Access Control List MIB

An access control list (ACL) specifies who and what is authorized to access Oracle Tuxedo system objects. The Access Control List MIB enables a system manager to administer Tuxedo security by authenticating users, setting permissions, and controlling access. It defines the objects controlled by the ACL facility. These MIB objects are grouped into three major categories.

The Access Control List MIB consists of the following groups.

 

Group Name	Description
tuxTAclGrpTable	ACL group
tuxTAclPermTable	ACL permissions
tuxTAclPrinTbl	ACL principal (users or domains)

For Tuxedo security, define application security options in the Domain group. This group lets you specify a user identity and security type used by your Tuxedo application. The users and remote domains in an application that need authentication and authorization are collectively known as principals. The managed objects for getting or setting the values of principals are defined in the tuxTAclPrinTbl group. The managed objects for getting or setting the values of ACL groups are defined in the tuxTAclGrpTable. The Access Control List MIB, as a whole, specifies the principals and access control lists for Tuxedo applications services, application queues, and events. You can define these ACL permissions for service, event, and application queue names. The managed objects that enable you to do define the ACL permissions are defined in the tuxTAclPermTable group. All these ACL MIB groups and their objects are described in the following sections.

tuxTAclGrpTable

The tuxTAclGrpTable group contains objects that represent groups of Tuxedo application users and domains. The following table lists the managed objects that are part of the tuxTAclGrpTable group. To create a new row in the table, it is necessary to issue a SET request for a non-existing row.

 

Object Name	Object ID
tuxTAclGrpName	.1.3.6.1.4.1.140.300.11.1.1.1.1
tuxTAclGrpId	.1.3.6.1.4.1.140.300.11.1.1.1.2
tuxTAclGrpState	.1.3.6.1.4.1.140.300.11.1.1.1.3

tuxTAclGrpName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

Logical name of the group. A group name is a string of printable characters and cannot contain a pound sign, comma, colon, or newline.

Note:

This object can be set only during row creation.

tuxTAclGrpId

Syntax

INTEGER (0..16384)

Access

read-write

Description

Group identifier associated with this user. A value of 0 indicates the default group other. If the group identifier is not specified at creation time, it defaults to the next available (unique) identifier greater than 0.

tuxTAclGrpState

Syntax

INTEGER { valid(1), invalid(2) }

Access

read-write

Description

The values for GET and SET operations are as follows:

GET: valid(1)

A GET operation retrieves configuration information for the selected tuxTAclGrpTable instance(s). The following state indicates the meaning of a tuxTAclGrpState returned in response to a GET request. States not listed are not returned.

valid(1)

tuxTAclGrpTable instance is defined and inactive. Note that valid(1) is the only valid state for this class. ACL groups are never active.

SET: invalid(2)

A SET operation updates configuration information for the selected tuxTAclGrpTable instance. The following state indicates the meaning of a tuxTAclGrpState set in a SET request. States not listed might not be set.

invalid(2)

Delete tuxTAclGrpTable instance for application. Successful return removes the instance from the table.

tuxTAclPermTable

The tuxTAclPermTable group indicates what groups are allowed to access Tuxedo system entities. These entities are named by a string. The names currently represent service names, event names, and application queue names. To create a new row in this table, it is necessary to issue a SET request for a non-existing row that specifies at least the values for tuxTAclPermName and tuxTAclPermType.

 

Object Name	Object ID
tuxTAclPermName	.1.3.6.1.4.1.140.300.11.2.1.1.1
tuxTAclPermType	.1.3.6.1.4.1.140.300.11.2.1.1.2
tuxTAclPermGrpIds	.1.3.6.1.4.1.140.300.11.2.1.1.3
tuxTAclPermState	.1.3.6.1.4.1.140.300.11.2.1.1.4

tuxTAclPermName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

The name of the entity for which permissions are being granted. The name can represent a service name, an event name, and/or a queue name. An ACL name is a string of printable characters and cannot contain a colon, pound sign, or newline.

Note:

This object can be set only during row creation.

tuxTAclPermType

Syntax

INTEGER { enq(1), deq(2), service(3), postevent(4) }

Access

read-write

Description

The type of the entity for which permissions are being granted.

Note:

This object can be set only during row creation.

tuxTAclPermGrpIds

Syntax

DisplayString (SIZE(0..800))

Access

read-write

Description

A comma-separated list of group identifiers (numbers) that are permitted access to the associated entity.

tuxTAclPermState

Syntax

INTEGER { valid(1), invalid(2) }

Access

read-write

Description

The values for GET and SET operations are as follows:

GET: valid(1)

A GET operation retrieves configuration information for all selected entities. The following state indicates the meaning of a tuxTAclPermState returned in response to a GET request. States not listed are not returned.

valid(1)

tuxTAclPermState instance is defined. Note that valid(1) is the only valid state for this class. ACL permissions are never active.

SET: invalid(2)

A SET operation updates configuration information for the selected tuxTAclPermState instance. The following state indicates the meaning of a tuxTAclPermState set in a SET request. States not listed might not be set.

invalid(2)

Delete tuxTAclPermState instance for application. State change allowed only when in the valid(1) state. Successful return leaves the object in the invalid(2) state.

Note:

The tuxTAclPermTable instance refers to all groupids related to a particular tuxTAclPermName in the table.

tuxTAclPrinTbl

The tuxTAclPrinTbl group contains objects that represent users or domains that can access a Tuxedo application and the group with which they are associated. To join the application as a specific user, it is necessary to present a user-specific password. To create a new row in this table, it is necessary to issue a SET request for a non-existing row (instance).

 

Object Name	Object ID
tuxTAclPrinName	.1.3.6.1.4.1.140.300.11.3.1.1.1
tuxTAclCltName	.1.3.6.1.4.1.140.300.11.3.1.1.2
tuxTAclPrinId	.1.3.6.1.4.1.140.300.11.3.1.1.3
tuxTAclPrinGrp	.1.3.6.1.4.1.140.300.11.3.1.1.4
tuxTAclPrinPasswd	.1.3.6.1.4.1.140.300.11.3.1.1.5
tuxTAclPrinState	.1.3.6.1.4.1.140.300.11.3.1.1.6

tuxTAclPrinName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

Logical name of the user or domain (a principal). A principal name is a string of printable characters and cannot contain a pound sign, colon, or newline.

Note:

This object can be set only during row creation.

tuxTAclCltName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

The client name associated with the user. It generally describes the role of the associated user and provides a further qualifier on the user entry. If the client name is not specified at creation time, the default is the wildcard asterisk (*). A client name is a string of printable characters and cannot contain a colon or newline.

tuxTAclPrinId

Syntax

INTEGER (1..131072)

Access

read-write

Description

Unique user identification number. If not specified at creation time, it defaults to the next available (unique) identifier greater than 0.

Note:

This object can be set only during row creation.

tuxTAclPrinGrp

Syntax

INTEGER (0..16384)

Access

read-write

Description

Group identifier associated with this user. A value of 0 indicates the default group other. If the group identifier is not specified at creation time, the default value 0 is assigned.

tuxTAclPrinPasswd

Syntax

DisplayString

Access

read-write

Description

The clear-text authentication password for the associated user. Note that the system automatically encrypts this information on behalf of the administrator.

tuxTAclPrinState

Syntax

INTEGER { valid(1), invalid(2) }

Access

read-write

Description

The values for GET and SET operations are as follows:

GET: valid(1)

A GET operation retrieves configuration information for the selected tuxTAclPrinTbl instance(s). The following state indicates the meaning of tuxTAclPrinState:

valid(1)

tuxTAclPrinTbl instance is defined and inactive. Note that valid(1) is the only valid state for this class. ACL principals are never active.

SET: invalid(2)

A SET operation updates configuration information for the selected tuxTAclPrinTbl instance. The following state indicates the meaning of a tuxTAclPrinState set in a SET request. States not listed might not be set.

invalid(2)

Delete tuxTAclPrinTbl instance for application. State change is allowed only when in the valid(1) state. Successful return leaves the object in the invalid(2) state.