Modification privileges
- Can be associated with usercode attributes
- Enable a user to perform some modification of the file without the capability of controlling the entire USERDATAFILE

The following two modification privileges can be associated with usercode attributes.
- PU privilege is meaningful only if security-administrator status is enabled. It allows a process with PU privilege (from either a usercode or a code file) to modify the specified attribute for all users on the system. A process with PU privilege can also list all attributes, except PASSWORD, of all users.
- OWNER privilege allows a nonprivileged user to modify the value of the specified attributes for his or her own entry.

The attribute privileges must be established by a security administrator. Use the PRIVILEGES statement to interrogate or modify the privileges.
When attribute modification privileges have been established, a nonprivileged user can run MAKEUSER and use the MAKEUSER commands appropriate to his or her privilege.
In the Changing Nonprivileged Usercode Example (Table 55), suppose that
- The system is running with security-administrator status enabled.
- Usercodes FREDPU and TOM have been established as privileged (PU, not SECADMIN) and nonprivileged, respectively.
- The security administrator has used the PRIVILEGES statement to establish attribute modification privileges for the FAMILY and CHARGECODE attributes, as follows:
  PRIVILEGES FAMILY = PU OWNER
  PRIVILEGES CHARGECODE = PU

Table 55. Changing Nonprivileged Usercode Example
| User . . . | Would . . . |
|---|---|
| TOM | Be able to enter the following MAKEUSER statement: USER TOM FAMILY = PACK OTHERWISE DISK; Be unable to alter |
| FREDPU | Be able to enter the following MAKEUSER statements: USER TOM CHARGECODE = PRODUCTION; USER FREDPU CHARGECODE = PRODUCTION; USER FREDPU FAMILY = PACK ONLY; Be able to change the FAMILY and CHARGECODE attributes for all users, but would not be able to alter any other attribute |
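
The decision rule behind Table 55 can be written as a small model. This is an added example, not MAKEUSER code or part of the original documentation. It assumes security-administrator status is enabled and the actor is not a security administrator; the names `parse_privileges` and `can_modify` are hypothetical, and any case the page does not describe is denied.

```python
import re

# Only the statement form shown on this page is accepted:
#   PRIVILEGES <attribute> = <PU and/or OWNER>
_STMT = re.compile(
    r"^PRIVILEGES\s+(\w+)\s*=\s*((?:PU|OWNER)(?:\s+(?:PU|OWNER))*)\s*;?$"
)

# The two statements from the example on this page.
STATEMENTS = [
    "PRIVILEGES FAMILY = PU OWNER",
    "PRIVILEGES CHARGECODE = PU",
]


def parse_privileges(statements):
    """Build {attribute: {"PU", "OWNER"}} from PRIVILEGES statements."""
    table = {}
    for stmt in statements:
        m = _STMT.match(stmt.strip().upper())
        if not m:
            raise ValueError(f"unrecognized statement: {stmt!r}")
        table.setdefault(m.group(1), set()).update(m.group(2).split())
    return table


def can_modify(table, actor, actor_is_privileged, target, attribute):
    """May `actor` change `attribute` in `target`'s entry?

    Modeling assumptions: security-administrator status is enabled and
    the actor is not a security administrator. Default is deny.
    """
    grants = table.get(attribute.upper(), set())
    # PU: a privileged process may change this attribute for any user.
    if actor_is_privileged and "PU" in grants:
        return True
    # OWNER: a nonprivileged user may change it in his or her own entry.
    if not actor_is_privileged and "OWNER" in grants and actor == target:
        return True
    return False


if __name__ == "__main__":
    table = parse_privileges(STATEMENTS)
    for actor, priv, target, attr in [
        ("TOM", False, "TOM", "FAMILY"),
        ("TOM", False, "TOM", "CHARGECODE"),
        ("FREDPU", True, "TOM", "CHARGECODE"),
        ("FREDPU", True, "TOM", "PASSWORD"),
    ]:
        print(actor, "->", target, attr, can_modify(table, actor, priv, target, attr))
```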
                        

