Is there a VM:Secure command to find out if a user has rules that allow access to resources belonging to users in a particular group?

Article ID: 53420

Products

Mainframe VM Product Manager VM:Manager Suite for Linux on Mainframe VM:Manager Suite for z/VM VM SUITE VM:Secure for z/VM

Issue/Introduction

Description:

The VM:Secure RULEMAP, QRULES and CAN commands are useful for querying rule information without having access to the rules data files. However, none of them on its own reports the rules that apply to a specific requesting user against the resources of a specific group. Using the commands together in an EXEC can give you this information.

Solution:

What you are looking for is a way to list all rules authorizing a particular user to access group resources, or resources belonging to individual users in that group, without having to look at the RULES file definitions.

Here is a sample EXEC, QUSRGRP, that uses VM:Secure RULEMAP and QRULES command output to get this information. RULEMAP MEMBERS is used to get all the members of a particular group and put them in a CMS EXEC file. QRULES is then run once per member, driven by that file, to look for the rules.

Input to the EXEC is:

userid        - the user ID you are checking on
authorization - the command/authorization to check (see CAN command)
group         - the group members to check

/* ************************************************************** */
/* QUSRGRP EXEC queries VM:Secure rules based on the parm list of: */
/* QUSRGRP userid command group                                   */
/* Where: userid is the user you want to query for permission     */
/*        command is the rules request (for instance: AUTOLOG)    */
/*        group is the group you are querying on                  */
/* The question you are answering with this EXEC is: Does user A  */
/* have rule authority to do the 'command' to any of the users    */
/* that belong to the specified group.                            */
/* QRULES output gives the rule, using CAN would give return code */
/* output                                                         */
/* ************************************************************** */
parse arg userid command group .
if userid = '' | command = '' | group = '' then do
   say 'Input is USERID COMMAND GROUPID, try again'
   exit 24
end
/* Build CMS EXEC A with one line per member of the group.        */
'VMSECURE RULEMAP MEMBERS ' group ' (EXEC'
if rc <> 0 then do
   say 'Non zero return from VMSECURE RULEMAP MEMBERS ' group
   exit rc
end
/* Rewrite each line into a QRULES call for that member. PUSH is  */
/* LIFO, so XEDIT reads the commands in reverse order of the PUSH */
/* statements: CHA /&3 .../, TOP, CHA /&4 &5/.../, then FILE.     */
'SET CMSTYPE HT'                    /* suppress XEDIT messages    */
push 'FILE'
push 'CHA /&4 &5/&5 &6/* *'
push 'TOP'
push 'CHA /&3 /&3 &4 / * *'
'XEDIT CMS EXEC A'
'SET CMSTYPE RT'                    /* restore terminal output    */
/* Run QRULES once per member; &1-&4 come from this command line. */
'EXEC CMS VMSECURE QRULES ' userid command
'ERASE CMS EXEC A'
exit

In the example below, we are checking to see if user CARRIS can AUTOLOG users in GROUP DEVEL. CARRIS belongs to group POOLUSER. The users belonging to group DEVEL are: CPM, DIRENGI, DIRSAPG, DRONE, KIKIDOG, TESTANG, VMSECURE, VMSIDEVL, VMXMAINT and YVONNE.

With a group rule in place for DEVEL we get:

qusrgrp carris autolog devel
VMSECURE QRULES CARRIS AUTOLOG CPM
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
VMSECURE QRULES CARRIS AUTOLOG DIRENGI
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG DIRSAPG 
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG DRONE 
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG KIKIDOG
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG TESTANG
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG VMSECURE 
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG VMSIDEVL
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG VMXMAINT
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
VMSECURE QRULES CARRIS AUTOLOG YVONNE
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS 
Ready;

If we take away the GROUP rule and put in some user rules, we get:

qusrgrp carris autolog devel
VMSECURE QRULES CARRIS AUTOLOG CPM
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DIRENGI
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DIRSAPG
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG DRONE
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG KIKIDOG
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG TESTANG
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMSECURE
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMSIDEVL
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMXMAINT
VMXACQ0172I Accepted via user rule: ACCEPT POOLUSER XAUTOLOG (GROUP 
VMSECURE QRULES CARRIS AUTOLOG YVONNE
VMXACQ0172I Accepted via user rule: ACCEPT CARRIS AUTOLOG (NOPASS HISTORY
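The two transcripts above differ in a detail that matters for review: VMXACQ0172I names the rule that granted access, while VMXACQ0223I means no rule matched and the NORULE default decided. The following added Python script (not part of the article or of VM:Secure) parses saved QUSRGRP output and groups the targets by that basis; the transcript it reads is a constructed sample shaped like the article's output.

```python
import re
from collections import defaultdict

# Constructed sample: a QUSRGRP transcript in the shape shown in this article.
SAMPLE_OUTPUT = """\
VMSECURE QRULES CARRIS AUTOLOG CPM
VMXACQ0223I Accepted via NORULE default.
VMSECURE QRULES CARRIS AUTOLOG VMXMAINT
VMXACQ0172I Accepted via user rule: ACCEPT POOLUSER XAUTOLOG (GROUP
VMSECURE QRULES CARRIS AUTOLOG YVONNE
VMXACQ0172I Accepted via user rule: ACCEPT CARRIS AUTOLOG (NOPASS HISTORY
VMSECURE QRULES CARRIS AUTOLOG DRONE
VMXACQ0172I Accepted via group rule: ACCEPT CARRIS AUTOLOG (NOPASS
Ready;
"""

QUERY_RE = re.compile(r"^VMSECURE QRULES (\S+) (\S+) (\S+)$")
# VMXACQ0172I carries the rule basis (user/group) and the matching rule text;
# VMXACQ0223I means no rule matched and the NORULE default decided the outcome.
RULE_RE = re.compile(r"^VMXACQ0172I Accepted via (user|group) rule: (.*)$")
NORULE_RE = re.compile(r"^VMXACQ0223I Accepted via NORULE default")

def parse_qusrgrp(text):
    """Pair each QRULES query line with the VMXACQ message that follows it."""
    results = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = QUERY_RE.match(line)
        if m:
            current = {"user": m.group(1), "command": m.group(2),
                       "target": m.group(3), "basis": None, "rule": ""}
            results.append(current)
            continue
        if current is None:
            continue
        m = RULE_RE.match(line)
        if m:
            current["basis"], current["rule"] = m.group(1), m.group(2)
        elif NORULE_RE.match(line):
            current["basis"] = "norule"
    return results

def summarize(results):
    """Group targets by basis so targets reachable only via NORULE stand out."""
    by_basis = defaultdict(list)
    for r in results:
        by_basis[r["basis"]].append(r["target"])
    return dict(by_basis)

if __name__ == "__main__":
    for basis, targets in summarize(parse_qusrgrp(SAMPLE_OUTPUT)).items():
        print(f"{basis:6} {' '.join(targets)}")
```

Targets listed under norule are the ones where no explicit rule exists for the requesting user, which is the set to revisit when the NORULE default is later changed.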

Environment

Release:
Component: VMX