NAME

Tivoli::AccessManager::Admin::ACL

SYNOPSIS

use Tivoli::AccessManager::Admin;

my $tam  = Tivoli::AccessManager::Admin->new( password => 'foobar' );
my ($resp,$rc);

# See what ACLs exist
$resp = Tivoli::AccessManager::Admin::ACL->list($tam);
print join("\n", $resp->value);

# Create a new ACL
my $acl = Tivoli::AccessManager::Admin::ACL->new( $tam );
$resp = $acl->create('bob') unless $acl->exist;

my $name = $acl->name;

# Give the group 'jons' permissions in this ACL
$resp = $acl->group(name => 'jons', perms => 'Trx' );

print "The group 'jons' is granted these privileges by acl '$name':\n";
print $resp->value,"\n";

# Give the user "dave" the same access privs
$resp = $acl->user(name => 'dave', perms => 'Trx' );

# Dave was a mistake, let's remove him
$resp = $acl->user(name => 'dave', perms => 'remove' );

# Deny all access to anyother and unauth
$resp = $acl->anyother( perms => "" );
$resp = $acl->unauth( perms => '' );

# list the users specified in the ACL
$resp = $acl->listusers();

# list the groups specified in the ACL
$resp = $acl->listgroups();

# Play with the attributes

# well, that was fun.  What's say we clean up?
$resp = $acl->delete();

# Gain access to a system default ACL
$acl = Tivoli::AccessManager::Admin::ACL->new($tam, 'default-webseal');

# And find out where it is attached
$resp = $acl->find;

DESCRIPTION

Tivoli::AccessManager::Admin::ACL provides the interface to the ACL portion of the TAM Admin API.

CONSTRUCTOR

new( PDADMIN, NAME )

Creates a blessed Tivoli::AccessManager::Admin::ACL object and returns it.

Parameters

PDADMIN

An initialized Tivoli::AccessManager::Admin::Context object. Please note that, after the Tivoli::AccessManager::Admin::ACL object is created, you cannot change the context w/o destroying the object and recreating it.

NAME

The name of the ACL to which the object refers.

Returns

A fully blessed Tivoli::AccessManager::Admin::ACL object.

create(PDADMIN,NAME)

Creates a new ACL. This is different from "new" in that the ACL will be created in the policy database as well.

Parameters

PDADMIN

An initialized Tivoli::AccessManager::Admin::Context object. Please note that, after the Tivoli::AccessManager::Admin::ACL object is created, you cannot change the context w/o destroying the object and recreating it.

NAME

The name of the ACL to create. This parameter is optional if you instantiated the object with a name. Otherwise, it will croak in a most unappealing fashion.

Returns

If the operation was successful, you will get the new Tivoli::AccessManager::Admin::ACL object. If it wasn't successful, you will get an error message explaining why. If the object already exists, you will get a warning and the Tivoli::AccessManager::Admin::ACL object. All of this will be embedded in a Tivoli::AccessManager::Admin::Response object.

CLASS METHODS

Class methods behave like instance methods -- they return Tivoli::AccessManager::Admin::Response objects.

list(PDADMIN)

Lists all ACLs.

Parameters

PDADMIN

A fully blessed Tivoli::AccessManager::Admin::Context object.

Returns

The resulting list of ACLs.

METHODS

All of the methods return a Tivoli::AccessManager::Admin::Response object. See the documentation for that module on how to coax the values out.

The methods, for the most part, follow the same pattern. If the optional parameters are sent, the call sets the attributes. All method calls will embed the results of a 'get' in the Tivoli::AccessManager::Admin::Response object.

list

Lists all of the ACLs.

Parameters

none

Returns

A list of all the defined ACLs.

listgroups

Lists all the groups defined in the ACL.

Parameters

None

Returns

A list of the groups defined in the ACL.

listusers

Lists all the users defined in the ACL.

Parameters

None

Returns

A list of the users defined in the ACL.

create([NAME])

"create" can also be used as an instance method.

Parameters

NAME

The name of the ACL to create. This parameter is optional if you instantiated the object with a name. Otherwise, it will croak in a most unappealing fashion.

Returns

True if the create succeeded, false if it failed, and a warning if the ACL already existed.

description([STRING])

Sets the description on the ACL

Parameters

STRING

The description to be set. This is an optional parameter.

Returns

The current (possibly empty) description.

find

Finds where in the object space the ACL has been attached. This is really just a wrapper for Tivoli::AccessManager::Admin::ProtObject. I like an ACL object being able to tell you where it is.

Parameters

None

Returns

A possibly empty list of places the ACL is attached.

delete

Deletes the ACL.

Parameters

None

Returns

True if the operation succeeded, an error and message otherwise.

anyother([perms => STRING])

Sets or gets the permissions for any-other in the ACL. The ACL must exist before calling this method.

Parameters

perms => STRING

If this parameter is set, "anyother" will attempt to set the permissions for any-other to this value.

If the value of this parameter is 'remove', "anyother" will be removed from the ACL.

Returns

The permissions currently allowed by the ACL for any-other.

unauth([perms => STRING])

Sets or gets the permissions for unauth in the ACL. The ACL must exist before calling this method.

Parameters

perms => STRING

If this parameter is set, "unauth" will attempt to set the permissions for unauth to this value.

If the value of this parameter is 'remove', "unauth" will be removed from the ACL.

Returns

A list of all of the actions currently allowed by the ACL for unauthenticated users.
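The read-only forms of "list", "unauth", "anyother" and "find" are enough to review which ACLs grant anything to unauthenticated or any-other callers and where those ACLs are attached. The following is an added example, not code from the module or its author. It assumes the admin password is in a hypothetical TAM_ADMIN_PW environment variable, that the Response object offers isok and messages (neither is shown on this page), and that value may return the permissions as one string or as a list.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Tivoli::AccessManager::Admin;

# Assumption: password comes from the environment (hypothetical variable
# name) instead of being hard-coded as in the SYNOPSIS.
my $tam = Tivoli::AccessManager::Admin->new( password => $ENV{TAM_ADMIN_PW} );

my $resp = Tivoli::AccessManager::Admin::ACL->list($tam);
# Assumption: isok and messages come from Tivoli::AccessManager::Admin::Response.
die "ACL list failed: ", join( '; ', $resp->messages ), "\n"
    unless $resp->isok;

for my $name ( sort $resp->value ) {
    my $acl = Tivoli::AccessManager::Admin::ACL->new( $tam, $name );

    # Called without perms, unauth and anyother only read the entry.
    my %open;
    for my $entry (qw/unauth anyother/) {
        my $r = $acl->$entry();
        next unless $r->isok;

        # value may be a single string or a list of actions; flatten both.
        my $perms = join '', grep { defined } $r->value;
        $open{$entry} = $perms if length $perms;
    }
    next unless %open;    # nothing granted to either entry

    # An ACL only matters where it is attached, so report the attach points.
    my $found = $acl->find;
    my @where = $found->isok ? $found->value : ();

    print "$name\n";
    printf "  %-8s => %s\n", $_, $open{$_} for sort keys %open;
    printf "  attached at: %s\n", @where ? join( ', ', @where ) : '(nowhere)';
}
```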

group( name => 'group'[, perms => STRING] )

Sets or gets the permissions for the named group in the ACL. The ACL must exist before calling this method.

Parameters

name => group

The name of the group to which the permissions apply. This parameter is mandatory.

perms => STRING

If this parameter is set, "group" will attempt to set the permissions for the group to this value.

If the value of this parameter is 'remove', the named group will be removed from the ACL.

Returns

A list of all of the actions currently allowed by the ACL for the group.

user( name => userid[, perms => STRING] )

Sets or gets the permissions for the named user in the ACL. The ACL must exist before calling this method.

Parameters

name => userid

The user id to which the permissions apply. This parameter is mandatory.

perms => STRING

If this parameter is set, "user" will attempt to set the permissions for the user to this value.

If the value of this parameter is 'remove', the user will be removed from the ACL.

Returns

A list of all of the permissions currently allowed by the ACL for the user.

attributes([add => { key => [qw/value0 value1/] | 'value0' }, remove => { key => [qw/value0 value1/] | 'value0' }, removekey => [qw/key0 key1/] ] )

Adds key/value attributes to an ACL, removes the values and removes the entire key/value pairs. I find these to be the more ... annoying functions.

Parameters

add => { key => [qw/ value0 value1/] | 'value0' }

Causes "attributes" to add any number of key/value pairs to the ACL. As you can have multiple values associated with any given key, you can either use an array reference for multiple values, or a simple scalar if you are playing with only one.

You can, obviously, add multiple keys with the same call. You can also, strangely enough, add the same value to a key multiple times.

remove => { key => [qw/ value0 value1/] | 'value0' }

Removes the specified value(s) from the key. This does not remove the key, simply the values from the key. You will get an error if you try to remove a value that is not defined.

removekey => [qw/key0 key1/]

Removes both the attribute and any associated values from the ACL.

Returns

A hash of lists. The hash is keyed off of the attribute names. The values for each attribute are returned as a list -- even if there is only one value.
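Because "add" accepts duplicate values and "remove" errors on values that are not defined, a caller who wants repeatable updates has to read the current attributes first. The following is an added example, not code from the module or its author. The helper names, the attribute keys, the TAM_ADMIN_PW variable and the handling of value as either a hash reference or a flat key/value list are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Tivoli::AccessManager::Admin;

# Assumption: password comes from a hypothetical environment variable.
my $tam = Tivoli::AccessManager::Admin->new( password => $ENV{TAM_ADMIN_PW} );
my $acl = Tivoli::AccessManager::Admin::ACL->new( $tam, 'bob' );
die "ACL 'bob' does not exist\n" unless $acl->exist;

# Read the current attributes and normalise them to key => [values].
# Assumption: value yields either one hash reference or a flat list.
sub current_attrs {
    my @v = $acl->attributes->value;
    my %h = ( @v == 1 && ref $v[0] eq 'HASH' ) ? %{ $v[0] } : @v;
    for my $vals ( values %h ) {
        $vals = [$vals] unless ref $vals eq 'ARRAY';
    }
    return \%h;
}

# Add only the values that are missing, since add accepts duplicates.
sub add_missing {
    my ( $key, @values ) = @_;
    my %have = map { $_ => 1 } @{ current_attrs()->{$key} || [] };
    my @new = grep { !$have{$_}++ } @values;
    return unless @new;
    return $acl->attributes( add => { $key => \@new } );
}

# Remove only the values that are present, since removing an undefined
# value is reported as an error.
sub remove_present {
    my ( $key, @values ) = @_;
    my %have = map { $_ => 1 } @{ current_attrs()->{$key} || [] };
    my @gone = grep { $have{$_} } @values;
    return unless @gone;
    return $acl->attributes( remove => { $key => \@gone } );
}

# Constructed attribute names and values, for illustration only.
add_missing( reviewed => qw/2011-Q1 2011-Q2/ );
add_missing( reviewed => '2011-Q2' );                 # already set: no call made
remove_present( reviewed => qw/2011-Q1 2010-Q4/ );    # 2010-Q4 is skipped
$acl->attributes( removekey => [qw/owner/] ) if exists current_attrs()->{owner};

my $attrs = current_attrs();
print "$_: @{ $attrs->{$_} }\n" for sort keys %$attrs;
```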

exist

Lets you know if the ACL exists in the TAM database or not.

Parameters

None

Returns

0 if the ACL does not exist, 1 if it does.

name

Returns the name of the ACL

Parameters

None

Returns

Uhh. The name of the ACL.

ACKNOWLEDGEMENTS

Please read Tivoli::AccessManager::Admin for the full list of acks. I stand upon the shoulders of giants.

BUGS

The documentation is now horribly gobsmacked.

The previous comment is really unhelpful.

The permissions need to be extended to handle things like [PDWebPI]. It would be better to make them dynamically extendable.

AUTHOR

Mik Firestone <mikfire@gmail.com>

COPYRIGHT

Copyright (c) 2004-2011 Mik Firestone. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

All references to TAM, Tivoli Access Manager, etc are copyrighted, trademarked and otherwise patented by IBM.