authzrule create
Creates an authorization rule.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule create rule_id rule_text [-desc description] [-failreason fail_reason]
Description
You can attach an authorization rule to a protected object. To authorize access to the protected object, the user credential and application context attributes are compared against the rule.
Note: Quotation marks within an authorization rule must be escaped by using the backward slash (\) character.
Options
- -desc description
- Specifies the description of the authorization rule. (Optional) A valid description is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description.
Example of description:
"time-of-day rule for engineering object space"
- -failreason fail_reason
- Specifies the message that is returned if the rule denies access to a protected object. (Optional) If authorization is denied as a result of evaluating this rule while the other authorization checks succeed, this reason code is returned to the application that makes the authorization check.
- rule_id
- Specifies the name of the authorization rule to create. A valid authorization rule name is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. Spaces are not allowed. The following characters cannot be used in the name of an authorization rule:
! " # & ( ) * + , ; : < > = @ / \ | .
- rule_text
- Specifies the rule policy, in XSL format, that is used to evaluate the rule. The rule must be enclosed in double quotation mark (") characters. If the rule contains a double quotation mark as part of the rule text, precede that double quotation mark with a backward slash (\) character. Doing so instructs pdadmin to ignore the double quotation mark rather than treat it as the end of the rule text.
Return codes
- 0
- The command completed successfully.
- 1
- The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.
Example
When providing rule text with the pdadmin utility, enclose the rule text in double quotation marks ("). Double quotation marks embedded within the rule text must be escaped with a backward slash (\) so that they are ignored by the pdadmin utility. The XSL processor treats single and double quotation marks equally for defining text strings. They can be used interchangeably, but they must always be paired appropriately. For example:
pdadmin sec_master> authzrule create testrule1
"<xsl:if test='some_piece_of_ADI =\"any string\"'>!TRUE!</xsl:if>"