Purpose
Changes the access controls for
a least-privilege (LP) resource.
Syntax
To add one or more accesses to a
Resource ACL or to overwrite a Resource ACL with one or more accesses:
chlpracl [ -a │ -n host1[,host2,… ] ] [-o] [-r] [-h] [-TV] resource ID_1 perm1 [ID_2 perm2] …
To add one or more accesses
to a Resource ACL or to overwrite a Resource ACL with one or more
accesses all using the same permissions:
chlpracl [ -a │ -n host1[,host2,… ] ] -l [-o] [-r] [-h] [-TV] resource ID_1 [ID_2…] perm
To
delete one or more accesses from a Resource ACL:
chlpracl [ -a │ -n host1[,host2,… ] ] -d [-r] [-h] [-TV] resource ID_1 [ID_2…]
To add accesses to (or remove accesses from) a
Resource ACL or to overwrite a Resource ACL, with the accesses specified
in a file:
chlpracl [ -a │ -n host1[,host2,… ] ] [ -o │ -d ] -f file_name [-r] [-h] [-TV] resource
To set a Resource ACL so that no permissions
are allowed, or to use the Resource Shared ACL:
chlpracl [ -a │ -n host1[,host2,… ] ] { -b │ -x } [-r] [-h] [-TV] resource
To set all of the Resource ACLs so that no permissions
are allowed, or to use the Resource Shared ACL:
chlpracl [ -a │ -n host1[,host2,… ] ] { -B │ -X } [-h] [-TV]
Description
The chlpracl command changes the access control list (ACL) that is associated
with a least-privilege (LP) resource. This command allows an access
to be added to or removed from the Resource ACL. This ACL controls
access to such resource operations as listing attribute values and
running LP commands. One Resource ACL exists for each LP resource.
For controlling access to the LP resource, three different types
of Resource ACLs exist:
- Resource ACL
- Resource Initial ACL
- Resource Shared ACL
The
chlpracl command allows the Resource
ACL to indicate that the Resource Shared ACL should be used in its
stead to control access. For descriptions of these ACLs, see the
lpacl information file.
To add an access
to the Resource ACL, specify the name of the LP resource, the ID,
and the permission the ID is to have. More than one ID and permission
pair can be specified. If you want to add multiple IDs and they will
all have the same permission, use the -l flag to indicate that the format of the command is a list of IDs
followed by a single permission that applies to all of the IDs. If
you use the -o flag, the IDs and permissions
specified with the command will overwrite the existing accesses.
The previously-defined accesses in the ACL are deleted.
To
delete accesses from the Resource ACL, use the -d flag and specify the name of the LP resource and the IDs
to be deleted.
Use the -f flag to
indicate that the accesses are specified in a file. Each line of
the file will be an ID and permission for that ID. If the -d flag is used with the -f flag, only the ID is needed on each line. Everything after the
first space is ignored.
This command runs on any node. If you
want this command to run on all of the nodes in a domain, use the -a flag. If you want this command to run on a
subset of nodes in a domain, use the -n
flag. Otherwise, this command runs on the local node.
Flags
- -a
- Changes the Resource ACLs for resource on all nodes in the domain. The CT_MANAGEMENT_SCOPE environment variable's setting determines the cluster scope.
If CT_MANAGEMENT_SCOPE is not set, the
LP resource manager uses scope settings in this order:
- The management domain, if it exists
- The peer domain, if it exists
- Local scope
The chlpracl command runs once for
the first valid scope that the LP resource manager finds. For example,
suppose a management domain and a peer domain exist and the CT_MANAGEMENT_SCOPE environment variable is not
set. In this case, chlpracl -a runs in the
management domain. To run chlpracl -a in
the peer domain, you must set CT_MANAGEMENT_SCOPE to 2.
- -b
- Bypasses the ACL for the specified LP resource. The Resource Shared
ACL is used for access control for this LP resource. Any ACL entries
in the Resource ACL are deleted.
- -B
- Bypasses the ACLs for all LP resources. The Resource Shared ACL
is used for access control for all LP resources. Any ACL entries
in the Resource ACLs are deleted. One Resource Shared ACL exists
for each IBM.LPCommands class (or node).
- -d
- Removes the ACL entry for the specified ID from the specified
Resource ACL.
- -f file_name
- Indicates that the accesses are specified in file_name. Each line of this file consists of an ID and the permission
for that ID. If the -d flag is used with
the -f flag, only the ID is needed on each
line. Everything after the first space is ignored.
- -l
- Indicates that there is a list of IDs followed by a single permission
that is used for all of the IDs.
- -n host1[,host2,…]
- Specifies the nodes in the domain on which the Resource ACL should
be changed. By default, the Resource ACL is changed on the local node.
This flag is valid only in a management domain or a peer domain.
If CT_MANAGEMENT_SCOPE is not set, first
the management domain scope is chosen if it exists, then the peer
domain scope is chosen if it exists, and then local scope is chosen,
until the scope is valid for the command. The command will run once
for the first valid scope found.
- -o
- Indicates that the specified ACL accesses overwrite any existing
ACL entries for the specified Resource ACL. Any ACL entries in the
Resource ACL are deleted.
- -r
- Indicates that resource is a "typical"
RSCT resource handle. The resource handle must be enclosed in quotation
marks. The Resource ACL of the resource handle is modified.
- -x
- Sets the Resource ACL for the specified LP resource to deny all
accesses to the LP resource. Any ACL entries in the Resource ACL are
deleted.
- -X
- Sets the Resource ACL of all LP resources to deny all accesses
to the LP resource. Any ACL entries in the Resource ACLs are deleted.
- -h
- Writes the command's usage statement to standard output.
- -T
- Writes the command's trace messages to standard error.
- -V
- Writes the command's verbose messages to standard output.
Parameters
- resource
- Specifies the name of the LP resource for which the Resource ACL
is changed.
- ID
- Specifies the network identity of the user. If the same ID is listed more than once, the last permission
specified is used. For a description of how to specify the network
identity, see the lpacl information file.
- perm
- Specifies the permission allowed for ID. perm is specified as a string of one
or more characters, where each character represents a particular permission.
The valid values for perm are:
- r
- Read permission (consists of the q, l, e, and v permissions)
- w
- Write permission (consists of the d, c, s, and o permissions)
- a
- Administrator permission
- x
- Execute permission
- q
- Query permission
- l
- Enumerate permission
- e
- Event permission
- v
- Validate permission
- d
- Define and undefine permission
- c
- Refresh permission
- s
- Set permission
- o
- Online, offline, and reset permission
- 0
- No permission
See the lpacl information
file for a description of each permission and how it applies.
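The -f file format described under Description and the -f flag, together with the perm values listed above and the rule that a repeated ID keeps its last permission, can be checked before the file is handed to chlpracl. The following is an added example, not code from the manual page or from RSCT: a pre-flight parser for such a file, assuming blank lines are skipped and that only the first token after the ID is read as the permission; the sample file content is constructed.

```python
# Added example, not part of the chlpracl manual page: a pre-flight
# checker for a file to be passed to "chlpracl -f file_name".
# Rules implemented from the page: one "ID perm" pair per line, only
# the ID is needed with -d and the rest of the line is ignored, the
# last permission wins when an ID repeats, and r/w are shorthands for
# the q,l,e,v and d,c,s,o permissions. The sample file is constructed.

VALID_PERMS = set("rwaxqlevdcso0")
EXPAND = {"r": "qlev", "w": "dcso"}   # composite permissions from the page


def normalize_perm(perm):
    """Expand a perm string into the set of individual permissions it
    grants. Returns None if any character is not a valid permission.
    '0' grants nothing, so '0' alone yields the empty set."""
    if not perm or not set(perm) <= VALID_PERMS:
        return None
    granted = set()
    for ch in perm:
        if ch != "0":
            granted.update(EXPAND.get(ch, ch))
    return granted


def parse_acl_file(text, delete_mode=False):
    """Parse ACL file text into (entries, errors). entries maps
    ID -> granted permission set (None in delete_mode, because
    chlpracl -d -f needs only the ID); errors lists lines the command
    would reject. Blank lines are skipped (assumption: not on the page)."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split(" ")
        ident = fields[0]
        if not ident:
            continue
        if delete_mode:
            entries[ident] = None       # everything after the first space is ignored
            continue
        if len(fields) < 2:
            errors.append("line %d: no permission given for %s" % (lineno, ident))
            continue
        granted = normalize_perm(fields[1])   # assumption: only the first token after the ID counts
        if granted is None:
            errors.append("line %d: invalid permission %r for %s" % (lineno, fields[1], ident))
            continue
        entries[ident] = granted        # a repeated ID keeps its last permission
    return entries, errors


# Constructed sample: the page's /mysecure/aclfile contents plus a repeated joe
SAMPLE_ACL_FILE = "joe@LOCALHOST x\nbill@LOCALHOST ax\njane@LOCALHOST wx\njoe@LOCALHOST r\n"
```

Running parse_acl_file(SAMPLE_ACL_FILE) shows joe ending up with only the read permissions (q, l, e, v) because the later line replaced the earlier x grant, which is exactly the kind of silent override worth catching before the file is applied.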
Security
To run the
chlpracl command, you need:
Permissions are specified in the
LP ACLs on the contacted
system. See
the lpacl information
file for general information about LP ACLs and the
RSCT: Administration Guide for information about modifying
them.
Exit Status
- 0
- The command has run successfully.
- 1
- An error occurred with RMC.
- 2
- An error occurred with the command-line interface (CLI) script.
- 3
- An incorrect flag was specified on the command line.
- 4
- An incorrect parameter was specified on the command line.
- 5
- An error occurred with RMC that was based on incorrect command-line
input.
- 6
- The resource was not found.
Environment Variables
- CT_CONTACT
- Determines the system where the session with the resource monitoring
and control (RMC) daemon occurs. When CT_CONTACT is set to a host name or IP address, the command contacts
the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local
system where the command is being run. The target of the RMC daemon
session and the management scope determine the resource classes or
resources that are processed.
- CT_IP_AUTHENT
- When the CT_IP_AUTHENT environment variable exists, the
RMC daemon uses IP-based network authentication to contact the RMC
daemon on the system that is specified by the IP address to which
the CT_CONTACT environment variable is set. CT_IP_AUTHENT only has meaning if CT_CONTACT is set to an IP address; it
does not rely on the domain name system (DNS) service.
- CT_MANAGEMENT_SCOPE
- Determines the management scope that is used for the session with
the RMC daemon in processing the resources of the least-privilege
(LP) resource manager. The management scope determines the set of
possible target nodes where resources can be processed. The valid
values are:
- 0
- Specifies local scope.
- 1
- Specifies local scope.
- 2
- Specifies peer domain scope.
- 3
- Specifies management domain scope.
If this environment variable is not set, local scope is used, unless the -a flag or
the -n flag is specified.
Implementation Specifics
This command is
part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.
Standard Output
When the -h flag is specified, this command's usage statement is written
to standard output. When the -V flag is
specified, this command's verbose messages are written to standard
output.
Standard Error
All trace messages are written
to standard error.
Examples
- To give user joe on nodeA the ability to run the LP command lpcommand1 on nodeA, run one of these commands
on nodeA:
chlpracl lpcommand1 joe@NODEID x
chlpracl lpcommand1 joe@LOCALHOST x
- nodeA and nodeB are in a peer domain. To give user joe on nodeB the ability to run the LP command lpcommand1 on nodeB,
run this command on nodeA:
chlpracl -n nodeB lpcommand1 joe@LOCALHOST x
In this example, specifying joe@NODEID instead of joe@LOCALHOST gives joe on nodeA the ability
to run the LP command lpcommand1 on nodeB.
- To give user joe on nodeA execute permission to the LP command lpcommand1 and bill on nodeA administrator permission and write permission to the same
resource on nodeA, run this command on nodeA:
chlpracl lpcommand1 joe@LOCALHOST x bill@LOCALHOST wa
- To give user joe on nodeA administrator permission to the LP command lpcommand1 on nodeA, overwriting the current
ACLs for lpcommand1 so that this is the
only access allowed, run this command on nodeA:
chlpracl -o lpcommand1 joe@LOCALHOST x
- To give users joe, bill, and jane on nodeA the ability to run the LP command lpcommand1 on nodeA, run this command on nodeA:
chlpracl lpcommand1 -l joe@LOCALHOST bill@LOCALHOST jane@LOCALHOST x
- To delete access for joe on nodeA from the ACLs for the LP command lpcommand1 on nodeA, run
this command on nodeA:
chlpracl -d lpcommand1 joe@LOCALHOST
- To add a list of accesses that are in a file named /mysecure/aclfile on nodeA to the LP command lpcommand1 on nodeA, run this command on nodeA:
chlpracl -f /mysecure/aclfile lpcommand1
The contents of /mysecure/aclfile on nodeA could be:
joe@LOCALHOST x
bill@LOCALHOST ax
jane@LOCALHOST wx
- To bypass the Resource ACL for the LP command lpcommand1 on nodeA, and use the Resource
Shared ACL to control access to it, run this command on nodeA:
chlpracl -b lpcommand1
- To bypass the Resource ACLs for all of the LP resources on nodeA, and use the Resource Shared ACL to control
accesses, run this command on nodeA:
chlpracl -B
- To deny all accesses to the LP command lpcommand1 on nodeA, run this command on nodeA:
chlpracl -x lpcommand1
Location
- /usr/sbin/rsct/bin/chlpracl
- Contains the chlpracl command