The SEOSROUTE_VerifyCreate function performs a pseudo-login to CA ControlMinder and returns the ACEE handle that is created.
The first six parameters must be supplied by the application; the last three are returned by CA ControlMinder and can be used by the application to make decisions and provide the user with status information.
The function returns an unsigned integer that is one of the following values:
The user is allowed to access the resource as requested.
The password does not match the expected password.
The request was denied.
Seosd is not responding.
The user ID of the calling process is not 0 (root), and the user executing the calling process does not have the SERVER attribute.
A user name was not supplied.
The phACEE parameter is a NULL pointer.
The CA ControlMinder daemon returned an error described in szMsg.
Notes:
int SEOSROUTE_VerifyCreate(const char *szUserId, const char *szPwd,
                           const char *szNewPwd, int bPwdChk,
                           const char *szTerm, int LogOpt, int *phACEE,
                           API_AUTH_RES *pRes, char *szMsg);
szUserId
The name of the user for whom the ACEE is created. This parameter must be supplied.
szPwd
The password of the user identified by szUserId. If a NULL pointer is specified, CA ControlMinder skips the password check.
szNewPwd
The new password, if your application is changing the user's password in the CA ControlMinder database. Specify a NULL pointer if you are not specifying a new password or if a NULL pointer is specified for szPwd.
bPwdChk
A flag that determines whether the password is checked. You can combine the following flag values (using bitwise OR):
Check that the current password is valid.
In UNIX, check that the new password is valid according to the active password policy rules.
Simulate login without checking time restrictions.
szTerm
The name of the terminal from which the user logged on to the system.
LogOpt
A flag that determines whether an audit log entry must be made. Valid values are:
0 - For server applications, do not create an audit record, regardless of whether the authorization request succeeds or fails.
1 - Create an audit record if the current rules in the database require it.
2 - For server applications, always create an audit record, regardless of the database rules.
3 - For server applications, create an audit record only if the authorization request fails and the database rules require it.
phACEE
The ACEE handle returned by CA ControlMinder. This value is used by CA ControlMinder in subsequent authorization checks for the currently verified user.
pRes
A pointer to the API_AUTH_RES structure containing the authorization result.
szMsg
A pointer to a buffer SEOSAPI_AUTH_MSGLEN bytes long into which CA ControlMinder returns a status message.
The SEOSROUTE_VerifyDelete function releases an ACEE. Use this function to release ACEEs created using the SEOSROUTE_VerifyCreate function. Your application should release ACEEs once they are no longer required, because each allocated handle uses system resources and CA ControlMinder internal resources. These resources are limited.
The first two parameters must be supplied by the program; the last parameter is returned by CA ControlMinder and can be used by the program to make decisions and provide the user with status information.
The function returns an integer that is one of the following values:
The ACEE was released.
The ACEE handle was not found.
Seosd is not responding.
The user ID of the calling process is not 0 (root), and the user executing the calling process does not have the SERVER attribute.
The phACEE parameter is a NULL pointer.
The CA ControlMinder daemon returned an error described in szMsg.
Note: To execute the SEOSROUTE_VerifyDelete function, the calling process must have an effective user ID of 0 or the user associated with the calling process must have the SERVER attribute.
int SEOSROUTE_VerifyDelete(int *phACEE, int bLog, char *szMsg);
phACEE
A pointer to the handle of the ACEE to be released.
bLog
A flag that determines whether an audit log entry is created. It can have a value of 0 or 1. To create a log entry, set the bLog parameter to 1.
szMsg
A pointer to a buffer SEOSAPI_AUTH_MSGLEN bytes long into which CA ControlMinder returns a status message.
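The following is an added example, not CA Technologies' code, showing the caller-side pattern for the SEOSROUTE_VerifyCreate / SEOSROUTE_VerifyDelete pair described above: pass real storage for phACEE, size szMsg to SEOSAPI_AUTH_MSGLEN, check the return code, and release the ACEE on every path where one was created so the limited handle pool is not drained by a busy server. The two prototypes are the ones quoted on this page. Everything marked "test double" is a constructed stand-in for the CA library so the file builds and runs offline: its return codes (DBL_*), the API_AUTH_RES layout, the SEOSAPI_AUTH_MSGLEN value (256), the user "alice", the pool size of 4 and the handle numbering are all assumptions; with the real product you include the CA header, link its library, compare against its own success code and delete that section. The wrapper also assumes a handle exists only when the create call reports the user allowed.

```c
#include <stdio.h>
#include <string.h>

/* ---- Test double: constructed stand-in for the CA library. Remove it and
 * include the CA header when linking the real product. ------------------ */
#define SEOSAPI_AUTH_MSGLEN 256     /* ASSUMED size; the real value is in the CA header */
typedef struct { unsigned long reserved; } API_AUTH_RES;   /* placeholder layout */
/* Constructed return codes; the real symbolic codes come from the CA header. */
enum { DBL_OK = 0, DBL_BAD_PASSWORD, DBL_DENIED, DBL_NO_USER,
       DBL_NULL_HANDLE, DBL_HANDLE_NOT_FOUND };
#define DBL_MAX_ACEE 4              /* tiny pool so a handle leak shows up quickly */
static int g_acee_in_use[DBL_MAX_ACEE];

int SEOSROUTE_VerifyCreate(const char *szUserId, const char *szPwd,
                           const char *szNewPwd, int bPwdChk, const char *szTerm,
                           int LogOpt, int *phACEE, API_AUTH_RES *pRes, char *szMsg)
{
    (void)szNewPwd; (void)bPwdChk; (void)szTerm; (void)LogOpt; (void)pRes;
    if (phACEE == NULL) return DBL_NULL_HANDLE;
    if (szUserId == NULL || *szUserId == '\0') {
        snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "user name not supplied");
        return DBL_NO_USER;
    }
    if (strcmp(szUserId, "alice") != 0) {        /* the only constructed user */
        snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "request denied");
        return DBL_DENIED;
    }
    if (szPwd != NULL && strcmp(szPwd, "s3cret") != 0) {  /* NULL szPwd skips the check */
        snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "password mismatch");
        return DBL_BAD_PASSWORD;
    }
    for (int i = 0; i < DBL_MAX_ACEE; i++) {
        if (!g_acee_in_use[i]) {
            g_acee_in_use[i] = 1;
            *phACEE = i + 1;                     /* 1-based; 0 means "no handle" */
            snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "access allowed");
            return DBL_OK;
        }
    }
    snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "ACEE pool exhausted");
    return DBL_DENIED;
}

int SEOSROUTE_VerifyDelete(int *phACEE, int bLog, char *szMsg)
{
    (void)bLog;
    if (phACEE == NULL) return DBL_NULL_HANDLE;
    int idx = *phACEE - 1;
    if (idx < 0 || idx >= DBL_MAX_ACEE || !g_acee_in_use[idx]) {
        snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "ACEE handle not found");
        return DBL_HANDLE_NOT_FOUND;
    }
    g_acee_in_use[idx] = 0;
    *phACEE = 0;
    snprintf(szMsg, SEOSAPI_AUTH_MSGLEN, "ACEE released");
    return DBL_OK;
}

int acee_handles_in_use(void)
{
    int n = 0;
    for (int i = 0; i < DBL_MAX_ACEE; i++) n += g_acee_in_use[i];
    return n;
}
/* ---- End of test double ------------------------------------------------ */

/* Caller-side wrapper. pwd_check_flags is the bitwise OR of the bPwdChk flags
 * from the CA header. LogOpt = 1: audit record only if the database rules
 * require it. Returns 1 if the user was allowed, 0 otherwise; copies the status
 * message into msg_out when non-NULL. Releases the ACEE whenever one was made. */
int check_credentials(const char *user, const char *pwd, const char *term,
                      int pwd_check_flags, char *msg_out)
{
    char local[SEOSAPI_AUTH_MSGLEN], relmsg[SEOSAPI_AUTH_MSGLEN];
    char *msg = msg_out ? msg_out : local;
    int hACEE = 0;                               /* real storage, never a NULL phACEE */
    API_AUTH_RES res;
    memset(&res, 0, sizeof res);
    memset(msg, 0, SEOSAPI_AUTH_MSGLEN);
    int rc = SEOSROUTE_VerifyCreate(user, pwd, NULL /* no password change */,
                                    pwd_check_flags, term, 1, &hACEE, &res, msg);
    if (rc != DBL_OK)                            /* real success code in production */
        return 0;                                /* no handle created, nothing to release */
    /* Use res / hACEE for further checks here, then release (bLog = 0). */
    if (SEOSROUTE_VerifyDelete(&hACEE, 0, relmsg) != DBL_OK)
        fprintf(stderr, "warning: ACEE not released: %s\n", relmsg);
    return 1;
}

/* n logins through the wrapper: all succeed because each one releases. */
int login_burst(int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++) ok += check_credentials("alice", "s3cret", "tty1", 0, NULL);
    return ok;
}

/* The failure mode: n logins that never call SEOSROUTE_VerifyDelete. Returns how
 * many were allowed before the pool ran dry; later legitimate logins then fail. */
int leaky_logins(int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        int h = 0; API_AUTH_RES res; char msg[SEOSAPI_AUTH_MSGLEN];
        if (SEOSROUTE_VerifyCreate("alice", "s3cret", NULL, 0, "tty1", 1, &h, &res, msg) == DBL_OK) ok++;
    }
    return ok;
}

int main(void)
{
    char msg[SEOSAPI_AUTH_MSGLEN];
    int ok = check_credentials("alice", "wrong", "tty1", 0, msg);
    printf("alice/wrong: allowed=%d msg=%s\n", ok, msg);   /* never print the password */
    ok = login_burst(10);
    printf("10 releasing logins: %d allowed, %d handles in use\n", ok, acee_handles_in_use());
    ok = leaky_logins(10);
    printf("10 leaky logins:     %d allowed, %d handles in use\n", ok, acee_handles_in_use());
    return 0;
}
```

The double keeps only four ACEE slots so the contrast is visible in one run: ten logins through the wrapper all succeed and leave zero handles in use, while ten logins that skip SEOSROUTE_VerifyDelete stop being allowed after the fourth and leave the pool full, after which even a correct login is refused. That is the resource-exhaustion risk the note on releasing ACEEs is warning about.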
This section describes the data structures used by the Authorization and Authentication API functions to pass information back and forth between the functions and the CA ControlMinder daemons (in UNIX) and services (in Windows). Every field of each data structure is described.
The Authorization and Authentication API functions use the following structures:
API_AUTH_RES: Holds the result of an authorization check.
SEOS_ACCESS: Encapsulates a single member of type SEOS_ACCS.
SEOS_ACCS: Holds a list of access flags.
SEOS_OID: Holds an object identification descriptor.
The API_AUTH_RES structure holds the results of an authorization check.
A code indicating the result of the authorization check. Valid values are:
The authorization stage at which the information in the structure was written. This information is useful if access was granted but the authorization failed later for some reason.
The authorization stage at which the permit or deny decision was made.
An unsigned long integer representing the type of access requested.
The object ID of the resource for which authorization was checked.
If accumulated group rights are being checked and if access is allowed or denied by a group, this member stores the object ID of the last group checked.
If accumulated group rights are not being checked and if access is allowed or denied by a group, this member stores the object ID of the group.
The API_AZN_RES structure holds the results of an authorization check.
A code indicating the result of the authorization check. Valid values are:
The authorization stage at which the information in the structure was written. This information is useful if access was granted but the authorization failed later for some reason.
The authorization stage at which the permit or deny decision was made.
An unsigned long integer representing the type of access requested.
The object ID of the resource for which authorization was checked.
If accumulated group rights are being checked and if access is allowed or denied by a group, this member stores the object ID of the last group checked.
If accumulated group rights are not being checked and if access is allowed or denied by a group, this member stores the object ID of the group.
Structure representing the class definition of a record in the database.
Structure representing the property definition of a record in the database.
Structure representing the object definition of a record in the database.
The SEOS_ACCESS structure encapsulates a single member of the type SEOS_ACCS.
An unsigned long integer representing the type of access requested. A list of possible values is detailed for the SEOS_ACCS structure.
The SEOS_ACCS data type is an unsigned long integer representing the type of access requested.
Access types currently defined for the APIs include the following:
For All Requests
Everything is allowed.
Changing ACLs is allowed.
Creating new files in class FILE and new objects in class ADMIN is allowed.
Deleting is allowed (same as SEOS_ACCS_ERASE).
Deleting is allowed.
Executing programs is allowed.
Scanning files is allowed.
Adding users to groups or removing users from groups is allowed.
Renaming is allowed.
Nothing is allowed.
Changing password attributes is allowed.
Read access is allowed.
Renaming files is allowed.
Write access is allowed.
Not used.
For UNIX Requests Only
Changing ownership is allowed.
Changing group setting is allowed.
Changing file mode is allowed.
Changing modification time of files is allowed.
Generic Attributes
Changing ACLs of files is allowed.
Macros for Multiple Access Requests
CHOWN + CHGRP
READ + WRITE + EXEC
CHOG + CHMOD + UTIMES + SEC + UPDATE
Note: For possible additional values for this field, see the file ACDir/include/seostype.h.
The SEOS_OID data type is an unsigned long integer representing the object ID of a record in the database.
Each object in the database has a unique object ID. If you know the object ID, you can use seadmapi to retrieve information about the object.
Copyright © 2013 CA Technologies.
All rights reserved.