setauthpol

The setauthpol command modifies policy attributes that apply to a specific type of authentication policy, changing the contents of the policy. To change attributes that are independent of the policy type, use the chauthpol command.

With the setauthpol command, you can map external users and groups to one or more authority groups and to a user resource scope. Only users with security administrator authority can map a user ID or group to the security administrator group role. Users with security administrator authority cannot be mapped to any other group role. A user with administrator authority can map a user ID, or group, to any group role except security administrator.

Note: The setauthpol command cannot be run from the Embedded DS CLI window.

Using the setauthpol command, storage administrators with global resource scope authority can enable or disable a local administrator for the authentication policy. The local administrator is a specified user account in the local security repository who can log in to the system when a given remote user directory policy is configured and the remote user directory server is not accessible.

Depending on the policy type and the action that is selected, all of the other parameters can vary in meaning. For this reason, the syntax diagrams and the parameter descriptions are separated by policy types and actions. If a parameter is not found under a specific policy type, then it does not apply to that policy type.

Notes:
  • You must have administrator or security administrator authority and a user resource scope of '*' in the current policy to use this command.
  • If an external user belongs to several external groups that map to more than one user resource scope, other than DEFAULT, the user cannot log on unless there is also a mapping between the external user and one specific user resource scope.
  • The previous parameters -groupmap and -usermap, used with the addmap, rmmap, and setmap actions, are now deprecated but are still valid for use in commands. The new parameters -extgroup, -extuser, and -dsgroup replace the deprecated parameters, and cannot be used in the same command line with them.
  • For the RSA Multi-Factor Authentication policy type, mappings are supported for users but not for groups.

setauthpol -action { setauthserver | addmap | rmmap | rmallmap | setmap | setsasuser | settruststore | setlocaladmin | setusrbasedn | setbinduser | setbindpass | setuserdnph | setgroupdnph | setgroupbasedn | setusernameattr | setgroupnameattr | setgroupmemberattr | setusernamefilter | setgroupnamefilter | setrsa | setrsauser | addrsauser | rmrsauser | setrsagroup | addrsagroup | rmrsagroup | setrsaaccessid | setrsaaccesskey }

Each of the following sections shows the options for one of the listed -action parameters:

-action setauthserver
setauthpol -action setauthserver -loc loc1[,loc2...] -servertarget ldap | rsa pol_name | -
-action addmap
setauthpol -action addmap -extgroup extgrp1[,extgrp2…] -extuser extusr1[,extusr2…] -dsgroup dsgrp1[,dsgrp2…] -scope user_resource_scope pol_name | -
-action rmmap
setauthpol -action rmmap -extgroup extgrp1[,extgrp2…] -extuser extusr1[,extusr2…] -dsgroup dsgrp1[,dsgrp2…] -scope user_resource_scope pol_name | -
-action rmallmap
setauthpol -action rmallmap -extgroup extgrp1[,extgrp2…] -extuser extusr1[,extusr2…] -dsgroup dsgrp1[,dsgrp2…] -scope user_resource_scope pol_name | -
-action setmap
setauthpol -action setmap -extgroup extgrp1[,extgrp2…] -extuser extusr1[,extusr2…] -dsgroup dsgrp1[,dsgrp2…] -scope user_resource_scope pol_name | -
-action setsasuser
setauthpol -action setsasuser -username name -pw password pol_name | -
-action settruststore
setauthpol -action settruststore -pw password -loc loc1 -servertarget ldap | rsa pol_name | -
-action setlocaladmin
setauthpol -action setlocaladmin -username name -enable | -disable pol_name | -
-action setusrbasedn
setauthpol -action setusrbasedn -userbasedn user_base_dn pol_name | -
-action setbinduser
setauthpol -action setbinduser -binduser bind_user pol_name | -
-action setbindpass
setauthpol -action setbindpass -bindpass bind_pass pol_name | -
-action setuserdnph
setauthpol -action setuserdnph -userdnph bind_placeholder pol_name | -
-action setgroupdnph
setauthpol -action setgroupdnph -groupdnph bind_group_placeholder pol_name | -
-action setgroupbasedn
setauthpol -action setgroupbasedn -groupbasedn group_base_dn pol_name | -
-action setusernameattr
setauthpol -action setusernameattr -usernameattr user_name_attribute pol_name | -
-action setgroupnameattr
setauthpol -action setgroupnameattr -groupnameattr group_name_attribute pol_name | -
-action setgroupmemberattr
setauthpol -action setgroupmemberattr -groupmemberattr group_member_attribute pol_name | -
-action setusernamefilter
setauthpol -action setusernamefilter -usernamefilter user_name_filter pol_name | -
-action setgroupnamefilter
setauthpol -action setgroupnamefilter -groupnamefilter group_name_filter pol_name | -
-action setrsa
setauthpol -action setrsa -enable | -disable pol_name | -
-action setrsauser
setauthpol -action setrsauser -extuser extusr1[,extusr2…] -enable | -disable pol_name | -
-action addrsauser
setauthpol -action addrsauser -extuser extusr1[,extusr2…] -enable | -disable pol_name | -
-action rmrsauser
setauthpol -action rmrsauser -extuser extusr1[,extusr2…] pol_name | -
-action setrsagroup
setauthpol -action setrsagroup -extgroup extgrp1[,extgrp2…] -enable | -disable pol_name | -
-action addrsagroup
setauthpol -action addrsagroup -extgroup extgrp1[,extgrp2…] -enable | -disable pol_name | -
-action rmrsagroup
setauthpol -action rmrsagroup -extgroup extgrp1[,extgrp2…] pol_name | -
-action setrsaaccessid
setauthpol -action setrsaaccessid -rsaaccessid rsa_access_id pol_name | -
-action setrsaaccesskey
setauthpol -action setrsaaccesskey -rsaaccesskey rsa_access_key pol_name | -

Action parameters

-action setauthserver
(Required) The authentication server that is used in the policy.
-action addmap
(Required) Adds to the mappings of external users or groups in the storage system authority group roles.
Note: Either the -extgroup or -extuser (or both) parameters can be used with either the -dsgroup or -scope (or both) parameters to add a mapping between the specified mapping pairs.
-action rmmap
(Required) Removes either all or specific mappings of external users or groups from the storage system authority group roles.
Note: Either the -extgroup or -extuser (or both) parameters can be used with either the -dsgroup or -scope (or both) parameters to remove the mapping between the specified mapping pairs. Any existing mappings that are not part of the specified parameters are not removed.
-action rmallmap
(Required) Removes multiple mappings of storage system authority group roles and user resource scope from external users or groups.
Note: Any, or all, of the -extgroup, -extuser, -dsgroup, or -scope parameters can be used to remove all mapping pairs with any of the specified parameters. Any existing mappings that are not part of the specified parameters are not removed.
-action setmap
(Required) Maps external users or groups to storage system authority group roles. If previous mappings are defined, the setmap action replaces them. Use the addmap action to add new mappings without replacing previous versions. All unspecified roles are unchanged.
Note: Either the -extgroup or -extuser (or both) parameters can be used with either the -dsgroup or -scope (or both) parameters to set the mapping between the specified mapping pairs. Any existing mappings for the specified keyword pairs are replaced by the specified mapping.
-action setsasuser
(Required) The storage authentication service (SAS) user. Available for SAS authentication only.
-action settruststore
(Required) The location of the truststore file. You must specify the password to check the integrity of the keystore data, and to set the truststore.
At the truststore location, you must manually generate a Java KeyStore (.jks) file that contains:
  • the RSA server certificate, when you set up an RSA authentication policy with the settruststore action;
  • the LDAP server certificate, when you set up an LDAP authentication policy with the settruststore action;
  • both the RSA server certificate and the LDAP server certificate, when you set up an RSA+LDAP authentication policy with the settruststore action.
-action setlocaladmin
(Required) A storage administrator with global resource scope authority can set a local administrator for the authentication policy. The local administrator is specified as the user account in the local security repository who can log in to the system when a given remote user directory policy is configured and the remote user directory server is not accessible.
-action setuserbasedn
(Required) The base distinguished name (DN) for user lookup. Available for LDAP authentication only.
-action setbinduser
(Required) The bind user name. Available for LDAP authentication only.
-action setbindpass
(Required) The password for the bind user. Available for LDAP authentication only.
-action setuserdnph
(Required) The placeholder for the bind user DN. Available for LDAP authentication only.
-action setgroupdnph
(Required) The placeholder for the bind group DN. Available for LDAP authentication only.
-action setgroupbasedn
(Required) The base distinguished name (DN) for group lookup. Available for LDAP authentication only.
-action setusernameattr
(Required) The name attribute for user lookup. Available for LDAP authentication only.
-action setgroupnameattr
(Required) The group name attribute for group lookup. Available for LDAP authentication only.
-action setgroupmemberattr
(Required) The group member attribute for group lookup. Available for LDAP authentication only.
-action setusernamefilter
(Required) The attributes for a user name filter. Enter a placeholder value such as {0} or {USERNAME}. Available for LDAP authentication only.
-action setgroupnamefilter
(Required) The attributes for a group name filter. Enter a placeholder value such as {0} or {GROUPNAME}. Available for LDAP authentication only.
-action setrsa
(Required) Disable or re-enable RSA authentication. Only applies to RSA+LDAP authentication policy type. If RSA authentication is disabled, LDAP authentication is still required. If RSA authentication is re-enabled, all existing RSA mappings are preserved.
-action setrsauser
(Required) Disable or re-enable RSA authentication for a user in the policy. Only applies to RSA+LDAP authentication policy type. If previous RSA SecurID users are defined, the setrsauser action replaces them. Use the addrsauser action to add new RSA SecurID users without replacing previous versions. If RSA SecurID authentication is disabled, LDAP authentication is still required.
-action addrsauser
(Required) Adds RSA SecurID users and disables or enables RSA authentication for them. Only applies to the RSA+LDAP authentication policy type. If RSA SecurID authentication is disabled, LDAP authentication is still required.
-action rmrsauser
(Required) Removes RSA SecurID users in the policy. Only applies to RSA+LDAP authentication policy type.
-action setrsagroup
(Required) Disable or re-enable RSA authentication for a group in the policy. Only applies to RSA+LDAP authentication policy type. If previous RSA SecurID groups are defined, the setrsagroup action replaces them. Use the addrsagroup action to add new RSA SecurID groups without replacing previous versions. If RSA SecurID authentication is disabled, LDAP authentication is still required.
-action addrsagroup
(Required) Adds RSA SecurID groups and disables or enables RSA authentication for them. Only applies to the RSA+LDAP authentication policy type. If RSA SecurID authentication is disabled, LDAP authentication is still required.
-action rmrsagroup
(Required) Removes RSA SecurID groups in the policy. Only applies to RSA+LDAP authentication policy type.
-action setrsaaccessid
(Required) Authentication identifier required for sending API authentication requests to RSA SecurID server. Available for RSA or RSA+LDAP authentication only.
Note: This is sensitive data that should be stored securely and shared only with other administrators.
-action setrsaaccesskey
(Required) Unique Key required for sending API authentication requests to RSA SecurID server. Available for RSA or RSA+LDAP authentication only.
Note: This is confidential data that should be stored securely and shared only with other administrators.
The following table includes all the valid combinations of actions and parameters and their effects on the storage system. One or more options from parameter group 1 must be specified. If any options are listed in parameter group 2, one or more of those options must also be specified.

Table 1. setauthpol action and parameter combinations

Action | Parameter group 1 | Parameter group 2 | Effects
addmap | -extgroup extgrp1[,extgrp2] or -extuser extusr1[,extusr2] | -dsgroup dsgrp1[,dsgrp2] or -scope user_resource_scope | Add mapping to existing maps
rmmap | -extgroup extgrp1[,extgrp2] or -extuser extusr1[,extusr2] | -dsgroup dsgrp1[,dsgrp2] or -scope user_resource_scope | Remove mapping from existing maps
rmallmap | -extgroup extgrp1[,extgrp2], -extuser extusr1[,extusr2], -dsgroup dsgrp1[,dsgrp2], or -scope user_resource_scope | | Remove specified values from all existing maps
setauthserver | -loc loc1[,loc2] | | Set location of authentication server
setmap | -extgroup extgrp1[,extgrp2] or -extuser extusr1[,extusr2] | -dsgroup dsgrp1[,dsgrp2] or -scope user_resource_scope | Specify mapping to replace existing maps
setsasuser | -username name | -pw password | Set SAS user name and password
settruststore | -loc loc1 | -pw password | Set location and password of trust store file
setlocaladmin | -username name | -enable or -disable | Set the local administrator account of the specified authentication policy to enabled or disabled
setuserbasedn | -userbasedn user_base_dn | | Set the base distinguished name (DN) for user lookup
setbinduser | -binduser bind_user | | Set the bind user name
setbindpass | -bindpass bind_password | | Set the password for the bind user
setuserdnph | -userdnph bind_placeholder | | Set the placeholder for the bind user DN
setgroupdnph | -groupdnph bind_group_placeholder | | Set the placeholder for the bind group DN
setgroupbasedn | -groupbasedn group_base_dn | | Set the base distinguished name (DN) for group lookup
setusernameattr | -usernameattr user_name_attribute | | Set the name attribute for user lookup
setgroupnameattr | -groupnameattr group_name_attribute | | Set the name attribute for group lookup
setgroupmemberattr | -groupmemberattr group_member_attribute | | Set the member attribute for group lookup
setusernamefilter | -usernamefilter user_name_filter | | Set the attributes for a user name filter
setgroupnamefilter | -groupnamefilter group_name_filter | | Set the attributes for a group name filter
setrsa | -username name | -enable or -disable | Enable or disable MFA for the direct LDAP policy
setrsauser | -extuser extusr1[,extusr2] | -enable or -disable | Enable or disable RSA SecurID for a user in the policy
addrsauser | -extuser extusr1[,extusr2] | -enable or -disable | Add RSA SecurID users to the authentication policy and enable or disable them
rmrsauser | -extuser extusr1[,extusr2] | | Remove an RSA SecurID user from the authentication policy
setrsagroup | -extgroup extgrp1[,extgrp2] | -enable or -disable | Enable or disable RSA SecurID for a group in the policy
addrsagroup | -extgroup extgrp1[,extgrp2] | -enable or -disable | Add RSA SecurID groups to the authentication policy and enable or disable them
rmrsagroup | -extgroup extgrp1[,extgrp2] | | Remove an RSA SecurID group from the authentication policy
setrsaaccessid | -rsaaccessid rsa_access_id | | Set the authentication identifier required for sending API authentication requests to the RSA SecurID server
setrsaaccesskey | -rsaaccesskey rsa_access_key | | Set the unique key required for sending API authentication requests to the RSA SecurID server

Parameters, sorted by the selected action

Parameters for -action setauthserver:

-loc loc1[,loc2...]
(Optional) The URL location of the authentication servers. loc1 and loc2 are URLs specified as an IPv4, IPv6, or DNS-named IP address. Multiple locations are separated by commas without spaces.

SAS servers use the HTTPS protocol and port number 16311, both of which are specified in the URL. For example, https://9.11.236.10:16311/TokenService/services/Trust.

LDAP servers use the LDAP protocol if TLS is not used (ldap://hostname:port) and the LDAPS protocol if TLS is used (ldaps://hostname:port).

-servertarget ldap | rsa
(Optional) Specifies the type of authentication server that the location applies to. Inputs are either RSA or LDAP. If you specify RSA, the attributes for RSA authentication are set. If you specify LDAP, the attributes for LDAP authentication are set. Available only for the RSA+LDAP authentication policy.
ldap
Remote authentication through a direct connection to an LDAP repository.
rsa
The RSA authentication type provides Multi-Factor Authentication with RSA Authentication Manager Servers.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setmap:

-extgroup extgrp1[,extgrp2…]
(Optional) Maps storage system authentication group roles (-dsgroup) and/or a user resource scope (-scope) to a specified list of external authentication group names (extgrp). Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
-extuser extusr1[,extusr2…]
(Optional) Maps storage system authentication group roles (-dsgroup) and/or a user resource scope (-scope) to the specified list of external authentication user names (-extuser). Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Example: fred,sally
-dsgroup dsgrp1[,dsgrp2…]
(Optional) Lists storage system authentication group roles (dsgrp) that consist of one or more of the following role names: "admin", "secadmin", "op_storage", "op_volume", "op_copy_services", "monitor", "no_access", "ibm_engineering", and "ibm_service". Multiple role names are separated with commas without spaces.
Note: The "ibm_engineering" and "ibm_service" roles cannot be combined with other existing roles. The DS CLI allows users to have multiple roles, but currently the only combination allowed is "op_volume" + "op_copy_services".
Example: op_volume,op_copy_services
-scope user_resource_scope
(Optional) The user resource scope, which must meet the following criteria:
  • Must be 1 - 32 characters long
  • The characters are limited to uppercase and lowercase alphabetic, numeric, and the special characters dash ( - ), underscore ( _ ), and period ( . ). You can also define the scope as a single asterisk ( * ).

The default scope is * for users in the administrator and security administrator authority groups, and PUBLIC for users in all other authority groups.

Example: Product_A

Note: The user resource scope is matched to one or more resource group IDs that are assigned to resource groups. If the resource group ID of a resource group matches the user resource scope, the user is authorized to issue Copy Services requests to a logical volume, LSS, or LCU that is assigned to the resource group. To issue a Copy Services request to establish a volume pairing, an LSS-pairing, or LCU-pairing, you must be authorized to access the source volume, source LSS, or source LCU, respectively. To issue a Copy Services request that operates on an LSS or LCU or has a session parameter, you must be authorized to access that LSS or LCU.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.
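The following Python model is an added example, not DS CLI or IBM code. It reproduces the mapping semantics described above for addmap, rmmap, rmallmap and setmap, the -scope and -dsgroup validation rules, the rule that only a security administrator can map a principal to secadmin (and that a secadmin principal cannot hold another role), and the log-on rule for an external user whose groups map to more than one user resource scope. All class, method and sample names are assumptions; how roles from several mappings combine for one user is also an assumption, since the page only states how the scope is resolved.

```python
"""In-memory model of the setauthpol mapping actions (addmap, rmmap, rmallmap,
setmap), the -scope and -dsgroup validation rules, the secadmin restriction,
and the log-on rule for a user whose groups map to several user resource
scopes. Constructed example; not DS CLI code."""
import re

# -scope rule: 1-32 chars of letters, digits, '-', '_' and '.', or a single '*'.
_SCOPE_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
ROLES = {"admin", "secadmin", "op_storage", "op_volume", "op_copy_services",
         "monitor", "no_access", "ibm_engineering", "ibm_service"}
# The only multi-role combination the -dsgroup description allows.
ALLOWED_COMBOS = {frozenset({"op_volume", "op_copy_services"})}


def validate_scope(scope):
    if scope == "*" or _SCOPE_RE.match(scope):
        return scope
    raise ValueError(f"invalid user resource scope: {scope!r}")


def validate_dsgroups(roles):
    roles = frozenset(roles)
    unknown = roles - ROLES
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    # No role may be combined with another, except op_volume + op_copy_services.
    if len(roles) > 1 and roles not in ALLOWED_COMBOS:
        raise ValueError(f"role combination not allowed: {sorted(roles)}")
    return roles


class AuthPolicy:
    """maps: 'group:NAME' or 'user:NAME' -> {'dsgroup': set, 'scope': set}."""

    def __init__(self):
        self.maps = {}

    @staticmethod
    def _principals(extgroup, extuser):
        return [f"group:{g}" for g in extgroup] + [f"user:{u}" for u in extuser]

    def _entry(self, principal):
        return self.maps.setdefault(principal, {"dsgroup": set(), "scope": set()})

    def _apply(self, caller, extgroup, extuser, dsgroup, scope, replace):
        roles = validate_dsgroups(dsgroup)
        scopes = {validate_scope(s) for s in scope}
        # Only a caller with security administrator authority may map to secadmin.
        if "secadmin" in roles and caller != "secadmin":
            raise PermissionError("only a security administrator can map to secadmin")
        for p in self._principals(extgroup, extuser):
            e = self._entry(p)
            if roles:
                # Re-validate the merged set: a principal already mapped to
                # secadmin can never pick up a second role through addmap.
                merged = roles if replace else e["dsgroup"] | roles
                e["dsgroup"] = set(validate_dsgroups(merged))
            if scopes:
                e["scope"] = set(scopes) if replace else e["scope"] | scopes

    def addmap(self, caller, extgroup=(), extuser=(), dsgroup=(), scope=()):
        self._apply(caller, extgroup, extuser, dsgroup, scope, replace=False)

    def setmap(self, caller, extgroup=(), extuser=(), dsgroup=(), scope=()):
        self._apply(caller, extgroup, extuser, dsgroup, scope, replace=True)

    def rmmap(self, extgroup=(), extuser=(), dsgroup=(), scope=()):
        # Remove only the named pairs; all other mappings stay.
        for p in self._principals(extgroup, extuser):
            if p in self.maps:
                self.maps[p]["dsgroup"] -= set(dsgroup)
                self.maps[p]["scope"] -= set(scope)

    def rmallmap(self, extgroup=(), extuser=(), dsgroup=(), scope=()):
        # Remove every map that involves any of the given values.
        for p in self._principals(extgroup, extuser):
            self.maps.pop(p, None)
        for e in self.maps.values():
            e["dsgroup"] -= set(dsgroup)
            e["scope"] -= set(scope)

    def resolve(self, user, member_of):
        """Effective (roles, scope) for an external user, or None if the user
        cannot log on. Unioning roles across maps is an assumption."""
        empty = {"dsgroup": set(), "scope": set()}
        direct = self.maps.get(f"user:{user}", empty)
        roles, user_scopes, group_scopes = set(direct["dsgroup"]), set(direct["scope"]), set()
        for g in member_of:
            e = self.maps.get(f"group:{g}", empty)
            roles |= e["dsgroup"]
            group_scopes |= e["scope"]
        if not roles:
            return None                        # no authority group at all
        if len(user_scopes) == 1:              # a direct user scope disambiguates
            return roles, next(iter(user_scopes))
        if len(user_scopes) > 1 or len(group_scopes) > 1:
            return None                        # ambiguous scope: cannot log on
        if group_scopes:
            return roles, next(iter(group_scopes))
        # Default scope: '*' for administrators, PUBLIC for everyone else.
        return roles, "*" if roles & {"admin", "secadmin"} else "PUBLIC"
```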

Parameters for -action addmap:

-extgroup extgrp1[,extgrp2…]
(Optional) Maps storage system authentication group roles (-dsgroup) and user resource scope (-scope) to a specified list of external authentication group names (extgrp). Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
-extuser extusr1[,extusr2…]
(Optional) Maps storage system authentication group roles (-dsgroup) and user resource scope (-scope) to the specified list of external user names (-extuser). Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Note: Use of this parameter is not recommended for maintenance reasons.
Example: fred,sally
-dsgroup dsgrp1[,dsgrp2…]
(Optional) Lists storage system authentication group roles (dsgrp) that consist of one or more of the following role names: "admin", "secadmin", "op_storage", "op_volume", "op_copy_services", "service", "monitor", and "no_access". Multiple role names are separated with commas without spaces.
Example: op_volume,op_copy_services
-scope user_resource_scope
(Optional) The user resource scope, which must meet the following criteria:
  • Must be 1 - 32 characters long
  • The characters are limited to upper and lower case alphabetic, numeric, and the special characters, dash ( - ), underscore ( _ ), and period ( . ). You can also define the scope as a single asterisk ( * ).

The default scope is * for users in the administrator authority group, and PUBLIC for users in all other authority groups.

Example: Product_A

Note: The user resource scope is matched to one or more resource group IDs that are assigned to resource groups. If the resource group ID of a resource group matches the user resource scope, the user is authorized to issue Copy Services requests to a logical volume, LSS, or LCU that is assigned to the resource group. To issue a Copy Services request to establish a volume pairing, an LSS-pairing, or LCU-pairing, you must be authorized to access the source volume, source LSS, or source LCU, respectively. To issue a Copy Services request that operates on an LSS or LCU or has a session parameter, you must be authorized to access that LSS or LCU.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action rmmap:

-extgroup extgrp1[,extgrp2…]
(Optional) Unmaps storage system authentication group roles (-dsgroup) and user resource scope (-scope) from a specified list of external authentication group names (extgrp). Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
-extuser extusr1[,extusr2…]
(Optional) Unmaps storage system authentication group roles (-dsgroup) and user resource scope (-scope) from the specified list of external users (-extuser). Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Note: Use of this parameter is not recommended for maintenance reasons.
Example: fred,sally
-dsgroup dsgrp1[,dsgrp2…]
(Optional) Lists storage system authentication group roles (dsgrp) that consist of one or more of the following role names: "admin", "secadmin", "op_storage", "op_volume", "op_copy_services", "service", "monitor", and "no_access". Multiple role names are separated with commas without spaces.
Example: op_volume,op_copy_services
-scope user_resource_scope
(Optional) The user resource scope, which must meet the following criteria:
  • Must be 1 - 32 characters long
  • The characters are limited to upper and lowercase alphabetic, numeric, and the special characters, dash ( - ), underscore ( _ ), and period ( . ). You can also define the scope as a single asterisk ( * ).

The default scope is * for users in the administrator authority group, and PUBLIC for users in all other authority groups.

Example: Product_A

Notes:
  1. The user resource scope is matched to one or more resource group IDs that are assigned to resource groups. If the resource group ID of a resource group matches the user resource scope, you are authorized to issue Copy Services requests to a logical volume, LSS, or LCU that is assigned to the resource group. To issue a Copy Services request to establish a volume pairing, an LSS-pairing, or LCU-pairing, you must be authorized to access the source volume, source LSS, or source LCU, respectively. To issue a Copy Services request that operates on an LSS or LCU or has a session parameter, you must be authorized to access that LSS or LCU.
  2. When a scope mapping is removed from a -extuser or -extgroup, the default scope still applies.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action rmallmap:

-extgroup extgrp1[,extgrp2…]
(Optional) Removes all maps with the specified external groups. Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
-extuser extusr1[,extusr2…]
(Optional) Removes all maps with the specified external users. Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Note: Use of this parameter is not recommended for maintenance reasons.
Example: fred,sally
-dsgroup dsgrp1[,dsgrp2…]
(Optional) Removes all maps with the specified storage system groups. Storage system authentication group roles (dsgrp) consist of one or more of the following role names: "admin", "secadmin", "op_storage", "op_volume", "op_copy_services", "service", "monitor", and "no_access". Multiple role names are separated with commas without spaces.
Example: op_volume,op_copy_services
-scope user_resource_scope
(Optional) Removes all maps with the specified scope. The user resource scope must meet the following criteria:
  • Must be 1 - 32 characters long
  • The characters are limited to upper and lower case alphabetic, numeric, and the special characters, dash ( - ), underscore ( _ ), and period ( . ). You can also define the scope as a single asterisk ( * ).

The default scope is * for users in the administrator authority group, and PUBLIC for users in all other authority groups.

Example: Product_A

Notes:
  1. The user resource scope is matched to one or more resource group IDs that are assigned to resource groups. If the resource group ID of a resource group matches the user resource scope, you are authorized to issue Copy Services requests to a logical volume, LSS, or LCU that is assigned to the resource group. To issue a Copy Services request to establish a volume pairing, an LSS-pairing, or LCU-pairing, you must be authorized to access the source volume, source LSS, or source LCU, respectively. To issue a Copy Services request that operates on an LSS or LCU or has a session parameter, you must be authorized to access that LSS or LCU.
  2. When a scope mapping is removed from a -extuser or -extgroup, the default scope still applies.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setlocaladmin:

-username name
(Optional) A user name in the local security repository. Only a storage administrator with global resource scope can be specified as the local administrator for a remote authentication policy.
-enable
(Optional) Enables the local administrator of the authentication policy.
-disable
(Optional) Disables the local administrator of the authentication policy.

The -disable parameter is not valid when specified with the -enable or -username parameters.

pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for an SAS policy type, sorted by the selected action

Parameters for -action settruststore:

-pw password
(Optional) The truststore password.
-loc loc1
(Optional) The local truststore file location. Only one truststore location can be specified. loc1 is the full path name of the file that is stored on the local system.
Example: c:\mystore\trust.dat
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setsasuser:

-username name
(Optional) The user name that is used internally by SAS (Storage Authentication Service). Only one user name can be specified.
-pw password
(Optional) The user name password that is used internally by SAS.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for LDAP authentication, sorted by the selected action

Parameters for -action setbinduser:

-binduser name
(Optional) The bind user name. Use -binduser null to remove a value.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setbindpass:

-bindpass password
(Optional) The password for the bind user. Use -bindpass null to remove a value.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setuserdnph:

-userdnph bind_placeholder
(Optional) The placeholder for the bind user DN. You must use either of the placeholders {USERNAME} or {0}, but you cannot use both placeholders in a string.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setgroupdnph:

-groupdnph bind_group_placeholder
(Optional) The placeholder for the bind group DN. You must use either of the placeholders {GROUPNAME} or {0}, but you cannot use both placeholders in a string.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setuserbasedn:

-userbasedn user_base_dn
(Optional) The base distinguished name (DN) for user lookup.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setgroupbasedn:

-groupbasedn group_base_dn
(Optional) The base distinguished name (DN) for group lookup.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setusernameattr:

-usernameattr user_name_attribute
(Optional) The name attribute for user lookup. Use -usernameattr null to remove a value.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setgroupmemberattr:

-groupmemberattr group_name_attribute
(Optional) The group name attribute for group lookup. Use -groupmemberattr null to remove a value.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setusernamefilter:

-usernamefilter user_name_filter
(Optional) The attributes for a user name filter. Enter a placeholder value such as {0} or {USERNAME}. Use -usernamefilter null to remove a value.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setgroupnamefilter:

-groupnamefilter group_name_filter
(Optional) The attributes for a group name filter. Enter a placeholder value such as {0} or {GROUPNAME}. Use -groupnamefilter null to remove a value.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for RSA or RSA+LDAP authentication policy type, sorted by the selected action

Parameters for -action setrsa:

-username name
(Optional) Sets a name for a user to the specified list of remote authentication user names. Use -username null to remove a value.
-enable
(Optional) Enables the multifactor authentication for a direct LDAP policy.
-disable
(Optional) Disables the multifactor authentication for a direct LDAP policy.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setrsauser:

-extuser extusr1[,extusr2…]
(Optional) Sets the name for a user to the specified list of external authentication user names (-extuser). Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Example: fred,sally
-enable
(Optional) Enables the RSA SecurID authentication for a user.
-disable
(Optional) Disables the RSA SecurID authentication for a user.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action addrsauser:

-extuser extusr1[,extusr2…]
(Optional) Adds the name for a user to the specified list of external authentication user names (-extuser). Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Example: fred,sally
-enable
(Optional) Enables the RSA SecurID authentication for a user.
-disable
(Optional) Disables the RSA SecurID authentication for a user.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action rmrsauser:

-extuser extusr1[,extusr2…]
(Optional) Removes the name of a user from the specified list of external authentication user names (-extuser). Multiple user names are separated with commas without spaces. All unspecified external users are unchanged.
Example: fred,sally
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setrsagroup:

-extgroup extgrp1[,extgrp2…]
(Optional) Sets the name for a group to the specified list of external authentication group names (-extgroup). Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
-enable
(Optional) Enables the RSA SecurID authentication for a group.
-disable
(Optional) Disables the RSA SecurID authentication for a group.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action addrsagroup:

-extgroup extgrp1[,extgrp2…]
(Optional) Adds the name for a group to the specified list of external authentication group names (-extgroup). Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
-enable
(Optional) Enables the RSA SecurID authentication for a group.
-disable
(Optional) Disables the RSA SecurID authentication for a group.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action rmrsagroup:

-extgroup extgrp1[,extgrp2…]
(Optional) Removes the name of a group from the specified list of external authentication group names (-extgroup). Multiple group names are separated with commas without spaces. All unspecified external groups are unchanged.
Example: ESS_ds1,ESS_ds2
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setrsaaccessid:

-rsaaccessid rsa_access_id
(Optional) The authentication identifier that is required for sending API authentication requests to the RSA SecurID server. Sets the authentication identifier to rsa_access_id.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Parameters for -action setrsaaccesskey:

-rsaaccesskey rsa_access_key
(Optional) The unique key that is required for sending API authentication requests to the RSA SecurID server. Sets the unique key to rsa_access_key.
pol_name | -
(Required) The name of the authentication policy. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Example 1: Creating a mapping between the external group 'Admins' and the storage system administrator role.

dscli> setauthpol -action addmap -extgroup Admins -dsgroup admin

Example 2: Removing all mappings between the external group 'Dept54' and all internal storage system groups and/or scope.

dscli> setauthpol -action rmallmap -extgroup Dept54

Example 3: Using the setauthpol command to modify the contents of the policy.

dscli> setauthpol -action rmallmap -extgroup Dept54

Example 4: Using action parameters for LDAP authentication.

dscli> setauthpol -action setuserbasedn -userbasedn o=ibm.com myLDAPPol
dscli> setauthpol -action setbinduser -binduser uid=001016666,c=mx,ou=bluepages,O=IBM.COM myLDAPPol
dscli> setauthpol -action setbindpass -bindpass 123456 myLDAPPol
dscli> setauthpol -action setuserdnph -userdnph {USERNAME}@ibm.com myLDAPPol
dscli> setauthpol -action setgroupdnph -groupdnph cn={0},cn=groups,o=company,o=com myLDAPPol
dscli> setauthpol -action setgroupbasedn -groupbasedn o=group myLDAPPol
dscli> setauthpol -action setusernameattr -usernameattr mail myLDAPPol
dscli> setauthpol -action setgroupnameattr -groupnameattr cn myLDAPPol
dscli> setauthpol -action setgroupmemberattr -groupmemberattr uniquemember myLDAPPol
dscli> setauthpol -action setusernamefilter -usernamefilter (mail={xyz}) myLDAPPol
dscli> setauthpol -action setgroupnamefilter -groupnamefilter (&(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames))(cn={0})) myLDAPPol
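The -userdnph, -groupdnph, -usernamefilter and -groupnamefilter values above are templates: at logon time the placeholder ({USERNAME} or {0} for users, {GROUPNAME} or {0} for groups) is replaced by the name the user presented, and the result is used as the bind DN or as the LDAP search filter. The following Python model is an added illustration of that expansion and is not DS CLI or IBM code; the page does not describe how the product performs the substitution, so the one-placeholder check, the RFC 4514 DN escaping and the RFC 4515 filter escaping are assumptions chosen from a defender's point of view (a login name containing filter metacharacters must not be able to change the structure of the filter). The templates are those of Example 4, the sample names fred and ESS_ds1 come from the parameter descriptions, and the user filter (mail={USERNAME}) is a constructed value that follows the -usernamefilter description.

```python
"""Model of how the setauthpol LDAP placeholders ({USERNAME}/{0} for users,
{GROUPNAME}/{0} for groups) could be expanded into a bind DN and a search
filter. Added illustration, not DS CLI or IBM code: the product's actual
expansion and escaping behaviour is not documented on the reference page."""

USER_PLACEHOLDERS = ("{USERNAME}", "{0}")
GROUP_PLACEHOLDERS = ("{GROUPNAME}", "{0}")

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = {",": r"\,", "+": r"\+", '"': r"\"", "\\": r"\\",
               "<": r"\<", ">": r"\>", ";": r"\;"}
# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def find_placeholder(template, placeholders):
    """Return the single placeholder used in the template, or None when the
    template breaks the page's rule (use one of the two, never both)."""
    present = [p for p in placeholders if p in template]
    return present[0] if len(present) == 1 else None


def template_is_valid(template, placeholders):
    """True when the template contains exactly one admissible placeholder."""
    return find_placeholder(template, placeholders) is not None


def escape_dn_value(value):
    """Escape a value for splicing into a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append(_DN_SPECIAL[ch])
        elif ch == "#" and i == 0:          # leading '#' must be escaped
            out.append(r"\#")
        elif ch == " " and i in (0, last):  # leading/trailing space too
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for splicing into a search filter (RFC 4515), so a
    user-supplied name cannot alter the filter's structure."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def _expand(template, placeholders, value, escape):
    ph = find_placeholder(template, placeholders)
    if ph is None:
        raise ValueError("template must contain exactly one of %s: %r"
                         % (placeholders, template))
    return template.replace(ph, escape(value))


def build_bind_dn(userdnph, username):
    """-userdnph template + login name -> bind DN."""
    return _expand(userdnph, USER_PLACEHOLDERS, username, escape_dn_value)


def build_group_dn(groupdnph, groupname):
    """-groupdnph template + group name -> group DN."""
    return _expand(groupdnph, GROUP_PLACEHOLDERS, groupname, escape_dn_value)


def build_user_filter(usernamefilter, username):
    """-usernamefilter template + login name -> LDAP search filter."""
    return _expand(usernamefilter, USER_PLACEHOLDERS, username,
                   escape_filter_value)


def build_group_filter(groupnamefilter, groupname):
    """-groupnamefilter template + group name -> LDAP search filter."""
    return _expand(groupnamefilter, GROUP_PLACEHOLDERS, groupname,
                   escape_filter_value)


if __name__ == "__main__":
    # Templates from Example 4; fred and ESS_ds1 are the sample names the
    # parameter descriptions use. (mail={USERNAME}) is a constructed filter.
    print(build_bind_dn("{USERNAME}@ibm.com", "fred"))
    print(build_group_dn("cn={0},cn=groups,o=company,o=com", "ESS_ds1"))
    print(build_group_filter(
        "(&(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames))"
        "(cn={0}))", "ESS_ds1"))
    # A login name carrying filter metacharacters is neutralised by escaping.
    print(build_user_filter("(mail={USERNAME})", "*)(uid=*"))
    # A template that uses both placeholders is rejected, as the page requires.
    print(template_is_valid("cn={USERNAME},cn={0},o=ibm.com", USER_PLACEHOLDERS))
```

The escaping step is the part worth checking on any directory integration: a filter template such as (mail={0}) is only safe if the value spliced in has had *, (, ) and backslash encoded, otherwise a crafted login name rewrites the search the server executes.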

Example 5: Using action parameters to disable and re-enable RSA in an RSA+LDAP authentication policy.

dscli> setauthpol -action setrsa -disable nldapol
dscli> setauthpol -action setrsa -enable nldapol