Security domain definition

In the role-based security model, a security domain represents the set of objects that users or groups can manage. For example, you can define a domain that contains all objects named with a prefix 'AA'. If you want to specify different security attributes for some or all of your users, you can create additional security domains based on specific matching criteria. You can filter objects by specifying one or more attributes for each security object type. You can include or exclude each attribute from the selection. For example, you can restrict access to a set of objects having the same name or being defined on the same workstation, or both.

You can include multiple security domain definitions in the same text file, along with security role definitions and access control list definitions.

By default, a security domain named ALLOBJECTS is available. It contains all scheduling objects and cannot be renamed nor modified. If you try to rename it, a copy of the domain is created with the new name.

Each security domain definition has the following format and arguments:


Each attribute can be included or excluded from the selection using the plus (+) and tilde (~) symbols.

securitydomain security_domain_name
   [description "description"]
      [common [[+|~object_attribute [= value | @[, value | @]...]]]
      object_type [[+|~]object_attribute [= value | @[, value | @]...]]
      [object_type [[+|~]object_attribute [= value | @[, value | @]...]]]...

[securityrole ...]

[accesscontrollist ...]


securitydomain security_domain_name
Specifies the name of the security domain. The name must start with a letter, and can contain alphanumeric characters, dashes, and underscores. It can contain up to 16 characters.
description ”description
Provides a description of the security domain. The description can contain up to 120 alphanumeric characters. The text must be enclosed within double quotes.
common [[+|~]object_attribute [= value | @[, value | @]...]]
Provides object attributes that are common to all the security object types.
object_type [[+|~]object_attribute [= value | @[, value | @]...]]
For each object type, specifies the attributes that apply to that object type and the related values. Each attribute can be included or excluded from the selection using the plus (+) and tilde (~) symbols. Wildcard (@) is supported for the attribute value: object_attribute =@ means that all the objects matching the object attribute must be included in the domain. For the use of wildcard (@), see the examples below.

For the attributes that you can specify for each security object type, see Attributes for security object types.

For the values that you can specify for each object attribute, see Specifying object attribute values.


The following example defines a security domain named SECDOM1 and a security domain named SECDOM2:

securitydomain SECDOM1   
description "Sample Security Domain1"
job       cpu =   $THISCPU, # The workstation where the user logs on
                  $MASTER,  # The master workstation
                  $AGENTS,  # Any fault tolerant agent
                  $REMOTES  # Any standard agent
                  cogs@     # Any workstation whose name starts with "cogs" 
         + folder = /  # Jobs defined in any folder
         + cpufolder = /  # Workstations defined in any folder
        + name =  A@        # Any job whose name starts with "A"
        ˜  name =  A2@       # but doesn't start with A2
        + jcltype = SCRIPTNAME # Allow only SCRIPTNAME type of job definition
        + jcltype = DOCOMMAND  # Allow only DOCOMMAND type of job definition
        + logon =   $USER,  # Streamlogon is the conman/composer user
                    $OWNER, # Streamlogon is the job creator
                    $JCLOWNER, # Streamlogon is the OS owner of the file
                    $JCLGROUP  # Streamlogon is the OS group of the file
        ~  logon =   root, twsuser  # The job cannot logon as "root" or "twsuser"
        + jcl   =   "/usr/local/bin/@"  # The jobs whose executable file that is 
			present in /usr/local/bin
        ~  jcl   =  "@rm@" # but whose JSDL definition does not contain the 
			string "rm"

securitydomain SECDOM2
description "Sample Security Domain2"
    common      cpu=@+name=@
    userobj     cpu=@  + cpufolder = /
    job         cpu=@+ folder = / + cpufolder = /   
    schedule    cpu=@+name=AP@+ folder = / + cpufolder = /    
    resource    cpu=@ + folder = / +  + cpufolder = /
    prompt      folder = /   
    file        name=@ 
    cpu         cpu=@  + folder = /
    parameter   cpu=@  + folder = /  + cpufolder = /
    calendar    folder = /
    report      name=@ 
    eventrule   name=@ + folder = /
    action      provider=@
    event       provider=@
    vartable    name=@  +  folder = /
    wkldapp     name=@  +  folder = /
    runcygrp    name=@  +  folder = / 
    lob         name=@ 
    folder      name=/