ts-shell user authorization file syntax
Authorizations for ts-shell users to connect
to target systems are granted through a user authorization file.
The authorization file can contain:
- Authorization statements
- Comment lines, which start with a number sign (#)
- Blank lines

Authorization statements have the following format:

    <users> = <list_type>:<targets>

where:
- <users> specifies who is authorized to establish connections. <users> can be an individual Linux™ user ID or a Linux user group. To distinguish users from groups, groups are prefixed with an at sign (@).
- <list_type>:<targets> specifies the target systems to which connections are authorized. Target systems can be specified as a comma-separated list, in a list file, or as a regular expression.
  - list: is followed by a comma-separated list of individual z/VM® user IDs. Consider this method for specifying a few individual target systems.
  - file: is followed by a file path to a configuration file that contains a list of z/VM user IDs, each on a separate line. Consider this method to specify numerous target systems.
    Tip: Lists of z/VM user IDs can be extensive. If you have access to the z/VM user directory, you can use the vmur, grep, and cut commands to create a list from the z/VM user IDs.
  - regex: is followed by a regular expression that matches z/VM user IDs. Consider this method to specify target systems that follow a naming convention.

Examples
- The following authorization statement permits user alice to connect to target systems LXGUEST1, LXGUEST3, LXGUEST5, LXGUEST7, and LXGUEST9.

      alice = list:lxguest1,lxguest3,lxguest5,lxguest7,lxguest9

- The following authorization statement permits all users in group testgrp to connect to the target systems listed in a file /etc/iucvterm/auth/test-systems.list.

      @testgrp = file:/etc/iucvterm/auth/test-systems.list

- The following authorization statement permits user bob to connect to the target systems: LXGUEST0, LXGUEST2, LXGUEST4, LXGUEST6, and LXGUEST8.

      bob = regex:lxguest[02468]

You can have multiple authorizations for the same user. Multiple authorizations can result from multiple authorization statements for the same user. Multiple authorizations can also result from authorization statements for groups of which the user is a member.
For a particular user, you can mix explicit authorizations of types list or file but you cannot mix either of these explicit authorizations with regular expressions. The first type of authorization that is found for a user, explicit or regular expression, sets the authorization type for this user. Further authorizations of the same type are accumulated. Authorizations of the other type are ignored.
The following example assumes that both user alice and user bob are members of group users:

    @users = list:lxguest0,lxguest1,lxguest2
    alice = list:lxguest1,lxguest3,lxguest5,lxguest7,lxguest9
    bob = regex:lxguest[02468]

For user alice, the group and individual authorizations accumulate to LXGUEST0, LXGUEST1, LXGUEST2, LXGUEST3, LXGUEST5, LXGUEST7, and LXGUEST9.

For user bob, the regular expression is ignored and the authorizations are for LXGUEST0, LXGUEST1, and LXGUEST2 as defined for the group.
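
The accumulation rule above decides which guests a user can actually reach, so it is worth checking when you review an authorization file. The following Python code is an added example, not ts-shell's own code: it parses authorization statements and resolves one user's effective authorization. It assumes that statements are evaluated in file order, that z/VM user IDs compare case-insensitively, that a regular expression must match the whole user ID, and that file: lists are supplied by a hypothetical read_list callback.

```python
import re

# Constructed sample: the three statements from the example above.
SAMPLE = """\
# group and per-user authorizations
@users = list:lxguest0,lxguest1,lxguest2
alice = list:lxguest1,lxguest3,lxguest5,lxguest7,lxguest9

bob = regex:lxguest[02468]
"""

def parse(text):
    """Return (subject, list_type, targets) tuples in file order."""
    statements = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no authorization
        subject, sep, rhs = (part.strip() for part in line.partition("="))
        list_type, colon, targets = rhs.partition(":")
        if not (subject and sep and colon) or list_type not in ("list", "file", "regex"):
            raise ValueError(f"line {lineno}: not an authorization statement")
        statements.append((subject, list_type, targets.strip()))
    return statements

def effective(statements, user, groups, read_list=lambda path: []):
    """Resolve one user: ('explicit', set of IDs) or ('regex', [patterns])."""
    subjects = {user} | {"@" + g for g in groups}
    kind, explicit, patterns = None, set(), []
    for subject, list_type, targets in statements:
        if subject not in subjects:
            continue
        this_kind = "regex" if list_type == "regex" else "explicit"
        kind = kind or this_kind      # first type found sets the type
        if this_kind != kind:
            continue                  # authorizations of the other type are ignored
        if list_type == "regex":
            patterns.append(targets)
        elif list_type == "list":
            explicit.update(t.strip().upper() for t in targets.split(",") if t.strip())
        else:  # file: one z/VM user ID per line, via the hypothetical read_list
            explicit.update(t.strip().upper() for t in read_list(targets) if t.strip())
    return (kind, patterns if kind == "regex" else explicit)

def is_authorized(statements, user, groups, target, read_list=lambda path: []):
    kind, value = effective(statements, user, groups, read_list)
    if kind == "regex":  # assumption: whole-ID, case-insensitive match
        return any(re.fullmatch(p, target, re.IGNORECASE) for p in value)
    return kind == "explicit" and target.upper() in value
```

Resolving bob with and without membership in group users shows how a group statement placed earlier in the file silently disables a later per-user regular expression.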