = '' then do
  say 'Input is USERID COMMAND GROUPID, try again'
  exit 24
end
/* Write the members of the group to the file CMS EXEC A */
'VMSECURE RULEMAP MEMBERS ' group ' (EXEC'
If rc <> 0 then do
  say 'Non zero return from VMSECURE RULEMAP MEMBERS ' group
  exit rc
end
/* Suppress terminal output while the file is edited */
'SET CMSTYPE HT'
/* PUSH is last-in, first-out, so XEDIT reads these subcommands in */
/* reverse order: CHANGE, TOP, CHANGE, FILE. The CHANGE subcommands */
/* adjust the &n argument references on every line of CMS EXEC A. */
push 'FILE'
push 'CHA /&4 &5/&5 &6/* *'
push 'TOP'
push 'CHA /&3 /&3 &4 / * *'
'XEDIT CMS EXEC A'
/* Resume terminal output */
'SET CMSTYPE RT'
/* Run the edited file: one VMSECURE QRULES per group member */
'EXEC CMS VMSECURE QRULES ' userid command
'ERASE CMS EXEC A'
Exit
In the example below, we are checking to see if user CARRIS can AUTOLOG users in GROUP DEVEL. CARRIS belongs to group POOLUSER. The users belonging to group DEVEL are: CPM, DIRENGI, DIRSAPG, DRONE, KIKIDOG, TESTANG, VMSECURE, VMSIDEVL, VMXMAINT and YVONNE.
With a group rule in place for DEVEL we get:
qusrgrp carris autolog devel
VMSECURE QRULES CARRIS AUTOLOG CPM
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG DIRENGI
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG DIRSAPG
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG DRONE
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG KIKIDOG
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG TESTANG
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG VMSECURE
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG VMSIDEVL
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG VMXMAINT
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG YVONNE
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
Ready;
If we take away the GROUP rule and put in some user rules, we get:
qusrgrp carris autolog devel
VMSECURE QRULES CARRIS AUTOLOG CPM
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DIRENGI
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DIRSAPG
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DRONE
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG KIKIDOG
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG TESTANG
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMSECURE
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMSIDEVL
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMXMAINT
VMXACQ0172I Accepted via user rule: ACCEPT POOLUSER XAUTOLOG (GROUP
VMSECURE QRULES CARRIS AUTOLOG YVONNE
VMXACQ0172I Accepted via user rule: ACCEPT CARRIS AUTOLOG (NOPASS HISTORY
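
The following is an added example, not part of the original article or of VM:Secure. It is a Python script that reads QUSRGRP console output saved as plain text (an assumption) and groups the target users by how the request was accepted, so targets covered only by the NORULE default stand out from those covered by an explicit rule. The sample log is constructed from the second run above; a command line with no recognised reply is reported as UNKNOWN.

```python
import re
from collections import defaultdict

# Constructed sample: four command/message pairs in the format of the second
# run above (assumption: the console output was saved as plain text).
SAMPLE_LOG = """\
VMSECURE QRULES CARRIS AUTOLOG CPM
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DRONE
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMXMAINT
VMXACQ0172I Accepted via user rule: ACCEPT POOLUSER XAUTOLOG (GROUP
VMSECURE QRULES CARRIS AUTOLOG YVONNE
VMXACQ0172I Accepted via user rule: ACCEPT CARRIS AUTOLOG (NOPASS HISTORY
"""

CMD_RE = re.compile(r"^VMSECURE QRULES (\S+) (\S+) (\S+)$")
MSG_RE = re.compile(r"^(VMXACQ\d+[A-Z]) Accepted via (.+?)(?:: (.*))?$")

def parse_qrules_log(text):
    """Pair each echoed QRULES command with the message line that follows it."""
    results, pending = [], None
    def close(msgid=None, source="UNKNOWN", rule=None):
        results.append({**pending, "msgid": msgid, "source": source, "rule": rule})
    for line in map(str.strip, text.splitlines()):
        cmd, msg = CMD_RE.match(line), MSG_RE.match(line)
        if cmd:
            if pending:  # earlier command got no recognised reply: keep it visible
                close()
            pending = dict(zip(("requester", "command", "target"), cmd.groups()))
        elif msg and pending:
            close(msg[1], msg[2].rstrip("."), msg[3])
            pending = None
    if pending:
        close()
    return results

def targets_by_source(results):
    """Group target user IDs by what accepted the request (rule type or default)."""
    grouped = defaultdict(list)
    for r in results:
        grouped[r["source"]].append(r["target"])
    return dict(grouped)

if __name__ == "__main__":
    for source, targets in targets_by_source(parse_qrules_log(SAMPLE_LOG)).items():
        print(f"{source}: {', '.join(targets)}")
```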