Saturday, March 5, 2011

How to Configure Access Control Lists (ACLs)

Sample commands to create and manipulate an Access Control List (ACL) follow. Note that ACLs are inherited, but not cumulatively: an ACL attached at the root of a context is overridden entirely by an ACL attached at a lower level, so the lower ACL must carry every entry the object needs.
acl create acl_name
Example:
pdadmin sec_master> acl create <application_name>_Secure
acl attach object_name acl_name
acl detach object_name
Examples:
pdadmin sec_master> acl attach /WebSEAL/<servername>.bcbsnc.com-default/<context>/secure <application_name>_Secure
pdadmin sec_master> acl detach /WebSEAL/<servername>.bcbsnc.com-default/<application_name>/secure
acl find acl_name
Example:
pdadmin sec_master> acl find <application_name>_Secure
/WebSEAL/<servername>.bcbsnc.com-default/<application_name>/secure
pdadmin sec_master> acl list
default-webseal
default-root
<application_name>_Secure
default-replica
default-management
acl modify acl_name delete attribute attribute_name [attribute_value]
acl modify acl_name description description
acl modify acl_name remove any-other
acl modify acl_name remove group group_name
acl modify acl_name remove unauthenticated
acl modify acl_name remove user user_name
For unauthenticated (public) access, both any-other and unauthenticated should have Trx permissions. For group-secured access, any-other and unauthenticated should have only the T permission and the group should have Trx permissions. For access that requires authentication but where group membership is irrelevant, any-other should have Trx permissions and unauthenticated only the T permission.
acl modify acl_name set any-other [permissions]
acl modify acl_name set attribute attribute_name attribute_value
acl modify acl_name set description description
Groups are usually associated with an ACL to grant access to group members. The usual permissions are Trx (transit, read, execute). The 'm' (modify) permission additionally allows PUT.
acl modify acl_name set group group_name [permissions]
For unauthenticated (public) access, unauthenticated should have Trx permissions; for secured access, unauthenticated should have only the T permission.
acl modify acl_name set unauthenticated [permissions]
Users can be added to the ACL directly, but this is discouraged. Best practice is to grant access through a group.
acl modify acl_name set user user_name [permissions]
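Putting the permission rules from the three access models above into one place, here is an added example that is not part of the original post: a small shell script that emits the pdadmin "acl modify" lines for a chosen model and checks a captured "acl show" listing for an over-permissive unauthenticated entry. The ACL name, group name and the "acl show" text are constructed for illustration.

```shell
#!/bin/sh
# Emit the pdadmin lines that implement one of the three access models:
#   public        - unauthenticated and any-other both get Trx
#   group         - unauthenticated and any-other get T only, the group gets Trx
#   authenticated - unauthenticated gets T only, any-other gets Trx
# Usage: acl_policy_commands <public|group|authenticated> <acl_name> [group_name]
acl_policy_commands() {
  model=$1; acl=$2; group=$3
  case "$model" in
    public)
      printf 'acl modify %s set unauthenticated Trx\n' "$acl"
      printf 'acl modify %s set any-other Trx\n' "$acl"
      ;;
    group)
      [ -n "$group" ] || { echo "group model needs a group name" >&2; return 1; }
      printf 'acl modify %s set unauthenticated T\n' "$acl"
      printf 'acl modify %s set any-other T\n' "$acl"
      printf 'acl modify %s set group %s Trx\n' "$acl" "$group"
      ;;
    authenticated)
      printf 'acl modify %s set unauthenticated T\n' "$acl"
      printf 'acl modify %s set any-other Trx\n' "$acl"
      ;;
    *) echo "unknown model: $model" >&2; return 1 ;;
  esac
}

# Check the "acl show" output of a secured ACL: the Unauthenticated entry must
# be exactly T. Returns 0 when it is, 1 when it is missing or carries more.
# Usage: secured_acl_ok "<acl show output>"
secured_acl_ok() {
  perms=$(printf '%s\n' "$1" | awk '$1 == "Unauthenticated" { print $2 }')
  [ "$perms" = "T" ]
}

# Constructed "acl show" listings (hypothetical ACL and group names).
SAMPLE_OK='ACL Name: Payroll_Secure
Description: payroll application
Entries:
    Group payroll-users Trx
    Any-other T
    Unauthenticated T'
SAMPLE_BAD='ACL Name: Payroll_Secure
Entries:
    Any-other T
    Unauthenticated Trx'
```

Feed the output of acl_policy_commands to pdadmin as a command file once the ACL has been created, and run secured_acl_ok over the "acl show" output of any ACL protecting a secured context.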