acl modify
Modifies access control list (ACL) policies.
Requires authentication (administrator ID and password) to use this command.
Syntax
acl modify acl_name delete attribute attribute_name [attribute_value]
acl modify acl_name description description
acl modify acl_name remove any-other
acl modify acl_name remove group group_name
acl modify acl_name remove unauthenticated
acl modify acl_name remove user user_name
acl modify acl_name set any-other [permissions]
acl modify acl_name set attribute attribute_name attribute_value
acl modify acl_name set description description
acl modify acl_name set group group_name [permissions]
acl modify acl_name set unauthenticated [permissions]
acl modify acl_name set user user_name [permissions]
Options
acl_name - Specifies the ACL policy that you want to modify. The ACL policy must exist, or an error is displayed.
Examples: default-root, test, default-management, and pubs_acl3

delete attribute attribute_name [attribute_value] - Deletes the specified extended attribute name and value from the specified ACL. The attribute must exist, or an error is displayed. The optional attribute_value deletes the specified value from the specified extended attribute key in the specified ACL.
Examples of extended attribute names and values: Dept_No 445, Employee_Name "Diana Lucas"

description description - Sets or modifies the description for the specified ACL. This option is equivalent to the acl modify set description command. Use the acl modify description command instead of the acl modify set description command.
A valid description is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description.
Example of description: "Department number of employee"

permissions - Security Access Manager uses a set of default actions (known as primary action tasks and permissions) that cover a wide range of operations. You can also create your own action tasks and permissions. The complete list of primary action tasks and their associated permissions is:
T  Traverse (Base)
c  Control (Base)
g  Delegation (Base)
m  Modify (Generic)
d  Delete (Generic)
b  Browse (Base)
s  Server Admin (Generic)
v  View (Generic)
a  Attach (Base)
B  Bypass POP (Base)
t  Trace (Base)
r  Read (WebSEAL)
x  Execute (WebSEAL)
l  List Directory (WebSEAL)
N  Create (Base)
W  Password (Base)
A  Add (Base)
R  Bypass AuthzRule (Base)
For more information on actions, see Action groups and actions. For a description of default permissions, see Default permissions in the primary action group.

remove any-other - Removes the ACL entry for the any-other user category from the specified ACL.

remove group group_name - Removes the ACL entry for the specified group from the specified ACL. The group must exist, or an error is displayed.
Examples of group names are Credit, Sales, and Test-group.

remove unauthenticated - Removes the ACL entry for the unauthenticated user category from the specified ACL.

remove user user_name - Removes the ACL entry for the specified user from the specified ACL. The user must exist, or an error is displayed.
Examples of user names are dlucas, sec_master, and "Mary Jones".

set any-other [permissions] - Sets or modifies the ACL entry for the any-other user category in the ACL. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z).

set attribute attribute_name attribute_value - Sets the extended attribute value for the specified extended attribute key in the specified ACL. The attribute must exist, or an error is displayed. If the attribute exists, the attribute value is added as an additional value if the same value does not already exist for this attribute. If the same value exists for this attribute, it is not added again (duplicate values are not allowed), and no error is returned. The attribute_value is the value to set for the specified extended attribute key in the specified ACL.
Examples of extended attribute names and values: Dept_No 445, Employee_name "Diana Lucas"

set description description - Sets or modifies the description for the specified ACL. This option is equivalent to the acl modify description command. Use the acl modify description command instead of the acl modify set description command.

set group group_name [permissions] - Sets or modifies the ACL entry for the specified group in the specified ACL. The group must exist, or an error is displayed.
Examples of group names are Credit, Sales, and Test-group.
Security Access Manager uses a set of default actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See set any-other [permissions] for the list of possible permissions.

set unauthenticated [permissions] - Sets or modifies the ACL entry for the unauthenticated user category in the specified ACL.
Security Access Manager uses a set of default actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See set any-other [permissions] for examples of permissions.

set user user_name [permissions] - Sets the permissions that the specified user is allowed to exercise. The user must exist, or an error is displayed.
Examples of user names are dlucas, sec_master, and "Mary Jones".
Security Access Manager uses a set of default actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See set any-other [permissions] for examples of permissions.
Return codes
- 0
- The command completed successfully.
- 1
- The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.
Examples
- The following example sets the any-other user entry in the pubs ACL to have r, the Read (WebSEAL) permission:
pdadmin sec_master> acl modify pubs set any-other r
- The following example sets the sales group entry in the pubs ACL to have the Tr permissions, which are the Traverse and Read (Base) permissions:
pdadmin sec_master> acl modify pubs set group sales Tr
- The following example sets the unauthenticated user entry in the docs ACL to have the r permission, which is the Read (WebSEAL) permission:
pdadmin sec_master> acl modify docs set unauthenticated r
- The following example sets the peter user entry in the pubs ACL to have the Tr permissions, which are the Traverse (Base) and Read (WebSEAL) permissions:
pdadmin sec_master> acl modify pubs set user peter Tr
- The following example sets the kathy user entry in the test ACL to have the Tbr permissions, which are the Traverse (Base), Browse (Base), and Read (WebSEAL) permissions. It also sets the custom permissions PS for the existing test-group action group. It then displays the results.
pdadmin sec_master> acl modify test set user kathy Tbr[test-group]PS
pdadmin sec_master> acl show test
ACL Name: test
Description:
Entries:
    User sec_master TcmdbsvaBl
    Group ivmgrd-servers Tl
    Any-other r
    User kathy Tbr[test-group]PS
- The following example sets the kathy user entry in the test ACL to have the Tbr permissions, which are the Traverse (Base), Browse (Base), and Read (WebSEAL) permissions. It then displays the results.
pdadmin sec_master> acl modify test set user kathy Tbr
pdadmin sec_master> acl show test
ACL Name: test
Description:
Entries:
    User sec_master TcmdbsvaBl
    Group ivmgrd-servers Tl
    Any-other r
    User kathy Tbr
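As an added example (not part of the IBM reference or of pdadmin itself), the following Python parses acl show output in the format shown in the examples above, splits permission strings such as Tbr[test-group]PS into the primary group and its action-group suffix, decodes primary-group characters with the permission table from the Options section, and applies an assumed local review policy to the any-other and unauthenticated entries. The sample output is constructed from the acl show test example on this page plus one assumed Unauthenticated entry.

```python
import re
# Primary action group, permission character -> (action, type), from the page's table.
PRIMARY_ACTIONS = {
    "T": ("Traverse", "Base"), "c": ("Control", "Base"), "g": ("Delegation", "Base"),
    "m": ("Modify", "Generic"), "d": ("Delete", "Generic"), "b": ("Browse", "Base"),
    "s": ("Server Admin", "Generic"), "v": ("View", "Generic"), "a": ("Attach", "Base"),
    "B": ("Bypass POP", "Base"), "t": ("Trace", "Base"), "r": ("Read", "WebSEAL"),
    "x": ("Execute", "WebSEAL"), "l": ("List Directory", "WebSEAL"), "N": ("Create", "Base"),
    "W": ("Password", "Base"), "A": ("Add", "Base"), "R": ("Bypass AuthzRule", "Base"),
}
# Constructed `acl show test` output: the page's example plus an assumed Unauthenticated entry.
SAMPLE_ACL_SHOW = """ACL Name: test
Description:
Entries:
    User sec_master TcmdbsvaBl
    Group ivmgrd-servers Tl
    Any-other r
    Unauthenticated r
    User kathy Tbr[test-group]PS
"""
_ACTION_GROUP_RE = re.compile(r"\[([^\]]+)\]([A-Za-z]*)")

def parse_permissions(perms):
    """Split 'Tbr[test-group]PS' into {'primary': 'Tbr', 'test-group': 'PS'}."""
    primary, bracket, rest = perms.partition("[")
    result = {"primary": primary}
    for group, chars in _ACTION_GROUP_RE.findall(bracket + rest):
        result[group] = chars
    return result

def parse_acl_show(text):
    """Return (category, name, perms) tuples for each line under 'Entries:'."""
    entries, in_entries = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Entries:":
            in_entries = True
        elif in_entries and line:
            parts = line.split()
            if parts[0] in ("User", "Group") and len(parts) == 3:
                entries.append((parts[0], parts[1], parse_permissions(parts[2])))
            elif parts[0] in ("Any-other", "Unauthenticated") and len(parts) == 2:
                entries.append((parts[0], None, parse_permissions(parts[1])))
    return entries

def describe(primary):
    """Expand primary-group characters to action names: 'Tbr' -> ['Traverse', 'Browse', 'Read']."""
    return [PRIMARY_ACTIONS.get(c, (c + "?", "unknown"))[0] for c in primary]

def review(entries, allowed="Tr"):
    """Assumed local policy: flag any-other/unauthenticated entries granting more than allowed."""
    return [e for e in entries if e[0] in ("Any-other", "Unauthenticated")
            and set(e[2]["primary"]) - set(allowed)]
```

Feed it the captured text of acl show for each ACL to list which permissions the anonymous categories hold; custom action-group characters such as PS are kept separately because they are not in the primary table.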