Users logged into multiple groups [continue keyword]

This is an example of a security file where the continue keyword is used. This kind of security file allows a user to inherit authorization from multiple stanzas. The user gets the accesses for the first matching entry of each stanza that matches the user definition.

user misusers cpu@ group=mis

###########################################################
# User misusers USER DEFINITION APPLIES TO USERS LOGGED IN TO 
#	THE MIS GROUP ON ANY WORKSTATION.
#
# User dbusers USER DEFINITION APPLIES TO USERS LOGGED IN TO 
#	THE DB GROUP ON ANY WORKSTATION.
#
# User default USER DEFINITION APPLIES TO ALL USERS.
#

user misusers  cpu=@           group=mis
begin
#  OBJECT     ATTRIBUTES       ACCESS CAPABILITIES
# ----------  ------------     ----------------------
job           cpu=@  + name=mis@   + folder = /
                    + cpufolder = / access=@
schedule      name=mis@  + folder = /  + cpufolder = /  access=@
parameter     name=mis@ + folder = /  + cpufolder = /   access=@
continue
folder        name=/            access=@

user dbusers  cpu=@            group=db
begin
#  OBJECT     ATTRIBUTES       ACCESS CAPABILITIES
# ----------  ------------     ----------------------
job           cpu=@ +  name=db_@  + folder = /
                        + cpufolder = / access=@
schedule      name=db_@   + folder = / 
                        + cpufolder = /  access=@
parameter     name=db_@ + folder = /  + cpufolder = /   access=@
continue
folder        name=/           access=@

user default cpu=@ + logon=@
begin
#  OBJECT     ATTRIBUTES                ACCESS CAPABILITIES
# ----------  ------------              ----------------------
parameter     name=@ + folder = /  + cpufolder = /   access=display
folder        name=/                    access=@
end


###########################################################

Users that belong only to the mis group get access to all objects that have a name starting with the mis prefix, as specified in the user misusers user definition. In addition, the user default user definition gives them display access to all parameters.

Users that belong only to the db group get access to all objects that have a name starting with the db_ prefix, as specified in the user dbusers user definition. In addition, the user default user definition gives them display access to all parameters.

Users that belong to both the mis and the db groups get access to the objects that have a name starting with the mis prefix and to the objects that have a name starting with the db_ prefix, as specified in the user misusers and in the user dbusers user definitions. In addition, the user default user definition gives them display access to all parameters. Access to jobs, job streams, workstations, and parameters is limited to only those defined in the root (/) folder.

You must order definitions from most specific to least specific. The user default user definition gives generic accesses, and must be therefore specified at the end of the file.