pop modify

Modifies protected object policies.

Requires authentication (administrator ID and password) to use this command.

Syntax

pop modify pop_name delete attribute attribute_name [attribute_value]

pop modify pop_name set attribute attribute_name attribute_value

pop modify pop_name set audit-level {all|none|audit_level_list}

pop modify pop_name set description description

pop modify pop_name set ipauth add network netmask level

pop modify pop_name set ipauth anyothernw level

pop modify pop_name set ipauth remove network netmask

pop modify pop_name set qop {none|integrity|privacy}

pop modify pop_name set tod-access {anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]

pop modify pop_name set warning {yes|no}

Description

The pop modify command modifies a protected object policy (POP). When you use the set ipauth add or set ipauth remove options, you can specify the IP addresses. The values for the network and netmask options are TCP/IP addresses. These IP addresses can be specified by using either version 4 (IPv4) or version 6 (IPv6) notation. Both the network and netmask options must be specified in the same IP version.

Note: When you use IPv6 notation, do not use prefix notation when you specify IP addresses.
When you specify IP addresses, be aware of the following restrictions:
  • For administration commands, IPv4 clients must provide addresses in IPv4 format even with IPv6 servers.
  • For C APIs, IPv4 clients must provide addresses in IPv4 format even with IPv6 servers.
  • For C APIs, IPv6 clients can provide addresses in IPv4 or IPv6 format to IPv6 servers.
  • For Java™ methods, IPv4 and IPv6 clients must provide addresses in IPv4 format to IPv4 servers.
  • For Java methods, IPv4 clients can provide addresses in IPv4 or IPv6 format to IPv6 servers.
For an IPv6 address to be accepted (commands, C APIs, and Java methods), the server must be IPv6. You cannot provide an IPv6 address to an IPv4 server.

The operating system functions that are provided to Security Access Manager have certain limitations. Regardless of C or Java clients, IPv4 addresses must be in IPv4 format when you add addresses to a POP.
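The address rules above, together with the level values listed under Options, can be checked before a command is sent to pdadmin. The following is an added example, not part of the IBM reference: the function name build_ipauth_add is hypothetical, and the final check for bits set outside the netmask is an extra sanity check that this page does not require.

```python
import ipaddress
import re


def build_ipauth_add(pop_name, network, netmask, level):
    """Validate the arguments and return the 'set ipauth add' command line."""
    # Page rule: do not use prefix notation (for example fec0::/16).
    for value in (network, netmask):
        if "/" in value:
            raise ValueError(f"prefix notation is not accepted: {value!r}")
    try:
        net = ipaddress.ip_address(network)
        mask = ipaddress.ip_address(netmask)
    except ValueError as exc:
        raise ValueError(f"not a TCP/IP address: {exc}") from None
    # Page rule: network and netmask must be in the same IP version.
    if net.version != mask.version:
        raise ValueError("network and netmask must use the same IP version")
    # Page rule: level is 'forbidden' or any integer except 1000.
    if level != "forbidden":
        if not re.fullmatch(r"-?[0-9]+", str(level)):
            raise ValueError(f"level must be 'forbidden' or an integer: {level!r}")
        if int(level) == 1000:
            raise ValueError("level 1000 is not supported")
    # Added sanity check (not from the page): a network address with bits
    # set outside the netmask usually means one of the two was mistyped.
    all_ones = (1 << net.max_prefixlen) - 1
    if int(net) & ~int(mask) & all_ones:
        raise ValueError("network has bits set outside the netmask")
    return f"pop modify {pop_name} set ipauth add {network} {netmask} {level}"


if __name__ == "__main__":
    # Constructed sample values.
    print(build_ipauth_add("test", "9.0.0.0", "255.0.0.0", "2"))
```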

Options

delete attribute attribute_name [attribute_value]
Deletes the specified value from the specified extended attribute key in the specified POP. The attribute must exist, or an error is displayed.

The optional attribute_value deletes the specified value from the specified extended attribute key in the specified POP.

Examples of extended attribute names and values:
Dept_No 445
Employee_Name "Diana Lucas"
pop_name
Specifies the name of the protected object policy to be modified. The POP must exist, or an error is displayed.
set attribute attribute_name attribute_value
Sets or modifies the specified value from the specified extended attribute key in the specified POP. If the attribute exists, the attribute value is added as an additional value if the same value does not exist for this attribute. If the same value exists for this attribute, it does not get added again (duplicate values are not allowed), and no error is returned.

The attribute_value sets the specified value from the specified extended attribute key in the specified POP.

Example: "Credit Card"

set audit-level {all|none|audit_level_list}
Sets the audit level for the specified POP. The format of an audit_level_list is a comma-separated list that contains one or more of these audit levels: permit,deny,error,admin.
set description description
Sets the description of the specified POP.

A valid description is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description.

Example of description: "Policies of Jenson Corp."

set ipauth add network netmask level
Sets the IP endpoint authentication settings in the specified POP. The values for the network and netmask options are TCP/IP addresses. These IP addresses can be specified by using either version 4 (IPv4) or version 6 (IPv6) addresses. Both the network and netmask options must be specified in the same IP version.
The following values are supported for level:
forbidden
A value that prohibits object access.
integer_values
Application-specific integer values that define the step-up authentication levels. All integer values, except 1000, are supported. For more information about step-up authentication, see the Administering topics in the IBM Knowledge Center.
set ipauth anyothernw level
Sets the anyothernw (any other network setting) for the IP authentication level in the specified POP. If controlling access by IP address is not important, use the anyothernw option to set the authentication level for:
  • All IP addresses, and
  • IP address ranges not listed explicitly in the POP.
The following values are supported for level:
forbidden
A value that prohibits object access.
integer_values
Application-specific integer values that define the step-up authentication levels. All integer values, except 1000, are supported. For more information about step-up authentication, see the Administering topics in the IBM Knowledge Center.
set ipauth remove network netmask
Removes the IP endpoint authentication settings from the specified POP. The values for the network and netmask options are TCP/IP addresses. These IP addresses can be specified by using either version 4 (IPv4) or version 6 (IPv6) notation. Both the network and netmask options must be specified in the same IP version.
set qop {none|integrity|privacy}
Sets the quality of protection level for the specified POP. The following string values are supported:
  • none
  • integrity
  • privacy
set tod-access {anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]
Sets the time of day range for the specified protected object policy.

The day_list is a comma-separated list of days of the week, each of which is represented by a three-character value (for example, mon,wed,fri). The day_list specifies which days of the week the object can be accessed. If you want to list every day of the week, specify anyday; if you do not want to include the weekend days, specify weekday.

The time_spec format is specified as hhmm and is expressed by using a 24-hour clock (for example, 0900 for 9 a.m. or 1430 for 2:30 p.m.). The default value is not defined, and the optional time zone is local by default. The time_spec value and time zone specify the time of day the object can be accessed.

Note: utc=GMT
set warning {yes|no}
Sets the warning mode for the specified protected object policy. Valid values are yes or no.

Return codes

0
The command completed successfully.
1
The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

Examples

  • This example shows how to modify the description for the POP named test:
    pdadmin sec_master> pop modify test set description "Test POP"
  • This example shows how to turn on the warning mode for the POP named test:
    pdadmin sec_master> pop modify test set warning yes
  • This example shows how to set the audit level to audit all requests on a protected object that result in:
    • Successful access, by using permit.
    • Denial of access, by using deny.
    pdadmin sec_master> pop modify test set audit-level permit,deny
  • This example shows how to set an attribute named attr1 with a value of valueA for the POP named pop1:
    pdadmin sec_master> pop modify pop1 set attribute attr1 valueA
