/ 
Tivoli-AccessManager-Admin-1.11
River stage zero No dependents
/ Tivoli::AccessManager::Admin::POP

NAME

Tivoli::AccessManager::Admin::POP

SYNOPSIS

    use Tivoli::AccessManager::Admin;
    my ($pop,$resp,$obj);
    my $pd = Tivoli::AccessManager::Admin->new( password => $pswd);

    # Instantiate a new pop
    $pop = Tivoli::AccessManager::Admin::POP->new($pd, name => 'test');

    # Actually create the POP in the policy db
    $resp = $pop->create();

    # Set its description
    $resp = $pop->description( "POP goes the monkey" );

    # Attach it
    $resp = $pop->attach('/test/monkey');

    # See where it is now attached
    $resp = $pop->find;

    # Detach it now
    $resp = $pop->detach('/test/monkey');

    # Get a full list of POPs
    $resp = Tivoli::AccessManager::Admin::POP->list($pd);

    # Set the level for any other network
    $resp = $pop->anyothernw( 2 );
    # Forbid access from any other network
    $resp = $pop->anyothernw( 'forbidden' );

    # Set an IP auth level for a few networks
    $resp = $pop->ipauth(add => {'192.168.8.0' => {NETMASK => '255.255.255.0',
						   AUTHLEVEL => 1 }.
				 '192.168.9.0' => {NETMASK => '255.255.255.0',
						   AUTHLEVEL => 2}
				}
			);

    # Forbid the entire 10.x.x.x network
    $resp = $pop->ipauth(forbidden => {'10.0.0.0' => {NETMASK=>'255.0.0.0'}});

    # Set the audit level
    $resp = $pop->audit( [qw/all/] );

    # Set the QoP level
    $resp = $pop->qop('privacy');

    # Set Time of Day access
    $resp = $pop->tod( days => [qw/monday tuesday wednesday/],
		       start => '0800',
		       end   => '1800',
		     );

    # Set the warn mode
    $resp = $pop->warnmode(1);

    # Set an extended attribute or two
    $resp = $pop->attributes( add => { foobar => 'baz',
				       silly  => [qw/one two three/] }
			    );
    # Clean up after myself
    $pop->delete;

DESCRIPTION

Tivoli::AccessManager::Admin::POP allows manipulation of POPs via perl.

CONSTRUCTORS

new( PDADMIN[, name => NAME] )

Creates a blessed Tivoli::AccessManager::Admin::POP object. It should be noted that creating the object in perl is not the same thing as creating it in TAM's policy database. See "create" to do that.

Parameters

PDADMIN

An initialized Tivoli::AccessManager::Admin::Context object. This parameter is, as usual, required.

name => NAME

The POP's name. This is technically speaking optional, but it may have some unintentional side effects if not provided. Namely, the object will assume it doesn't exist, which will cause problems when trying to do anything to it.

In short, if you intend on calling "create" you can forget this parameter. Otherwise, include it.

Returns

A blessed Tivoli::AccessManager::Admin::POP object. If there is an error, you will get undef.

create(PDADMIN, name => NAME)

Creates the object in TAM's policy database and returns the blessed reference.

Parameters

PDADMIN

An initialized Tivoli::AccessManager::Admin::Context object. This parameter is required.

name => NAME

The POP's name. When using "create" as a constructor, this parameter is required.

Returns

A Tivoli::AccessManager::Admin::Response object containing the newly created object. I refer you to that module's documentation for digging the value out.

CLASS METHODS

Class methods behave like instance methods in that they all return a Tivoli::AccessManager::Admin::Response object.

list(PDADMIN)

List all of the POPs defined in TAM.

Parameters

PDADMIN

The standard, initialized Tivoli::AccessManager::Admin::Context object.

Returns

The list of all defined POPs.

METHODS

All of the methods return a Tivoli::AccessManager::Admin::Response object unless otherwise explicitly stated. See the documentation for that module on how to coax the values out.

The methods, for the most part, follow the same pattern. If the optional parameters are sent, it has the effect of setting the attributes. All methods calls will embed the results of a 'get' in the Tivoli::AccessManager::Admin::Response object.

create([name => NAME])

Creates a new POP in TAM's policy db. This method can be used as both class and instance method.

Parameters

name => NAME

The name of the new POP. This parameter is only required when you did not use it in the "new" call.

Returns

The success or failure of the create operation.

delete

Deletes the object.

Parameters

None

Returns

The success or failure of the operation. Please note that you really should detach a POP before trying to delete it.

objects( [detach => OBJECTS[, [attach => OBJECTS]] )

Attaches or detaches a POP. Weird little fact. The C API for ACLs does not contain an attach or detach method -- you have to use the methods for the protected objects. POPs have their own attach and detach calls.

If both parameters are used, all of the detaches will be done before attaching.

Parameters

detach => OBJECTS

Detach the POP from the listed objects. OBJECTS can be a list or a single value. It can be either a string (e.g., '/test/monkey') or a Tivoli::AccessManager::Admin::ProtObject object or a mix of them.

attach => OBJECTS

Attach the POP to the listed objects. The same combination of values can be used as listed above.

Returns

The success or failure of the operation. You will also get a list of the current places the POP is attached.

attach OBJECTS[,...]

A convenience method that wraps "objects" with an attach message. See "objects" for a full description of the parameters and returns.

detach OBJECTS[,...]

A convenience method that wraps "objects" with a detach message. See "objects" for a full description of the parameters and returns.

find

Finds and lists everyplace the POP is attached.

Parameters

None

Returns

A possibly empty list of everyplace the POP is attached,

list

"list" can also be used as an instance method, although I personally do not think it makes much sense.

Parameters

None, when used as an instance method.

Returns

A list of all defined POPs.

anyothernw([<NUMBER>|unset|forbidden])

Set the authentication level for any other network.

Parameters

<NUMBER>|unset|forbidden

Sets the authentication level to the provided number, unset or forbidden.

Returns

The success or failure of the operation, along with the current (possibly new) level.

description([STRING])

Sets or gets the POP's description.

Parameters

STRING

The new description. This parameter is optional.

Returns

The POP's description if set, an empty string otherwise.

audit( [BITMASK|[STRING[,STRING...]]] )

Sets the audit level on the POP.

Parameters

BITMASK|STRING|ARRAYREF

The underlying C library uses a bit mask to set the audit level. You can either send this bitmask, a single word that will be translated into a bitmask or a list of words that will be translated into a bit mask.

If the words "all" or "none" appear anywhere in the list, the bitmask will be set as indicated below.

The name to bitmask mapping looks like this:

  • none => 0

  • permit => 1

  • deny => 2

  • error => 4

  • admin => 8

  • all => 15

Returns

The numeric bitmask if evaluated in scalar context; the wordier list if used in list context.

ipauth( [add => HASHREF, remove => HASHREF, forbidden => HASHREF] )

Sets the IP based authentication restrictions.

Parameters

add => HASHREF

Sets the required authentication level for an IP address and/or network. The referant of the hash ref is a hash of hashes, keyed off the IP address. The contents of the subhashes look like:

NETMASK => <NETMASK>

The netmask for the ip address. It should be requested in the quad-dot format (e.g., 255.255.255.0). I should likely be smart enough to handle CIDR notation and what ever IPV6 uses, but I am not.

AUTHLEVEL => <NUMBER>

Required only when adding, this specifies the authentication level for the IP/netmask. There is no default -- I didn't think it safe to guess.

remove => HASHREF

Removes the IP auth restriction from the POP. The referant of the hash ref should look just like it does for adding.

forbidden => HASHREF

Forbids access from some subnet. The referant of the hash ref should look just like it does for adding.

Returns

An array of hashes that look mostly like the parameter hashes. For the record, I dislike this function.

qop( [level] )

Sets the "quality of protection" on the POP.

Parameters

level

The level of protection, it must be one of these three options: none, integrity or privacy. You will need to refer to the WebSEAL Administration Guide for the meaning of those three values.

Returns

The current level of protection.

tod ( days => [array], start => N, end => N, reference => local | UTC )

Returns the current time of day access policy on the POP.

Parameters

days

days should be a reference to an array containing some combination of: mon, tue, wed, thu, fri, sat, sun or any.

If the word 'any' is found anywhere in the array, it will over ride all the others.

start

The beginning of the allowed access time, expressed in 24-hour format. Since perl will try to interpret any number starting with a 0 as an octal number ( leading to annoying problems with 09xx ), you need to either drop the preceding 0 ( eg, 900 ) or specify it as a string ( '0900' ).

end

The end of the allowed access time. See the previous item for the caveats.

UTC|local

Under the covers, start and end are calculated as minutes past midnight. TAM needs to know if you are referencing midnight UTC or midnight local time. The default is 'local'.

Returns

A Tivoli::AccessManager::Admin::Response object, the value of which is a hash with the key/value pairs:

days

An array reference to the days for which the policy is enforced. If the TOD policy is unset, this refers to an empty array.

start

The time of day when access is allowed, expressed in 24-hour format. If the TOD policy is unset, this will be zero.

end

The time of day when access is denied, expressed in 24-hour format. If the TOD policy is unset, this will be zero.

reference

UTC or local. If the policy is unset, this will be local.

warnmode([0|1])

Sets the warnmode on the POP.

Parameters

O | 1

Disble or enable the warn mode.

Returns

The current value

attributes([add => { attribute => value },][remove => { attribute => value },][removekey => attribute])

Adds keys and attributes to the POP, removes values from an attribute and removes a key.

Parameters

add => { attribute => value[,...] }

An anonymous hash pointing to the attributes and the value(s) for that attribute. If you want to set more than one value on the attribute, it must be sent as an anonymous array.

If the attribute does not already exist, it will be created.

remove => { attribute => value[,...] }

Removes the value(s) from the named attribute(s). If you are removing multiple values from an attribute, you must use an anonymous array. Note, this will not remove the attribute, only values from the attribute.

removekey => value[,...]

Removes attributes from the POP. As always, if you want to remove multiple attributes, you need to use an anonymous array.

Returns

A hash containing the defined attributes as the keys and the values. All of the values are returned as anonymous arrays.

exist

Returns true if the POP exists, false otherwise.

2 POD Errors

The following errors were encountered while parsing the POD:

Around line 1291:

You forgot a '=back' before '=head2'

Around line 1348:

=back without =over