Security domain definition
In the role-based security model, a security domain represents the set of objects that users or groups can manage. For example, you can define a domain that contains all objects named with a prefix 'AA'. If you want to specify different security attributes for some or all of your users, you can create additional security domains based on specific matching criteria. You can filter objects by specifying one or more attributes for each security object type. You can include or exclude each attribute from the selection. For example, you can restrict access to a set of objects having the same name or being defined on the same workstation, or both.
You can include multiple security domain definitions in the same text file, along with security role definitions and access control list definitions.
By default, a security domain named ALLOBJECTS is available. It contains all scheduling objects and cannot be renamed or modified. If you try to rename it, a copy of the domain is created with the new name.
Each security domain definition has the following format and arguments:
Syntax
Each attribute can be included or excluded from the selection using the plus (+) and tilde (~) symbols.
securitydomain security_domain_name
[description "description"]
[common [[+|~]object_attribute [= value | @[, value | @]...]]]
object_type [[+|~]object_attribute [= value | @[, value | @]...]]
[object_type [[+|~]object_attribute [= value | @[, value | @]...]]]...
end
[securityrole ...]
[accesscontrollist ...]
Arguments
- securitydomain security_domain_name
- Specifies the name of the security domain. The name must start with a letter, and can contain alphanumeric characters, dashes, and underscores. It can contain up to 16 characters.
- description "description"
- Provides a description of the security domain. The description can contain up to 120 alphanumeric characters. The text must be enclosed within double quotes.
- common [[+|~]object_attribute [= value | @[, value | @]...]]
- Provides object attributes that are common to all the security object types.
- object_type [[+|~]object_attribute [= value | @[, value | @]...]]
- For each object type, specifies the attributes that apply to that object type and the related values. Each attribute can be included or excluded from the selection using the plus (+) and tilde (~) symbols. Wildcard (@) is supported for the attribute value: object_attribute =@ means that all the objects matching the object attribute must be included in the domain. For the use of wildcard (@), see the examples below.
For the attributes that you can specify for each security object type, see Attributes for security object types.
For the values that you can specify for each object attribute, see Specifying object attribute values.
Examples
The following example defines a security domain named SECDOM1 and a security domain named SECDOM2:
securitydomain SECDOM1
   description "Sample Security Domain1"
   job cpu = $THISCPU,          # The workstation where the user logs on
             $MASTER,           # The master workstation
             $AGENTS,           # Any fault tolerant agent
             $REMOTES,          # Any standard agent
             cogs@              # Any workstation whose name starts with "cogs"
       + folder = /             # Jobs defined in any folder
       + cpufolder = /          # Workstations defined in any folder
       + name = A@              # Any job whose name starts with "A"
       ~ name = A2@             # but doesn't start with A2
       + jcltype = SCRIPTNAME   # Allow only SCRIPTNAME type of job definition
       + jcltype = DOCOMMAND    # Allow only DOCOMMAND type of job definition
       + logon = $USER,         # Streamlogon is the conman/composer user
                 $OWNER,        # Streamlogon is the job creator
                 $JCLOWNER,     # Streamlogon is the OS owner of the file
                 $JCLGROUP      # Streamlogon is the OS group of the file
       ~ logon = root, twsuser  # The job cannot logon as "root" or "twsuser"
       + jcl = "/usr/local/bin/@"  # The jobs whose executable file is
                                   # present in /usr/local/bin
       ~ jcl = "@rm@"              # but whose JSDL definition does not contain the
                                   # string "rm"
end
securitydomain SECDOM2
   description "Sample Security Domain2"
   common cpu=@ + name=@
   userobj cpu=@ + cpufolder = /
   job cpu=@ + folder = / + cpufolder = /
   schedule cpu=@ + name=AP@ + folder = / + cpufolder = /
   resource cpu=@ + folder = / + cpufolder = /
   prompt folder = /
   file name=@
   cpu cpu=@ + folder = /
   parameter cpu=@ + folder = / + cpufolder = /
   calendar folder = /
   report name=@
   eventrule name=@ + folder = /
   action provider=@
   event provider=@
   vartable name=@ + folder = /
   wkldapp name=@ + folder = /
   runcygrp name=@ + folder = /
   lob name=@
   folder name=/
end
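The following script is an added illustration, not the scheduler's own code, that exercises the rules from the Arguments section and the SECDOM1 example: it validates a domain name and description against the stated length and character rules, parses an object_type clause into include (+) and exclude (~) rules with the @ wildcard, and decides whether a given object falls inside the domain. Everything beyond the page is an assumption and is marked as such in the code: the $-prefixed values ($THISCPU, $MASTER, $USER, $OWNER) are resolved from a caller-supplied mapping, a folder value is treated as a path prefix so that "/" means any folder, and an object is in the domain when, for every constrained attribute, it matches at least one included value and no excluded value. The sample rules and bindings are constructed, modelled on a subset of the SECDOM1 job clause.

```python
"""Validator and membership checker for security-domain rules.

Illustrative code added to this page; it is not the scheduler's own
implementation. It models the documented syntax
    [+|~]object_attribute = value[, value]...
with "@" as the wildcard. Assumptions beyond the page: "$"-prefixed
values such as $MASTER are resolved through a caller-supplied mapping,
a folder value is a path prefix (so "/" means any folder), and an
object belongs to the domain when, for every constrained attribute, it
matches at least one included value and no excluded value.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[bool, str, List[str]]  # (included?, attribute, values)

# Name rule from the page: a letter first, then letters, digits, '-' or '_',
# 16 characters at most.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,15}")


def validate_domain_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def validate_description(text: str) -> bool:
    # Page rule: enclosed in double quotes, at most 120 characters inside them.
    return len(text) >= 2 and text[0] == text[-1] == '"' and len(text) - 2 <= 120


def parse_clause(clause: str) -> List[Rule]:
    """Parse the attribute part of one object_type line, for example
    'cpu=@ + folder = / ~ name = A2@'. A '#' comment is dropped and a
    leading attribute with no sign is treated as included (assumption)."""
    clause = clause.split("#", 1)[0]
    rules: List[Rule] = []
    for sign, attr, values in re.findall(r"([+~]?)\s*(\w+)\s*=\s*([^+~]+)", clause):
        vals = [v.strip().strip('"') for v in values.split(",") if v.strip()]
        rules.append((sign != "~", attr, vals))
    return rules


def value_matches(attr: str, pattern: str, value: str, env: Dict[str, str]) -> bool:
    """'@' matches any run of characters; '$NAME' is looked up in env
    (assumed run-time binding); folder attributes compare by path prefix."""
    if pattern.startswith("$"):
        pattern = env.get(pattern, pattern)
    if attr in ("folder", "cpufolder"):
        return value.startswith(pattern)
    regex = ".*".join(re.escape(part) for part in pattern.split("@"))
    return re.fullmatch(regex, value) is not None


def in_domain(rules: List[Rule], obj: Dict[str, str], env: Dict[str, str]) -> bool:
    """True when obj satisfies every attribute constrained by rules:
    at least one '+' value matches and no '~' value matches."""
    for attr in {a for _, a, _ in rules}:
        value = obj.get(attr, "")
        included = [v for inc, a, vals in rules if inc and a == attr for v in vals]
        excluded = [v for inc, a, vals in rules if not inc and a == attr for v in vals]
        if included and not any(value_matches(attr, p, value, env) for p in included):
            return False
        if any(value_matches(attr, p, value, env) for p in excluded):
            return False
    return True


# Constructed sample modelled on a subset of the SECDOM1 "job" clause.
SECDOM1_JOB = parse_clause(
    "cpu = $THISCPU, $MASTER, cogs@ + folder = / + name = A@ ~ name = A2@ "
    "+ logon = $USER, $OWNER ~ logon = root, twsuser   # sample rules"
)
# Constructed run-time bindings for the $-variables (hypothetical names).
ENV = {"$THISCPU": "WS_LOCAL", "$MASTER": "WS_MASTER",
       "$USER": "opsadmin", "$OWNER": "dev1"}

if __name__ == "__main__":
    job = {"cpu": "WS_MASTER", "folder": "/apps/payroll",
           "name": "A17", "logon": "opsadmin"}
    print(validate_domain_name("SECDOM1"), in_domain(SECDOM1_JOB, job, ENV))
```

Running the script prints `True True`: SECDOM1 is a valid name, and the sample job matches the master workstation, sits in a folder under "/", has a name starting with "A" but not "A2", and logs on as the composer user. Changing the name to "A2X" or the logon to "root" makes `in_domain` return False, which is the effect the exclusion lines in the SECDOM1 example describe.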