Users logged into multiple groups [continue keyword]
This is an example of a security file where the continue keyword is used. This kind of security file allows a user to inherit authorization from multiple stanzas. The user gets the accesses for the first matching entry of each stanza that matches the user definition.
###########################################################
# User misusers USER DEFINITION APPLIES TO USERS LOGGED IN TO
# THE MIS GROUP ON ANY WORKSTATION.
#
# User dbusers USER DEFINITION APPLIES TO USERS LOGGED IN TO
# THE DB GROUP ON ANY WORKSTATION.
#
# User default USER DEFINITION APPLIES TO ALL USERS.
#
user misusers cpu=@ + group=mis
begin
# OBJECT ATTRIBUTES ACCESS CAPABILITIES
# ---------- ------------ ----------------------
job cpu=@ + name=mis@ + folder = /
+ cpufolder = / access=@
schedule name=mis@ + folder = / + cpufolder = / access=@
parameter name=mis@ + folder = / + cpufolder = / access=@
continue
folder name=/ access=@
user dbusers cpu=@ + group=db
begin
# OBJECT ATTRIBUTES ACCESS CAPABILITIES
# ---------- ------------ ----------------------
job cpu=@ + name=db_@ + folder = /
+ cpufolder = / access=@
schedule name=db_@ + folder = /
+ cpufolder = / access=@
parameter name=db_@ + folder = / + cpufolder = / access=@
continue
folder name=/ access=@
user default cpu=@ + logon=@
begin
# OBJECT ATTRIBUTES ACCESS CAPABILITIES
# ---------- ------------ ----------------------
parameter name=@ + folder = / + cpufolder = / access=display
folder name=/ access=@
end
###########################################################
Users that belong only to the mis group get access to all objects that have a name starting with the mis prefix, as specified in the user misusers user definition. In addition, the user default user definition gives them display access to all parameters.
Users that belong only to the db group get access to all objects that have a name starting with the db_ prefix, as specified in the user dbusers user definition. In addition, the user default user definition gives them display access to all parameters.
Users that belong to both the mis and the db groups get access to the objects that have a name starting with the mis prefix and to the objects that have a name starting with the db_ prefix, as specified in the user misusers and in the user dbusers user definitions. In addition, the user default user definition gives them display access to all parameters. Access to jobs, job streams, workstations, and parameters is limited to only those defined in the root (/) folder.
You must order definitions from most specific to least specific. The user default user definition gives generic accesses, and must therefore be specified at the end of the file.
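The evaluation described above can be checked with a small model, given here as an added example that is not part of the original page or of the product. The stanza data is a constructed, simplified copy of the sample file; the function names, the object names such as mis_payroll, and the rule that a stanza without continue ends the scan are assumptions of this model.

```python
import re

# Constructed model of the sample file above. Each stanza is
# (definition, required group or None for any user, ends with 'continue',
#  [(object type, name pattern, access), ...]).
# Assumption: folder/cpufolder attributes and folder entries are left out.
STANZAS = [
    ("misusers", "mis", True, [("job", "mis@", "@"),
                               ("schedule", "mis@", "@"),
                               ("parameter", "mis@", "@")]),
    ("dbusers", "db", True, [("job", "db_@", "@"),
                             ("schedule", "db_@", "@"),
                             ("parameter", "db_@", "@")]),
    ("default", None, False, [("parameter", "@", "display")]),
]


def wildcard_match(pattern, value):
    """Match a name against a pattern where '@' stands for any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("@"))
    return re.fullmatch(regex, value) is not None


def effective_access(groups, object_type, name, stanzas=STANZAS):
    """Return {definition: access} a user in `groups` gets on one object."""
    granted = {}
    for definition, group, has_continue, entries in stanzas:
        if group is not None and group not in groups:
            continue  # user attributes do not match this stanza
        # Inside a matching stanza only the first matching entry counts.
        for entry_type, pattern, access in entries:
            if entry_type == object_type and wildcard_match(pattern, name):
                granted[definition] = access
                break
        if not has_continue:
            break  # assumption: a stanza without 'continue' ends the scan
    return granted


if __name__ == "__main__":
    # Constructed object names; 'default' moved first shows the ordering rule.
    default_first = [STANZAS[2]] + STANZAS[:2]
    for groups in ({"mis"}, {"db"}, {"mis", "db"}):
        for obj, name in (("job", "mis_payroll"), ("job", "db_backup"),
                          ("parameter", "mis_limit")):
            print(sorted(groups), obj, name, effective_access(groups, obj, name))
    print(effective_access({"mis"}, "job", "mis_payroll", default_first))
```

With the default stanza moved to the top, a mis user gets no access to the mis_payroll job in this model, which is the failure the ordering rule guards against.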