Configuring Credential Requirements

A user is authorized to perform an operation only if that user is assigned a role that has been granted the required permission for that operation. Users and their roles are configured in the authentication realm. When a realm authenticates a user, it creates a Principal that contains all of the security roles for the user. The list of roles that have been granted a particular permission is called an Access Control List (ACL). Assigning roles to users and granting permissions to roles is the responsibility of the security officer.

To execute an iSM command, a user must have the ism.admin role assigned or have another role assigned that has been granted the permission required for that command. The names of the specific permissions for iSM commands are built into the server.

The set acl command (set acl aclname role) grants a permission to a role, that is, it adds the named role to the named ACL.

For example, to issue the start command, a user must have the required permission. The ACL for the start command is named cmdstart. For more information, see iSM Commands and Corresponding ACL Names. In this scenario, the security officer has decided that a user with the role starter can issue the start command. The ACL for the stop command is named cmdstop, and the security officer has decided that the role starter can also stop. To accomplish this, once, when the server is installed, the security officer (with administrative authority) issues the following commands:

set acl cmdstart starter
set acl cmdstop starter

At some point the security officer may decide to grant users with the role startonly the ability to start a channel but not to stop one. The security officer issues the following command:

set acl cmdstart startonly

Next, the security officer creates an authentication realm. For more information on the authentication realm, see Realm Based Authentication.

For this example, a properties realm is defined (users.properties), which is commonly used for simple situations. The security officer creates two users, each with a name and password. Tom (password=tomspassword) can start and stop channels, but Fred (password=fredspassword) can only start channels.

The security officer adds the following settings to the properties realm (users.properties):

tom=tomspassword
tom.role0=starter
fred=fredspassword
fred.role0=startonly

Additionally, the security officer decides that Tom can also run process flows from the command line. The security officer issues the following command:

set acl cmdflow flower

The security officer also adds the following line to the properties file:

tom.role1=flower
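The steps above build a user-to-role mapping (the properties realm) and a role-to-ACL mapping (the set acl commands), and an iSM command is permitted only where the two meet. The following is an added example, not iSM code, that models that check offline so a security officer can review the resulting grants before relying on them: it parses the users.properties contents and the set acl commands from this section (both embedded as constructed samples), uses the command-to-ACL table from this page, and answers "may this user run this command?" with the rule stated above (ism.admin, or any role on the command's ACL). The parsing of the properties format and the set acl syntax follow what is shown on this page and are assumptions where the page is silent.

```python
"""Added example (not iSM code): model the iSM authorization check described
on this page. A user may run a command if the user holds ism.admin or holds
any role that 'set acl' has added to that command's ACL."""

import re

# Constructed sample: the users.properties realm built in this section.
USERS_PROPERTIES = """\
tom=tomspassword
tom.role0=starter
tom.role1=flower
fred=fredspassword
fred.role0=startonly
"""

# Constructed sample: the 'set acl' commands the security officer issued.
SET_ACL_COMMANDS = [
    "set acl cmdstart starter",
    "set acl cmdstop starter",
    "set acl cmdstart startonly",
    "set acl cmdflow flower",
]

# Command -> ACL name, from the table on this page.
COMMAND_ACL = {
    "enqueue": "cmdflow", "flow": "cmdflow", "pull": "cmdpull",
    "refresh": "cmdrefresh", "remote": "cmdremote", "run": "cmdrun",
    "set acl": "cmdsetacl", "set policy": "cmdsetpolicy",
    "set property": "cmdsetproperty", "set register": "cmdsetregister",
    "shell": "cmdsys", "!": "cmdsys", "start": "cmdstart", "stop": "cmdstop",
}

ADMIN_ROLE = "ism.admin"
# Assumed key shape for role assignment: <user>.role<N>=<role>
_ROLE_KEY = re.compile(r"^([^.=\s]+)\.role(\d+)$")


def parse_realm(text):
    """Return {user: {"password": str, "roles": set}} from a properties realm.

    Keys of the form name.roleN assign a role; any other key is a user entry
    whose value is the password. '#' and '!' comment lines are skipped
    (standard Java properties syntax, assumed here).
    """
    users = {}
    pending_roles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = _ROLE_KEY.match(key)
        if m:
            # Role lines may appear before the user line; collect, then attach.
            pending_roles.setdefault(m.group(1), set()).add(value)
        else:
            users.setdefault(key, {"password": value, "roles": set()})
    for name, roles in pending_roles.items():
        if name not in users:
            raise ValueError(f"role assigned to undefined user {name!r}")
        users[name]["roles"] |= roles
    return users


def parse_acls(commands):
    """Return {acl_name: set(roles)} from 'set acl <acl> <role>' commands."""
    acls = {}
    for cmd in commands:
        parts = cmd.split()
        if len(parts) != 4 or parts[:2] != ["set", "acl"]:
            raise ValueError(f"not a set acl command: {cmd!r}")
        acls.setdefault(parts[2], set()).add(parts[3])
    return acls


def is_authorized(users, acls, user, command):
    """Apply the page's rule: ism.admin, or a role granted on the command's ACL."""
    if user not in users:
        return False  # unknown principal: realm authentication would fail first
    roles = users[user]["roles"]
    if ADMIN_ROLE in roles:
        return True
    acl_name = COMMAND_ACL.get(command.lower())
    if acl_name is None:
        raise KeyError(f"no ACL name known for command {command!r}")
    return bool(roles & acls.get(acl_name, set()))


def authorization_matrix(users, acls, commands):
    """For review: {user: sorted list of the given commands the user may run}."""
    return {u: sorted(c for c in commands if is_authorized(users, acls, u, c))
            for u in users}


if __name__ == "__main__":
    realm = parse_realm(USERS_PROPERTIES)
    grants = parse_acls(SET_ACL_COMMANDS)
    for user, ok in authorization_matrix(realm, grants, ["start", "stop", "flow"]).items():
        print(f"{user}: {ok}")
```

Two points the matrix makes visible: Fred can start but not stop or flow, and nobody other than an ism.admin holder can run any command whose ACL has no role on it (pull, refresh, and so on). Because set acl is itself a command with its own ACL (cmdsetacl), any role added to that ACL can add roles to every other ACL, so it should stay with ism.admin. The realm file also holds the passwords as plain text, so its file permissions deserve the same care as the ACL grants.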

iSM Commands and Corresponding ACL Names

The ACL names for the commands of the command handler are listed in the following table.

Command          ACL Name
Enqueue          cmdflow
Flow             cmdflow
Pull             cmdpull
Refresh          cmdrefresh
Remote           cmdremote
Run              cmdrun
Set acl          cmdsetacl
Set policy       cmdsetpolicy
Set property     cmdsetproperty
Set register     cmdsetregister
Shell (or !)     cmdsys
Start            cmdstart
Stop             cmdstop


iWay Software