Sample commands to create and manipulate an Access Control List (ACL) follow. Note that ACLs are inherited, but not cumulatively: an ACL attached at the root of a context is overridden, for everything below the attach point, by an ACL attached at a lower level.
acl create acl_name
Example:
pdadmin sec_master> acl create <application_name>_Secure
acl attach object_name acl_name
acl detach object_name
Examples:
pdadmin sec_master> acl attach /WebSEAL/<servername>.bcbsnc.com-default/<context>/secure <application_name>_Secure
pdadmin sec_master> acl detach /WebSEAL/<servername>.bcbsnc.com-default/<application_name>/secure
acl find acl_name
Example:
pdadmin sec_master> acl find <application_name>_Secure
/WebSEAL/<servername>.bcbsnc.com-default/<application_name>/secure
pdadmin sec_master> acl list
default-webseal
default-root
<application_name>_Secure
default-replica
default-management
acl modify acl_name delete attribute attribute_name [attribute_value]
acl modify acl_name description description
acl modify acl_name remove any-other
acl modify acl_name remove group group_name
acl modify acl_name remove unauthenticated
acl modify acl_name remove user user_name
For unauthenticated (public) access, any-other and unauthenticated should have Trx permissions. For group-secured access, any-other and unauthenticated should have only the T permission and the group should have Trx permissions. For access that requires authentication but no particular group membership, any-other should have Trx permissions and unauthenticated only the T permission.
acl modify acl_name set any-other [permissions]
acl modify acl_name set attribute attribute_name attribute_value
acl modify acl_name set description description
Groups are usually associated with an ACL to provide access to group members. The usual permissions are Trx (T = traverse, r = read, x = execute); the m (modify) permission additionally allows PUT.
acl modify acl_name set group group_name [permissions]
For unauthenticated (public) access, unauthenticated should have Trx permissions; for secured access, unauthenticated should have only the T permission.
acl modify acl_name set unauthenticated [permissions]
Users can be added to the ACL directly, but this is discouraged; best practice is to grant access through a group.
acl modify acl_name set user user_name [permissions]
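As an added example (not part of the original page or of pdadmin itself), a small POSIX shell helper that emits the acl create / acl modify / acl attach lines matching the three access patterns described above, so the entries can be reviewed before being fed to pdadmin. The ACL, group and object names used below are hypothetical.

```shell
#!/bin/sh
# Emit the "acl modify" lines for one of the three access patterns:
#   public        - any-other Trx, unauthenticated Trx
#   authenticated - any-other Trx, unauthenticated T
#   group         - any-other T,   unauthenticated T, <group> Trx
# Usage: acl_commands <mode> <acl_name> [group_name]
acl_commands() {
  mode=$1; acl=$2; grp=$3
  case "$mode" in
    public)        any_other=Trx; unauth=Trx ;;
    authenticated) any_other=Trx; unauth=T ;;
    group)
      [ -n "$grp" ] || { echo "group mode requires a group name" >&2; return 1; }
      any_other=T; unauth=T ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  echo "acl modify $acl set any-other $any_other"
  echo "acl modify $acl set unauthenticated $unauth"
  # Only the group pattern names a group; everyone else may merely traverse.
  [ "$mode" = group ] && echo "acl modify $acl set group $grp Trx"
  return 0
}

# Full sequence: create the ACL, set its entries, attach it to a WebSEAL object.
# Usage: acl_setup <mode> <acl_name> <object_name> [group_name]
acl_setup() {
  mode=$1; acl=$2; object=$3; grp=$4
  # Build the entry lines first so nothing is printed if the mode is invalid.
  body=$(acl_commands "$mode" "$acl" "$grp") || return 1
  printf '%s\n' "acl create $acl" "$body" "acl attach $object $acl"
}

# Demonstration with hypothetical names (server name is a placeholder as on
# the page); in practice the output is reviewed and then piped into a
# "pdadmin -a sec_master" session.
acl_setup group myapp_Secure \
  "/WebSEAL/<servername>.bcbsnc.com-default/myapp/secure" myapp-users
```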