Chapter 7. Access Control List MIB


An access control list (ACL) is a list that specifies who and what is authorized to access TUXEDO system objects. The ACL MIB enables a system manager to administer TUXEDO security through authenticating users, setting permissions, and controlling access. The ACL MIB defines the objects controlled by the ACL facility. These MIB objects are grouped into three major categories. The following table lists groups that comprise the ACL MIB.

Group Name Description

tuxTAclGrpTable

ACL group

tuxTAclPermTable

ACL permissions

tuxTAclPrinTbl

ACL principal (users or domains)

For TUXEDO security, define application security options in the Domain group. This group lets you specify a user identity and security type used by your TUXEDO application. The users and remote domains in an application that need authentication and authorization are collectively known as principals. The managed objects for getting or setting the values of principals are defined in the tuxTAclPrinTbl group. The managed objects for getting or setting the values of ACL groups are defined in the tuxTAclGrpTable. The ACL MIB, as a whole, specifies the principals and access control lists for TUXEDO applications services, application queues, and events. You can define these ACL permissions for service, event, and application queue names. The managed objects that enable you to do this are defined in the tuxTAclPermTable group. All of these ACL MIB groups and their objects are described in the following sections.

tuxTAclGrpTable

The tuxTAclGrpTable group represents groups of TUXEDO application users and domains. The following table lists the managed objects that are part of the tuxTAclGrpTable group. To create a new row in the table, it is necessary to issue a SET request for a non-existing row.

Variable Name Object ID

tuxTAclGrpName

.1.3.6.1.4.1.140.300.11.1.1.1.1

tuxTAclGrpId

.1.3.6.1.4.1.140.300.11.1.1.1.2

tuxTAclGrpState

.1.3.6.1.4.1.140.300.11.1.1.1.3

tuxTAclGrpName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

Logical name of the group. A group name is a string of printable characters and cannot contain a pound sign, comma, colon, or newline.

Note: This object can be set only during row creation.

tuxTAclGrpId

Syntax

INTEGER (0..16384)

Access

read-write

Description

Group identifier associated with this user. A value of 0 indicates the default group other. If not specified at creation time, it defaults to the next available (unique) identifier greater than 0.

tuxTAclGrpState

Syntax

INTEGER { valid(1), invalid(2) }

Access

read-write

Description

The values for GET and SET operations are as follows:

GET: valid(1)
A GET operation will retrieve configuration information for the selected tuxTAclGrpTable instance(s). The following state indicates the meaning of a tuxTAclGrpState returned in response to a GET request. States not listed will not be returned.

valid(1)
tuxTAclGrpTable instance is defined and inactive. Note that this is the only valid state for this class. ACL groups are never active.

SET: invalid(2)
A SET operation will update configuration information for the selected tuxTAclGrpTable instance. The following state indicates the meaning of a tuxTAclGrpState set in a SET request. States not listed may not be set.

invalid(2)
Delete tuxTAclGrpTable instance for application. Successful return removes the instance from the table.

tuxTAclPermTable

The tuxTAclPermTable group indicates what groups are allowed to access TUXEDO system entities. These entities are named via a string. The names currently represent service names, event names, and application queue names. To create a new row in this table, it is necessary to issue a SET request for a non-existing row that specifies at least the values for tuxTAclPermName and tuxTAclPermType.

Variable Name Object ID

tuxTAclPermName

.1.3.6.1.4.1.140.300.11.2.1.1.1

tuxTAclPermType

.1.3.6.1.4.1.140.300.11.2.1.1.2

tuxTAclPermGrpIds

.1.3.6.1.4.1.140.300.11.2.1.1.3

tuxTAclPermState

.1.3.6.1.4.1.140.300.11.2.1.1.4

tuxTAclPermName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

The name of the entity for which permissions are being granted. The name can represent a service name, an event name, and/or a queue name. An ACL name is a string of printable characters and cannot contain a colon, pound sign, or newline.

Note: This object can be set only during row creation.

tuxTAclPermType

Syntax

INTEGER { enq(1), deq(2), service(3), postevent(4) }

Access

read-write

Description

The type of the entity for which permissions are being granted.

Note: This object can be set only during row creation.

tuxTAclPermGrpIds

Syntax

DisplayString (SIZE(0..800))

Access

read-write

Description

A comma separated list of group identifiers (numbers) that are permitted access to the associated entity.

tuxTAclPermState

Syntax

INTEGER { valid(1), invalid(2) }

Access

read-write

Description

The values for GET and SET operations are as follows:

GET: valid(1)
A GET operation will retrieve configuration information for all selected entities. The following state indicates the meaning of a tuxTAclPermState returned in response to a GET request. States not listed will not be returned.

valid(1)
tuxTAclPermState instance is defined. Note that this is the only valid state for this class. ACL permissions are never active.

SET: invalid(2)
A SET operation will update configuration information for the selected tuxTAclPermState instance. The following state indicates the meaning of a tuxTAclPermState set in a SET request. States not listed may not be set.

invalid(2)
Delete tuxTAclPermState instance for application. State change allowed only when in the valid(1) state. Successful return leaves the object in the invalid(2) state.

Note that the tuxTAclPermTable instance refers to all groupids related to a particular tuxTAclPermName in the table.

tuxTAclPrinTbl

The tuxTAclPrinTbl group represents users or domains that can access a TUXEDO application and the group with which they are associated. To join the application as a specific user, it is necessary to present a user-specific password. To create a new row in this table, it is necessary to issue a SET request for a non-existing row (instance).

Variable Name Object ID

tuxTAclPrinName

.1.3.6.1.4.1.140.300.11.3.1.1.1

tuxTAclCltName

.1.3.6.1.4.1.140.300.11.3.1.1.2

tuxTAclPrinId

.1.3.6.1.4.1.140.300.11.3.1.1.3

tuxTAclPrinGrp

.1.3.6.1.4.1.140.300.11.3.1.1.4

tuxTAclPrinPasswd

.1.3.6.1.4.1.140.300.11.3.1.1.5

tuxTAclPrinState

.1.3.6.1.4.1.140.300.11.3.1.1.6

tuxTAclPrinName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

Logical name of the user or domain (a principal). A principal name is a string of printable characters and cannot contain a pound sign, colon, or newline.

Note: This object can be set only during row creation.

tuxTAclCltName

Syntax

DisplayString (SIZE(1..30))

Access

read-write

Description

The client name associated with the user. It generally describes the role of the associated user and provides a further qualifier on the user entry. If not specified at creation time, the default is the wildcard asterisk (*). A client name is a string of printable characters and cannot contain a colon or newline.

tuxTAclPrinId

Syntax

INTEGER (1..131072)

Access

read-write

Description

Unique user identification number. If not specified at creation time, it defaults to the next available (unique) identifier greater than 0.

Note: This object can be set only during row creation.

tuxTAclPrinGrp

Syntax

INTEGER (0..16384)

Access

read-write

Description

Group identifier associated with this user. A value of 0 indicates the default group other. If not specified at creation time, the default value 0 is assigned.

tuxTAclPrinPasswd

Syntax

DisplayString

Access

read-write

Description

The clear-text authentication password for the associated user. Note that the system will automatically encrypt this information on behalf of the administrator.

tuxTAclPrinState

Syntax

INTEGER { valid(1), invalid(2) }

Access

read-write

Description

The values for GET and SET operations are as follows:

GET: valid(1)
A GET operation will retrieve configuration information for the selected tuxTAclPrinTbl instance(s). The following state indicates the meaning of tuxTAclPrinState:

valid(1)
tuxTAclPrinTbl instance is defined and inactive. Note that this is the only valid state for this class. ACL principals are never active.

SET: invalid(2)
A SET operation will update configuration information for the selected tuxTAclPrinTbl instance. The following state indicates the meaning of a tuxTAclPrinState set in a SET request. States not listed may not be set.

invalid(2)
Delete tuxTAclPrinTbl instance for application. State change allowed only when in the valid(1) state. Successful return leaves the object in the invalid(2) state.