Solstice Enterprise Manager 4.1 C++ API Reference

Chapter 5

Access Control API

To access to Solstice EM tools and managed objects, users must belong to a group. In addition, users' access privileges are determined based on the group to which they belong. The Access Control API provides a solid C++ interface to GDMO object classes.

The Access Control API enables you to:

• Assign rules that define access for groups of users
• Define the access rules at a group level
• Control access to Solstice EM applications and managed objects

This chapter comprises the following topics:

• Section 5.1 Design Objectives
• Section 5.2 Access Control Types
• Section 5.3 Class Hierarchy
• Section 5.4 Symbolic Constants and Defined Types
• Section 5.5 Access Control API Classes

5.1 Design Objectives

The Access Control API was developed with the following design objectives:

• Uniform treatment of all the access control objects to maximize reusability of design and code
• Compatibility with the X.741 standard
• Ease of use, especially for users familiar with PMI
• Object-oriented design of the API, so that it is consistent with the other Solstice EM APIs

5.2 Access Control Types

The Access Control API defines two types of access control:

• Object-level access control. Controls the level of access to managed objects. For example, users belonging to the operator group are denied access to the log object, but they get back a response.
• Feature-level access control. Controls the level of access to application features. For example, users belonging to the operator group are denied access to the destroy feature of the em_viewer application, but allowed to access the view feature.

5.3 Class Hierarchy

FIGURE 5-1 illustrates the hierarchy of the Access Control API container classes.

FIGURE 5-1   C++ Container Classes and Their Inheritance

FIGURE 5-2 Illustrates the hierarchy of the Access Control API.

FIGURE 5-2   Access Control C++ Classes and Their Inheritance

TABLE 5-1 describes the Access Control API classes.

TABLE 5-1   Access Control API Classes 

Class	Description
ACAccessControlRules Class	Represents the emAccessControlRules GDMO object class.
ACAccessUserList Class	Represents the accessUserList GDMO object class.
ACAppFeatureContainer Class	Contains all features of an application.
ACApplication Class	Represents the application GDMO object class.
ACApplicationContainer Class	Contains all applications.
ACApplicationFeature Class	Represents the applicationFeature GDMO object class.
ACCallback Class	Extension of the PMI Callback class.
ACContainer Class	Abstract base class for C++ container objects.
ACDbObject Class	Represents the emDbObject GDMO object class.
ACDbObjectContainer Class	Represents the emDbInfo GDMO object class.
ACEMNotificationEmitter Class	Represents the emNotificationEmitter GDMO object class.
ACEMTargets Class	Represents the emTargets GDMO object class.
ACGroup Class	Represents the group GDMO object class.
ACGroupContainer Class	Represents the groupContainer object class.
ACInterface Class	Contains all container objects. Main single point interface to Access Control API.
ACObject Class	Represents the accessControl GDMO object class.
ACRule Class	Represents the rule GDMO object class.
ACRuleContainer Class	Contains C++ Access Control Rule objects.
ACScope Class	Holds scope information. Convenience class.
ACTargets Class	Represents the targets GDMO object class.
ACTargetsContainer Class	Represents the targetContainer GDMO object class.
ACUser Class	Stores user information. Convenience class.

5.4 Symbolic Constants and Defined Types

5.4.1 Constants

ACAuxOwnerType

enum ACAuxOwnerType { USER, GROUP, INVALID_OWNER_TYPE = -1 }

ACAccessControlSwitch

enum ACAccessControlSwitch { emAccessControlOff, emAccessControlOn }

ACCallbackType

enum ACCallbackType { OBJECT_CREATION_CALLBACK, OBJECT_DELETION_CALLBACK, ATTRIBUTE_VALUE_CHANGED_CALLBACK, IMAGE_INCLUDED_CALLBACK, IMAGE_EXCLUDED_CALLBACK, RAW_EVENT_CALLBACK }

ACDenialGranularity

enum ACDenialGranularity { request, object, attribute }

ACEMAuditLevel

enum ACEMAuditLevel { AUDIT_OFF, AUDIT_LEVEL1, AUDIT_LEVEL2 }

ACEMSecurityLevel

enum ACEMSecurityLevel { SECURITY_OFF, SECURITY_LEVEL1, SECURITY_LEVEL2 }

ACErrorType

enum ACErrorType { ACC_OK, ACC_FAILED, ACC_USER_EXISTS, ACC_USER_NOT_EXISTS, ACC_INVALID_USER_NAME, ACC_GROUP_EXISTS, ACC_GROUP_NOT_EXISTS, ACC_APPLICATION_EXISTS, ACC_APPLICATION_NOT_EXISTS, ACC_TARGETS_EXISTS, ACC_TARGETS_NOT_EXISTS, ACC_RULE_EXISTS, ACC_RULE_NOT_EXISTS, ACC_FEATURE_EXISTS, ACC_FEATURE_NOT_EXISTS, ACC_MOI_EXISTS, ACC_MOI_NOT_EXISTS, ACC_MOC_EXISTS, ACC_MOC_NOT_EXISTS, ACC_DB_OBJECT_TABLE_EXISTS, ACC_DB_OBJECT_TABLE_NOT_EXISTS, ACC_DB_OBJECT_ACCESS_EXISTS, ACC_DB_OBJECT_ACCESS_NOT_EXISTS, ACC_NO_MEMORY }

ACObjectType

enum ACObjectType { AC_TARGETS_OBJECT, AC_RULE_OBJECT, AC_APPLICATION_OBJECT, AC_GROUP_OBJECT, AC_DB_OBJECT, AC_EM_NOTIFICATION_EMITTER }

ACTargetsType

enum ACTargetsType { X741_TARGETS, EM_TARGETS }

EnforcementAction

enum EnforcementAction { denyWithResponse, denyWithoutResponse, abortAssociation, denyWithFalseResponse, allow }

5.4.2 Defined Types

This section lists the defined types.

ACAccessUserListSet

typedef RWTValSlist<ACUser> ACAccessUserListSet

ACApplicationAndFeatureList

typedef RWTValSlist<RWCString> ACApplicationAndFeatureList

ACApplicationFeatureList

typedef RWTValSlist<RWCString> ACApplicationFeatureList

ACApplicationList

typedef RWTValSlist<RWCString> ACApplicationList

ACDbObjectAccessList

typedef RWTValSlist<RWCString> ACDbObjectAccessList

ACDbObjectList

typedef RWTValSlist<RWCString> ACDbObjectList

ACDbObjectTableList

typedef RWTValSlist<RWCString> ACDbObjectTableList

ACDefaultAccess

typedef RWTValSlist<RWCString> ACDefaultAccess

ACDefaultEventAccess

typedef EnforcementAction ACDefaultEventAccess

ACDenialResponse

typedef EnforcementAction ACDenialResponse

ACDomainIdentity

typedef RWCString ACDomainIdentity

ACEventsDiscriminator

typedef RWCString ACEventsDiscriminator

ACFilter

typedef RWCString ACFilter

ACGroupDescription

typedef RWCString ACGroupDescription

ACGroupList

typedef RWTValSlist<RWCString> ACGroupList

ACGroupMemberList

typedef RWTValSlist<RWCString> ACGroupMemberList

ACMOCList

typedef RWTValSlist<RWCString> ACMOCList

ACMOIList

typedef RWTValSlist<RWCString> ACMOIList

ACOperationsList

typedef RWTValSlist<RWCString> ACOperationsList

ACRuleList

typedef RWTValSlist<RWCString> ACRuleList

ACTargetsList

typedef RWTValSlist<RWCString> ACTargetsList

ACSuperUserList

typedef RWTValHashSet<RWCString> ACSuperUserList

ACTrustedHostList

typedef RWTValHashSet<RWCString> ACTrusedHostList

5.5 Access Control API Classes

This section describes the following Access Control API classes:

ACAccessControlRules	ACEMTargets
ACAccessUserList	ACGroup
ACAppFeatureContainer	ACGroupContainer
ACApplication	ACInterface
ACApplicationContainer	ACObject
ACApplicationFeature	ACRule
ACCallback	ACRuleContainer
ACContainer	ACScope
ACDbObject	ACTargets
ACDbObjectContainer	ACTargetsContainer
ACEMNotificationEmitter	ACUser

5.6 ACAccessControlRules Class

Inheritance: class ACObject

#include <acapi/accesscontrolrules.hh>

Data Members: No public data members are declared in this class.

The ACAccessControlRules class represents the emAccessControlRules GDMO object class, which is defined in the Solstice EM Access Control module and is derived from X.741's accessControlRules GDMO object class.

The emAccessControlRules GDMO object class extends the accessControlRules GDMO object class by adding the following attributes:

• accessControlSwitch
• trustedHostList
• defaultEventAccess

The ACAccessControlRules class provides methods for accessing and modifying the default attribute values of the access control service. This class acts as a container for all the rules in the system.

5.6.1 Constructor

ACAccessControlRules()

The default constructor initializes the object that it represents, and prepares itself to register callbacks.

---

Note – It is possible to construct more than one ACAccessControlRules object. The additional objects, however, are references to the same object, because there can only be one instance of the emAccessControlRules GDMO object.

---

5.6.2 Destructor

~ACAccessControlRules()

5.6.3 ACAccessControlRules Member Functions

add_trusted_hosts

Result add_trusted_hosts(ACTrustedHostList& add_trusted_host_list)

Adds add_trusted_host_list to the list of trusted hosts. If a host is already included in the trusted hosts list, it is not added again.

get_access_control_switch

ACAccessControlSwitch get_access_control_switch()

Gets the access control status of the currently running Solstice EM. This function returns one of the following two values:

• emAccessControlOff

  Indicates that any user can freely view, modify, or delete objects in the platform. Access control is not enforced.

• emAccessControlOn

  Indicates that users need to be added to the platform and given appropriate privileges to view, modify, or delete objects. Access control is enforced.

get_default_access

ACDefaultAccess get_default_access()

Gets the default access value for each operation (action, create, delete, and so on).

Returns a list of value pairs of the form {<operation> <access>, <operation> <access>, ...}. For example:

{action denyWithResponse, create denyWithResponse, delete denyWithResponse, get denyWithResponse, replace denyWithResponse, addMember denyWithResponse, removeMember denyWithResponse, replaceWithDefault denyWithResponse, multipleObjectSelection denyWithResponse, filter denyWithResponse}

The default access value for all operations is denyWithResponse.

get_default_event_access

ACDefaultEventAccess get_default_event_access()

Gets the default action for events. It returns one of the following values:

• denyWithResponse (default)
• denyWithoutResponse
• abortAssociation
• denyWithFalseResponse
• allow

get_denial_granularity

ACDenialGranularity get_denial_granularity()

Returns one of the following three values that represent the level at which denial of access is exhibited:

• request

  Access is denied at the request level. An entire request to access one or more managed objects in the MIS is denied if access to one of the managed objects in the request is denied. The request is allowed only when all managed objects in the request are accessible.

• object

  Access is denied at the object level. Access is denied only to the request's managed objects that are not accessible. Access to the remaining managed objects in the request is allowed.

• attribute

  Access is denied at the attribute level. Request to access a managed object is denied if access to one or more of its attributes is denied. Access to the managed object is allowed only when all the attributes of the managed object are accessible.

get_denial_response

ACDenialResponse get_denial_response()

Returns the denial response that access control sends out when denial is made because the default rule was satisfied.

The return values are as follows:

• denyWithResponse (default)
• denyWithoutResponse
• abortAssociation
• denyWithFalseResponse
• allow

get_domain_identity

ACDomainIdentity get_domain_identity()

Returns the access control domain identity that is governed by the access control rules. By default, the domain identity is EM.

get_trusted_host_list

ACTrustedHostList get_trusted_host_list(Boolean real) const

Returns the list of trusted hosts. Trusted hosts are systems that can freely connect as root to an MIS machine. The list of trusted hosts is maintained by the MIS server that holds the security profiles.

is_trusted_host

RWBoolean is_trusted_host(const RWCString& host_name) const

Checks whether host_name is in the list of trusted hosts. If host_name is part of the list, this function returns TRUE; otherwise, it returns FALSE.

remove_trusted_hosts

Result remove_trusted_hosts(ACTrustedHostList& remove_trusted_host_list)

Removes the hosts in remove_trusted_host_list from the list of trusted hosts. If a host in remove_trusted_host_list is not in the list of trusted hosts, it is ignored.

Returns TRUE on successful completion; otherwise, FALSE.

replace_trusted_host_list

Result replace_trusted_host_list(ACTrustedHostList& new_trusted_host_list)

Replaces the trusted host list with new_trusted_host_list.

Returns TRUE on successful completion; otherwise, FALSE.

set_access_control_switch

Result set_access_control_switch(ACAccessControlSwitch)

Sets the access control status in the MIS to one of the following values:

• emAccessControlOff

  Any user can freely view, modify, or delete objects in the platform. Access control is not enforced.

• emAccessControlOn

  Users need to be added to the platform and given appropriate privileges to view, modify, or delete objects. Access control is enforced.

Returns TRUE on successful completion; otherwise, FALSE.

set_default_access

Result set_default_access(ACDefaultAccess&)

Sets the default access for each operation (action, create, delete, and so on) as a list of value pairs of the form {<operation> <access>, <operation> <access>, ...}.

For example:

{action denyWithResponse, create denyWithResponse, delete denyWithResponse, get denyWithResponse, replace denyWithResponse, addMember denyWithResponse, removeMember denyWithResponse, replaceWithDefault denyWithResponse, multipleObjectSelection denyWithResponse, filter denyWithResponse}

Returns TRUE on successful completion; otherwise, FALSE.

set_default_event_access

Result set_default_event_access(ACDefaultEventAccess)

Sets the access control status in the platform to one of the following values:

• denyWithResponse (default)
• denyWithoutResponse
• abortAssociation
• denyWithFalseResponse
• allow

Returns TRUE on successful completion; otherwise, FALSE.

set_denial_granularity

Result set_denial_granularity(ACDenialGranularity)

Sets the access denial level to one of the following values (passed through the ACDenialGranularity parameter):

• request

  Access is denied at the request level. An entire request to access one or more managed objects in the MIS is denied if access to one of the managed objects in the request is denied. The request is allowed only when all managed objects in the request are accessible.

• object

  Access is denied at the object level. Access is denied only to the request's managed objects that are not accessible. Access to the remaining managed objects in the request is allowed.

• attribute

  Access is denied at the attribute level. Request to access a managed object is denied if access to one or more of its attributes is denied. Access to the managed object is allowed only when all the attributes of the managed object are accessible.

---

Note – Solstice EM only supports object-level access control.

---

Returns TRUE on successful completion; otherwise, FALSE.

set_denial_response

Result set_denial_response(ACDenialResponse)

Sets the denial response to be returned by access control when the default rule is satisfied to one of the following values:

• denyWithResponse (default)
• denyWithoutResponse
• abortAssociation
• denyWithFalseResponse
• allow

Returns TRUE on successful completion; otherwise, FALSE.

5.7 ACAccessUserList Class

Inheritance: public ACObject

#include <acapi/acaccessuserlist.hh>

Data Members: No public data members are declared in this class.

The ACAccessUserList class represents the accessUserList GDMO object in the MIS. This class stores the list of users registered under access control, and maintains a list of super users. Whenever any of the attribute values for this class changes, it sends attributeValueChange notifications.

5.7.1 Constructor

ACAccessUserList()

The default constructor initializes the ACAccessUserList class, and prepares it to register callbacks.

---

Note – It is possible to construct more than one ACAccessUserList object. The additional objects, however, are references to the same object, because there can only be one instance of the accessUserList GDMO object.

---

5.7.2 Destructor

~ACAccessUserList()

5.7.3 ACAccessUserList Member Functions

add_superusers

Result add_superusers(ACSuperUserList& add_superuser_list)

Adds add_superuser_list to the list of super users, unless a user in list is already a super user.

Returns TRUE on successful completion; otherwise, FALSE.

add_user

Result add_user(ACUser& user)

Adds user as a user under access control. If user already exits, the error type is set to ACC_USER_EXISTS, and the error string is set to "User exists in accessUserList!".

Returns TRUE on successful completion; otherwise, FALSE.

get_access_user_list_set

ACAccessUserListSet get_access_user_list_set()

Returns a list of the users registered under access control.

get_superuser_list

ACSuperUserList get_superuser_list(Boolean real = TRUE) const

Returns a list of the super users under the access control domain.

is_superuser

RWBoolean is_superuser(const RWCString& user_name) const

Returns TRUE if user_name is a super user; otherwise, FALSE.

replace_superuser_list

Result replace_superuser_list(ACSuperUserList& new_superuser_list)

Replaces the existing list of super users with new_superuser_list.

Returns TRUE on successful completion; otherwise, FALSE.

remove_superusers

Result remove_superusers(ACSuperUserList& remove_superuser_list)

Removes the super users that are specified in the remove_superuser_list list.

Returns TRUE on successful completion; otherwise, FALSE.

remove_user

Result remove_user(ACUser& user)

Removes user from the list of users under access control.

Returns TRUE on successful completion; otherwise, FALSE.

5.8 ACAppFeatureContainer Class

Inheritance: class ACContainer

#include <acapi/acapplicationfeature.hh>

Data Members: No public data members are declared in this class.

The ACAppFeatureContainer class is a container for all the features that can be controlled through Solstice EM's feature-level access control for a given application.

5.8.1 Constructor

ACAppFeatureContainer(const RWCString& appl_name)

The constructor creates a feature container object for appl_name. If an object has already been created for appl_name, the object is not created again. Instead, the object's internal reference count is incremented by one.

5.8.2 Destructor

~ACAppFeatureContainer()

5.8.3 ACAppFeatureContainer Member Functions

get_all_features

ACApplicationFeatureList get_all_features()

Returns all the features that have been registered for feature-level access control for the application that this class represents.

get_container_name

RWCString get_container_name()

Returns the container name, which is the application name.

get_feature

ACApplicationFeature get_feature(const RWCString& featurename)

Returns the ACApplicationFeature object featurename.

5.9 ACApplication Class

Inheritance: class ACObject

#include <acapi/acapplication.hh>

Data Members: No public data members are declared in this class.

The ACApplication class represents the application GDMO object class defined in the Solstice EM Access Control module. This object is a container for all the features that are controlled through Solstice EM's feature-level access control for a given application.

5.9.1 Constructor

ACApplication(const RWCString& appl_name)

The constructor creates an application object whose name is the value of appl_name. If an object has already been created for appl_name, the object is not created again. Instead, the object's internal reference count is incremented by one.

5.9.2 Destructor

~ACApplication()

5.9.3 ACApplication Member Functions

destroy

Result destroy()

Removes the application object that this class represents from all groups to which it belongs. In addition, deletes the application object and its features from access control. Upon the deletion, the application is no longer subject to access control.

Returns TRUE on successful completion; otherwise, FALSE.

get_application_description

RWCString get_application_description()

Gets the application description information.

Returns TRUE on successful completion; otherwise, FALSE.

set_application_description

Result set_application_description(const RWCString& desc)

Sets desc as the application's description information.

Returns TRUE on successful completion; otherwise, FALSE.

5.10 ACApplicationContainer Class

Inheritance: public ACContainer

#include <acapi/acapplication.hh>

Data Members: No public data members are declared in this class.

The ACApplicationContainer class represents the applicationContainer GDMO object class which is defined in the Solstice EM Access Control module. This object is a container for all the applications that can be controlled through Solstice EM's feature-level access control.

5.10.1 Constructor

ACApplicationContainer()

The constructor creates an application container object that contains all the applications that are subject to access control. If such an object has already been created, its internal reference count is incremented by one.

5.10.2 Destructor

~ACApplicationContainer()

5.10.3 ACApplicationContainer Member Functions

get_all_applications

ACApplicationList get_all_applications()

Returns a list of all the applications under the ACApplicationContainer object which, by default, includes most of the Solstice EM applications.

get_application

ACApplication get_application(const RWCString& appname)

Returns the ACApplication object whose name is stored in appname.

5.11 ACApplicationFeature Class

Inheritance: public ACObject

#include <acapi/acapplicationfeature.hh>

Data Members: No public data members are declared in this class.

The ACApplicationFeature class represents the applicationFeature GDMO object class which is defined in the Solstice EM Access Control module. ACApplicationFeature represents a feature that can be controlled through Solstice EM's feature-level access control for a given application.

5.11.1 Constructor

ACApplicationFeature(const RWCString& appname, const RWCString& featurename)

The constructor creates an applicationFeature object based on the values of appname and featurename. If such an object already exists, the internal reference count is incremented by one, and the object is returned.

5.11.2 Destructor

~ACApplicationFeature()

5.11.3 ACApplicationFeature Member Functions

destroy

Result destroy()

Removes an application's feature object from all groups to which it belongs and deletes the feature object from access control. Upon deletion, the application's feature is no longer subject to access control.

Returns TRUE on successful completion; otherwise, FALSE.

get_feature_description

RWCString get_feature_description()

Returns the feature's description.

set_feature_description

Result set_feature_description(const RWCString& desc)

Sets desc as the description for the feature.

Returns TRUE if successful; otherwise, FALSE.

5.12 ACCallback Class

Inheritance: class Callback

#include <acapi/accallback.hh>

This class is a simple extension of the PMI callback class.

5.12.1 Constructors

ACCallback()

The default constructor initializes the Callback object.

ACCallback(CallbackHandler hand, Ptr userdata, ACCallbackType type)

In the preceding constructor:

• hand, defined in pmi/callback.hh, is a pointer to the function that the scheduler must call.
• type can be one of the following:
  
  
  • OBJECT_CREATION_CALLBACK
    
  • OBJECT_DELETION_CALLBACK
    
  • ATTRIBUTE_VALUE_CHANGED_CALLBACK
    
  • IMAGE_INCLUDED_CALLBACK
    
  • IMAGE_EXCLUDED_CALLBACK
    
  • RAW_EVENT_CALLBACK

    ACCallback(const ACCallback& other)

The preceding is a copy constructor.

5.12.2 Destructor

~ACCallback()

5.12.3 ACCallback Operator Overloading

ACCallback& operator = (const ACCallback& other)

The assignment operator works like the copy constructor.

5.12.4 ACCallback Member Functions

exec_callback

void exec_callback(Ptr call_data) const

Invokes the callback's handler with the callback's data, and exec's call_data as arguments.

get_callback_type

ACCallbackType get_callback_type() const

Returns the callback's type.

5.13 ACContainer Class

Inheritance: None

#include <acapi/accontainer.hh>

Data Members: No public data members are declared in this class.

The ACContainer class is an abstract base class that abstracts the concept of a container for access control GDMO objects.

This class is subclassed to derive more specific classes that serve as an interface to containers of various X.741 GDMO object classes. For example, the subclass ACRuleContainer C++ provides the interface to the container of X.741 rule GDMO objects.

Multiple ACContainer objects that represent the same container of X.741 GDMO objects share the same object by maintaining a reference count. The ACContainer class allows its subclasses to register any object inclusion and object exclusion events from the container and any raw events from PMI, so that the container is updated dynamically and automatically.

5.13.1 Constructor

This constructor is protected so that the user cannot instantiate this object.

5.13.2 Destructor

virtual ~ACContainer() = 0;

5.13.3 ACContainer Operator Overloading

Boolean operator == (const ACContainer& self, const ACContainer& other)

If the two compared container objects have the same object names, the preceding comparison operator returns TRUE.

ACContainer& operator=(const ACContainer&)

The preceding operator overloads the assignment operator.

5.13.4 ACContainer Member Functions

add_callback

void add_callback(const ACCallback& cb)

Adds the given callback pointer to ACContainer's callback queue.

---

Note – You can add more than one callback for a given type of event. This allows you to use multiple callbacks to process the same event.

---

The following six types of events are supported:

• OBJECT_CREATION
• OBJECT_DELETION
• ATTRIBUTE_VALUE_CHANGED
• IMAGE_INCLUDED
• IMAGE_EXCLUDED
• RAW_EVENT

get_error_string

RWCString get_error_string()

Returns the error string stored in the ACAccessControl object that pertains to the object that this function represents.

get_error_type

ACErrorType get_error_type()

Returns the error type stored in the ACAccessControl object that pertains to the object that this function represents. The possible values of the error type are:

ACC_APPLICATION_EXISTS	ACC_MOC_EXISTS
ACC_APPLICATION_NOT_EXISTS	ACC_MOC_NOT_EXISTS
ACC_DB_OBJECT_ACCESS_EXISTS	ACC_MOI_EXISTS
ACC_DB_OBJECT_ACCESS_NOT_EXISTS	ACC_MOI_NOT_EXISTS
ACC_DB_OBJECT_TABLE_EXISTS	ACC_NO_MEMORY
ACC_DB_OBJECT_TABLE_NOT_EXISTS	ACC_OK
ACC_FAILED	ACC_RULE_EXISTS
ACC_FEATURE_EXISTS	ACC_RULE_NOT_EXISTS
ACC_FEATURE_NOT_EXISTS	ACC_TARGETS_EXISTS
ACC_GROUP_EXISTS	ACC_TARGETS_NOT_EXISTS
ACC_GROUP_NOT_EXISTS	ACC_USER_EXISTS
ACC_INVALID_USER_NAME	ACC_USER_NOT_EXISTS

get_name_only

RWCString get_name_only()

Returns the name of the ACAccessControl object that pertains to the ACContainer.

get_object_name

RWCString get_object_name() const

Returns the name of the ACAccessControl object stored in the distinguished name (DN) format.

remove_callback

void remove_callback(const ACCallback& cb)

Removes the callback associated with its object.

reset_error

void reset_error()

Resets the error state of the ACAccessControl object that pertains to the ACContainer by setting both the error string and error type to ACC_OK.

set_error

void set_error(ACErrorType type, const RWCString& err)

Sets the error type to the type argument, and the error string to the err argument. If type is ACC_OK, this method performs the same action as the reset_error method.

set_error_string

void set_error_string(const RWCString& err)

Sets the error string to the err.

set_error_type

void set_error_type(ACErrorType type)

Sets the error type to the type argument. If type is ACC_OK, this method performs the same action as the reset_error method.

5.14 ACDbObject Class

Inheritance: public ACObject

#include <acapi/acdbobject.hh>

Data Members: No public data members are declared in this class.

The ACDbObject class represents the emDbObject GDMO object class from the Solstice EM DB Info module. An emDbObject object represents a database object on which access control can be specified.

5.14.1 Constructor

ACDbObject(const RWCString& objectname)

The constructor creates an emDbObject object whose name is specified by objectname. If a Dbobject with the same name already exists, the internal reference count is incremented by one and the object is returned.

5.14.2 Destructor

~ACDbObject()

5.14.3 ACDbObject Member Functions

add_db_object_access

Result add_db_object_access(const RWCString& access)

Adds the given argument to the emDbObject object's access list.

Returns TRUE on successful completion. Otherwise, if access already exists in the access list, this function sets the error type to ACC_DB_OBJECT_ACCESS_EXISTS and the error string to "Access exists in emDbObjectAccessList!", and returns FALSE.

add_db_object_table

Result add_db_object_table(const RWCString& table)

Adds table to emDbObject's table list.

Returns TRUE on successful completion. Otherwise, if table already exists in the table list, this function sets the error type to ACC_DB_OBJECT_ACCESS_EXISTS and the error string to "Access exists in emDbObjectAccessList!", and returns FALSE.

get_db_object_access_list

ACDbObjectAccessList get_db_object_access_list()

Returns the access list that contains the names of the groups that can access DbObject.

get_db_object_table_list

ACDbObjectTableList get_db_object_table_list()

Returns the list of tables that are under access control for the DbObject object.

remove_db_object_access

Result remove_db_object_access(const RWCString& access)

Removes access from the DbObject object's access list.

Returns TRUE on successful completion. Otherwise, if access does not exist, this function sets the error type to ACC_DB_OBJECT_ACCESS_NOT_EXISTS and the error string to "Access doesn't exist in emDbObjectAccessList!", and returns FALSE.

remove_db_object_table

Result remove_db_object_table(const RWCString& table)

Removes table from the DbObject object's table list.

Returns TRUE on successful completion. Otherwise, if table does not exist, this function sets the error type to ACC_DB_OBJECT_TABLE_NOT_EXISTS and the error string to "Table doesn't exist in emDbObjectTableList!", and returns FALSE.

set_db_object_access_list

Result set_db_object_access_list(ACDbObjectAccessList& accesslist)

Replaces DbObject's current access with accesslist.

Returns TRUE on successful completion; otherwise, FALSE.

set_db_object_table_list

Result set_db_object_table_list(ACDbObjectTableList& tablelist)

Replaces the current table list of the DbObject with tablelist.

Returns TRUE on successful completion; otherwise, FALSE.

set_auxobject_owner

Result set_auxobject_owner( ACAuxOwnerType owntype,RWCString ownid)

The above method sets the owner of the auxiliary object to ownid and the type of the owner to owntype. Returns TRUE on successful completion; otherwise, FALSE.

get_auxobject_owner_type

ACAuxOwnerType get_auxobject_owner_type()

The above method returns the type of owner, that is USER or GROUP of the auxiliary object. If the owner type is not known or incorrect INVALID_OWNER_TYPE is returned.

get_auxobject_owner_id

RWCString get_auxobject_owner_id()

The above method returns the owner id of the auxiliary object, this is valid only when the owner type of the auxiliary object is USER or GROUP.

5.14.4 Notes About the ACDbObject Class

The default owner of an auxiliary object is created as root. In order to change the owner, you need to set the owner id using the set_auxobject_owner() method. The owner type can be USER or GROUP and the owner id can be a the name of a user or the name of a group.

After setting the auxiliary object's owner, you must perform a create() or store() operation so that the changes in the auxiliary object are pushed down to the MIS. CODE EXAMPLE 5-1 illustrates the sequence for performing a create() operation (M-CREATE).

CODE EXAMPLE 5-1   Sequence for Performing a create() Operation 

// Create the ACDbObject: Create an auxiliary object with root as the // default owner id ACDbObject *acdbobj_ptr = new ACDbObject(logname, FALSE); // Set the auxiliary objects owner if (!acdbobj_ptr->set_auxobject_owner(USER, owner_id_str.chp())) { cout << "Failed to set the owner id." << endl; exit(0); } // Create the acdbobject and its auxiliary object if (!acdbobj_ptr->create()) { cout << "Failed to create the acdbobject." << endl; exit(1); } The sequence for changing the owner of a log is as follows: (M-SET) // Set the auxiliary objects owner //--------------------------------- if (!acdbobj_ptr->set_auxobject_owner(USER, owner_id_str.chp())) { cout << "Failed to set the owner id." << endl; exit(0); } // Store the changes to the owner of the auxiliary object if (!acdbobj_ptr->store_auxobject()) { cout << "Failed to change the auxiliary objects owner." << endl; exit(1); }

---

Note – Two test programs that show how to create and set an ACDbObject object are supplied in the /opt/SUNWconn/em/src/ac_api directory.

---

5.15 ACDbObjectContainer Class

Inheritance: public ACContainer

#include <acapi/acdbobject.hh>

Data Members: No public data members are declared in this class.

The ACDbObjectContainer class represents the emDbInfo GDMO object class from the Solstice EM DB Info module. ACDbObjectContainer is a container for all ACDbObject objects. It stores database-specific access control information.

5.15.1 Constructor

ACDbObjectContainer()

The default constructor creates the container object. If the object has already been created, the internal reference count for the object is incremented by one.

5.15.2 Destructor

~ACDbObjectContainer()

5.15.3 ACDbObjectContainer Member Functions

get_access_db_objects

ACDbObjectList get_access_db_objects(const RWCString& group)

Returns all ACDbObject objects that contain the given group in the ACDbObjectContainer object's access list.

get_all_db_objects

ACDbObjectList get_all_db_objects()

Returns all ACDbObject objects that are stored in ACDbObjectContainer.

ACDbObject get_db_object(const RWCString& appname)

get_db_object

Returns the ACDbObject object whose name is specified by appname.

get_db_server_name

RWCString get_db_server_name()

Returns the database server name.

get_db_server_type

RWCString get_db_server_type()

Returns the database server type.

5.16 ACEMNotificationEmitter Class

Inheritance: public ACObject

#include <acapi/notificationemitter.hh>

Data Members: No public data members are declared in this class.

The ACEMNotificationEmitter class represents the emNotificationEmitter GDMO object class from the Solstice EM Access Control module. The emNotificationEmitter object represents a notification emitter for security alarm and auditing.

5.16.1 Constructor

ACEMNotificationEmitter()

The constructor creates a notificationEmitter object. If such an object has already been created, the internal reference count for the object is incremented by one.

5.16.2 Destructor

~ACEMNotificationEmitter()

5.16.3 ACEMNotificationEmitter Member Functions

get_audit_level

ACEMAuditLevel get_audit_level()

Returns one of the following values that represent the audit level:

• AUDIT_OFF
• AUDIT_LEVEL1
• AUDIT_LEVEL2

get_invalid_access_attempts

long get_invalid_access_attempts()

Returns a count of the number of times that access was denied.

get_security_level

ACEMSecurityLevel get_security_level()

Returns one of the following values that represent the security level:

• SECURITY_OFF
• SECURITY_LEVEL1
• SECURITY_LEVEL2

get_valid_access_attempts

long get_valid_access_attempts()

Returns a count of the number of times that an access control decision function authorized access.

set_audit_level

Result set_audit_level(ACEMAuditLevel)

Sets the audit level to one of the following values:

• AUDIT_OFF
• AUDIT_LEVEL1
• AUDIT_LEVEL2

Returns TRUE on successful completion; otherwise, FALSE.

set_security_level

Result set_security_level(ACEMSecurityLevel)

Sets the security level to one of the following values:

• SECURITY_OFF
• SECURITY_LEVEL1
• SECURITY_LEVEL2

Returns TRUE on successful completion; otherwise, FALSE.

5.17 ACEMTargets Class

Inheritance: public ACTargets

#include <acapi/acemtargets.hh>

Data Members: No public data members are declared in this class.

The ACEMTargets class represents the emTargets GDMO object class which is defined in the Solstice EM Access Control module. emTargets is derived from X.741's targets GDMO object class. ACEMTargets class adds an eventDiscriminator attribute to the targets class to be used for event access control.

5.17.1 Constructor

ACEMTargets(const RWCString& objname)

The preceding constructor creates an ACEMTargets object whose name is specified by objname. If an object has already been created with the same name, the internal reference count for the object is incremented by one.

5.17.2 Destructor

~ACEMTargets()

5.17.3 ACEMTargets Member Functions

get_event_discriminator

ACEventsDiscriminator get_event_discriminator()

Returns the ACEMTargets object's event discriminator.

set_event_discriminator

Result set_event_discriminator(ACEventsDiscriminator)

Sets the ACEMTargets object's event discriminator to ACEventsDiscriminator.

Returns TRUE on successful completion; otherwise, FALSE.

5.18 ACGroup Class

Inheritance: public ACObject

#include <acapi/acgroup.hh>

Data Members: No public data members are declared in this class.

The ACGroup class represents the group GDMO object class which is defined in the Solstice EM Access Control module. group is derived from X.741's aclInitiators GDMO object class.

5.18.1 Constructor

ACGroup(const RWCString& objectname)

The constructor creates an ACGroup object whose name is specified by objectname. If an object with the same name has already been created, the internal reference count for the object is incremented by one.

5.18.2 Destructor

~ACGroup()

5.18.3 ACGroup Member Functions

add_application

Result add_application(const RWCString& app)

Adds app to the list of applications that can be accessed by its group.

Returns TRUE on successful completion; otherwise, FALSE.

add_application_feature

Result add_application_feature(const RWCString& app, const RWCString& feature)

Adds feature to the feature list of app that can be accessed by its group.

Returns TRUE on successful completion; otherwise, FALSE.

add_group_member

Result add_group_member(const RWCString& membername)

Adds the given member to its group.

Returns TRUE on successful completion. Otherwise, if the given member already exists in the group, this function sets the error type to ACC_USER_EXISTS and the error string to "User exists in groupMemberList!", and returns FALSE.

destroy

Result destroy()

Removes the instantiated group object from all containers that contains it, and then removes the object itself.

Returns TRUE on successful completion; otherwise, FALSE.

get_all_applications_full_access

Boolean get_all_applications_full_access()

Returns TRUE if the group it represents contains the DN of the application container in its applicationAndFeatureList, which indicates that the group has full access to all applications; otherwise, FALSE.

A group has full access to all applications in an application container if the group contains the DN of the application container. This method returns TRUE if the instantiated group contains the DN of an application container in the applicationAndFeatureList of the group; otherwise, FALSE.

get_applications

ACApplicationList get_applications()

Returns all the applications that are accessible by its group.

get_application_and_feature_list

ACApplicationAndFeatureList get_application_and_feature_list(Boolean real)

If real is TRUE, this function returns a list of the DNs of all MIS applications and features that are accessible by the instantiated group; otherwise, it returns a list of the DNs of all applications and features in its own application space.

get_application_feature

Result add_application_feature(const RWCString& app, const RWCString& feature)

Adds feature to the feature list of <app> that can be accessed by its group.

Returns TRUE on successful completion; otherwise, FALSE. For more information, check the error type and string by calling the get_error_type function and the get_error_string function. Verify that the application has full access by calling get_application_full_access.

get_application_features

ACApplicationFeatureList get_application_features( const RWCString& appname)

This function returns all the features of the given application that are accessible by its group. If the given application has full access, this function returns an empty list. Verify that the application has full access by calling get_application_full_access.

get_application_full_access

Boolean get_application_full_access(const RWCString& appname)

Checks the applicationAndFeatureList of the instantiated group for the DN of the given application, to determine whether the group has full access to the given application.

Returns TRUE if its group has full access to the given application; otherwise, FALSE.

get_group_description

ACGroupDescription get_group_description()

Returns the ACGroup object's description information.

get_group_member_list

ACGroupMemberList get_group_member_list()

Returns a list of the group members (users).

remove_application

Result remove_application(const RWCString& app)

Removes the given application and all of its associated features from the applicationAndFeatureList of the group.

Returns TRUE on successful completion; otherwise, FALSE.

remove_application_feature

Result remove_application_feature(const RWCString& app, const RWCString& feature)

Removes the given feature from the given application.

Returns TRUE on successful completion; otherwise, FALSE.

If the given feature does not exist, this function sets the error type to ACC_FEATURE_NOT_EXISTS and the error string to "Application feature doesn't exist in applicationAndFeatureList!".

remove_group_member

Result remove_group_member(const RWCString& membername)

Removes the given member (user) from its groupMemberList.

Returns TRUE on successful completion; otherwise, FALSE.

If the given member does not exist, this function sets the error type to ACC_USER_NOT_EXISTS and the error string to "User doesn't exist in groupMemberList!".

set_all_applications_full_access

Result set_all_applications_full_access(Boolean fullacccess)

A group has full access to all applications in an application container if the group contains the DN of the application container.

If fullaccess is TRUE, this method adds the DN of an application container to the applicationAndFeatureList of the instantiated group.

If fullaccess is FALSE, this method removes the DN from the applicationAndFeatureList of the instantiated group.

Returns TRUE on successful completion; otherwise, FALSE.

set_application_and_feature_list

Result set_application_and_feature_list(A CApplicationAndFeatureList& list)

Sets the given list as the applicationAndFeatureList for the instantiated group.

Returns TRUE on successful completion; otherwise, FALSE.

set_application_full_access

Result set_application_full_access(const RWCString& application)

Sets the DN of the given application in the applicationAndFeatureList of the instantiated group so that the group has full access to the given application.

Returns TRUE on successful completion; otherwise, FALSE.

set_group_description

Result set_group_description(const ACGroupDescription& description)

Sets the description of the instantiated group object to description.

Returns TRUE on successful completion; otherwise, FALSE.

set_group_member_list

Result set_group_member_list(ACGroupMemberList& list)

Sets the member (user) list of the instantiated group to list.

Returns TRUE on successful completion; otherwise, FALSE.

get_initiator_aci_mandated

Boolean get_initiator_aci_mandated()

Returns TURE if the initiator of the instantiated ACGroup object is authorized; otherwise, FALSE.

set_initiator_aci_mandated

Result set_initiator_aci_mandated(Boolean mandated)

If mandated is TRUE, sets the initiator of the instantiated ACGroup object to authorized; otherwise, sets the initiator to unauthorized.

Returns TRUE on successful completion; otherwise, FALSE.

5.19 ACGroupContainer Class

Inheritance: public ACContainer

#include <acapi/acgroup.hh>

Data Members: No public data members are declared in this class.

The ACGroupContainer class represents the groupContainer GDMO object class which is defined in the Solstice EM Access Control module. groupContainer is a container for all the groups that are defined under access control of Solstice EM.

5.19.1 Constructor

ACGroupContainer()

The constructor creates a group container object that, when instantiated, contains all the groups that are subject to access control. By default, the following groups are available: full access, operator, and view-only. If such an object exists, the internal reference count for the object is incremented by one.

5.19.2 Destructor

~ACGroupContainer()

5.19.3 ACGroupContainer Member Functions

get_all_groups

ACGroupList get_all_groups()

Returns all the groups under the groupContainer object in the form of a group list.

get_group

ACGroup get_group(const RWCString& groupname)

Returns the group object with the given name.

get_user_group_list

ACGroupList get_user_group_list(const RWCString& username)

Returns all the groups containing a user with the given name.

5.20 ACInterface Class

Inheritance: None

#include <acapi/acinterface.hh>

Data Members: No public data members are declared in this class.

The ACInterface class is a convenience class that you can use to get all the container objects for access control and their contained objects.

5.20.1 Constructor

ACInterface()

The default constructor does nothing because there are no data members to initialize.

5.20.2 Destructor

~ACInterface()

5.20.3 ACInterface Member Functions

get_access_user_list

ACAccessUserList get_access_user_list();

Creates an ACAccessUserList object if it does not exist and returns it.

get_application_container

ACApplicationContainer get_application_container()

Creates an ACApplicationContainer object if it does not exist and returns it.

get_db_object_container

ACDbObjectContainer get_db_object_container()

Creates an ACDbObjectContainer object if it does not exist and returns it.

get_em_notification_emitter

ACEMNotificationEmitter get_em_notification_emitter()

Creates an ACEMNotificationEmitter object if it does not exist and returns it. If such an object exists, its internal reference count is incremented by one.

get_feature_container

ACAppFeatureContainer get_feature_container(const RWCString& appname)

Creates an ACAppFeatureContainer object (for the given application) if it does not exist and returns it.

get_group_container

ACGroupContainer get_group_container()

Creates an ACGroupContainer object if it does not exist and returns it.

get_rule_container

ACRuleContainer get_rule_container()

Creates an ACRuleContainer object if it does not exist and returns it.

get_targets_container

ACTargetsContainer get_targets_container()

Creates an ACTargetsContainer object if it does not exist and returns it.

5.21 ACObject Class

Inheritance: None

#include <acapi/acobject.hh>

Data Members: No public data members are declared in this class.

The ACObject class represents the accessControl managed object class, an abstract base class, as defined in X.741. ACObject is subclassed to derive more specific classes that serve as an interface to X.741 GDMO object classes.

ACObject should be used as a base class for only those classes that represent a concrete GDMO object class; that is, one that can be instantiated. For example, the ACRule C++ class derives from the ACObject class and provides the interface to the X.741 rule GDMO object class.

5.21.1 Constructor

There is no default public constructor available for this class.

ACObject(const ACObject&)

A copy constructor is defined whose declaration is shown above.

5.21.2 Destructor

virtual ~ACObject() = 0

When the reference count for this object becomes 0, the object is deleted.

5.21.3 ACObject Operator Overloading

ACObject& operator = (const ACObject&)

The preceding is the declaration of an assignment operator.

Boolean operator == (const ACObject& other)

The preceding comparison operator returns TRUE if the objects on both sides are the same; otherwise, FALSE.

5.21.4 ACObject Member Functions

add_callback

void add_callback(const ACCallback& cb)

Adds the given callback to receive one of the following three events:

• objectCreation
• objectDeletion

  It is your responsibility to delete the object name to free the allocated memory for object name.

• attributeValueChange

As part of the call data to the callback, the instantiated ACObject object is passed.

---

Note – It is possible to add more than one callback for the same event type.

---

copy

Result copy(ACObject& source)

Makes a copy of the given ACobject.

Returns TRUE on successful completion; otherwise, FALSE.

create

Result create()

Creates an ACObject object that represents the accessControl GDMO object. This is analogous to the Image::create() function in PMI.

Returns TRUE on successful completion; otherwise, FALSE. .

destroy

virtual Result destroy()

Destroys an ACObject that represents the accessControl GDMO object. This is analogous to the Image::destroy() function in PMI.

Returns TRUE on successful completion; otherwise, FALSE.

exists

Boolean exists()

Checks whether the object exists. This is analogous to the Image::exists() function in PMI.

Returns TRUE on successful completion; otherwise, FALSE.

get_error_string

RWCString get_error_string() const

Returns the error string stored in the ACAccessControl object that pertains to the instantiated ACObject.

get_error_type

ACErrorType get_error_type() const;

Returns the error type stored in the ACAccessControl object that pertains to the instantiated ACObject. The error type can have one of the following values:

ACC_APPLICATION_EXISTS	ACC_MOC_EXISTS
ACC_APPLICATION_NOT_EXISTS	ACC_MOC_NOT_EXISTS
ACC_DB_OBJECT_ACCESS_EXISTS	ACC_MOI_EXISTS
ACC_DB_OBJECT_ACCESS_NOT_EXISTS	ACC_MOI_NOT_EXISTS
ACC_DB_OBJECT_TABLE_EXISTS	ACC_NO_MEMORY
ACC_DB_OBJECT_TABLE_NOT_EXISTS	ACC_OK
ACC_FAILED	ACC_RULE_EXISTS
ACC_FEATURE_EXISTS	ACC_RULE_NOT_EXISTS
ACC_FEATURE_NOT_EXISTS	ACC_TARGETS_EXISTS
ACC_GROUP_EXISTS	ACC_TARGETS_NOT_EXISTS
ACC_GROUP_NOT_EXISTS	ACC_USER_EXISTS
ACC_INVALID_USER_NAME	ACC_USER_NOT_EXISTS

get_name_only

RWCString get_name_only() const

Returns the name of the instantiated ACObject.

get_object_name

RWCString get_object_name() const

Returns the name of the instantiated ACObject in the distinguished name (DN) format.

remove_callback

void remove_callback(const ACCallback& cb)

Removes the given callback.

reset_error

void reset_error()

Resets the error state of the object by setting the error string to "ACC_OK" and the error type to ACC_OK.

revert

Result revert()

Reverts the state of the object by canceling any pending set operation that has not yet been stored.

Returns TRUE on successful completion; otherwise, FALSE.

set_error

void set_error(ACErrorType type, const RWCString& err)

Sets the error type to the given type and error string to the given string. A type value of ACC_OK performs a reset_error on the object.

set_error_string

void set_error_string(const RWCString& err)

Sets the error string to the given string.

set_error_type

void set_error_type(ACErrorType type)

Sets the error type to the given type. A type value of ACC_OK performs a reset_error on the object.

store

Result store()

Stores the object that will be the representation of the GDMO object. This is analogous to the Image::store() function in PMI.

Returns TRUE on successful completion; otherwise, FALSE.

5.22 ACRule Class

Inheritance: public ACObject

#include <acapi/acrule.hh>

Data Members: No public data members are declared in this class.

The ACRule class represents X.741's rule GDMO object class, which grants or denies access. If the value of the enforcement action attribute is allow, access is permitted. Otherwise, the enforcement action attribute defines the type of denial response made to the initiator of the management operation.

5.22.1 Constructor

ACRule(const RWCString& objectname);

The constructor creates an ACRule object whose name is specified by objectname. If such an object with this name has already been created, the internal reference count for the object is incremented by one.

5.22.2 Destructor

~ACRule()

5.22.3 ACRule Member Functions

add_group

Result add_group(const RWCString& groupname)

Adds the given group to the rule's initiator list.

Returns TRUE on successful completion; otherwise, FALSE.

If the given group already exists, this function sets the error type to ACC_GROUP_EXISTS and the error string to "Group exists in initiatorsList!".

add_targets

Result add_targets(const RWCString& target)

Adds the given target to the rule's target list.

Returns TRUE on successful completion; otherwise, FALSE.

If the given target already exists, this function sets the error type to ACC_TARGETS_EXISTS and the error string to "Targets exists in initiatorsList!".

get_enforcement_action

EnforcementAction get_enforcement_action()

Returns the enforcement action that is defined for this rule, which can be one of the following:

• denyWithResponse
• denyWithoutResponse
• abortAssociation
• denyWithFalseResponse
• allow

get_group_list

ACGroupList get_group_list()

Returns a list of the groups that belong to the rule object.

get_targets_list

ACTargetsList get_targets_list()

Returns a list of the targets that belong to the rule object.

remove_group

Result remove_group(const RWCString& groupname)

Removes the given group from the rule's initiator's list.

Returns TRUE on successful completion; otherwise, FALSE.

If the given group already exists, this function sets the error type to ACC_GROUP_NOT_EXISTS and the error string to "Group doesn't exist in initiatorsList!".

remove_targets

Result remove_targets(const RWCString& target)

Removes the given target from the rule's target list.

Returns TRUE on successful completion; otherwise, FALSE.

If the given target already exists, this function sets the error type to ACC_TARGETS_NOT_EXISTS and the error string to "Targets doesn't exist in initiatorsList!".

set_enforcement_action

Result set_enforcement_action(EnforcementAction action)

Sets the given action as the enforcement action for the rule. The given action can be one of the following:

• denyWithResponse
• denyWithoutResponse
• abortAssociation
• denyWithFalseResponse
• allow

Returns TRUE on successful completion; otherwise, FALSE.

set_group_list

Result set_group_list(ACGroupList& grouplist)

Sets the given list as the rule's initiator list.

Returns TRUE on successful completion; otherwise, FALSE.

set_targets_list

Result set_targets_list(ACTargetsList& targetlist)

Sets the given list as the rule's target list.

Returns TRUE on successful completion; otherwise, FALSE.

5.23 ACRuleContainer Class

Inheritance: public ACContainer

#include <acapi/acrule.hh>

Data Members: No public data members are declared in this class.

The ACRuleContainer class is a container for all the rules defined in access control. This class does not directly represent any GDMO object class.

5.23.1 Constructor

ACRuleContainer()

The constructor creates a rule container object, so that when it is instantiated it contains all the rules that are subject to access control. If such an object has already been created, the internal reference count for the object is incremented by one.

5.23.2 Destructor

~ACRuleContainer()

5.23.3 ACRuleContainer Member Functions

get_access_control_rules

ACAccessControlRules get_access_control_rules()

Returns the ACAccessControlRules object that represents the emAccessControlRules GDMO object class. This ACAccessControlRules object can be used to get the various attributes of the emAccessControlRule.

get_all_rules

ACRuleList get_all_rules()

Returns all the rules available in the rule container object.

get_group_rule_list

ACRuleList get_group_rule_list(const RWCString& groupname)

Returns a list of all the rules that reference the given group.

get_rule

ACRule get_rule(const RWCString& rulename)

Returns the rule object whose name is specified by rulename.

get_targets_rule_list

ACRuleList get_targets_rule_list(const RWCString& targetsname)

Returns all the rules that reference the given target.

5.24 ACScope Class

Inheritance: None

#include <acapi/actargets.hh>

Data Members: The following public data members are defined.

• type can be:
  
  
  • BASE_OBJECT
    
  • NTH_LEVEL
    
  • BASE_TO_NTH_LEVEL
    
  • ALL_LEVELS
    
  • ALL_LEVELS_EXCEPT_BASE
• level can be any positive integer.

The ACScope class contains the scope information.

5.24.1 Constructors

Default Constructor

ACScope()

The default constructor initializes type to BASE_OBJECT and level to 0.

ACScope(MessScopeType t, U32 l)

The preceding constructor initializes type to t and level to l.

• type can be:
  
  
  • BASE_OBJECT
    
  • NTH_LEVEL
    
  • BASE_TO_NTH_LEVEL
    
  • ALL_LEVELS
    
  • ALL_LEVELS_EXCEPT_BASE

    ACScope(const ACScope& other)

The preceding constructor is a copy constructor.

5.24.1.1 ACScope Operator Overloading

ACScope& operator=(const ACScope& other)

The preceding operator overloads the assignment operator and assigns the values of right side to left side.

5.24.1.2 ACScope Member Functions

No public member functions.

5.25 ACTargets Class

Inheritance: public ACObject

#include <acapi/actargets.hh>

Data Members: No public data members are declared in this class.

The ACTargets class represents X.741's targets GDMO object class. Targets identify managed objects within the security domain.

5.25.1 Constructor

ACTargets(const RWCString& objectname, ACTargetsType type = X741_TARGETS)

The constructor creates an ACTargets object with the given name and type. The default type is X741_TARGETS, which creates a targets GDMO object from X.741. Any other type creates an emTargets GDMO object which is defined in the Solstice EM Access Control module. If an object with the same name exists, the internal reference count for the object is incremented by one.

The constructor creates an ACTargets object with the given name and type. The type is either the targets GDMO object defined in X741.gdmo or the emTargets GDMO object defined in the Solstice EM Access Control module. The default type is the targets GDMO object if no type is specified.

5.25.2 Destructor

virtual ~ACTargets()

5.25.3 ACTargets Member Functions

add_moc

Result add_moc(const RWCString& mocname)

Adds the given managed object class (MOC) name to the MOC list that is defined for the target.

Returns TRUE on successful completion; otherwise, FALSE.

If the given MOC already exists, the function sets the error type to ACC_MOC_EXISTS and the error string to "MOC exists in targetsList!".

add_moi

Result add_moi(const RWCString& moiname)

Adds the given managed object instance (MOI) to the list of MOIs that are defined for the target.

Returns TRUE on successful completion; otherwise, FALSE.

If the given MOI already exists in the target list, this function sets the error type to ACC_MOI_EXISTS and the error string to "MOI exists in targetsList!".

destroy

Result destroy()

Removes the target from all the rules that reference it, and deletes the target.

Returns TRUE on successful completion; otherwise, FALSE.

get_filter

ACFilter get_filter()

Returns the stored filter for the target.

get_moc_list

ACMOCList get_moc_list()

Returns the list of MOCs that are defined for the instantiated target object.

get_moi_list

ACMOIList get_moi_list()

Returns a list of the MOIs that are defined for the target.

Check for the error type to get any error that occurred while performing this function.

get_operations_list

ACOperationsList get_operations_list()

Returns the list of operations that are defined for this target. For example, {action, get, multipleObjectSelection, filter}.

Check for the error type to get any error that occurred while performing this function.

get_scope

ACScope get_scope()

Returns the target's scope.

remove_moc

Result remove_moc(const RWCString& mocname)

Removes the given MOC from this target's list of MOCs.

Returns TRUE on successful completion; otherwise, FALSE.

If the given MOC already exists, this function sets the error type to ACC_MOC_NOT_EXISTS and the error string to "MOC doesn't exist in targetsList!".

remove_moi

Result remove_moi(const RWCString& moiname)

Removes the given MOI from this target's list of MOIs.

Returns TRUE on successful completion; otherwise, FALSE.

If the given MOI already exists, this function sets the error type to ACC_MOI_NOT_EXISTS and the error string to "MOI doesn't exist in targetsList!".

set_filter

Result set_filter(const ACFilter& filter)

Sets the given filter for the target object.

Returns TRUE on successful completion; otherwise, FALSE.

set_moc_list

Result set_moc_list(ACMOCList& moclist)

Sets the given MOC list for the target object.

Returns TRUE on successful completion; otherwise, FALSE.

set_moi_list

Result set_moi_list(ACMOIList& moilist)

Sets the given MOI list for the target object.

Returns TRUE on successful completion; otherwise, FALSE.

set_operations_list

Result set_operations_list(ACOperationsList& operlist)

Sets the given operations list for the target object.

Returns TRUE on successful completion; otherwise, FALSE.

set_scope

Result set_scope(const ACScope& scope)

Sets the given scope for the target object.

Returns TRUE on successful completion; otherwise, FALSE.

5.26 ACTargetsContainer Class

Inheritance: public ACContainer

#include <acapi/actargets.hh>

Data Members: No public data members are declared in this class.

The ACTargetsContainer class represents the targetContainer GDMO object class which is defined in the Solstice EM Access Control module. ACTargetsContainer is a container for all the Solstice EM access control targets.

5.26.1 Constructor

ACTargetsContainer()

The constructor creates a targets container object to contain all the targets that are subject to access control. If such an object exists, the internal reference count for the object is incremented by one.

5.26.2 Destructor

~ACTargetsContainer()

5.26.3 ACTargetsContainer Member Functions

get_all_targets

ACTargetsList get_all_targets()

Returns all the targets under the targetContainer object.

get_em_targets

ACEMTargets get_em_targets(const RWCString& targetsname)

Returns the ACEMTargets object with the given name.

get_targets

ACTargets get_targets(const RWCString& targetsname)

Returns the ACTargets object with the given name.

5.27 ACUser Class

Inheritance: None

#include <acapi/acaccessuserlist.hh>

Data Members: No public data members are declared in this class.

The ACUser class stores a user's login name and full name in memory. Access control applications get a user's login name and full name by accessing the instantiated ACUser object.

5.27.1 Constructors

Default Constructor

ACUser()

The default constructor does not initialize the login name and full name.

ACUser(const RWCString& loginname, const RWCString& fullname)

The preceding constructor initializes the login name to loginname and the full name to fullname.

ACUser(const RWCString& loginname)

The preceding constructor initializes the login name to loginname and the full name to an empty string.

ACUser(const ACUser& other)

The above constructor is a copy constructor.

5.27.2 ACUser Operator Overloading

ACContainerData& operator = (const ACContainerData& other)

The preceding operator overloads the assignment operator, and assigns the values of other to self.

friend Boolean operator == (const ACContainerData& self, const ACContainerData& other)

The preceding operator overloads the equality operator, so that if both the self and other objects have the same login name, the overload method returns TRUE; otherwise, the method returns FALSE.

5.27.3 ACUser Member Functions

get_full_name

RWCString get_full_name() const

Returns the full name stored in the object.

get_login_name

RWCString get_login_name() const

Returns the login name stored in the object.

is_valid_user

Boolean is_valid_user(unsigned int& error_code)

Verifies the validity of the instantiated ACUser by contacting em_login daemon to check whether the user is a valid user on the MIS host. Returns TRUE on successful completion; otherwise, FALSE.

set_full_name

void set_full_name(const RWCString&)

Sets the full name in the object to the given name.

set_login_name

void set_login_name(const RWCString&)

Sets the login name in the object to the given name.