acl modify

Modifies access control list (ACL) policies.

Requires authentication (administrator ID and password) to use this command.

Syntax

acl modify acl_name delete attribute attribute_name [attribute_value]

acl modify acl_name description description

acl modify acl_name remove any-other

acl modify acl_name remove group group_name

acl modify acl_name remove unauthenticated

acl modify acl_name remove user user_name

acl modify acl_name set any-other [permissions]

acl modify acl_name set attribute attribute_name attribute_value

acl modify acl_name set description description

acl modify acl_name set group group_name [permissions]

acl modify acl_name set unauthenticated [permissions]

acl modify acl_name set user user_name [permissions]

Options

acl_name
Specifies the ACL policy to modify. The ACL policy must exist, or an error is displayed.

Examples: default-root, test, default-management, and pubs_acl3

delete attribute attribute_name [attribute_value]
Deletes the specified extended attribute name and value from the specified ACL. The attribute must exist, or an error is displayed.

The optional attribute_value limits the deletion to that one value of the specified extended attribute key in the specified ACL.

Examples of extended attribute names and values:
Dept_No 445
Employee_Name "Diana Lucas"

description description
Sets or modifies the description for the specified ACL. This option is equivalent to the acl modify set description command; use acl modify description in preference to acl modify set description.

A valid description is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. Spaces are allowed.

If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description.

Example of description: "Department number of employee"

permissions
Security Access Manager uses a set of default actions (known as primary action tasks and permissions) that cover a wide range of operations. You can also create your own action tasks and permissions.
A complete list of primary action tasks and their associated permissions:

Permission  Action            Category
T           Traverse          Base
c           Control           Base
g           Delegation        Base
m           Modify            Generic
d           Delete            Generic
b           Browse            Base
s           Server Admin      Generic
v           View              Generic
a           Attach            Base
B           Bypass POP        Base
t           Trace             Base
r           Read              WebSEAL
x           Execute           WebSEAL
l           List Directory    WebSEAL
N           Create            Base
W           Password          Base
A           Add               Base
R           Bypass AuthzRule  Base

For more information on actions, see Action groups and actions. For a description of default permissions, see Default permissions in the primary action group.

remove any-other
Removes the ACL entry for the any-other user category from the specified ACL.

remove group group_name
Removes the ACL entry for the specified group from the specified ACL. The group must exist, or an error is displayed.

Examples of group names are Credit, Sales, and Test-group.

remove unauthenticated
Removes the ACL entry for the unauthenticated user category from the specified ACL.

remove user user_name
Removes the ACL entry for the specified user from the specified ACL. The user must exist, or an error is displayed.

Examples of user names are dlucas, sec_master, and "Mary Jones".

set any-other [permissions]
Sets or modifies the ACL entry for the any-other user category in the ACL. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z).

set attribute attribute_name attribute_value
Sets the extended attribute value for the specified extended attribute key in the specified ACL. The attribute must exist, or an error is displayed. If the value is not already present for this attribute, it is added as an additional value. If the same value already exists for this attribute, it is not added again (duplicate values are not allowed), and no error is returned.

The attribute_value is the value to set for the specified extended attribute key in the specified ACL.

Examples of extended attribute names and values:
Dept_No 445
Employee_Name "Diana Lucas"

set description description
Sets or modifies the description for the specified ACL. This option is equivalent to the acl modify description command. Use the acl modify description command instead of the acl modify set description command.

set group group_name [permissions]
Sets or modifies the ACL entry for the specified group in the specified ACL. The group must exist, or an error is displayed.

Examples of group names are Credit, Sales, and Test-group.

Security Access Manager uses a set of default actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See permissions for the complete list of permissions.

set unauthenticated [permissions]
Sets or modifies the ACL entry for the unauthenticated user category in the specified ACL.

Security Access Manager uses a set of default actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See permissions for the complete list of permissions.

set user user_name [permissions]
Sets or modifies the ACL entry for the specified user, that is, the permissions that the user is permitted to exercise. The user must exist, or an error is displayed.

Examples of user names are dlucas, sec_master, and "Mary Jones".

Security Access Manager uses a set of default actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See permissions for the complete list of permissions.

Return codes

0
The command completed successfully.
1
The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

Examples

  • The following example sets the any-other user entry in the pubs ACL to have r, the Read (WebSEAL) permission:
    pdadmin sec_master> acl modify pubs set any-other r
  • The following example sets the sales group entry in the pubs ACL to have the Tr permissions, which are the Traverse (Base) and Read (WebSEAL) permissions:
    pdadmin sec_master> acl modify pubs set group sales Tr
  • The following example sets the unauthenticated user entry in the docs ACL to have the r permission, which is the Read (WebSEAL) permission:
    pdadmin sec_master> acl modify docs set unauthenticated r
  • The following example sets the peter user entry in the pubs ACL to have the Tr permissions, which are the Traverse (Base) and Read (WebSEAL) permissions:
    pdadmin sec_master> acl modify pubs set user peter Tr
  • The following example sets the kathy user entry in the test ACL to have Tbr permissions, which are the Traverse (Base), Browse (Base), and Read (WebSEAL) permissions. It also sets the custom permissions PS for the existing test-group action group. It then displays the results.
    pdadmin sec_master> acl modify test set user kathy Tbr[test-group]PS
    
    pdadmin sec_master> acl show test
    
    ACL Name: test
    Description:
    Entries:
    User sec_master TcmdbsvaBl
    Group ivmgrd-servers Tl
    Any-other r
    User kathy Tbr[test-group]PS
  • The following example sets the kathy user entry in the test ACL to have Tbr permissions, which are the Traverse (Base), Browse (Base), and Read (WebSEAL) permissions. It then displays the results.
    pdadmin sec_master> acl modify test set user kathy Tbr
    
    pdadmin sec_master> acl show test
    
    ACL Name: test
    Description:
    Entries:
    User sec_master TcmdbsvaBl
    Group ivmgrd-servers Tl
    Any-other r
    User kathy Tbr
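The two acl show listings above, together with the permissions table under the permissions option, give everything needed to read an entry such as User kathy Tbr[test-group]PS: the leading letters are primary action group permissions, and each [action-group]letters segment carries permissions for a custom action group. The following Python is an added example, not IBM code and not part of this reference: it parses the acl show output shown on this page, splits each permission string into its action groups, renders primary letters the way this page does ("Traverse (Base)", "Read (WebSEAL)"), and then reviews the any-other and unauthenticated entries against an allowlist. Assumptions: the "Tr" allowlist is an illustrative review policy and not something this page prescribes; unauthenticated entries are assumed to appear in acl show output labelled "Unauthenticated" (the page only shows "Any-other"); a user or group name that contains spaces is assumed to be printed as-is between the entry type and the final permission token; and more than one [action-group]letters segment is accepted, which generalises the single segment shown above. The second listing is constructed for the review check.

```python
import re
from typing import Dict, List, NamedTuple

# Primary action group: letter -> (action, category), taken from the permissions
# table on this page.
PRIMARY_ACTIONS = {
    "T": ("Traverse", "Base"),      "c": ("Control", "Base"),
    "g": ("Delegation", "Base"),    "m": ("Modify", "Generic"),
    "d": ("Delete", "Generic"),     "b": ("Browse", "Base"),
    "s": ("Server Admin", "Generic"), "v": ("View", "Generic"),
    "a": ("Attach", "Base"),        "B": ("Bypass POP", "Base"),
    "t": ("Trace", "Base"),         "r": ("Read", "WebSEAL"),
    "x": ("Execute", "WebSEAL"),    "l": ("List Directory", "WebSEAL"),
    "N": ("Create", "Base"),        "W": ("Password", "Base"),
    "A": ("Add", "Base"),           "R": ("Bypass AuthzRule", "Base"),
}

# Sample input: the `acl show test` output from this page's example.
SAMPLE_ACL_SHOW = """\
ACL Name: test
Description:
Entries:
User sec_master TcmdbsvaBl
Group ivmgrd-servers Tl
Any-other r
User kathy Tbr[test-group]PS
"""

# Constructed listing (not from the page) with an over-broad unauthenticated entry.
RISKY_ACL_SHOW = """\
ACL Name: docs
Description: constructed review sample
Entries:
User sec_master TcmdbsvaBl
Unauthenticated Trx[test-group]P
Any-other Tr
"""


class AclEntry(NamedTuple):
    kind: str               # "User", "Group", "Any-other" or "Unauthenticated"
    name: str               # empty for the two user categories
    perms: Dict[str, str]   # action group -> letters; "primary" is the unnamed group


_SEGMENT = re.compile(r"\[([^\]]+)\]([A-Za-z]*)")


def parse_permissions(perm: str) -> Dict[str, str]:
    """Split 'Tbr[test-group]PS' into {'primary': 'Tbr', 'test-group': 'PS'}.
    Leading letters belong to the primary action group; each [name]letters
    segment names a custom action group (several segments are assumed valid)."""
    lead = re.match(r"[A-Za-z]*", perm)
    result = {"primary": lead.group(0)}
    pos = lead.end()
    for seg in _SEGMENT.finditer(perm, pos):
        if seg.start() != pos:           # stray text between segments
            raise ValueError(f"malformed permission string: {perm!r}")
        result[seg.group(1)] = seg.group(2)
        pos = seg.end()
    if pos != len(perm):                  # trailing junk, e.g. an unbalanced bracket
        raise ValueError(f"malformed permission string: {perm!r}")
    return result


def describe(letters: str) -> List[str]:
    """Render primary letters as this page does: 'Traverse (Base)', 'Read (WebSEAL)'.
    Letters outside the table are custom actions added to the primary group."""
    return [f"{PRIMARY_ACTIONS[ch][0]} ({PRIMARY_ACTIONS[ch][1]})"
            if ch in PRIMARY_ACTIONS else f"{ch} (custom)" for ch in letters]


def parse_acl_show(text: str) -> List[AclEntry]:
    """Parse the entry lines that follow 'Entries:' in `acl show` output."""
    entries, in_entries = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_entries:
            in_entries = line == "Entries:"
            continue
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("Any-other", "Unauthenticated"):
            name, perm = "", rest.strip()
        elif kind in ("User", "Group"):
            # Last token is the permission string; the name (which may contain
            # spaces, as in "Mary Jones") is everything before it. Layout assumed.
            name, _, perm = rest.strip().rpartition(" ")
            if not name:
                raise ValueError(f"entry without permissions: {line!r}")
        else:
            raise ValueError(f"unrecognised entry line: {line!r}")
        entries.append(AclEntry(kind, name, parse_permissions(perm)))
    return entries


def review(entries: List[AclEntry], allowed_anonymous: str = "Tr") -> List[str]:
    """Flag any-other/unauthenticated entries that exceed the allowlist (assumed
    policy) or that receive custom action-group permissions at all."""
    findings = []
    for e in entries:
        if e.kind not in ("Any-other", "Unauthenticated"):
            continue
        extra = "".join(ch for ch in e.perms["primary"] if ch not in allowed_anonymous)
        if extra:
            findings.append(f"{e.kind} grants primary permissions beyond allowlist: "
                            f"{extra} ({', '.join(describe(extra))})")
        for group, letters in e.perms.items():
            if group != "primary" and letters:
                findings.append(f"{e.kind} grants custom action group {group}: {letters}")
    return findings


if __name__ == "__main__":
    for listing in (SAMPLE_ACL_SHOW, RISKY_ACL_SHOW):
        for e in parse_acl_show(listing):
            print(e.kind, e.name, e.perms, describe(e.perms["primary"]))
        print("findings:", review(parse_acl_show(listing)) or "none")
```

Run it after each acl modify on a policy that carries any-other or unauthenticated entries; the parser rejects malformed permission strings rather than silently reading part of them, and the review function is where a site's own allowlist for anonymous access belongs.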