You can group attribute values and represent them with a single
value in the rules file. These attribute value groupings are
defined in a groupings file within the WLM configuration
directory.
By default, a configuration has no groupings file.
There is no command or management interface to create one. To create and use
attribute value groupings, use the following procedure:
- With root authority, change to the appropriate configuration directory,
as shown in the following example:
- Use your favorite editor to create and edit a file named groupings.
For example:
vi groupings
- Define attributes and their associated values using
the following format:
attribute = value, value, ...
All values must be separated by commas. Spaces are not significant.
Ranges and wild cards are allowed. For example:
trusted = user[0-9][0-9], admin*
nottrusted = user23, user45
shell = /bin/?sh, \
/bin/sh, \
/bin/tcsh
rootgroup=system,bin,sys,security,cron,audit
- Save the file.
- To use attribute groupings within the selection criteria for a
class, edit the rules file.
The attribute grouping name must be preceded by a dollar sign ($) to include
the corresponding values or the exclamation point (!) to exclude the values.
The exclamation point cannot be used in the members of the group (step 3),
and it is the only modifier that can be used in front of the grouping in this
rules file. In the following example, the asterisk (*) signals a comment line:
*class  resvd  user                  group       application        type  tag
classA  -      $trusted,!$nottrusted -           -                  -     -
classB  -      -                     -           $shell,!/bin/zsh   -     -
classC  -      -                     $rootgroup  -                  -     -
- Save the file.
At this point, your classification rules include attribute value
groupings. When the rules are parsed, if an element begins with a $, the system
looks for that element within the groupings file. If
an element is syntactically invalid or if the groupings file
does not exist, the system displays a warning message and continues processing
other rules.
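
Because parsing only warns and continues, it helps to check that every $ reference resolves before the files are put in place. The following is an added example, not part of the original documentation or of WLM itself: a small Python check, with hypothetical function names parse_groupings and check_rules, run over the sample groupings and rules shown above.

```python
import re

# Sample input copied from the page's examples.
GROUPINGS = r"""trusted = user[0-9][0-9], admin*
nottrusted = user23, user45
shell = /bin/?sh, \
/bin/sh, \
/bin/tcsh
rootgroup=system,bin,sys,security,cron,audit
"""
RULES = """*class resvd user group application type tag
classA - $trusted,!$nottrusted - - - -
classB - - - $shell,!/bin/zsh - -
classC - - $rootgroup - - -
"""

def parse_groupings(text):
    """Return ({name: [values]}, [warnings]) for groupings-file text."""
    groups, warnings = {}, []
    joined = re.sub(r"\\[ \t]*\n", "", text)  # join backslash-continued lines
    for line in joined.splitlines():
        if not line.strip():
            continue
        name, sep, rhs = (part.strip() for part in line.partition("="))
        if not sep or not name:
            warnings.append(f"groupings: malformed line {line.strip()!r}")
            continue
        # Spaces are not significant; values are separated by commas.
        values = [v.strip() for v in rhs.split(",") if v.strip()]
        for v in values:
            if v.startswith("!"):  # '!' is only valid in the rules file
                warnings.append(f"groupings: '!' in member {v!r} of {name}")
        groups[name] = values
    return groups, warnings

def check_rules(text, groups):
    """Return a warning for each $name in the rules text with no grouping."""
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("*"):
            continue  # blank line or comment
        for field in line.split()[1:]:  # skip the class name
            for elem in field.split(","):
                ref = elem.lstrip("!")
                if ref.startswith("$") and ref[1:] not in groups:
                    warnings.append(f"rules line {lineno}: undefined grouping {ref}")
    return warnings
```

An empty warning list from both functions means every grouping reference in the rules text has a definition and no group member carries the exclamation point.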