Creating and Configuring Access Control Lists
An access control list (ACL) is a list that specifies who and what is authorized to access Oracle Tuxedo system objects. The ACL enables a system manager to administer security by authenticating users, setting permissions, and controlling access. The Oracle Tuxedo Administration Console ACL objects allow the system manager to create and configure ACL objects. These objects are grouped into the following major categories: ACL Principals (users or domains), ACL Groups, and ACLs.
ACL Groups
The ACL Groups represent the groups of Oracle Tuxedo application users and domains.
Creating ACL Groups
To create new ACL Groups:
1.
2.
3.
4.
Configuring ACL Groups (T_ACLGROUP Class)
To configure ACL Groups, choose an ACL Groups object in the tree view. Enter values for the fields in the General tab displayed in the Configuration Tool pane.
General Tab
The General tab page lists the ACL Groups Class attributes and includes the following fields:
Group Name (TA_GROUPNAME)
Description
Logical name of an ACL group. An ACL group is a set of users characterized by the type of permission to access particular administrative objects, such as services.
Valid Values
A string of one to 30 characters. The group name must be printable and it may not include a pound sign (#), a comma, a colon, or a newline character.
Example
banktellers
Group ID (TA_GROUPID)
Description
A decimal number representing the ACL group specified in the Group Name (TA_GROUPNAME). A value of 0 indicates the default group other. If not specified at creation time, it defaults to the next available (unique) identifier greater than 0.
Valid Values
A number greater than 0 but less than 16,384.
Default
A unique ID number is assigned.
Example
201
Notes
0 is reserved for a group named other which is provided by Oracle Tuxedo. (You can add users to this group but you cannot modify or delete the group.)
Object State (TA_STATE)
Description
This field displays the state of your ACL group. An ACL group may be in only one state: VALID.
ACL Principals
The users and remote domains in an application that need authentication and authorization are collectively known as principals. To join an application as a specific user, it is necessary to present a user-specific password.
Creating ACL Principals
To create new ACL Principals:
1.
2.
3.
4.
The rest of this section describes the fields on the Create New Object window.
Configuring ACL Principals (T_ACLPRINCIPAL Class)
To configure ACL Principals, choose an ACL Principals object in the tree view. Enter values for the fields in the Configuration Tool General tab page.
General Tab
The General tab page lists the ACL Principals Class attributes and includes the following fields:
Principal Name (TA_PRINNAME)
Description
Logical name of a principal. A principal is a user or domain that can access an Oracle Tuxedo application.
Valid Values
A string from 1 to 30 characters in length.
The principal name must be printable and it cannot contain a pound sign (#), a colon, or a newline character.
Example
bill_jones
Principal Client Name (TA_PRINCLTNAME)
Description
The client name associated with a principal (that is, a user or domain that can access an Oracle Tuxedo application). The client name provides a further qualifier on the user entry that is checked for authentication.
Valid Values
A string from 1 to 30 characters in length.
The client name must be printable and it cannot contain a colon or a newline character.
Default
* (wildcard character)
Example
tpsysadm (logs you in as the Oracle Tuxedo application administrator)
tpsysop (logs you in as the Oracle Tuxedo application operator)
Principal ID (TA_PRINID)
Description
A unique identification number for an ACL principal.
Valid Values
A number in the range of 1 to 131,071 inclusive.
Default
A unique ID number is assigned.
Example
2001
Notes
Oracle Tuxedo reserves principal client names for the administrator and operator of a Tuxedo application. The name tpsysadm logs in the associated user as the administrator; tpsysop logs in the associated user as the operator. If you plan to use either of these names, be sure to specify it in this field. If you do not, authentication will fail and the designated user will not be able to log in as the administrator (or operator).
Principal Group (TA_PRINGRP)
Description
A group ID number that specifies the group to which a principal belongs. A value of 0 indicates the default group other. If not specified at creation time, the default value 0 is assigned.
Valid Values
A number in the range of 0 to 16,383 inclusive.
Default
0 (assigned to group other)
Example
201
Notes
0 is reserved for a group named other which is provided by Oracle Tuxedo. If you do not assign principals to a group, they will be assigned, by default, to group other.
Password (TA_PRINPASSWD)
Description
The authentication password for the associated ACL principal.
Valid Values
A string.
Example
obi1kenobi
Notes
The system automatically encrypts this password.
Object State (TA_STATE)
Description
This field displays the state of your ACL principal. An ACL principal may be in only one state: VALID.
ACLs
The ACLs, as a whole, comprise the principals and access control lists for Oracle Tuxedo application services, application queues, and events. The ACLs indicate which groups are allowed to access Oracle Tuxedo system entities.
Creating ACLs
To create new ACLs:
1.
2.
3.
4.
Configuring ACLs (T_ACLPERM Class)
The Configuration Tool pane displays one General tab page with the fields for configuring ACLs.
General Tab
The General tab page lists the ACLs Class attributes and includes the following fields:
ACL Entity Name (TA_ACLNAME)
Description
The name of a service, event or queue (referred to, collectively, as an “entity”) for which permissions are being granted.
Valid Values
A string from 1 to 30 characters in length.
The ACL entity name must be printable and it cannot contain a colon, a pound sign (#), or a newline character.
Example
TRANSFER
ACL Entity Type (TA_ACLTYPE)
Description
The type of the entity for which permissions are being granted.
Valid Values
ENQ, DEQ, SERVICE, or POSTEVENT
Example
SERVICE
Groups (TA_ACLGROUPIDS)
Description
A comma-separated list of numeric IDs for groups that are permitted access to the associated entity.
Valid Values
A string.
The length of this list is limited only by the amount of disk space on the machine.
Example
201, 301
Notes
The values in this list are the Group ID numbers you entered for the relevant ACL groups on the General tab page for the ACL Groups class. See Group ID (TA_GROUPID).
Object State (TA_STATE)
Description
This field displays the state of your ACL. An ACL may be in only one state: VALID.
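As an added illustration (not from the Oracle documentation or the Tuxedo product itself), the following Python sketch models the three classes described above (T_ACLGROUP, T_ACLPRINCIPAL, T_ACLPERM), enforces the valid-value rules given for each attribute, and answers the authorization question the ACLs section describes: a principal may access an entity only if its TA_PRINGRP appears in the entity's TA_ACLGROUPIDS. The class and function names are assumptions, and the deny-when-no-ACL-entry default is an assumption for this sketch rather than documented Tuxedo behaviour.

```python
import string
from dataclasses import dataclass
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # printable, no newline/control
ACL_TYPES = ("ENQ", "DEQ", "SERVICE", "POSTEVENT")          # TA_ACLTYPE values

def check_name(value, forbidden):  # 1 to 30 printable chars, none of `forbidden`
    if not 1 <= len(value) <= 30:
        raise ValueError(f"{value!r}: length must be 1 to 30")
    if any(c not in PRINTABLE or c in forbidden for c in value):
        raise ValueError(f"{value!r}: non-printable or forbidden character")
    return value

def check_range(value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError(f"{value}: must be in {lo}..{hi}")
    return value

@dataclass
class AclGroup:                 # T_ACLGROUP
    name: str                   # TA_GROUPNAME: no '#', ',', ':' or newline
    gid: int                    # TA_GROUPID: 1..16383 (0 is reserved for "other")
    def __post_init__(self):
        check_name(self.name, "#,:"); check_range(self.gid, 1, 16383)

@dataclass
class AclPrincipal:             # T_ACLPRINCIPAL
    name: str                   # TA_PRINNAME: no '#', ':' or newline
    prinid: int                 # TA_PRINID: 1..131071
    pringrp: int = 0            # TA_PRINGRP: 0..16383, 0 = default group "other"
    cltname: str = "*"          # TA_PRINCLTNAME: no ':' or newline, default wildcard
    def __post_init__(self):
        check_name(self.name, "#:"); check_name(self.cltname, ":")
        check_range(self.prinid, 1, 131071); check_range(self.pringrp, 0, 16383)

@dataclass
class AclPerm:                  # T_ACLPERM
    aclname: str                # TA_ACLNAME: no ':', '#' or newline
    acltype: str                # TA_ACLTYPE
    groupids: str               # TA_ACLGROUPIDS: comma-separated group IDs, e.g. "201, 301"
    def __post_init__(self):
        check_name(self.aclname, "#:")
        if self.acltype not in ACL_TYPES:
            raise ValueError(f"{self.acltype}: TA_ACLTYPE must be one of {ACL_TYPES}")
        self.gids = {check_range(int(g), 0, 16383) for g in self.groupids.split(",")}

def is_authorized(principal, entity, etype, perms):  # grant only if group is listed
    matching = [p for p in perms if p.aclname == entity and p.acltype == etype]
    if not matching:
        return False            # assumption: an entity with no ACL entry is denied
    return principal.pringrp in matching[0].gids
```

With the page's example values, a principal in group 201 is granted SERVICE access to TRANSFER, while a principal left in the default group other (0) is refused because 0 is not in the entity's group list.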

Copyright © 1994, 2017, Oracle and/or its affiliates. All rights reserved.