Solstice Enterprise Manager 4.1 C++ API Reference


Chapter 5

Access Control API

To access Solstice EM tools and managed objects, users must belong to a group, and their access privileges are determined by the group to which they belong. The Access Control API provides a solid C++ interface to the GDMO object classes that implement access control.

The Access Control API enables you to:

This chapter comprises the following topics:

5.1 Design Objectives

The Access Control API was developed with the following design objectives:

5.2 Access Control Types

The Access Control API defines two types of access control:

5.3 Class Hierarchy

FIGURE 5-1 illustrates the hierarchy of the Access Control API container classes.


FIGURE 5-1   C++ Container Classes and Their Inheritance

FIGURE 5-2 illustrates the hierarchy of the Access Control API classes.


FIGURE 5-2   Access Control C++ Classes and Their Inheritance

TABLE 5-1 describes the Access Control API classes.

TABLE 5-1   Access Control API Classes 
Class Description
ACAccessControlRules Class
Represents the emAccessControlRules GDMO object class.
ACAccessUserList Class
Represents the accessUserList GDMO object class.
ACAppFeatureContainer Class
Contains all features of an application.
ACApplication Class
Represents the application GDMO object class.
ACApplicationContainer Class
Contains all applications.
ACApplicationFeature Class
Represents the applicationFeature GDMO object class.
ACCallback Class
Extension of the PMI Callback class.
ACContainer Class
Abstract base class for C++ container objects.
ACDbObject Class
Represents the emDbObject GDMO object class.
ACDbObjectContainer Class
Represents the emDbInfo GDMO object class.
ACEMNotificationEmitter Class
Represents the emNotificationEmitter GDMO object class.
ACEMTargets Class
Represents the emTargets GDMO object class.
ACGroup Class
Represents the group GDMO object class.
ACGroupContainer Class
Represents the groupContainer object class.
ACInterface Class
Contains all container objects. The main, single point of entry to the Access Control API.
ACObject Class
Represents the accessControl GDMO object class.
ACRule Class
Represents the rule GDMO object class.
ACRuleContainer Class
Contains C++ Access Control Rule objects.
ACScope Class
Holds scope information. Convenience class.
ACTargets Class
Represents the targets GDMO object class.
ACTargetsContainer Class
Represents the targetContainer GDMO object class.
ACUser Class
Stores user information. Convenience class.


5.4 Symbolic Constants and Defined Types

5.4.1 Constants

ACAuxOwnerType

enum ACAuxOwnerType {
  USER,
  GROUP,
  INVALID_OWNER_TYPE = -1
}

ACAccessControlSwitch

enum ACAccessControlSwitch {
  emAccessControlOff,
  emAccessControlOn
}

ACCallbackType

enum ACCallbackType {
  OBJECT_CREATION_CALLBACK,
  OBJECT_DELETION_CALLBACK,
  ATTRIBUTE_VALUE_CHANGED_CALLBACK,
  IMAGE_INCLUDED_CALLBACK,
  IMAGE_EXCLUDED_CALLBACK,
  RAW_EVENT_CALLBACK
}

ACDenialGranularity

enum ACDenialGranularity {
  request,
  object,
  attribute
}

ACEMAuditLevel

enum ACEMAuditLevel
{
  AUDIT_OFF,
  AUDIT_LEVEL1,
  AUDIT_LEVEL2
}

ACEMSecurityLevel

enum ACEMSecurityLevel
{
  SECURITY_OFF,
  SECURITY_LEVEL1,
  SECURITY_LEVEL2
}

ACErrorType

enum ACErrorType {
  ACC_OK,
  ACC_FAILED,
  ACC_USER_EXISTS,
  ACC_USER_NOT_EXISTS,
  ACC_INVALID_USER_NAME,
  ACC_GROUP_EXISTS,
  ACC_GROUP_NOT_EXISTS,
  ACC_APPLICATION_EXISTS,
  ACC_APPLICATION_NOT_EXISTS,
  ACC_TARGETS_EXISTS,
  ACC_TARGETS_NOT_EXISTS,
  ACC_RULE_EXISTS,
  ACC_RULE_NOT_EXISTS,
  ACC_FEATURE_EXISTS,
  ACC_FEATURE_NOT_EXISTS,
  ACC_MOI_EXISTS,
  ACC_MOI_NOT_EXISTS,
  ACC_MOC_EXISTS,
  ACC_MOC_NOT_EXISTS,
  ACC_DB_OBJECT_TABLE_EXISTS,
  ACC_DB_OBJECT_TABLE_NOT_EXISTS,
  ACC_DB_OBJECT_ACCESS_EXISTS,
  ACC_DB_OBJECT_ACCESS_NOT_EXISTS,
  ACC_NO_MEMORY
}

ACObjectType

enum ACObjectType {
  AC_TARGETS_OBJECT,
  AC_RULE_OBJECT,
  AC_APPLICATION_OBJECT,
  AC_GROUP_OBJECT,
  AC_DB_OBJECT,
  AC_EM_NOTIFICATION_EMITTER
}

ACTargetsType

enum ACTargetsType {
  X741_TARGETS,
  EM_TARGETS
}

EnforcementAction

enum EnforcementAction {
  denyWithResponse,
  denyWithoutResponse,
  abortAssociation,
  denyWithFalseResponse,
  allow
}

5.4.2 Defined Types

This section lists the defined types.

ACAccessUserListSet

typedef RWTValSlist<ACUser> ACAccessUserListSet

ACApplicationAndFeatureList

typedef RWTValSlist<RWCString> ACApplicationAndFeatureList

ACApplicationFeatureList

typedef RWTValSlist<RWCString> ACApplicationFeatureList

ACApplicationList

typedef RWTValSlist<RWCString> ACApplicationList

ACDbObjectAccessList

typedef RWTValSlist<RWCString> ACDbObjectAccessList

ACDbObjectList

typedef RWTValSlist<RWCString> ACDbObjectList

ACDbObjectTableList

typedef RWTValSlist<RWCString> ACDbObjectTableList

ACDefaultAccess

typedef RWTValSlist<RWCString> ACDefaultAccess

ACDefaultEventAccess

typedef EnforcementAction ACDefaultEventAccess

ACDenialResponse

typedef EnforcementAction ACDenialResponse

ACDomainIdentity

typedef RWCString ACDomainIdentity

ACEventsDiscriminator

typedef RWCString ACEventsDiscriminator

ACFilter

typedef RWCString ACFilter

ACGroupDescription

typedef RWCString ACGroupDescription

ACGroupList

typedef RWTValSlist<RWCString> ACGroupList

ACGroupMemberList

typedef RWTValSlist<RWCString> ACGroupMemberList

ACMOCList

typedef RWTValSlist<RWCString> ACMOCList

ACMOIList

typedef RWTValSlist<RWCString> ACMOIList

ACOperationsList

typedef RWTValSlist<RWCString> ACOperationsList

ACRuleList

typedef RWTValSlist<RWCString> ACRuleList

ACTargetsList

typedef RWTValSlist<RWCString> ACTargetsList

ACSuperUserList

typedef RWTValHashSet<RWCString> ACSuperUserList

ACTrustedHostList

typedef RWTValHashSet<RWCString> ACTrustedHostList

5.5 Access Control API Classes

This section describes the following Access Control API classes:

  • ACAccessControlRules
  • ACAccessUserList
  • ACAppFeatureContainer
  • ACApplication
  • ACApplicationContainer
  • ACApplicationFeature
  • ACCallback
  • ACContainer
  • ACDbObject
  • ACDbObjectContainer
  • ACEMNotificationEmitter
  • ACEMTargets
  • ACGroup
  • ACGroupContainer
  • ACInterface
  • ACObject
  • ACRule
  • ACRuleContainer
  • ACScope
  • ACTargets
  • ACTargetsContainer
  • ACUser


    5.6 ACAccessControlRules Class

    Inheritance: class ACObject

    #include <acapi/accesscontrolrules.hh>
    

    Data Members: No public data members are declared in this class.

    The ACAccessControlRules class represents the emAccessControlRules GDMO object class, which is defined in the Solstice EM Access Control module and is derived from X.741's accessControlRules GDMO object class.

    The emAccessControlRules GDMO object class extends the accessControlRules GDMO object class by adding the following attributes:

    The ACAccessControlRules class provides methods for accessing and modifying the default attribute values of the access control service. This class acts as a container for all the rules in the system.

    5.6.1 Constructor

    ACAccessControlRules()
    

    The default constructor initializes the object and prepares it to register callbacks.


    Note – It is possible to construct more than one ACAccessControlRules object. The additional objects, however, are references to the same object, because there can only be one instance of the emAccessControlRules GDMO object.

    5.6.2 Destructor

    ~ACAccessControlRules()
    

    5.6.3 ACAccessControlRules Member Functions

    add_trusted_hosts

    Result add_trusted_hosts(ACTrustedHostList& add_trusted_host_list)
    

    Adds add_trusted_host_list to the list of trusted hosts. If a host is already included in the trusted hosts list, it is not added again.

    get_access_control_switch

    ACAccessControlSwitch get_access_control_switch()
    

    Gets the access control status of the currently running Solstice EM. This function returns one of the following two values:

    get_default_access

    ACDefaultAccess get_default_access()
    

    Gets the default access value for each operation (action, create, delete, and so on).

    Returns a list of value pairs of the form {<operation> <access>, <operation> <access>, ...}. For example:

    {action denyWithResponse, create denyWithResponse, delete denyWithResponse,
    get denyWithResponse, replace denyWithResponse, addMember denyWithResponse,
    removeMember denyWithResponse, replaceWithDefault denyWithResponse,
    multipleObjectSelection denyWithResponse, filter denyWithResponse}
    

    The default access value for all operations is denyWithResponse.

    get_default_event_access

    ACDefaultEventAccess get_default_event_access()
    

    Gets the default action for events. It returns one of the following values:

    get_denial_granularity

    ACDenialGranularity get_denial_granularity()
    

    Returns one of the following three values that represent the level at which denial of access is exhibited:

    get_denial_response

    ACDenialResponse get_denial_response()
    

    Returns the denial response that access control sends when access is denied because the default rule was satisfied.

    The return values are as follows:

    get_domain_identity

    ACDomainIdentity get_domain_identity()
    

    Returns the access control domain identity that is governed by the access control rules. By default, the domain identity is EM.

    get_trusted_host_list

    ACTrustedHostList get_trusted_host_list(Boolean real) const
    

    Returns the list of trusted hosts. Trusted hosts are systems that can freely connect as root to an MIS machine. The list of trusted hosts is maintained by the MIS server that holds the security profiles.

    is_trusted_host

    RWBoolean is_trusted_host(const RWCString& host_name) const
    

    Checks whether host_name is in the list of trusted hosts. If host_name is part of the list, this function returns TRUE; otherwise, it returns FALSE.

    remove_trusted_hosts

    Result remove_trusted_hosts(ACTrustedHostList& remove_trusted_host_list)
    

    Removes the hosts in remove_trusted_host_list from the list of trusted hosts. If a host in remove_trusted_host_list is not in the list of trusted hosts, it is ignored.

    Returns TRUE on successful completion; otherwise, FALSE.

    replace_trusted_host_list

    Result replace_trusted_host_list(ACTrustedHostList& new_trusted_host_list)
    

    Replaces the trusted host list with new_trusted_host_list.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_access_control_switch

    Result set_access_control_switch(ACAccessControlSwitch)
    

    Sets the access control status in the MIS to one of the following values:

    • emAccessControlOff
      Any user can freely view, modify, or delete objects in the platform. Access control is not enforced.
    • emAccessControlOn
      Users need to be added to the platform and given appropriate privileges to view, modify, or delete objects. Access control is enforced.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_default_access

    Result set_default_access(ACDefaultAccess&)
    

    Sets the default access for each operation (action, create, delete, and so on) as a list of value pairs of the form {<operation> <access>, <operation> <access>, ...}.

    For example:

    {action denyWithResponse, create denyWithResponse, delete denyWithResponse,
    get denyWithResponse, replace denyWithResponse, addMember denyWithResponse,
    removeMember denyWithResponse, replaceWithDefault denyWithResponse,
    multipleObjectSelection denyWithResponse, filter denyWithResponse}
    

    Returns TRUE on successful completion; otherwise, FALSE.
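    As an added example (not code from the Solstice EM reference or product), the following C++ parses the {<operation> <access>, ...} list that get_default_access() returns and set_default_access() accepts, serializes it back, and reports every operation whose default has drifted from denyWithResponse. Only the EnforcementAction names and the ten operation names come from this chapter; the helper functions, the kOperations table and the sample strings are this example's own.

```cpp
// Added example: parse, serialize and audit the {<operation> <access>, ...}
// value list used by get_default_access() / set_default_access().
// Not part of the Solstice EM reference; the helpers below are illustrative.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Enforcement actions exactly as enumerated in the reference.
enum EnforcementAction {
    denyWithResponse,
    denyWithoutResponse,
    abortAssociation,
    denyWithFalseResponse,
    allow
};

// The operations that appear in the reference's default-access example.
static const char* const kOperations[] = {
    "action", "create", "delete", "get", "replace", "addMember",
    "removeMember", "replaceWithDefault", "multipleObjectSelection", "filter"};

// Map an access keyword to its enumerator; returns false for unknown text.
bool parse_action(const std::string& word, EnforcementAction& out) {
    static const std::map<std::string, EnforcementAction> table = {
        {"denyWithResponse", denyWithResponse},
        {"denyWithoutResponse", denyWithoutResponse},
        {"abortAssociation", abortAssociation},
        {"denyWithFalseResponse", denyWithFalseResponse},
        {"allow", allow}};
    auto it = table.find(word);
    if (it == table.end()) return false;
    out = it->second;
    return true;
}

// Parse "{op access, op access, ...}" into operation -> action. Rejects
// missing braces, malformed pairs, unknown actions and duplicate operations,
// so a typo cannot silently leave an operation without a default.
bool parse_default_access(const std::string& text,
                          std::map<std::string, EnforcementAction>& out) {
    out.clear();
    size_t open = text.find('{'), close = text.rfind('}');
    if (open == std::string::npos || close == std::string::npos || close < open)
        return false;
    std::stringstream pairs(text.substr(open + 1, close - open - 1));
    std::string pair;
    while (std::getline(pairs, pair, ',')) {
        std::istringstream fields(pair);
        std::string op, action, extra;
        if (!(fields >> op >> action) || (fields >> extra)) return false;
        EnforcementAction a;
        if (!parse_action(action, a)) return false;
        if (!out.insert(std::make_pair(op, a)).second) return false;  // duplicate
    }
    return true;
}

// Serialize back into the form set_default_access() expects (sorted by operation).
std::string format_default_access(
        const std::map<std::string, EnforcementAction>& access) {
    static const char* const names[] = {"denyWithResponse", "denyWithoutResponse",
        "abortAssociation", "denyWithFalseResponse", "allow"};
    std::string out = "{";
    for (auto it = access.begin(); it != access.end(); ++it) {
        if (it != access.begin()) out += ", ";
        out += it->first + " " + names[it->second];
    }
    return out + "}";
}

// Audit helper: list every operation that is absent from the list or whose
// default is something other than denyWithResponse, the documented default.
// Anything reported here weakens deny-by-default and deserves a second look.
std::vector<std::string> deviations_from_deny_default(
        const std::map<std::string, EnforcementAction>& access) {
    std::vector<std::string> result;
    for (const char* op : kOperations) {
        auto it = access.find(op);
        if (it == access.end())
            result.push_back(std::string(op) + ": missing");
        else if (it->second != denyWithResponse)
            result.push_back(std::string(op) + ": not denyWithResponse");
    }
    return result;
}

int main() {
    // Constructed sample: a list where two defaults were loosened.
    std::map<std::string, EnforcementAction> access;
    if (!parse_default_access("{action denyWithResponse, get allow, "
                              "create denyWithFalseResponse}", access))
        return 1;
    for (const std::string& d : deviations_from_deny_default(access))
        std::cout << d << std::endl;
    std::cout << format_default_access(access) << std::endl;
    return 0;
}
```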

    set_default_event_access

    Result set_default_event_access(ACDefaultEventAccess)
    

    Sets the access control status in the platform to one of the following values:

    • denyWithResponse (default)
    • denyWithoutResponse
    • abortAssociation
    • denyWithFalseResponse
    • allow

    Returns TRUE on successful completion; otherwise, FALSE.

    set_denial_granularity

    Result set_denial_granularity(ACDenialGranularity)
    

    Sets the access denial level to one of the following values (passed through the ACDenialGranularity parameter):

    • request
      Access is denied at the request level. An entire request to access one or more managed objects in the MIS is denied if access to one of the managed objects in the request is denied. The request is allowed only when all managed objects in the request are accessible.
    • object
      Access is denied at the object level. Access is denied only to the request's managed objects that are not accessible. Access to the remaining managed objects in the request is allowed.
    • attribute
      Access is denied at the attribute level. Request to access a managed object is denied if access to one or more of its attributes is denied. Access to the managed object is allowed only when all the attributes of the managed object are accessible.


    Note – Solstice EM only supports object-level access control.

    Returns TRUE on successful completion; otherwise, FALSE.
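    As an added example (not from the Solstice EM reference), the following C++ applies the three granularity levels just described to one constructed request that names three managed objects, so the difference between the levels is visible in the resulting decisions. The ObjectAccess structure, the object and attribute names and the accessibility flags are assumptions made for illustration; in the product the decision is taken by the access control service in the MIS.

```cpp
// Added example: evaluate one multi-object request under each
// ACDenialGranularity level. Not part of the Solstice EM reference; the
// ObjectAccess structure and the sample request are constructed for illustration.
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Denial granularity exactly as enumerated in the reference.
enum ACDenialGranularity { request, object, attribute };

// One managed object named in a request, together with the access decisions
// the service would have reached for it and for each of its attributes.
struct ObjectAccess {
    std::string name;
    bool object_accessible;                   // object-level decision
    std::map<std::string, bool> attributes;   // attribute name -> accessible?
};

bool all_attributes_accessible(const ObjectAccess& o) {
    for (const auto& kv : o.attributes)
        if (!kv.second) return false;
    return true;
}

// Decide, per object, whether the caller may access it under granularity g:
//   request   - one inaccessible object denies the whole request
//   object    - only the inaccessible objects are denied
//   attribute - an object is also denied if any of its attributes is denied
std::map<std::string, bool> decide(ACDenialGranularity g,
                                   const std::vector<ObjectAccess>& req) {
    std::map<std::string, bool> verdict;
    bool any_denied = false;
    for (const auto& o : req) {
        bool ok = o.object_accessible;
        if (g == attribute) ok = ok && all_attributes_accessible(o);
        verdict[o.name] = ok;
        if (!ok) any_denied = true;
    }
    if (g == request && any_denied)
        for (auto& kv : verdict) kv.second = false;
    return verdict;
}

// Number of objects the request may actually touch under g.
size_t allowed_count(ACDenialGranularity g, const std::vector<ObjectAccess>& req) {
    size_t n = 0;
    for (const auto& kv : decide(g, req)) n += kv.second ? 1 : 0;
    return n;
}

// Constructed sample: a request that reads three objects (names invented).
// router2 is denied as a whole; switch3 is accessible but one attribute is not.
std::vector<ObjectAccess> sample_request() {
    return {
        {"router1", true,  {{"sysName", true}, {"community", true}}},
        {"router2", false, {{"sysName", true}, {"community", true}}},
        {"switch3", true,  {{"sysName", true}, {"community", false}}},
    };
}

int main() {
    std::vector<ObjectAccess> req = sample_request();
    std::cout << "request:   " << allowed_count(request, req) << " of 3 allowed\n"
              << "object:    " << allowed_count(object, req) << " of 3 allowed\n"
              << "attribute: " << allowed_count(attribute, req) << " of 3 allowed\n";
    return 0;
}
```

    Since Solstice EM enforces only object-level access control, decide(object, ...) is the case that applies in practice; the other two show what the setting would mean.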

    set_denial_response

    Result set_denial_response(ACDenialResponse)
    

    Sets the denial response to be returned by access control when the default rule is satisfied to one of the following values:

    • denyWithResponse (default)
    • denyWithoutResponse
    • abortAssociation
    • denyWithFalseResponse
    • allow

    Returns TRUE on successful completion; otherwise, FALSE.

    5.7 ACAccessUserList Class

    Inheritance: public ACObject

    #include <acapi/acaccessuserlist.hh>
    

    Data Members: No public data members are declared in this class.

    The ACAccessUserList class represents the accessUserList GDMO object in the MIS. This class stores the list of users registered under access control, and maintains a list of super users. Whenever any of the attribute values for this class changes, it sends attributeValueChange notifications.

    5.7.1 Constructor

    ACAccessUserList()
    

    The default constructor initializes the ACAccessUserList class, and prepares it to register callbacks.


    Note – It is possible to construct more than one ACAccessUserList object. The additional objects, however, are references to the same object, because there can only be one instance of the accessUserList GDMO object.

    5.7.2 Destructor

    ~ACAccessUserList()
    

    5.7.3 ACAccessUserList Member Functions

    add_superusers

    Result add_superusers(ACSuperUserList& add_superuser_list)
    

    Adds the users in add_superuser_list to the list of super users. A user in the list who is already a super user is not added again.

    Returns TRUE on successful completion; otherwise, FALSE.

    add_user

    Result add_user(ACUser& user)
    

    Adds user as a user under access control. If user already exists, the error type is set to ACC_USER_EXISTS, and the error string is set to "User exists in accessUserList!".

    Returns TRUE on successful completion; otherwise, FALSE.

    get_access_user_list_set

    ACAccessUserListSet get_access_user_list_set()
    

    Returns a list of the users registered under access control.

    get_superuser_list

    ACSuperUserList get_superuser_list(Boolean real = TRUE) const
    

    Returns a list of the super users under the access control domain.

    is_superuser

    RWBoolean is_superuser(const RWCString& user_name) const
    

    Returns TRUE if user_name is a super user; otherwise, FALSE.

    replace_superuser_list

    Result replace_superuser_list(ACSuperUserList& new_superuser_list)
    

    Replaces the existing list of super users with new_superuser_list.

    Returns TRUE on successful completion; otherwise, FALSE.

    remove_superusers

    Result remove_superusers(ACSuperUserList& remove_superuser_list)
    

    Removes the super users that are specified in the remove_superuser_list list.

    Returns TRUE on successful completion; otherwise, FALSE.

    remove_user

    Result remove_user(ACUser& user)
    

    Removes user from the list of users under access control.

    Returns TRUE on successful completion; otherwise, FALSE.

    5.8 ACAppFeatureContainer Class

    Inheritance: class ACContainer

    #include <acapi/acapplicationfeature.hh>
    

    Data Members: No public data members are declared in this class.

    The ACAppFeatureContainer class is a container for all the features that can be controlled through Solstice EM's feature-level access control for a given application.

    5.8.1 Constructor

    ACAppFeatureContainer(const RWCString& appl_name)
    

    The constructor creates a feature container object for appl_name. If an object has already been created for appl_name, the object is not created again. Instead, the object's internal reference count is incremented by one.

    5.8.2 Destructor

    ~ACAppFeatureContainer()
    

    5.8.3 ACAppFeatureContainer Member Functions

    get_all_features

    ACApplicationFeatureList get_all_features()
    

    Returns all the features that have been registered for feature-level access control for the application that this class represents.

    get_container_name

    RWCString get_container_name()
    

    Returns the container name, which is the application name.

    get_feature

    ACApplicationFeature get_feature(const RWCString& featurename)
    

    Returns the ACApplicationFeature object featurename.

    5.9 ACApplication Class

    Inheritance: class ACObject

    #include <acapi/acapplication.hh>
    

    Data Members: No public data members are declared in this class.

    The ACApplication class represents the application GDMO object class defined in the Solstice EM Access Control module. This object is a container for all the features that are controlled through Solstice EM's feature-level access control for a given application.

    5.9.1 Constructor

    ACApplication(const RWCString& appl_name)
    

    The constructor creates an application object whose name is the value of appl_name. If an object has already been created for appl_name, the object is not created again. Instead, the object's internal reference count is incremented by one.

    5.9.2 Destructor

    ~ACApplication()
    

    5.9.3 ACApplication Member Functions

    destroy

    Result destroy()
    

    Removes the application object that this class represents from all groups to which it belongs, and deletes the application object and its features from access control. After the deletion, the application is no longer subject to access control.

    Returns TRUE on successful completion; otherwise, FALSE.

    get_application_description

    RWCString get_application_description()
    

    Gets the application description information.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_application_description

    Result set_application_description(const RWCString& desc)
    

    Sets desc as the application's description information.

    Returns TRUE on successful completion; otherwise, FALSE.

    5.10 ACApplicationContainer Class

    Inheritance: public ACContainer

    #include <acapi/acapplication.hh>
    

    Data Members: No public data members are declared in this class.

    The ACApplicationContainer class represents the applicationContainer GDMO object class which is defined in the Solstice EM Access Control module. This object is a container for all the applications that can be controlled through Solstice EM's feature-level access control.

    5.10.1 Constructor

    ACApplicationContainer()
    

    The constructor creates an application container object that contains all the applications that are subject to access control. If such an object has already been created, its internal reference count is incremented by one.

    5.10.2 Destructor

    ~ACApplicationContainer()
    

    5.10.3 ACApplicationContainer Member Functions

    get_all_applications

    ACApplicationList get_all_applications()
    

    Returns a list of all the applications under the ACApplicationContainer object which, by default, includes most of the Solstice EM applications.

    get_application

    ACApplication get_application(const RWCString& appname)
    

    Returns the ACApplication object whose name is stored in appname.

    5.11 ACApplicationFeature Class

    Inheritance: public ACObject

    #include <acapi/acapplicationfeature.hh>
    

    Data Members: No public data members are declared in this class.

    The ACApplicationFeature class represents the applicationFeature GDMO object class which is defined in the Solstice EM Access Control module. ACApplicationFeature represents a feature that can be controlled through Solstice EM's feature-level access control for a given application.

    5.11.1 Constructor

    ACApplicationFeature(const RWCString& appname, const RWCString& featurename)
    

    The constructor creates an applicationFeature object based on the values of appname and featurename. If such an object already exists, the internal reference count is incremented by one, and the object is returned.

    5.11.2 Destructor

    ~ACApplicationFeature()
    

    5.11.3 ACApplicationFeature Member Functions

    destroy

    Result destroy()
    

    Removes an application's feature object from all groups to which it belongs and deletes the feature object from access control. Upon deletion, the application's feature is no longer subject to access control.

    Returns TRUE on successful completion; otherwise, FALSE.

    get_feature_description

    RWCString get_feature_description()
    

    Returns the feature's description.

    set_feature_description

    Result set_feature_description(const RWCString& desc)
    

    Sets desc as the description for the feature.

    Returns TRUE if successful; otherwise, FALSE.

    5.12 ACCallback Class

    Inheritance: class Callback

    #include <acapi/accallback.hh>
    

    This class is a simple extension of the PMI callback class.

    5.12.1 Constructors

    ACCallback()
    

    The default constructor initializes the Callback object.

    ACCallback(CallbackHandler hand, Ptr userdata, ACCallbackType type)
    

    In the preceding constructor:

    • hand, defined in pmi/callback.hh, is a pointer to the function that the scheduler must call.
    • type can be one of the following:

      • OBJECT_CREATION_CALLBACK
      • OBJECT_DELETION_CALLBACK
      • ATTRIBUTE_VALUE_CHANGED_CALLBACK
      • IMAGE_INCLUDED_CALLBACK
      • IMAGE_EXCLUDED_CALLBACK
      • RAW_EVENT_CALLBACK

    ACCallback(const ACCallback& other)
    

    The preceding is a copy constructor.

    5.12.2 Destructor

    ~ACCallback()
    

    5.12.3 ACCallback Operator Overloading

    ACCallback& operator = (const ACCallback& other)
    

    The assignment operator works like the copy constructor.

    5.12.4 ACCallback Member Functions

    exec_callback

    void exec_callback(Ptr call_data) const
    

    Invokes the callback's handler, passing the callback's user data and call_data as arguments.

    get_callback_type

    ACCallbackType get_callback_type() const
    

    Returns the callback's type.

    5.13 ACContainer Class

    Inheritance: None

    #include <acapi/accontainer.hh>
    

    Data Members: No public data members are declared in this class.

    The ACContainer class is an abstract base class that abstracts the concept of a container for access control GDMO objects.

    This class is subclassed to derive more specific classes that serve as an interface to containers of various X.741 GDMO object classes. For example, the C++ subclass ACRuleContainer provides the interface to the container of X.741 rule GDMO objects.

    Multiple ACContainer objects that represent the same container of X.741 GDMO objects share the same underlying object by maintaining a reference count. The ACContainer class allows its subclasses to register for object inclusion and object exclusion events from the container, and for raw events from PMI, so that the container is updated dynamically and automatically.

    5.13.1 Constructor

    The constructor is protected, so users cannot instantiate ACContainer directly.

    5.13.2 Destructor

    virtual ~ACContainer() = 0;
    

    5.13.3 ACContainer Operator Overloading

    Boolean operator == (const ACContainer& self, const ACContainer& other)
    

    If the two compared container objects have the same object names, the preceding comparison operator returns TRUE.

    ACContainer& operator=(const ACContainer&)
    

    The preceding operator overloads the assignment operator.

    5.13.4 ACContainer Member Functions

    add_callback

    void add_callback(const ACCallback& cb)
    

    Adds cb to ACContainer's callback queue.


    Note – You can add more than one callback for a given type of event. This allows you to use multiple callbacks to process the same event.

    The following six types of events are supported:

    • OBJECT_CREATION
    • OBJECT_DELETION
    • ATTRIBUTE_VALUE_CHANGED
    • IMAGE_INCLUDED
    • IMAGE_EXCLUDED
    • RAW_EVENT

    get_error_string

    RWCString get_error_string()
    

    Returns the error string stored in the ACAccessControl object that pertains to the container that this object represents.

    get_error_type

    ACErrorType get_error_type()
    

    Returns the error type stored in the ACAccessControl object that pertains to the container that this object represents. The possible values of the error type are:

    • ACC_OK
    • ACC_FAILED
    • ACC_USER_EXISTS
    • ACC_USER_NOT_EXISTS
    • ACC_INVALID_USER_NAME
    • ACC_GROUP_EXISTS
    • ACC_GROUP_NOT_EXISTS
    • ACC_APPLICATION_EXISTS
    • ACC_APPLICATION_NOT_EXISTS
    • ACC_TARGETS_EXISTS
    • ACC_TARGETS_NOT_EXISTS
    • ACC_RULE_EXISTS
    • ACC_RULE_NOT_EXISTS
    • ACC_FEATURE_EXISTS
    • ACC_FEATURE_NOT_EXISTS
    • ACC_MOI_EXISTS
    • ACC_MOI_NOT_EXISTS
    • ACC_MOC_EXISTS
    • ACC_MOC_NOT_EXISTS
    • ACC_DB_OBJECT_TABLE_EXISTS
    • ACC_DB_OBJECT_TABLE_NOT_EXISTS
    • ACC_DB_OBJECT_ACCESS_EXISTS
    • ACC_DB_OBJECT_ACCESS_NOT_EXISTS
    • ACC_NO_MEMORY

    get_name_only

    RWCString get_name_only()
    

    Returns the name of the ACAccessControl object that pertains to the ACContainer.

    get_object_name

    RWCString get_object_name() const
    

    Returns the name of the ACAccessControl object stored in the distinguished name (DN) format.

    remove_callback

    void remove_callback(const ACCallback& cb)
    

    Removes cb from ACContainer's callback queue.

    reset_error

    void reset_error()
    

    Resets the error state of the ACAccessControl object that pertains to the ACContainer by setting both the error string and error type to ACC_OK.

    set_error

    void set_error(ACErrorType type, const RWCString& err)
    

    Sets the error type to the type argument, and the error string to the err argument. If type is ACC_OK, this method performs the same action as the reset_error method.

    set_error_string

    void set_error_string(const RWCString& err)
    

    Sets the error string to err.

    set_error_type

    void set_error_type(ACErrorType type)
    

    Sets the error type to the type argument. If type is ACC_OK, this method performs the same action as the reset_error method.

    5.14 ACDbObject Class

    Inheritance: public ACObject

    #include <acapi/acdbobject.hh>
    

    Data Members: No public data members are declared in this class.

    The ACDbObject class represents the emDbObject GDMO object class from the Solstice EM DB Info module. An emDbObject object represents a database object on which access control can be specified.

    5.14.1 Constructor

    ACDbObject(const RWCString& objectname)
    

    The constructor creates an emDbObject object whose name is specified by objectname. If an emDbObject with the same name already exists, the internal reference count is incremented by one and the existing object is returned.

    5.14.2 Destructor

    ~ACDbObject()
    

    5.14.3 ACDbObject Member Functions

    add_db_object_access

    Result add_db_object_access(const RWCString& access)
    

    Adds access to the emDbObject object's access list.

    Returns TRUE on successful completion. Otherwise, if access already exists in the access list, this function sets the error type to ACC_DB_OBJECT_ACCESS_EXISTS and the error string to "Access exists in emDbObjectAccessList!", and returns FALSE.

    add_db_object_table

    Result add_db_object_table(const RWCString& table)
    

    Adds table to emDbObject's table list.

    Returns TRUE on successful completion. Otherwise, if table already exists in the table list, this function sets the error type to ACC_DB_OBJECT_ACCESS_EXISTS and the error string to "Access exists in emDbObjectAccessList!", and returns FALSE.

    get_db_object_access_list

    ACDbObjectAccessList get_db_object_access_list()
    

    Returns the access list that contains the names of the groups that can access DbObject.

    get_db_object_table_list

    ACDbObjectTableList get_db_object_table_list()
    

    Returns the list of tables that are under access control for the DbObject object.

    remove_db_object_access

    Result remove_db_object_access(const RWCString& access)
    

    Removes access from the DbObject object's access list.

    Returns TRUE on successful completion. Otherwise, if access does not exist, this function sets the error type to ACC_DB_OBJECT_ACCESS_NOT_EXISTS and the error string to "Access doesn't exist in emDbObjectAccessList!", and returns FALSE.

    remove_db_object_table

    Result remove_db_object_table(const RWCString& table)
    

    Removes table from the DbObject object's table list.

    Returns TRUE on successful completion. Otherwise, if table does not exist, this function sets the error type to ACC_DB_OBJECT_TABLE_NOT_EXISTS and the error string to "Table doesn't exist in emDbObjectTableList!", and returns FALSE.

    set_db_object_access_list

    Result set_db_object_access_list(ACDbObjectAccessList& accesslist)
    

    Replaces the DbObject object's current access list with accesslist.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_db_object_table_list

    Result set_db_object_table_list(ACDbObjectTableList& tablelist)
    

    Replaces the current table list of the DbObject with tablelist.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_auxobject_owner

    Result set_auxobject_owner(ACAuxOwnerType owntype, RWCString ownid)
    

    The above method sets the owner of the auxiliary object to ownid and the type of the owner to owntype. Returns TRUE on successful completion; otherwise, FALSE.

    get_auxobject_owner_type

    ACAuxOwnerType get_auxobject_owner_type()
    

    The above method returns the owner type (USER or GROUP) of the auxiliary object. If the owner type is unknown or invalid, INVALID_OWNER_TYPE is returned.

    get_auxobject_owner_id

    RWCString get_auxobject_owner_id()
    

    The above method returns the owner id of the auxiliary object. The value is valid only when the owner type of the auxiliary object is USER or GROUP.

    5.14.4 Notes About the ACDbObject Class

    The default owner of an auxiliary object is root at creation time. To change the owner, set the owner id with the set_auxobject_owner() method. The owner type can be USER or GROUP, and the owner id can be the name of a user or the name of a group.

    After setting the auxiliary object's owner, you must perform a create() or store() operation so that the changes in the auxiliary object are pushed down to the MIS. CODE EXAMPLE 5-1 illustrates the sequence for performing a create() operation (M-CREATE).

    CODE EXAMPLE 5-1   Sequence for Performing a create() Operation 

            // Assumes logname (the log name) and owner_id_str (an RWCString)
            // have been set earlier in the program.

            // Create the ACDbObject: create an auxiliary object with root as
            // the default owner id
            ACDbObject *acdbobj_ptr = new ACDbObject(logname, FALSE);

            // Set the auxiliary object's owner (type USER, id from owner_id_str)
            if (!acdbobj_ptr->set_auxobject_owner(USER, owner_id_str.chp())) {
                cout << "Failed to set the owner id." << endl;
                exit(1);
            }

            // Create the acdbobject and its auxiliary object (M-CREATE)
            if (!acdbobj_ptr->create()) {
                cout << "Failed to create the acdbobject." << endl;
                exit(1);
            }

    The sequence for changing the owner of an existing log (M-SET) is as follows:

            // Set the auxiliary object's owner
            if (!acdbobj_ptr->set_auxobject_owner(USER, owner_id_str.chp())) {
                cout << "Failed to set the owner id." << endl;
                exit(1);
            }

            // Store the changes to the owner of the auxiliary object (M-SET)
            if (!acdbobj_ptr->store_auxobject()) {
                cout << "Failed to change the auxiliary object's owner." << endl;
                exit(1);
            }


    Note – Two test programs that show how to create and set an ACDbObject object are supplied in the /opt/SUNWconn/em/src/ac_api directory.

    5.15 ACDbObjectContainer Class

    Inheritance: public ACContainer

    #include <acapi/acdbobject.hh>
    

    Data Members: No public data members are declared in this class.

    The ACDbObjectContainer class represents the emDbInfo GDMO object class from the Solstice EM DB Info module. ACDbObjectContainer is a container for all ACDbObject objects. It stores database-specific access control information.

    5.15.1 Constructor

    ACDbObjectContainer()
    

    The default constructor creates the container object. If the object has already been created, the internal reference count for the object is incremented by one.

    5.15.2 Destructor

    ~ACDbObjectContainer()
    

    5.15.3 ACDbObjectContainer Member Functions

    get_access_db_objects

    ACDbObjectList get_access_db_objects(const RWCString& group)
    

    Returns all ACDbObject objects that contain the given group in the ACDbObjectContainer object's access list.

    get_all_db_objects

    ACDbObjectList get_all_db_objects()
    

    Returns all ACDbObject objects that are stored in ACDbObjectContainer.

    get_db_object

    ACDbObject get_db_object(const RWCString& appname)
    

    Returns the ACDbObject object whose name is specified by appname.

    get_db_server_name

    RWCString get_db_server_name()
    

    Returns the database server name.

    get_db_server_type

    RWCString get_db_server_type()
    

    Returns the database server type.

    5.16 ACEMNotificationEmitter Class

    Inheritance: public ACObject

    #include <acapi/notificationemitter.hh>
    

    Data Members: No public data members are declared in this class.

    The ACEMNotificationEmitter class represents the emNotificationEmitter GDMO object class from the Solstice EM Access Control module. The emNotificationEmitter object represents a notification emitter for security alarm and auditing.

    5.16.1 Constructor

    ACEMNotificationEmitter()
    

    The constructor creates a notificationEmitter object. If such an object has already been created, the internal reference count for the object is incremented by one.

    5.16.2 Destructor

    ~ACEMNotificationEmitter()
    

    5.16.3 ACEMNotificationEmitter Member Functions

    get_audit_level

    ACEMAuditLevel get_audit_level()
    

    Returns one of the following values that represent the audit level:

    • AUDIT_OFF
    • AUDIT_LEVEL1
    • AUDIT_LEVEL2

    get_invalid_access_attempts

    long get_invalid_access_attempts()
    

    Returns a count of the number of times that access was denied.

    get_security_level

    ACEMSecurityLevel get_security_level()
    

    Returns one of the following values that represent the security level:

    • SECURITY_OFF
    • SECURITY_LEVEL1
    • SECURITY_LEVEL2

    get_valid_access_attempts

    long get_valid_access_attempts()
    

    Returns a count of the number of times that an access control decision function authorized access.

    set_audit_level

    Result set_audit_level(ACEMAuditLevel)
    

    Sets the audit level to one of the following values:

    • AUDIT_OFF
    • AUDIT_LEVEL1
    • AUDIT_LEVEL2

    Returns TRUE on successful completion; otherwise, FALSE.

    set_security_level

    Result set_security_level(ACEMSecurityLevel)
    

    Sets the security level to one of the following values:

    • SECURITY_OFF
    • SECURITY_LEVEL1
    • SECURITY_LEVEL2

    Returns TRUE on successful completion; otherwise, FALSE.

    5.17 ACEMTargets Class

    Inheritance: public ACTargets

    #include <acapi/acemtargets.hh>
    

    Data Members: No public data members are declared in this class.

    The ACEMTargets class represents the emTargets GDMO object class, which is defined in the Solstice EM Access Control module. emTargets is derived from X.741's targets GDMO object class. The ACEMTargets class adds an eventDiscriminator attribute to the targets class, to be used for event access control.

    5.17.1 Constructor

    ACEMTargets(const RWCString& objname)
    

    The preceding constructor creates an ACEMTargets object whose name is specified by objname. If an object has already been created with the same name, the internal reference count for the object is incremented by one.

    5.17.2 Destructor

    ~ACEMTargets()
    

    5.17.3 ACEMTargets Member Functions

    get_event_discriminator

    ACEventsDiscriminator get_event_discriminator()
    

    Returns the ACEMTargets object's event discriminator.

    set_event_discriminator

    Result set_event_discriminator(ACEventsDiscriminator)
    

    Sets the ACEMTargets object's event discriminator to the given ACEventsDiscriminator value.

    Returns TRUE on successful completion; otherwise, FALSE.

    5.18 ACGroup Class

    Inheritance: public ACObject

    #include <acapi/acgroup.hh>
    

    Data Members: No public data members are declared in this class.

    The ACGroup class represents the group GDMO object class which is defined in the Solstice EM Access Control module. group is derived from X.741's aclInitiators GDMO object class.

    5.18.1 Constructor

    ACGroup(const RWCString& objectname)
    

    The constructor creates an ACGroup object whose name is specified by objectname. If an object with the same name has already been created, the internal reference count for the object is incremented by one.

    5.18.2 Destructor

    ~ACGroup()
    

    5.18.3 ACGroup Member Functions

    add_application

    Result add_application(const RWCString& app)
    

    Adds app to the list of applications that can be accessed by its group.

    Returns TRUE on successful completion; otherwise, FALSE.

    add_application_feature

    Result add_application_feature(const RWCString& app, const RWCString& feature)
    

    Adds feature to the feature list of app that can be accessed by its group.

    Returns TRUE on successful completion; otherwise, FALSE.

    add_group_member

    Result add_group_member(const RWCString& membername)
    

    Adds the given member to its group.

    Returns TRUE on successful completion. Otherwise, if the given member already exists in the group, this function sets the error type to ACC_USER_EXISTS and the error string to "User exists in groupMemberList!", and returns FALSE.

    destroy

    Result destroy()
    

    Removes the instantiated group object from all containers that contain it, and then removes the object itself.

    Returns TRUE on successful completion; otherwise, FALSE.

    get_all_applications_full_access

    Boolean get_all_applications_full_access()
    

    A group has full access to all applications in an application container if the applicationAndFeatureList of the group contains the DN of that application container. This method returns TRUE if the applicationAndFeatureList of the instantiated group contains the DN of an application container; otherwise, FALSE.

    get_applications

    ACApplicationList get_applications()
    

    Returns all the applications that are accessible by its group.

    get_application_and_feature_list

    ACApplicationAndFeatureList get_application_and_feature_list(Boolean real)
    

    If real is TRUE, this function returns a list of the DNs of all MIS applications and features that are accessible by the instantiated group; otherwise, it returns a list of the DNs of all applications and features in its own application space.

    get_application_feature

    Result add_application_feature(const RWCString& app, const RWCString& feature)
    

    Adds feature to the feature list of app that can be accessed by its group.

    Returns TRUE on successful completion; otherwise, FALSE. On failure, call get_error_type and get_error_string for details. To check whether the application already has full access, call get_application_full_access.

    get_application_features

    ACApplicationFeatureList get_application_features(const RWCString& appname)

    This function returns all the features of the given application that are accessible by its group. If the given application has full access, this function returns an empty list. Verify that the application has full access by calling get_application_full_access.

    get_application_full_access

    Boolean get_application_full_access(const RWCString& appname)
    

    Checks the applicationAndFeatureList of the instantiated group for the DN of the given application, to determine whether the group has full access to the given application.

    Returns TRUE if its group has full access to the given application; otherwise, FALSE.

    get_group_description

    ACGroupDescription get_group_description()
    

    Returns the ACGroup object's description information.

    get_group_member_list

    ACGroupMemberList get_group_member_list()
    

    Returns a list of the group members (users).

    remove_application

    Result remove_application(const RWCString& app)
    

    Removes the given application and all of its associated features from the applicationAndFeatureList of the group.

    Returns TRUE on successful completion; otherwise, FALSE.

    remove_application_feature

    Result remove_application_feature(const RWCString& app, const RWCString& feature)
    

    Removes the given feature from the given application.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given feature does not exist, this function sets the error type to ACC_FEATURE_NOT_EXISTS and the error string to "Application feature doesn't exist in applicationAndFeatureList!".

    remove_group_member

    Result remove_group_member(const RWCString& membername)
    

    Removes the given member (user) from its groupMemberList.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given member does not exist, this function sets the error type to ACC_USER_NOT_EXISTS and the error string to "User doesn't exist in groupMemberList!".

    set_all_applications_full_access

    Result set_all_applications_full_access(Boolean fullaccess)
    

    A group has full access to all applications in an application container if the group contains the DN of the application container.

    If fullaccess is TRUE, this method adds the DN of an application container to the applicationAndFeatureList of the instantiated group.

    If fullaccess is FALSE, this method removes the DN from the applicationAndFeatureList of the instantiated group.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_application_and_feature_list

    Result set_application_and_feature_list(ACApplicationAndFeatureList& list)

    Sets the given list as the applicationAndFeatureList for the instantiated group.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_application_full_access

    Result set_application_full_access(const RWCString& application)
    

    Sets the DN of the given application in the applicationAndFeatureList of the instantiated group so that the group has full access to the given application.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_group_description

    Result set_group_description(const ACGroupDescription& description)
    

    Sets the description of the instantiated group object to description.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_group_member_list

    Result set_group_member_list(ACGroupMemberList& list)
    

    Sets the member (user) list of the instantiated group to list.

    Returns TRUE on successful completion; otherwise, FALSE.

    get_initiator_aci_mandated

    Boolean get_initiator_aci_mandated() 
    

    Returns TRUE if the initiator of the instantiated ACGroup object is authorized; otherwise, FALSE.

    set_initiator_aci_mandated

    Result set_initiator_aci_mandated(Boolean mandated)
    

    If mandated is TRUE, sets the initiator of the instantiated ACGroup object to authorized; otherwise, sets the initiator to unauthorized.

    Returns TRUE on successful completion; otherwise, FALSE.
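The three levels at which an ACGroup's applicationAndFeatureList grants access (container DN, application DN, feature DN), as a stand-alone model added here. It is not Solstice EM code; its DN strings (applicationContainer/application=.../feature=...) are a constructed placeholder layout, not the MIS naming, and the methods mirror the member functions above by name.

```cpp
// Added example, not Solstice EM code: a model of how an ACGroup's
// applicationAndFeatureList grants access at container, application and
// feature level. DN strings are a constructed placeholder layout.
#include <algorithm>
#include <string>
#include <vector>

// Hypothetical DN of the application container (placeholder)
const std::string kAppContainerDN = "applicationContainer";

std::string applicationDN(const std::string& app) {
    return kAppContainerDN + "/application=" + app;
}

std::string featureDN(const std::string& app, const std::string& feature) {
    return applicationDN(app) + "/feature=" + feature;
}

struct GroupModel {
    std::vector<std::string> applicationAndFeatureList;   // the group's attribute
    std::string errorString = "ACC_OK";                    // ACObject error state

    bool contains(const std::string& dn) const {
        return std::find(applicationAndFeatureList.begin(),
                         applicationAndFeatureList.end(), dn)
               != applicationAndFeatureList.end();
    }

    void eraseDN(const std::string& dn) {
        applicationAndFeatureList.erase(
            std::remove(applicationAndFeatureList.begin(),
                        applicationAndFeatureList.end(), dn),
            applicationAndFeatureList.end());
    }

    // get_all_applications_full_access / set_all_applications_full_access:
    // full access to every application means the container DN is listed
    bool allApplicationsFullAccess() const { return contains(kAppContainerDN); }
    void setAllApplicationsFullAccess(bool full) {
        if (full && !allApplicationsFullAccess())
            applicationAndFeatureList.push_back(kAppContainerDN);
        if (!full) eraseDN(kAppContainerDN);
    }

    // get_application_full_access / set_application_full_access:
    // full access to one application means that application's DN is listed
    bool applicationFullAccess(const std::string& app) const {
        return contains(applicationDN(app));
    }
    void setApplicationFullAccess(const std::string& app) {
        if (!applicationFullAccess(app))
            applicationAndFeatureList.push_back(applicationDN(app));
    }

    // add_application_feature: grant a single feature (a duplicate is an error)
    bool addApplicationFeature(const std::string& app, const std::string& feature) {
        if (contains(featureDN(app, feature))) return false;   // ACC_FEATURE_EXISTS
        applicationAndFeatureList.push_back(featureDN(app, feature));
        return true;
    }

    // remove_application_feature, with the documented error on a missing feature
    bool removeApplicationFeature(const std::string& app, const std::string& feature) {
        const std::string dn = featureDN(app, feature);
        if (!contains(dn)) {   // ACC_FEATURE_NOT_EXISTS
            errorString = "Application feature doesn't exist in applicationAndFeatureList!";
            return false;
        }
        eraseDN(dn);
        return true;
    }

    // remove_application: drop the application DN and every feature DN under it
    void removeApplication(const std::string& app) {
        const std::string appDN = applicationDN(app);
        const std::string sub = appDN + "/";
        auto under = [&](const std::string& dn) {
            return dn == appDN || dn.compare(0, sub.size(), sub) == 0;
        };
        applicationAndFeatureList.erase(
            std::remove_if(applicationAndFeatureList.begin(),
                           applicationAndFeatureList.end(), under),
            applicationAndFeatureList.end());
    }

    // get_application_features: the individually granted feature names; empty
    // when the application has full access, as the API documents
    std::vector<std::string> applicationFeatures(const std::string& app) const {
        std::vector<std::string> out;
        if (applicationFullAccess(app)) return out;
        const std::string prefix = applicationDN(app) + "/feature=";
        for (const std::string& dn : applicationAndFeatureList)
            if (dn.compare(0, prefix.size(), prefix) == 0)
                out.push_back(dn.substr(prefix.size()));
        return out;
    }
};
```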

    5.19 ACGroupContainer Class

    Inheritance: public ACContainer

    #include <acapi/acgroup.hh>
    

    Data Members: No public data members are declared in this class.

    The ACGroupContainer class represents the groupContainer GDMO object class which is defined in the Solstice EM Access Control module. groupContainer is a container for all the groups that are defined under access control of Solstice EM.

    5.19.1 Constructor

    ACGroupContainer()
    

    The constructor creates a group container object that, when instantiated, contains all the groups that are subject to access control. By default, the following groups are available: full access, operator, and view-only. If such an object exists, the internal reference count for the object is incremented by one.

    5.19.2 Destructor

    ~ACGroupContainer()
    

    5.19.3 ACGroupContainer Member Functions

    get_all_groups

    ACGroupList get_all_groups()
    

    Returns all the groups under the groupContainer object in the form of a group list.

    get_group

    ACGroup get_group(const RWCString& groupname)
    

    Returns the group object with the given name.

    get_user_group_list

    ACGroupList get_user_group_list(const RWCString& username)
    

    Returns all the groups containing a user with the given name.

    5.20 ACInterface Class

    Inheritance: None

    #include <acapi/acinterface.hh>
    

    Data Members: No public data members are declared in this class.

    The ACInterface class is a convenience class that you can use to get all the container objects for access control and their contained objects.

    5.20.1 Constructor

    ACInterface()
    

    The default constructor does nothing because there are no data members to initialize.

    5.20.2 Destructor

    ~ACInterface()
    

    5.20.3 ACInterface Member Functions

    get_access_user_list

    ACAccessUserList get_access_user_list()
    

    Creates an ACAccessUserList object if it does not exist and returns it.

    get_application_container

    ACApplicationContainer get_application_container()
    

    Creates an ACApplicationContainer object if it does not exist and returns it.

    get_db_object_container

    ACDbObjectContainer get_db_object_container()
    

    Creates an ACDbObjectContainer object if it does not exist and returns it.

    get_em_notification_emitter

    ACEMNotificationEmitter get_em_notification_emitter()
    

    Creates an ACEMNotificationEmitter object if it does not exist and returns it. If such an object exists, its internal reference count is incremented by one.

    get_feature_container

    ACAppFeatureContainer get_feature_container(const RWCString& appname)
    

    Creates an ACAppFeatureContainer object (for the given application) if it does not exist and returns it.

    get_group_container

    ACGroupContainer get_group_container()
    

    Creates an ACGroupContainer object if it does not exist and returns it.

    get_rule_container

    ACRuleContainer get_rule_container()
    

    Creates an ACRuleContainer object if it does not exist and returns it.

    get_targets_container

    ACTargetsContainer get_targets_container()
    

    Creates an ACTargetsContainer object if it does not exist and returns it.

    5.21 ACObject Class

    Inheritance: None

    #include <acapi/acobject.hh>
    

    Data Members: No public data members are declared in this class.

    The ACObject class represents the accessControl managed object class, an abstract base class, as defined in X.741. ACObject is subclassed to derive more specific classes that serve as an interface to X.741 GDMO object classes.

    ACObject should be used as a base class for only those classes that represent a concrete GDMO object class; that is, one that can be instantiated. For example, the ACRule C++ class derives from the ACObject class and provides the interface to the X.741 rule GDMO object class.

    5.21.1 Constructor

    There is no default public constructor available for this class.

    ACObject(const ACObject&)
    

    A copy constructor is defined whose declaration is shown above.

    5.21.2 Destructor

    virtual ~ACObject() = 0
    

    When the reference count for this object becomes 0, the object is deleted.

    5.21.3 ACObject Operator Overloading

    ACObject& operator = (const ACObject&)
    

    The preceding is the declaration of an assignment operator.

    Boolean operator == (const ACObject& other)
    

    The preceding comparison operator returns TRUE if the objects on both sides are the same; otherwise, FALSE.

    5.21.4 ACObject Member Functions

    add_callback

    void add_callback(const ACCallback& cb)
    

    Adds the given callback to receive one of the following three events:

    • objectCreation
    • objectDeletion
      (You are responsible for deleting the object name passed with this event, to free the memory allocated for it.)
    • attributeValueChange

    As part of the call data to the callback, the instantiated ACObject object is passed.


    Note – It is possible to add more than one callback for the same event type.

    copy

    Result copy(ACObject& source)
    

    Makes a copy of the given ACObject.

    Returns TRUE on successful completion; otherwise, FALSE.

    create

    Result create()
    

    Creates an ACObject object that represents the accessControl GDMO object. This is analogous to the Image::create() function in PMI.

    Returns TRUE on successful completion; otherwise, FALSE.

    destroy

    virtual Result destroy()
    

    Destroys an ACObject that represents the accessControl GDMO object. This is analogous to the Image::destroy() function in PMI.

    Returns TRUE on successful completion; otherwise, FALSE.

    exists

    Boolean exists()
    

    Checks whether the object exists. This is analogous to the Image::exists() function in PMI.

    Returns TRUE on successful completion; otherwise, FALSE.

    get_error_string

    RWCString get_error_string() const
    

    Returns the error string stored in the ACAccessControl object that pertains to the instantiated ACObject.

    get_error_type

    ACErrorType get_error_type() const
    

    Returns the error type stored in the ACAccessControl object that pertains to the instantiated ACObject. The error type can have one of the following values:

    • ACC_APPLICATION_EXISTS
    • ACC_APPLICATION_NOT_EXISTS
    • ACC_DB_OBJECT_ACCESS_EXISTS
    • ACC_DB_OBJECT_ACCESS_NOT_EXISTS
    • ACC_DB_OBJECT_TABLE_EXISTS
    • ACC_DB_OBJECT_TABLE_NOT_EXISTS
    • ACC_FAILED
    • ACC_FEATURE_EXISTS
    • ACC_FEATURE_NOT_EXISTS
    • ACC_GROUP_EXISTS
    • ACC_GROUP_NOT_EXISTS
    • ACC_INVALID_USER_NAME
    • ACC_MOC_EXISTS
    • ACC_MOC_NOT_EXISTS
    • ACC_MOI_EXISTS
    • ACC_MOI_NOT_EXISTS
    • ACC_NO_MEMORY
    • ACC_OK
    • ACC_RULE_EXISTS
    • ACC_RULE_NOT_EXISTS
    • ACC_TARGETS_EXISTS
    • ACC_TARGETS_NOT_EXISTS
    • ACC_USER_EXISTS
    • ACC_USER_NOT_EXISTS

    get_name_only

    RWCString get_name_only() const
    

    Returns the name of the instantiated ACObject.

    get_object_name

    RWCString get_object_name() const
    

    Returns the name of the instantiated ACObject in the distinguished name (DN) format.

    remove_callback

    void remove_callback(const ACCallback& cb)
    

    Removes the given callback.

    reset_error

    void reset_error()
    

    Resets the error state of the object by setting the error string to "ACC_OK" and the error type to ACC_OK.

    revert

    Result revert()
    

    Reverts the state of the object by canceling any pending set operation that has not yet been stored.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_error

    void set_error(ACErrorType type, const RWCString& err)
    

    Sets the error type to the given type and error string to the given string. A type value of ACC_OK performs a reset_error on the object.

    set_error_string

    void set_error_string(const RWCString& err)
    

    Sets the error string to the given string.

    set_error_type

    void set_error_type(ACErrorType type)
    

    Sets the error type to the given type. A type value of ACC_OK performs a reset_error on the object.

    store

    Result store()
    

    Stores the object that will be the representation of the GDMO object. This is analogous to the Image::store() function in PMI.

    Returns TRUE on successful completion; otherwise, FALSE.

    5.22 ACRule Class

    Inheritance: public ACObject

    #include <acapi/acrule.hh>
    

    Data Members: No public data members are declared in this class.

    The ACRule class represents X.741's rule GDMO object class, which grants or denies access. If the value of the enforcement action attribute is allow, access is permitted. Otherwise, the enforcement action attribute defines the type of denial response made to the initiator of the management operation.

    5.22.1 Constructor

    ACRule(const RWCString& objectname)
    

    The constructor creates an ACRule object whose name is specified by objectname. If such an object with this name has already been created, the internal reference count for the object is incremented by one.

    5.22.2 Destructor

    ~ACRule()
    

    5.22.3 ACRule Member Functions

    add_group

    Result add_group(const RWCString& groupname)
    

    Adds the given group to the rule's initiator list.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given group already exists, this function sets the error type to ACC_GROUP_EXISTS and the error string to "Group exists in initiatorsList!".

    add_targets

    Result add_targets(const RWCString& target)
    

    Adds the given target to the rule's target list.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given target already exists, this function sets the error type to ACC_TARGETS_EXISTS and the error string to "Targets exists in initiatorsList!".

    get_enforcement_action

    EnforcementAction get_enforcement_action()
    

    Returns the enforcement action that is defined for this rule, which can be one of the following:

    • denyWithResponse
    • denyWithoutResponse
    • abortAssociation
    • denyWithFalseResponse
    • allow

    get_group_list

    ACGroupList get_group_list()
    

    Returns a list of the groups that belong to the rule object.

    get_targets_list

    ACTargetsList get_targets_list()
    

    Returns a list of the targets that belong to the rule object.

    remove_group

    Result remove_group(const RWCString& groupname)
    

    Removes the given group from the rule's initiator's list.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given group does not exist in the list, this function sets the error type to ACC_GROUP_NOT_EXISTS and the error string to "Group doesn't exist in initiatorsList!".

    remove_targets

    Result remove_targets(const RWCString& target)
    

    Removes the given target from the rule's target list.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given target does not exist in the list, this function sets the error type to ACC_TARGETS_NOT_EXISTS and the error string to "Targets doesn't exist in initiatorsList!".

    set_enforcement_action

    Result set_enforcement_action(EnforcementAction action)
    

    Sets the given action as the enforcement action for the rule. The given action can be one of the following:

    • denyWithResponse
    • denyWithoutResponse
    • abortAssociation
    • denyWithFalseResponse
    • allow

    Returns TRUE on successful completion; otherwise, FALSE.

    set_group_list

    Result set_group_list(ACGroupList& grouplist)
    

    Sets the given list as the rule's initiator list.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_targets_list

    Result set_targets_list(ACTargetsList& targetlist)
    

    Sets the given list as the rule's target list.

    Returns TRUE on successful completion; otherwise, FALSE.

    5.23 ACRuleContainer Class

    Inheritance: public ACContainer

    #include <acapi/acrule.hh>
    

    Data Members: No public data members are declared in this class.

    The ACRuleContainer class is a container for all the rules defined in access control. This class does not directly represent any GDMO object class.

    5.23.1 Constructor

    ACRuleContainer()
    

    The constructor creates a rule container object, so that when it is instantiated it contains all the rules that are subject to access control. If such an object has already been created, the internal reference count for the object is incremented by one.

    5.23.2 Destructor

    ~ACRuleContainer()
    

    5.23.3 ACRuleContainer Member Functions

    get_access_control_rules

    ACAccessControlRules get_access_control_rules()
    

    Returns the ACAccessControlRules object that represents the emAccessControlRules GDMO object class. This ACAccessControlRules object can be used to get the various attributes of the emAccessControlRule.

    get_all_rules

    ACRuleList get_all_rules()
    

    Returns all the rules available in the rule container object.

    get_group_rule_list

    ACRuleList get_group_rule_list(const RWCString& groupname)
    

    Returns a list of all the rules that reference the given group.

    get_rule

    ACRule get_rule(const RWCString& rulename)
    

    Returns the rule object whose name is specified by rulename.

    get_targets_rule_list

    ACRuleList get_targets_rule_list(const RWCString& targetsname)
    

    Returns all the rules that reference the given target.

    5.24 ACScope Class

    Inheritance: None

    #include <acapi/actargets.hh>
    

    Data Members: The following public data members are defined.

    • type can be:

      • BASE_OBJECT
      • NTH_LEVEL
      • BASE_TO_NTH_LEVEL
      • ALL_LEVELS
      • ALL_LEVELS_EXCEPT_BASE
    • level can be any positive integer.

    The ACScope class contains the scope information.

    5.24.1 Constructors

    Default Constructor

    ACScope()
    

    The default constructor initializes type to BASE_OBJECT and level to 0.

    ACScope(MessScopeType t, U32 l)
    

    The preceding constructor initializes type to t and level to l.

    • type can be:

      • BASE_OBJECT
      • NTH_LEVEL
      • BASE_TO_NTH_LEVEL
      • ALL_LEVELS
      • ALL_LEVELS_EXCEPT_BASE

    ACScope(const ACScope& other)
    

    The preceding constructor is a copy constructor.

    5.24.1.1 ACScope Operator Overloading

    ACScope& operator=(const ACScope& other)
    

    The preceding operator overloads the assignment operator and assigns the values of the right-hand side to the left-hand side.

    5.24.1.2 ACScope Member Functions

    No public member functions.
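How the five ACScope types select objects beneath a base object, as a stand-alone model added here rather than code from the Solstice EM product; the slash-separated names, the sample tree and the helper names are constructed for the example.

```cpp
// Added example, not Solstice EM code: which objects each ACScope type
// selects, relative to a base object, over a constructed containment tree.
// Object names use a simplified slash-separated layout, not the MIS naming.
#include <cstdint>
#include <string>
#include <vector>

enum MessScopeType { BASE_OBJECT, NTH_LEVEL, BASE_TO_NTH_LEVEL,
                     ALL_LEVELS, ALL_LEVELS_EXCEPT_BASE };

struct ScopeModel {                 // the two public data members of ACScope
    MessScopeType type;
    uint32_t level;
    ScopeModel(MessScopeType t = BASE_OBJECT, uint32_t l = 0) : type(t), level(l) {}
};

// Number of naming levels by which candidate lies below base: 0 for the base
// object itself, -1 when candidate is not subordinate to base at all.
int depthBelow(const std::string& base, const std::string& candidate) {
    if (candidate == base) return 0;
    const std::string prefix = base + "/";
    if (candidate.compare(0, prefix.size(), prefix) != 0) return -1;
    int depth = 0;
    for (std::size_t i = base.size(); i < candidate.size(); ++i)
        if (candidate[i] == '/') ++depth;
    return depth;
}

// Does an object at the given depth below the base fall inside the scope?
bool inScope(const ScopeModel& scope, int depth) {
    if (depth < 0) return false;                 // not under the base object
    const int n = static_cast<int>(scope.level);
    switch (scope.type) {
        case BASE_OBJECT:            return depth == 0;
        case NTH_LEVEL:              return depth == n;
        case BASE_TO_NTH_LEVEL:      return depth <= n;
        case ALL_LEVELS:             return true;
        case ALL_LEVELS_EXCEPT_BASE: return depth > 0;
    }
    return false;
}

// The subset of tree that a target with this scope, rooted at base, covers
std::vector<std::string> selectInScope(const ScopeModel& scope, const std::string& base,
                                       const std::vector<std::string>& tree) {
    std::vector<std::string> out;
    for (const std::string& dn : tree)
        if (inScope(scope, depthBelow(base, dn))) out.push_back(dn);
    return out;
}

// Constructed sample containment tree (two networks, hosts, one port)
std::vector<std::string> sampleTree() {
    return {"network=A", "network=A/host=h1", "network=A/host=h1/port=1",
            "network=A/host=h2", "network=B"};
}
```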

    5.25 ACTargets Class

    Inheritance: public ACObject

    #include <acapi/actargets.hh>
    

    Data Members: No public data members are declared in this class.

    The ACTargets class represents X.741's targets GDMO object class. Targets identify managed objects within the security domain.

    5.25.1 Constructor

    ACTargets(const RWCString& objectname, ACTargetsType type = X741_TARGETS)
    

    The constructor creates an ACTargets object with the given name and type. The type selects either the targets GDMO object defined in X741.gdmo or the emTargets GDMO object defined in the Solstice EM Access Control module. The default type, used when no type is specified, is X741_TARGETS, which creates a targets GDMO object from X.741; any other type creates an emTargets GDMO object. If an object with the same name exists, the internal reference count for the object is incremented by one.

    5.25.2 Destructor

    virtual ~ACTargets()
    

    5.25.3 ACTargets Member Functions

    add_moc

    Result add_moc(const RWCString& mocname)
    

    Adds the given managed object class (MOC) name to the MOC list that is defined for the target.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given MOC already exists, the function sets the error type to ACC_MOC_EXISTS and the error string to "MOC exists in targetsList!".

    add_moi

    Result add_moi(const RWCString& moiname)
    

    Adds the given managed object instance (MOI) to the list of MOIs that are defined for the target.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given MOI already exists in the target list, this function sets the error type to ACC_MOI_EXISTS and the error string to "MOI exists in targetsList!".

    destroy

    Result destroy()
    

    Removes the target from all the rules that reference it, and deletes the target.

    Returns TRUE on successful completion; otherwise, FALSE.

    get_filter

    ACFilter get_filter()
    

    Returns the stored filter for the target.

    get_moc_list

    ACMOCList get_moc_list()
    

    Returns the list of MOCs that are defined for the instantiated target object.

    get_moi_list

    ACMOIList get_moi_list()
    

    Returns a list of the MOIs that are defined for the target.

    Check for the error type to get any error that occurred while performing this function.

    get_operations_list

    ACOperationsList get_operations_list()
    

    Returns the list of operations that are defined for this target. For example, {action, get, multipleObjectSelection, filter}.

    Check for the error type to get any error that occurred while performing this function.

    get_scope

    ACScope get_scope()
    

    Returns the target's scope.

    remove_moc

    Result remove_moc(const RWCString& mocname)
    

    Removes the given MOC from this target's list of MOCs.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given MOC does not exist in the list, this function sets the error type to ACC_MOC_NOT_EXISTS and the error string to "MOC doesn't exist in targetsList!".

    remove_moi

    Result remove_moi(const RWCString& moiname)
    

    Removes the given MOI from this target's list of MOIs.

    Returns TRUE on successful completion; otherwise, FALSE.

    If the given MOI does not exist in the target list, this function sets the error type to ACC_MOI_NOT_EXISTS and the error string to "MOI doesn't exist in targetsList!".

    set_filter

    Result set_filter(const ACFilter& filter)
    

    Sets the given filter for the target object.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_moc_list

    Result set_moc_list(ACMOCList& moclist)
    

    Sets the given MOC list for the target object.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_moi_list

    Result set_moi_list(ACMOIList& moilist)
    

    Sets the given MOI list for the target object.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_operations_list

    Result set_operations_list(ACOperationsList& operlist)
    

    Sets the given operations list for the target object.

    Returns TRUE on successful completion; otherwise, FALSE.

    set_scope

    Result set_scope(const ACScope& scope)
    

    Sets the given scope for the target object.

    Returns TRUE on successful completion; otherwise, FALSE.
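    The add_moc, remove_moc, add_moi and remove_moi contract above means a caller that ignores the Result can end up with a target that covers fewer objects than intended, so the rules that reference it silently grant or deny on the wrong set. The following is an added example, not Solstice EM code: it compiles offline against a constructed stand-in (MockTargets) that models only the documented list and error behaviour of ACTargets. std::string replaces RWCString, bool replaces Result (TRUE/FALSE), and the names ACC_NO_ERROR, error_type() and error_string() are assumptions, since this page does not name the error accessors.

```cpp
// Added example: a constructed stand-in for the ACTargets MOC/MOI contract.
// It is NOT the Solstice EM acapi library; it models only the documented
// behaviour (Result TRUE/FALSE, error type and error string) so the calling
// pattern can be compiled and run without the acapi headers or an MIS.
// Substitutions: std::string for RWCString, bool for Result.
// Assumed names: ACC_NO_ERROR, error_type(), error_string(), MockTargets.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

typedef bool Result;
typedef std::vector<std::string> ACMOCList;
typedef std::vector<std::string> ACMOIList;

enum ACErrorType {
    ACC_NO_ERROR,        // assumed "no error" value, not from the page
    ACC_MOC_EXISTS,      // documented: add_moc on a duplicate MOC
    ACC_MOC_NOT_EXISTS,  // documented: remove_moc on an unknown MOC
    ACC_MOI_EXISTS,      // documented: add_moi on a duplicate MOI
    ACC_MOI_NOT_EXISTS   // documented: remove_moi on an unknown MOI
};

// Stand-in for ACTargets; only the documented list/error behaviour is modelled.
class MockTargets {
public:
    MockTargets() : err_(ACC_NO_ERROR) {}

    Result add_moc(const std::string& mocname) {
        if (contains(mocs_, mocname)) return fail(ACC_MOC_EXISTS, "MOC exists in targetsList!");
        mocs_.push_back(mocname);
        return ok();
    }
    Result remove_moc(const std::string& mocname) {
        if (!contains(mocs_, mocname)) return fail(ACC_MOC_NOT_EXISTS, "MOC doesn't exist in targetsList!");
        mocs_.erase(std::find(mocs_.begin(), mocs_.end(), mocname));
        return ok();
    }
    Result add_moi(const std::string& moiname) {
        if (contains(mois_, moiname)) return fail(ACC_MOI_EXISTS, "MOI exists in targetsList!");
        mois_.push_back(moiname);
        return ok();
    }
    Result remove_moi(const std::string& moiname) {
        if (!contains(mois_, moiname)) return fail(ACC_MOI_NOT_EXISTS, "MOI doesn't exist in targetsList!");
        mois_.erase(std::find(mois_.begin(), mois_.end(), moiname));
        return ok();
    }
    ACMOCList get_moc_list() const { return mocs_; }
    ACMOIList get_moi_list() const { return mois_; }
    ACErrorType error_type() const { return err_; }        // assumed accessor name
    std::string error_string() const { return errstr_; }   // assumed accessor name

private:
    static bool contains(const std::vector<std::string>& v, const std::string& s) {
        return std::find(v.begin(), v.end(), s) != v.end();
    }
    Result ok() { err_ = ACC_NO_ERROR; errstr_.clear(); return true; }
    Result fail(ACErrorType t, const char* msg) { err_ = t; errstr_ = msg; return false; }

    ACMOCList mocs_;
    ACMOIList mois_;
    ACErrorType err_;
    std::string errstr_;
};

// Applies a desired set of MOCs and MOIs to a target and returns how many
// entries were rejected. Every FALSE is reported together with the error
// string the API sets, so an operator sees exactly which objects the target
// does not cover instead of assuming the whole list was accepted.
int apply_target_spec(MockTargets& t, const ACMOCList& mocs, const ACMOIList& mois) {
    int rejected = 0;
    for (size_t i = 0; i < mocs.size(); ++i) {
        if (!t.add_moc(mocs[i])) {
            ++rejected;
            std::cerr << "add_moc(" << mocs[i] << ") failed: " << t.error_string() << "\n";
        }
    }
    for (size_t i = 0; i < mois.size(); ++i) {
        if (!t.add_moi(mois[i])) {
            ++rejected;
            std::cerr << "add_moi(" << mois[i] << ") failed: " << t.error_string() << "\n";
        }
    }
    return rejected;
}

int main() {
    MockTargets t;
    // Constructed sample input; "log" is listed twice to trigger ACC_MOC_EXISTS.
    ACMOCList mocs;
    mocs.push_back("managedElement");
    mocs.push_back("log");
    mocs.push_back("log");
    ACMOIList mois;
    mois.push_back("/systemId=\"sample-host\"");
    int rejected = apply_target_spec(t, mocs, mois);
    std::cout << "rejected entries: " << rejected
              << ", MOCs now on target: " << t.get_moc_list().size() << "\n";
    // Removing a MOC that was never added fails with ACC_MOC_NOT_EXISTS.
    if (!t.remove_moc("alarmRecord")) std::cout << t.error_string() << "\n";
    return 0;
}
```

    With the real API the same pattern applies: check each Result, and on FALSE read the error type before deciding whether the target is complete enough for the rules that will reference it.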

    5.26 ACTargetsContainer Class

    Inheritance: public ACContainer

    #include <acapi/actargets.hh>
    

    Data Members: No public data members are declared in this class.

    The ACTargetsContainer class represents the targetContainer GDMO object class which is defined in the Solstice EM Access Control module. ACTargetsContainer is a container for all the Solstice EM access control targets.

    5.26.1 Constructor

    ACTargetsContainer()
    

    The constructor creates a targets container object to contain all the targets that are subject to access control. If such an object exists, the internal reference count for the object is incremented by one.

    5.26.2 Destructor

    ~ACTargetsContainer()
    

    5.26.3 ACTargetsContainer Member Functions

    get_all_targets

    ACTargetsList get_all_targets()
    

    Returns all the targets under the targetContainer object.

    get_em_targets

    ACEMTargets get_em_targets(const RWCString& targetsname)
    

    Returns the ACEMTargets object with the given name.

    get_targets

    ACTargets get_targets(const RWCString& targetsname)
    

    Returns the ACTargets object with the given name.

    5.27 ACUser Class

    Inheritance: None

    #include <acapi/acaccessuserlist.hh>
    

    Data Members: No public data members are declared in this class.

    The ACUser class stores a user's login name and full name in memory. Access control applications get a user's login name and full name by accessing the instantiated ACUser object.

    5.27.1 Constructors

    Default Constructor

    ACUser()
    

    The default constructor does not initialize the login name and full name.

    ACUser(const RWCString& loginname, const RWCString& fullname)
    

    The preceding constructor initializes the login name to loginname and the full name to fullname.

    ACUser(const RWCString& loginname)
    

    The preceding constructor initializes the login name to loginname and the full name to an empty string.

    ACUser(const ACUser& other)
    

    The above constructor is a copy constructor.

    5.27.2 ACUser Operator Overloading

    ACContainerData& operator = (const ACContainerData& other)
    

    The preceding operator overloads the assignment operator, and assigns the values of other to self.

    friend Boolean operator == (const ACContainerData& self, const ACContainerData& other)
    

    The preceding operator overloads the equality operator: if the self and other objects have the same login name, the method returns TRUE; otherwise, it returns FALSE.

    5.27.3 ACUser Member Functions

    get_full_name

    RWCString get_full_name() const
    

    Returns the full name stored in the object.

    get_login_name

    RWCString get_login_name() const
    

    Returns the login name stored in the object.

    is_valid_user

    Boolean is_valid_user(unsigned int& error_code)
    

    Verifies the validity of the instantiated ACUser by contacting the em_login daemon to check whether the user is a valid user on the MIS host. Returns TRUE on successful completion; otherwise, FALSE.

    set_full_name

    void set_full_name(const RWCString&)
    

    Sets the full name in the object to the given name.

    set_login_name

    void set_login_name(const RWCString&)
    

    Sets the login name in the object to the given name.


    Sun Microsystems, Inc.
    Copyright information. All rights reserved.