How to restrict the name of new user IDs created?

Document ID : KB000052812
Last Modified Date : 14/02/2018

Description:

Directory Managers were creating new VM user IDs that did not conform to the company standard. The customer needed an automatic method of controlling the naming of new user IDs.

Solution:

In this example, VMRMAINT will be able to create user IDs with any name. VMXMGR1 is the user ID that is being restricted when creating VM user IDs with specific names. VMXMGR1 can only create new user IDs that begin with 'CLN'.

Note: VMSECURE is used in the example, but VMDIRECT is implied unless otherwise stated.

You will need to:

  1. Create a NEWUSER user exit REXX exec (basic contents follow) or modify your current NEWUSER user exit.

  2. Add the NEWUSER EXIT record to the Product Config via the VMSECURE ADMIN CONFIG command

    USEREXIT NEWUSER filename EXEC

  3. Add to the Authorize Config via the VMSECURE ADMIN CONFIG command

    GRANT OVERRIDE NEWUSER TO VMRMAINT

    This record in the Authorize Config will allow VMRMAINT to 'override' the NEWUSER userexit rejection so VMRMAINT can create any user ID name.

  4. Verify that VMXMGR1 does not have authority to override the NEWUSER userexit rejection. Use VMSECURE MAY VMXMGR1 OVERRIDE. The response may be something like: VMXLSA0264I Accepted by: GRANT *ALL TO VMXMGR1. If VMXMGR1 does have an authorization that accepts 'OVERRIDE', the authorizations will need to be changed. For instance, place the following record in the AUTHORIZ CONFIG for VMXMGR1: WITHHOLD OVERRIDE NEWUSER FROM VMXMGR1.

Sample NEWUSER EXEC:

* * * Top of File * * *
/* test newuser userexit */
arg argstring                 /* ARG uppercases the argument string */
trace all                     /* debugging aid for this test exec */
say 'Arguments to NEWUSER userexit are:' argstring
/*say 'This is the one with RC=4'*/
parse var argstring user user2 acct newmgr command group
/* exit with RC=4 unless the second token begins with 'CLN' */
if (substr(strip(user2),1,3)) <> 'CLN' then exit 4
push 'VMXMGR1'
exit 0
* * * End of File * * *

Here is what VMXMGR1 gets when it tries to add user LALALA:

VMXMAN0363E User 'LALALA' rejected by installation exit routine.
VMXMAN0099I 'MANAGE' command canceled.
VMXMAN0365I User not defined.