Configurable Permission Groups (LSMS Command Class Mgmt)

When the optional LSMS Command Class Management feature is enabled, LSMS supports configurable GUI permission groups in addition to the five non-configurable GUI permission groups (lsmsadm, lsmsuser, lsmsview, lsmsall, and lsmsuext).

The LSMS supports the creation of 128 additional, configurable GUI permission groups that can be used to ensure a specific and secure environment. After creating the new, configurable GUI permission groups, the system administrator can assign users to the appropriate group.

The configurable GUI permission groups control access to GUI commands.

A method to control access to a fixed set of commands is provided. Existing commands, executables, and scripts are classified as follows:

Optional command-line capability for Report Generator (LQL)
This command may be assigned individually, similar to GUI commands, to one or more permission groups.
Root privilege-only commands
These commands are root-only and are not assignable to any permission group.
Other commands owned by lsmsadm
These commands include those used by the LSMS application, those used to control processes, and those for setup and configuration. Commands in this category are grouped as a single set of administration commands. Users may or may not be granted access to this command-line group, in addition to being assigned to the appropriate GUI group.

Some commands in this group, although owned by lsmsadm, are accessible to non-owners for limited operation, such as status. The incorporation of this feature will not have any impact on the current privileges of commands for non-owners.

Example:

To set up a custom environment, system administrators should define the GUI permission groups and populate those groups with the appropriate commands:

Define GUI Permission Groups and Assign Command Privileges
GUI Permission Group	Command Privileges
Custom GUICONFIG	All Configuration Commands
Custom GUIEMS	All EMS-related Commands
Custom GUISUPER	All GUI Commands

Optionally, assign users (for example, Mike, Sally, and Bill) to a specific command-line permission group (in this example, lsmsadm) or GUI permission group.

User Assignment Examples
User	Linux Permission Group	GUI Permission Group
Mike	lsmsadm	Custom GUICONFIG
Joe	lsmsall	Custom GUIEMS
Sally	lsmsadm	lsmsadm
Bill	lsmsadm	Custom GUISUPER

Note: Secure activation is required because this is an optional feature.

After activating this feature, you can create permission groups and assign users to these new groups.

Note: Changes in privileges do not automatically occur upon feature activation.

Permission Group Naming

The LSMS supports the ability to uniquely name each configurable GUI permission group.
A group name can consist of a minimum of one character to a maximum of 40 characters (only alphanumeric characters are permitted).

Permission Group Contents

Each configurable GUI permission group supports any or all of the LSMS GUI commands.
Any GUI command may be associated with multiple GUI permission groups.
The optional LQL command for the Report Generator feature can be placed in GUI permission groups.
The LSMS supports a group containing the current LSMS lsmsadm commands with the exception of Report, Audit, and LQL.

Permission Group Commands

The LSMS enables you to perform the following tasks:

Create and modify GUI permission groups.
Assign a user to a single GUI permission group.
Assign a user access to the command group in addition to a GUI permission group.
Retrieve the names of all permission groups, all the commands permitted within a permission group, and the names of all permission groups that contain a particular command.