You can change security constraint assignments for a user in a MODIFY USER statement. When you specify a security constraint that is:
- Not currently assigned to the user, the constraint is added to any existing constraints.
- Already assigned to the user, the new specifications replace the existing specifications.
- Already assigned to the user, followed by the keyword NULL, the constraint assignment is dropped from the user.

For example:

```sql
MODIFY USER Joe_Smith AS
CONSTRAINT = Classification_Level (TopSecret, Unclassified DEFAULT),
CONSTRAINT = Classification_Country (NULL),
CONSTRAINT = Classification_Job (Analyst) ;
```

where:

Syntax Element | Description |
---|---|
Classification_Level(TopSecret, Unclassified DEFAULT) | Raises the user classification level by replacing a previously assigned Secret clearance with TopSecret, while retaining the DEFAULT Unclassified level. |
Classification_Country (NULL) | Drops the Classification_Country constraint assignment that was previously assigned to the user. |
Classification_Job (Analyst) | Adds the new hierarchical category Classification_Job, and assigns the Analyst classification level. |

A new or changed security constraint assignment takes effect at the next user logon.
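
The add, replace and drop rules above can be checked against a change script before it is run. The following is an added example, not part of the original documentation: a small Python model that parses the CONSTRAINT clauses of a MODIFY USER statement and reports which assignments would be added, replaced or dropped. The regex-based parser, the function names, exact-case name matching and the prior Classification_Country value are assumptions made for illustration.

```python
import re

# One "CONSTRAINT = name (values)" clause; simplified illustrative grammar.
CLAUSE_RE = re.compile(r"CONSTRAINT\s*=\s*(\w+)\s*\(([^)]*)\)", re.IGNORECASE)

def parse_constraints(statement):
    """Map each constraint name to None (NULL) or [(value, is_default), ...]."""
    spec = {}
    for name, body in CLAUSE_RE.findall(statement):
        if body.strip().upper() == "NULL":
            spec[name] = None
            continue
        values = []
        for item in body.split(","):
            words = item.split()
            if words:
                is_default = len(words) > 1 and words[-1].upper() == "DEFAULT"
                values.append((words[0], is_default))
        spec[name] = values
    return spec

def apply_modify(current, statement):
    """Return (resulting assignments, change report) for one statement."""
    result, report = dict(current), []
    for name, values in parse_constraints(statement).items():
        if values is None:
            # NULL drops the assignment; this model treats an unassigned name as a no-op.
            if result.pop(name, None) is not None:
                report.append(("dropped", name))
        else:
            # An assigned constraint is replaced as a whole, so values not re-listed are lost.
            report.append(("replaced" if name in result else "added", name))
            result[name] = values
    return result, report

# Constructed prior state: Secret/Unclassified follow the page, "USA" is invented.
CURRENT = {
    "Classification_Level": [("Secret", False), ("Unclassified", True)],
    "Classification_Country": [("USA", False)],
}
STATEMENT = """MODIFY USER Joe_Smith AS
CONSTRAINT = Classification_Level (TopSecret, Unclassified DEFAULT),
CONSTRAINT = Classification_Country (NULL),
CONSTRAINT = Classification_Job (Analyst) ;"""

if __name__ == "__main__":
    after, changes = apply_modify(CURRENT, STATEMENT)
    for action, name in changes:
        print(f"{action:9} {name}: {CURRENT.get(name)} -> {after.get(name)}")
```

Because a replaced constraint keeps only the values listed in the statement, a reviewer can compare the before and after value lists to spot an unintended loss of a clearance or of the DEFAULT value.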