Previous Topic: Programming GuideNext Topic: IR API


Database Organization

The information in the database is organized into classes. A class's definition includes information that is common to all records, or objects, of that class. Records that belong to the same class have a similar meaning. For example, every record in the USER class represents a user; every record in the GROUP class represents a group of users; and every record in the TERMINAL class represents a terminal from which users can access the current host. Every class contains a properties definition table that includes a list of properties that you can assign to records belonging to the class.

A record is a single entity that represents an instance of its class. For example, a record in the USER class represents an individual user. Each class contains properties, or fields, that are specific to the class. Information is stored in a record by assigning values to its properties. The definition of a property includes information on the layout of the data and attributes that define how the data is stored in the database. You can assign values to every property of a record. The definition of the record's class determines which properties you can assign to the record and what values you can assign to each property.

The structure of the database is best described by an example. Consider the USER class. Every record in the USER class represents a user of the system. The properties definition table of the USER class contains a list of properties that you can assign to user records. Some of the properties in the list are FULL_NAME, ORGANIZATION, and GROUPS. You can assign values for these properties to every user represented by a record in the database. For example, the FULL_NAME property stores the user's full name; the ORGANIZATION property stores information about the organization the user belongs to; and the GROUPS property contains a list of the groups to which the user belongs. The properties of a record are similar to fields in a database record. The format of a property can vary depending on the property definition. In this example, the FULL_NAME and ORGANIZATION properties have only a single value, whereas the GROUPS property is a list that consists of a variable number of repetitive elements. A user can belong to an unlimited number of groups.

Each class in the database has a name and an ID associated with the name. The database engine uses the class ID internally to achieve better performance and smaller database file sizes. The class IDs do not have any meaning beyond their internal use and may differ between different databases. Use class names; do not use class IDs.

Each property of a class in the database has a name and an ID associated with the property name. The database engine uses the property ID internally to achieve better performance and smaller database file sizes. Note that every class has its own properties definition table; thus, a property name can appear in more than one class and the property may have different attributes in different classes. A property is identified either by its name and the name of the class in which it resides or by its unique property ID.

Every record in the database has a name and belongs to a class. Records in different classes can have the same name. Each record in the database is associated with a record ID. The record ID is a 32‑bit number that is unique to each record in the database. CA ControlMinder uses the record ID internally. When referring to a record, you can use the record name or the record ID.

Every record in the database can have values assigned to its properties. CA ControlMinder sets some properties automatically, and the user sets others explicitly. The security administrator or a delegated responsible person sets most properties by using the tools included with CA ControlMinder.

Note: For detailed information about the properties supported by each class, see the selang Reference Guide.

Database Layout

The database consists of the following data files:

seos_cdf.dat

The class description file contains the class definition table.

seos_odf.dat

The objects description file contains the records definition table.

seos_pdf.dat

The properties description file contains the properties definition table.

seos_pvf.dat

The properties value file contains the values assigned to every CA ControlMinder property.

The data files also have indexing files that are not mentioned here because they are transparent to the Administration API.

Class Description File

The class description file stores information on all classes defined to CA ControlMinder. The information stored therein includes the name of the class, the class ID, and other flags used internally by CA ControlMinder. The class information is stored in a structure called SEOSDB_CDF.

Properties Description File

The properties description file stores information on each property defined to CA ControlMinder. The property information includes:

Some properties are defined as single value, and others are defined as a list value. The properties description information is stored in a structure called SEOSDB_PDF.

Objects Description File

The objects description file stores basic information on each record defined to CA ControlMinder. The following data is stored in the objects description file:

The objects description information is stored in a structure called SEOSDB_ODF.

Properties Values File

The properties values file contains the values assigned to every property of every record defined in the database. Each entry consists of:

Information used for integrity checking is also stored in the properties values file; however, this information cannot be accessed using the Administration API.

Database Lists

This section describes the various types of lists that exist in the database.

User to Group Connections

Both user records and group records contain data that define the connections of users to groups.

The user record contains a list of groups to which the user belongs. The following information is stored in the user record:

The group record contains a list of users who are connected to the group. The list contains only the record IDs of the users.

When connecting a user to a group, the list of groups connected to the user, and the list of users connected to the group, must be updated. When a user is connected to a group, CA ControlMinder automatically updates both lists. If a user is subsequently deleted from the database, the user cannot be deleted from every group record containing the user's ID. Thus, some group records may contain user IDs of users who no longer exist in the database. CA ControlMinder generates new object IDs in a manner that ensures that an ID cannot be assigned to an object more than once in the lifetime of the database. The unused user IDs in the group records do not pose a security threat.

Connections of Resources to Resource Groups

Like a user‑group connection, the connection of a resource to a resource group is stored in both the resource record and the resource group record. The resource record contains a list of record IDs that identifies the resource groups to which the resource is connected. The resource group record contains a list of resource IDs that identifies the resources that are connected to the resource group. The resource and resource group records are automatically updated whenever a resource is connected to a resource group.

ACL Entries

The access control list (ACL) is a list of zero or more entries in a resource record. Each entry in the ACL defines the access an accessor object in the database has to the resource. Each ACL entry consists of:

This entry determines what the accessor is allowed to do to the resource represented by the resource record.

CA ControlMinder also provides program access control lists (PACLs), also known as conditional ACLs, which are similar to regular ACLs. In addition to the record ID of the accessor and the accessor's level of authority, PACL entries consist of a PROGRAM record ID.

By convention, CA ControlMinder does not assign the object ID of zero to any object. In ACLs and PACLs, an object ID of zero represents user (*)-that is, all CA ControlMinder defined users.

Note: For more information about ACLs, see the authorize command in the selang Reference Guide.

Understanding ACEE

CA ControlMinder assigns an accessor environment element (ACEE) to each user when the user logs into the system. The ACEE is a data structure containing the user's credentials and definitions of various security parameters. Every process created by the login process inherits the parent process's ACEE. The ACEE is maintained even if the process substitutes user by executing the system's su utility or the sesu utility.

Each ACEE has a handle that uniquely describes the process's credentials and other information at any point in time. The ACEE and its associated handle exist until the login session that created them terminates.

The Administration API and all CA ControlMinder authorization processes use the ACEE handle to identify and describe the user making the request.

The Administration API includes functions that fetch a user's ACEE or ACEE handle. In UNIX, the information obtained by these functions can be viewed using the sewhoami utility with the appropriate options.

Note: For more information about the sewhoami utility, see the Reference Guide.

Scope Limitations of the API

The Administration API uses a simpler security scope method than the CA ControlMinder language interpreter, so as not to adversely affect performance.

The Administration API uses the attributes set in the users' USER records, but ignores other privileges that use ownership, group attributes, and the ADMIN class. This means that users cannot perform some operations using the Administration API that they can perform by using selang, selangx, the CA ControlMinder Administrator (seadm), or Policy Manager. For example, in selang a user can display or update an object that the user owns. The Administration API, however, does not allow an owner of an object to update it unless the owner also has the ADMIN attribute.

Conventions

The Administration API uses the following conventions:

Header Files

To use this API, you are required to include in your source code the header files with prototypes and structure definitions. All prototypes are in the seadmapi.h file, while most of the data types are in other headers. The seostype.h header file provides structure definitions of all data stored in the database. The structure definitions of auditing and error logging records are located in the header file selogtype.h.

Libraries

This section discusses the libraries that must be used with this API.

In UNIX

seadmapi consists of a single library file, seadmapi.a, that you should link with every compiled source file that uses this API.

CA ControlMinder includes a shared library version of this API called libseadmapi.xx, where xx is the standard operating system convention (usually so or sl) for shared library names. Before executing programs that use the shared library, such as sample_TermOwn.c, check that an environment variable points to the path of the shared library. To point an environment to the shared path, enter:

setenv LD_LIBRARY_PATH /opt/CA/AccessControl/lib
In Windows

To compile and link your program with seadmapi functions, make sure you include the static library seadmapi.lib in your link path. This library is usually found in ACDir\lib (where ACDir is the directory you installed CA ControlMinder in, by default C:\Program Files\CA\Access Control).

Before executing programs that use this library, check that an environment variable points to the path of the library.

Compiling and Linking with seadmapi

There are no special flags required to compile with seadmapi. Linking, on the other hand, may require additional settings. Unfortunately, these flags are machine and operating system dependent. Use the makefiles provided by the samples of this API, and look at those samples for up‑to‑date information.

Programming Notes

Important! To avoid deadlocks, do not use any Administration API functions inside a seosd exit.

All functions provided by this API are thread‑safe. If a function is not thread‑safe, then the Notes section of the function specifies that fact.

Note: You must call the seadmapi_init or seadmapi_IsSeOSSyscallLoaded function before calling any other function in the seadmapi library.

Functions

The Administration API includes functions that are categorized as follows:

Class Operations Functions

The following functions operate on the CA ControlMinder classes:

seadmapi_ClassGetEqual

Retrieves a specific class from the database.

seadmapi_ClassGetFirst

Retrieves first class from the database.

seadmapi_ClassGetNext

Retrieves next class from the database.

Property Operations

The following functions operate on properties:

seadmapi_PropGetEqual

Retrieves description of a specific property.

seadmapi_PropGetFirstInClass

Retrieves first property description of a class.

seadmapi_PropGetNextInClass

Retrieves next property description of a class.

Object Operations

The following functions operate on objects:

seadmapi_FreeObjList

Frees the list of objects retrieved by ObjInClassList.

seadmapi_ObjGetEqual

Retrieves information on a specific object.

seadmapi_ObjGetFirstInClass

Retrieves information of the first object in a class.

seadmapi_ObjGetGreaterEqual

Retrieves information on an object whose object ID is greater than or equal to the specified object ID.

seadmapi_ObjGetNextInClass

Retrieves information on next object in a class.

seadmapi_ObjInClassList

Retrieves a list of objects in a specified class.

Value Operations

The following functions operate on values:

seadmapi_FetchListPropVal

Gets the values for a list type property.

seadmapi_FetchSinglePropVal

Gets the values for a single value property.

seadmapi_FreeListPropVal

Free the list of values from FetchListPropVal.

seadmapi_SetSinglePropVal

Sets the value of one property value type.

Query Operations

The following functions perform queries:

seadmapi_GetEntity

Retrieves an entire object and its properties values, using the previously initialized entity ruler.

seadmapi_GetExEntity

Retrieves an entire object and its properties values, including the object and class names, using the previously initialized entity ruler.

seadmapi_GetGraceInfo

Retrieves grace information about the user.

seadmapi_InitEntityRuler

Initializes an entity query buffer used for GetEntity and GetExEntity operations.

seadmapi_KillExEntityMem

Frees memory allocated for entity style query by the InitEntityRuler function.

seadmapi_KillPDFList

Frees the list of properties descriptors allocated by the MakePDFList function.

seadmapi_MakePDFList

Creates a property descriptors list from a list of properties names.

seadmapi_OidToName

Translates an object ID to object name.

Log Files Interface

The following functions operate on the log files:

seadmapi_SendAdminAudit

Submits an ADMIN audit record.

seadmapi_SendAuditRecord

Provides interface to submit audit record.

seadmapi_SendCwsAudit

Submits a connect-with-service resource audit record.

seadmapi_SendErrorLog

Submits a note to the error log.

seadmapi_SendGenrAudit

Submits a general‑resource audit record.

seadmapi_SendInetAudit

Submits a TCP/IP audit record.

seadmapi_SendLoginAudit

Submits a login audit record.

seadmapi_SendShutdownAudit

Submits an audit record of shutdown.

seadmapi_SendStartupAudit

Submits an audit record of startup.

seadmapi_SendUserAudit

Submits a user audit record.

seadmapi_SendWatchdogAudit

Submits a watchdog audit record.

seadmapi_SendNfAdminAudit

Submits an ADMIN notification record.

seadmapi_SendNfCwsAudit

Submits a connect-with-service resource notification record.

seadmapi_SendNfGenrAudit

Submits a general‑resource notification record.

seadmapi_SendNfInetAudit

Submits a TCP/IP notification record.

seadmapi_SendNfLoginAudit

Submits a login notification record.

seadmapi_SendNfShutdownAudit

Submits a notification record of shutdown.

seadmapi_SendNfStartupAudit

Submits a notification record of startup.

seadmapi_SendNfUserAudit

Submits a user notification record.

seadmapi_SendNfWatchdogAudit

Submits a watchdog notification record.

Console Operations

The following functions provide console operations:

seadmapi_consAllLoginDisable

Disables all login to system.

seadmapi_consAllLoginEnable

Enables all login to system.

seadmapi_consAllLoginGetStatus

Gets status of global‑login control.

seadmapi_consMessageSend

Sends a message to CA ControlMinder trace.

seadmapi_consRefreshIPAddresses

Refreshes host name to IP address resolution.

seadmapi_consRunTimeStatisticsGet

Gets runtime statistics information.

seadmapi_consShutdown

Shuts down CA ControlMinder.

seadmapi_consTraceClear

Clears the trace file.

seadmapi_consTraceDisable

Disables CA ControlMinder trace.

seadmapi_consTraceEnable

Enables CA ControlMinder trace.

seadmapi_consTraceGetStatus

Returns status of CA ControlMinder trace.

seadmapi_consTraceToggle

Toggles CA ControlMinder trace.

seadmapi_consUidLoginDisable

Disables login for user ID.

seadmapi_consUidLoginEnable

Enables login for user ID.

seadmapi_consUidLoginGetStatus

Gets UID concurrent login status.

Miscellaneous Operations

The following functions perform functions that do not fall into any of the previous categories:

seadmapi_FreeAceeMemory

Frees memory allocated by the seadmapi_GetACEE function.

seadmapi_GetACEE

Retrieves the current process user's ACEE.

seadmapi_GetMessage

Retrieves an error string from a given error code, using the CA ControlMinder message file.

seadmapi_GetObjType

Retrieves information on the user type of the current process.

seadmapi_init

Initializes the communication channel with CA ControlMinder.

seadmapi_IsSeOSSyscallLoaded

Determines if CA ControlMinder system call is loaded.

seadmapi_ProcessControl

Provides control over current process.

seadmapi_WhoAmI

Retrieves information on current process

seadmapi_WhoIs

Retrieves attribute information about the user.

sepass_ReplacePassword

Replaces the user password with a new password.

seadmapi_ClassGet Functions

These functions retrieve information on a class that is defined in the database.

To scan all the classes in the database, first call the seadmapi_ClassGetFirst function, and then call the seadmapi_ClassGetNext function for each subsequent class.

These functions can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

If the function succeeds, it returns zero; if it fails, it returns an error code.

int seadmapi_ClassGetEqual(const char *szClass, \
                     SEOS_CID   cid, \
                     SEOSDB_CDF *p_seclass);     
int seadmapi_ClassGetFirst(SEOSDB_CDF *p_seclass);     
int seadmapi_ClassGetNext(SEOSDB_CDF *p_seclass);
szClass

The name of the class whose information is to be retrieved. If a class ID is specified in the cid parameter, set this parameter to NULL.

cid

The class ID of the class whose information is to be retrieved. If a class name is specified for the szClass parameter, set this parameter to ‑1.

p_seclass

A pointer to the structure that is to hold the information retrieved by the function. For seadmapi_ClassGetNext, the data structure must contain the values from a previous call to the ClassGetNext function or the ClassGetFirst function.

Example

/*=========================================================
Project          : eTrust
Module          : eTrust                              Version: 8.0
File          : sample_ListClass.c
Purpose          : Sample seadmapi: List class names.
===========================================================

Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h> 
#include <seadmapi.h>
int main (void)     
{ SEOSDB_CDF     cdf;
  int            rv;      
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  Get the first class from the database.                  */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_ClassGetFirst(&cdf);      
  if ( rv )       
     { printf("seadmapi_ClassGetFirst returned 0x%04x\n", rv );      
       return 1;     
     } 
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  If successful, continue looping for all the classes.   */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  while (!rv)      
    { printf( "%s\n", cdf.szCName );      
      rv = seadmapi_ClassGetNext(&cdf);      
    }      
  return 0;     
}

seadmapi_PropGet Functions

These functions retrieve information on one or more properties defined in the database.

To scan all the properties in a specific class, first call the seadmapi_PropGetFirstInClass function, and then call the seadmapi_PropGetNextInClass function for each subsequent property.

These functions can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions. Any process can issue a seadmapi_PropGetEqual request on any property.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_PropGetEqual(const char *szClass,     
                    SEOSDB_CDF *p_seclass,     
                    const char *szProp,     
                    SEOS_PID   pid,     
                    SEOSDB_PDF *p_seprop);     
int seadmapi_PropGetFirstInClass(const char *szClass,     
                    SEOSDB_CDF *p_seclass,     
                    SEOSDB_PDF *p_seprop);     
int seadmapi_PropGetNextInClass(SEOSDB_PDF *p_seprop);
szClass

The class name. When specifying a class description instead of a class name, set this parameter to NULL.

p_seclass

The class description. When specifying a class name instead of a class descriptor, set this parameter to NULL. Note that when this parameter is NULL, szClass must not be NULL.

szProp

The property name. When specifying a property ID instead of a property name, set this parameter to NULL.

pid

The property ID. When specifying a property name instead of a property ID, set this parameter to ‑1.

p_seprop

A pointer to the data structure that is to hold the information retrieved by the function.

Example

The following example demonstrates the use of seadmapi_PropGetFirstInClass and seadmapi_PropGetNextInClass to retrieve the values of a property in a class.

/*=========================================================
Project          : eTrust
Module          : eTrust                                            Version: 8.0
File          : sample_ListProp.c
Purpose          : List properties of a specific class.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>     
#include <stdio.h>     
#include <string.h>     
#include <sys/types.h>      
#include <unistd.h>      
#include <seadmapi.h>      
static int ErrorMessage( int rv ); 
int main(int argc, char *argv[])     
{ SEOSDB_CDF    cdf;                      /* Class Description    */     
  SEOSDB_PDF    prop;                     /* Property Description */     
  char          Class[CNAME_SIZE+1];     
  unsigned      props_cnt = 0;     
  int           rv;      
  if ( argc < 2 )      
     { fprintf(stderr, "Required parameter (class name) is     
                        missing.\n");      
       return 1;      
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set class name by specified parameter.                     */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  strcpy(Class, argv[1]); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Clear property descriptor.                                  */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  memset( &prop, 0, sizeof(prop) ); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Check if class exists by getting the class descriptor.    */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_ClassGetEqual(Class, 0, &cdf);     
  if (rv) return ErrorMessage(rv); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set the class ID in the property descriptor.                */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  prop.sCId = cdf.sCId; 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Loop for all the properties in the class.     
 */
  /* Check for rv 0 or 1  to find all                               */     
  /* the properties that are equal to or greater than       */     
  /* the supplied property, which is 0.                          */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_PropGetFirstInClass( NULL, &cdf, &prop );
  while ( (rv == 0) || (rv == 1) )      
     { if ( prop.sCId == cdf.sCId )      
                      { props_cnt++;     
                        printf("%s %s\n", Class, prop.szPName);     
                      } 
       rv = seadmapi_PropGetNextInClass( &prop );     
     } 
  if ( props_cnt == 0 )     
     printf("Class %s, does not contain this property.\n",     
Class);     
  return 0;     
} 
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Display error message.                                        */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )     
{      
  char msg_buff[1024];     
  seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);      
  fprintf(stderr, "%s.\n", msg_buff);     
  return rv;     
}

seadmapi_ObjGet Functions

These functions retrieve information on an object (record) in the database.

These functions can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

The seadmapi_ObjGetGreaterEqual function returns one of the following values:

0

The function retrieved information on the object whose object ID is equal to the object ID of the specified object.

1

The function retrieved information on the object whose object ID is greater than the object ID of the specified object.

other

The function failed.

The remaining functions return 0 on success and an error code on failure.

int seadmapi_ObjGetEqual(const char *szClass,     
                    SEOSDB_CDF *p_seclass,     
                    const char *szObj,     
                    SEOS_OID  
                    oid,     
                    SEOSDB_ODF *p_seobj);     
int seadmapi_ObjGetFirstInClass(const char *szClass,     
                      SEOSDB_CDF *p_seclass,     
                     SEOSDB_ODF *p_seobj);     
int seadmapi_ObjGetNextInClass(SEOSDB_ODF *p_seobj);     
int seadmapi_ObjGetGreaterEqual(const char *szClass,     
                       SEOSDB_CDF *p_seclass,     
                    const char *szObj,     
                    SEOS_OID   oid,     
                    EOSDB_ODF *p_seobj);
szClass

The name of the class to which the object belongs. If the class is specified using the p_seclass parameter, set this parameter to NULL.

p_seclass

A pointer to a structure containing the class descriptor. If the szClass parameter is specified, set this parameter to NULL.

szObj

The name of the object whose value is to be fetched. If an object ID is specified instead of an object name, set this parameter to NULL.

oid

The object ID of the object whose information is to be retrieved. When specifying an object name instead of an object ID, set this parameter to ‑2.

p_seobj

A pointer to the structure that is to hold the information retrieved by the function.

Example

The following example demonstrates the use of seadmi_ObjGetFirstInClass and seadmi_ObjGetNextInClass to retrieve all the objects in a specific class.

/*=========================================================
Project          : eTrust
Module          : eTrust                                 Version: 8.0
File          : sample_ListObjs.c
Purpose          : Display the objects in a class.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>      
#include <stdio.h>     
#include <string.h>      
#include <sys/types.h>     
#include <unistd.h>     
#include <seadmapi.h>      
static int ErrorMessage( int rv );      
int main(int argc, char *argv[])     
{ SEOSDB_ODF    odf;                       /* Current ODF in loop */     
  SEOSDB_CDF    cdf;                       /* Class Description   */     
  char          Class[CNAME_SIZE+1];      
  unsigned      ents = 0;      
  int           rv;      
  if ( argc < 2 )      
     { fprintf(stderr, "Required parameter missing.\n");     
       fprintf(stderr, "Usage: '%s CLASS_NAME'\n", argv[0]);     
       return 1;      
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set class name by specified parameter.                      */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  strcpy(Class, argv[1]); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Clear object descriptor.                                    */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  memset( &odf, 0, sizeof(odf) ); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Check if class exists by getting the class descriptor.  */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_ClassGetEqual(Class, 0, &cdf); 
  if (rv) return ErrorMessage(rv);
 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set the class ID in the object descriptor.                  */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  odf.sCId = cdf.sCId; 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Loop for all the objects in the class.                   */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_ObjGetFirstInClass( NULL, &cdf, &odf ); 
  while ( (rv == 0) || (rv == 1) )      
     { if ( odf.sCId == cdf.sCId )      
                     { ents++;     
                       printf("%s %s\n", Class, odf.szOName);     
     } 
       rv = seadmapi_ObjGetNextInClass( &odf ); 
     } 
  if ( ents > 0 )      
     printf("Total of %d objects found in Class=%s\n", ents,     
Class);     
  else     
     printf("Class %s, does not have any object.\n", Class);     
  return 0;     
} 
 /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
 /* Display error message from security daemon.              */     
 /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )      
{ char msg_buff[1024];     
  seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);     
  fprintf(stderr, "%s.\n", msg_buff);     
  return rv;     
}

More information:

seadmapi_ObjInClassList Function

seadmapi_ObjInClassList Function

The seadmapi_ObjInClassList function retrieves a list of objects in a specified class.

The field SEADMAPI_MAXOBJSLIST specifies the limit on the number of entries that can be retrieved in a single call.

After calling this function, you should call the seadmapi_FreeObjList function to free the memory allocated for the query. Use the ptr argument returned from this function.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_ObjInClassList (SEOSDB_CDF  *pcdf,     
                    char        *start,     
                    void        **ptr,     
                    char        **names,     
                    int         *count);
pcdf

A pointer to the class description.

start

A string representing the object name that should start the list.

ptr

A pointer to a "void *" that is used to free memory allocated for the list query.

names

A pointer to a vector of char pointers. Each element points to an object name.

count

On entry, the size of the names vector. On return, the number of entries in the vector.

More information:

seadmapi_FreeObjList Function

seadmapi_ObjGet Functions

seadmapi_FreeObjList Function

The seadmapi_FreeObjList function frees the memory allocated by the seadmapi_ObjInClassList function.

The function assigns NULL to *ptr.

There is no return value.

int seadmapi_FreeObjList (void **ptr);
ptr

The pointer as obtained by the most recent call to the seadmapi_ObjInClassList function.

More information:

seadmapi_ObjInClassList Function

seadmapi_FetchListPropVal Function

The seadmapi_FetchListPropVal function retrieves the values of a property that contains a list. The function cannot retrieve the value of a single‑value property; use the seadmapi_FetchSinglePropVal function instead.

The function allocates a vector of void pointers, each pointing to an allocated buffer that holds a single element in the list. The caller has to define a variable of type void ** or any other type that is a pointer to a pointer (that is, int **). The caller sends a pointer to this variable, as shown in the following example.

{ int          **list;
  unsigned int   psize, count;
  int            rc;
  ...
rc = seadmapi_FetchListPropVal(..,     
     (void ***)&list, &psize, &count);

Memory layout after call:

Argument

Description

[elem0]

1st data element

[elem1]

2nd data element

[elemN]

N+1 data element

where elemN is stored in the variable count.

All data fetched by this function is allocated and must be freed. To free the data, call the seadmapi_FreeListPropVal function.

The function can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use this function.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_FetchListPropVal(const char    *szClass,
                     SEOSDB_CDF    *p_seclass,
                     const char    *szObj,
                     SEOSDB_ODF    *p_seobj,
                     const char    *szProp,
                     SEOSDB_PDF    *p_seprop,
                     void          ***val,
                     unsigned int  *psize,
                     unsigned int  *count);
szClass

The name of the class to which the object belongs. If the class is identified by the p_seclass parameter, set this parameter to NULL.

p_seclass

A pointer to a structure containing the class description. If the class is identified by the szClass parameter, set this parameter to NULL.

szObj

The name of the record whose property value is to be fetched. If the object is identified by the p_seobj parameter, set this parameter to NULL.

p_seobj

A pointer to the structure containing the object description. If the object is identified by the szObj parameter, set this parameter to NULL.

szProp

The name of the property whose value is to be fetched. If the property is identified by the p_seprop parameter, set this parameter to NULL.

p_seprop

A pointer to the structure containing the property description. If the property is identified by the szProp parameter, set this parameter to NULL.

val

A pointer to a pointer to a pointer of the type of value fetched. For more information, see the description following this list.

psize

The size of the fetched value.

count

The number of elements in the allocated vector.

Example

The following example demonstrates using the seadmapi_FetchListPropVal function to retrieve the values of a property that contains a list. This example also demonstrates the use of the seadmapi_gconn structure to display all the groups to which a user is linked.

/*=========================================================
Project          : eTrust
Module          : eTrust                                         Version: 8.0
File          : sample_FetchList.c
Purpose          : Sample for seadmapi, Display a property that
            contains a list. Display list of groups user is
            connected to.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <stdio.h>      
#include <string.h>     
#include <seadmapi.h>     
static int ErrorMessage( int rv ); 
int main(int argc, char *argv[])     
{ SEOSDB_ODF        odf;     
  SEOS_GCONN      **list;      
  char              Object[ONAME_SIZE+1];     
  unsigned int      elem_size;      
  unsigned int      list_cnt;      
  int               rv;      
  int               cnt;       
  if ( argc < 2 )      
     { fprintf(stderr, "Required parameter (User Name)     
missing.\n");     
       return 1;      
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set object name by specified parameter.                     */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  strcpy(Object, argv[1]);
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /* Get the list for class=USER, property=GROUPS,                */     
  /*                  object=Specified_Parm                       */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  rv = seadmapi_FetchListPropVal("USER", NULL,      
                                 Object,  NULL,      
                                 "GROUPS", NULL,      
                                 (void ***)&list,      
                                 &elem_size, &list_cnt); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Exit with error message in case we fail to get the list.  */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( rv != 0 ) return ErrorMessage(rv); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Display all groups from the list in a loop.                 */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  for(cnt=0; cnt<list_cnt; cnt++)     
       { rv = seadmapi_ObjGetEqual("GROUP", NULL, NULL,      
                                  list[cnt]‑>oidGroup, &odf); 
         if ( rv == 0 )      
            { printf("Group Name: %‑10s (id=%6ld)", odf.szOName,     
                    list[cnt]‑>oidGroup);     
            if ( list[cnt]‑>ugmUserMode     
               { printf(", Group");     
               if ( list[cnt]‑>ugmUserMode & SEOS_UGMODE_AUDITOR )     
                    printf(" auditor");     
               if ( list[cnt]‑>ugmUserMode & SEOS_UGMODE_PWMANAGER )     
                    printf(" pwmanager");     
               if ( list[cnt]‑>ugmUserMode & SEOS_UGMODE_ADMIN )     
                  printf(" administrator");     
               }     
            else     
               printf(", Regular");     
            printf(".\n");     
            }     
       else      
          printf("Group id: %ld, no longer exits in database.\n",     
                list[cnt]‑>oidGroup);     
       } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /* Free the list.                                              */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  seadmapi_FreeListPropVal((void ***)&list, &list_cnt);     
  return 0;     
} 
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Display an error message from the security daemon.       */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )      
{ char msg_buff[1024];      
  seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);     
  fprintf(stderr, "%s.\n", msg_buff);      
  return rv;      
}

seadmapi_FetchSinglePropVal Function

The seadmapi_FetchSinglePropVal function retrieves the value of a property that contains a single value. The function cannot be used to retrieve lists; for properties that contain lists, use the function seadmapi_FetchListPropVal. To store the property's data, the calling program must allocate the space in memory pointed to by the val variable. To determine the size required, use the property descriptor sPVSize member or some other means.

The seadmapi_FetchSinglePropVal function can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are allowed to use this function.

This function can be used by any user who wants to view private data. The values are set to those of the user's own record.

This function can be used by any user to retrieve values for records of the SUDO class or the SEOS class.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_FetchSinglePropVal(const char  *szClass,
                     SEOSDB_CDF  *p_seclass,
                     const char  *szObj,
                     SEOSDB_ODF  *p_seobj,
                     const char  *szProp,
                     SEOSDB_PDF  *p_seprop,
                     void        *val,
                     int         *size);
szClass

The name of the class to which the object belongs. If the class is identified by the p_seclass parameter, set this parameter to NULL.

p_seclass

A pointer to a structure containing the class description. If the class is identified by the szClass parameter, set this parameter to NULL.

szObj

The name of the record whose property value is to be fetched. If the record is identified by the p_seobj parameter, set this parameter to NULL.

p_seobj

A pointer to the structure containing the object description. If the object is identified by the szObj parameter, set this variable to NULL.

szProp

The name of the property that is to be fetched. If the property is identified by the p_seprop parameter, set this variable to NULL.

p_seprop

A pointer to the structure containing the property description. If the property is identified by the sz_Prop parameter, set this variable to NULL.

val

A pointer to a location in memory where the result is to be stored.

size

On entry, this value is the size of the memory area pointed to by the parameter val. On return, this value is the size of the data stored in the memory area.

UNIX Example

In UNIX, the following example demonstrates the use of seadmapi_FetchSinglePropVal to retrieve the value of a single property.

/*=========================================================
Project          : eTrust
Module          : eTrust                              Version: 8.0
File          : sample_FetchSingle.c
Purpose          : Sample for seadmapi, List the value for a given
            property in a specific object in a specific class
            in a UNIX system.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>     
#include <stdio.h>     
#include <string.h>      
#include <sys/types.h>     
#include <unistd.h>     
#include <stdlib.h>     
#include <seadmapi.h>     
static int ErrorMessage( int rv ); 
int main(int argc, char *argv[])     
{ SEOSDB_PDF    prop;                     /* Property Description */     
  char          Class[CNAME_SIZE+1];      
  char          Object[ONAME_SIZE+1];     
  char          Property[PNAME_SIZE+1];      
  char         *prop_val;     
  int           data_size;     
  int           rv; 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Check if SeOS_syscall is loaded.                     */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_IsSeOSSyscallLoaded();     
  if ( rv != 0 )      
     { fprintf(stderr, "Database server is not running.\n");      
       return 1;     
     } 
 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Check if the user supplied all required parameters. */
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( argc < 4 )     
     { fprintf(stderr, "Required parameter(s) missing.\n");      
       fprintf(stderr, "Usage: '%s CLASS_NAME PROPERTY_NAME     
                           OBJECT_NAME'\n", argv[0]);     
       return 1;     
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set the class, property, and object fields.            */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  strcpy(Class,    argv[1]);      
  strcpy(Property, argv[2]);      
  strcpy(Object,   argv[3]);
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Clear the property and object fields.                       */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  memset( &prop, 0, sizeof(prop) ); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Get the property descriptor.                                */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_PropGetEqual( Class, NULL, Property, 0, &prop ); 
  if (rv) return ErrorMessage(rv); 
     /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
     /* Check for string type.                                      */     
     /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( prop.cPType != SEOSDB_PTYPE_STR )     
     { fprintf(stderr, "This sample can display only character     
                        values.\n");      
       return 1;     
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Allocate memory for the value's data according to the */     
  /*     property size                                       */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  prop_val = (char *)malloc( (size_t)prop.sPVSize );     
  if ( prop_val == NULL )     
     { fprintf(stderr, "Failed to allocate required memory for     
                        property value.\n");      
       return 1;     
     } 
  data_size = prop.sPVSize;     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Get the requested property value.                           */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_FetchSinglePropVal(Class,  NULL,      
                                   Object, NULL,      
                                   NULL,  &prop,      
                                   prop_val, &data_size); 
  if (rv)      
     { free(prop_val);     
       return ErrorMessage(rv);      
     } 
  printf("%s\n", prop_val);      
  free(prop_val);      
  return 0;     
} 
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Display error message from security daemon. */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )      
{ char msg_buff[1024];      
  seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);      
  fprintf(stderr, "%s.\n", msg_buff);     
  return rv; 
}

Windows Example

In Windows, the following example demonstrates the use of seadmapi_FetchSinglePropVal to retrieve the value of a single property.

/*=========================================================
Project          : eTrust
Module          : eTrust                              Version: 4.10
File          : sample_FetchSingle.c
Purpose          : Sample for seadmapi, List the value for a given
            property in a specific object in a specific class.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>     
#include <stdio.h>     
#include <string.h>      
#include <sys/types.h>     
#include <unistd.h>     
#include <stdlib.h>     
#include <seadmapi.h>     
static int ErrorMessage( int rv ); 
int main(int argc, char *argv[])     
{ SEOSDB_PDF    prop;                     /* Property Description */     
  char          Class[CNAME_SIZE+1];      
  char          Object[ONAME_SIZE+1];     
  char          Property[PNAME_SIZE+1];      
  char         *prop_val;     
  int           data_size;     
  int           rv; 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Check if the user supplied all required parameters.  */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( argc < 4 )     
     { fprintf(stderr, "Required parameter(s) missing.\n");      
       fprintf(stderr, "Usage: '%s CLASS_NAME PROPERTY_NAME     
                           OBJECT_NAME'\n", argv[0]);     
       return 1;     
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Set the class, property, and object fields.          */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  strcpy(Class,    argv[1]);      
  strcpy(Property, argv[2]);      
  strcpy(Object,   argv[3]); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Clear the property and object fields.                */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  memset( &prop, 0, sizeof(prop) ); 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Get the property descriptor.                         */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_PropGetEqual( Class, NULL, Property, 0, &prop ); 
  if (rv) return ErrorMessage(rv); 
     /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
     /* Check for string type.                            */     
     /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( prop.cPType != SEOSDB_PTYPE_STR )     
     { fprintf(stderr, "This sample can display only character     
                        values.\n");      
       return 1;     
     } 
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Allocate memory for the value's data according to the */     
  /*     property size                                            */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  prop_val = (char *)malloc( (size_t)prop.sPVSize );     
  if ( prop_val == NULL )     
     { fprintf(stderr, "Failed to allocate required memory for     
                        property value.\n");      
       return 1;     
     } 
  data_size = prop.sPVSize;     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
  /* Get the requested property value.                           */     
  /* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_FetchSinglePropVal(Class,  NULL,      
                                   Object, NULL,      
                                   NULL,  &prop,      
                                   prop_val, &data_size); 
  if (rv)      
     { free(prop_val);     
       return ErrorMessage(rv);      
     } 
  printf("%s\n", prop_val);      
  free(prop_val);      
  return 0;     
} 
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Display error message from security daemon.            */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
static int ErrorMessage( int rv )      
{ char msg_buff[1024];      
  seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);      
  fprintf(stderr, "%s.\n", msg_buff);     
  return rv; 
}

seadmapi_FreeListPropVal Function

The seadmapi_FreeListPropVal function must be used after fetching the list values using the seadmapi_FetchListPropVal function to free the memory allocated for the values. The parameters supplied to this function must be the same as those supplied to the seadmapi_FetchListPropVal function.

Any process can call this function.

There is no return value.

void seadmapi_FreeListPropVal(void ***list, unsigned int *count);    
list

A pointer to the vector allocated by the seadmapi_FetchListPropVal function.

count

A pointer to the number of elements in the allocated vector.

More information:

seadmapi_FetchListPropVal Function

seadmapi_SetSinglePropVal Function

The seadmapi_SetSinglePropVal function sets the value of a single‑value property. The function is used by the Watchdog and the agent. To prevent damage to the database, no other process is permitted to use this function.

The seadmapi_SetSinglePropVal function can be used only by the Watchdog and the agent.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_SetSinglePropVal(const char *szClass,     
const char *szObj,     
const char *szProp,     
void       *val,     
int        size);
szClass

The name of the class to which the record belongs.

szObj

The name of the record whose property is to be set.

szProp

The name of the property whose value is to be set.

val

The value to be assigned to the property.

size

The size, in bytes, of the value.

seadmapi_MakePDFList Function

The seadmapi_MakePDFList function retrieves the entire list of properties of a given class. The function allocates memory for the properties vector.

After using the seadmapi_MakePDFList function, free the allocated memory using the seadmapi_KillPDFList function.

These functions can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

If the seadmapi_MakePDFList function succeeds, it returns 0; if it fails, it returns an error code.

void seadmapi_KillPDFList(SEOSDB_PDF      **ppPdf,     
   unsigned int    nCount);     
int seadmapi_MakePDFList(const char      *szClass,     
SEOSDB_PDF      **ppPdf,     
unsigned int    *nCount);
szClass

The class name.

ppPdf

A pointer to the SEOSDB_PDF pointer that points to the allocated region of memory that holds the properties vector.

nCount

The number of properties in the vector.

seadmapi_Entity Functions

The seadmapi_GetEntity and seadmapi_GetExEntity functions retrieve into the ObjPVs vector all the values for the properties of a database object.

These functions are used by CA ControlMinder utilities and provide a convenient method to fetch the information from the database. To use these functions, first call the seadmapi_InitEntityRuler function to initialize the list of properties that are of interest to the caller. Next, call the seadmapi_GetEntity or seadmapi_GetExEntity function to fetch the information on a single object.

Note: For more information about the rdbdump utility, see the Reference Guide.

When you use the seadmapi_GetEntity function, the vector receives all the information about the property (the property description) and the property values. All properties are retrieved and stored as if they were list property values. Single‑value properties are also stored as lists, with one entry.

When you use the seadmapi_GetExEntity function, the vector receives the same information, except that all property values that contain IDs of other objects are expanded. For example, instead of receiving an owner's ID, the function retrieves the expanded OID that contains the ID and the owner's class and name.

After using the information, call the seadmapi_KillEntityMem or seadmapi_KillExEntityMem function to free all memory required for the operation.

A user can initialize the ObjPVs vector from a previous call to the seadmapi_MakePDFList function. The vector pointed to by the ObjPVs parameter should contain the last element with the property name set to NULL. The functions use this method to determine the size of the vector.

The SEOSDB_ENTDAT, SEOS_X_OID, SEOS_X_GCONN, SEOS_X_ACL, and SEOS_X_PACL structures are defined in the seostypes.h header file.

After each call to seadmapi_GetEntity or seadmapi_GetExEntity, make sure you call seadmapi_KillEntityMem or seadmapi_KillExEntityMem, respectively, to free the memory allocated by the seadmapi_GetEntity or seadmapi_GetExEntity function.

These functions can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_GetEntity(const char    *szCName,
                     const char    *szOName,
                     SEOSDB_ODF    *podf,
                     SEOSDB_ENTDAT *ObjPVs);
int seadmapi_GetExEntity(const char    *szCName,
                       const char    *szOName,     
                       SEOSDB_ODF    *podf,     
                       SEOSDB_ENTDAT *ObjPVs);
int seadmapi_InitEntityRuler(const char *szCName, SEOSDB_ENTDAT *ObjPvs);
void seadmapi_KillEntityMem(SEOSDB_ENTDAT *ObjPVs);    
void seadmapi_KillExEntityMem(SEOSDB_ENTDAT *ObjPVs);    
szCName

The class name.

szOName

The object name.

podf

A pointer to a memory area to be filled with the object description.

ObjPVs

A pointer to a vector with both property description and value list.

Example

The following example demonstrates the use of the seadmapi_InitEntityRuler and seadmapi_GetExEntity functions.

/*=========================================================
Project          : eTrust
Module           : eTrust                              Version: 8.0
File          : sample_TermOwn.c
Purpose          : Display terminal's owner.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
    When working in UNIX, remember to point an environment
    variable to the shared library path by entering the command
          setenv LD_LIBRARY_PATH/opt/CA/eTrustAccessControl/lib/
    ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
#include <ctype.h>     
#include <stdio.h>     
#include <sys/types.h>     
#include <memory.h>     
#include <seadmapi.h>     
static int ErrorMessage( int rv );
int main(int argc, char *argv[])

{ SEOSDB_ODF          odf;                               /* Object definition */     
  SEOSDB_ENTDAT       entdat[2];                         /* Entity data       */     
  SEOS_X_OID          *owner;     
  int                 rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Check if user specified the terminal name.     
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( argc == 1 )     
     { printf("Usage: '%s terminal_name'\n", argv[0]);     
       return 1;     
     }
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Initialize entity data.     
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  memset(entdat, 0, sizeof(entdat));
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Set the ruler for the database request.     
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  entdat[0].szPName = "OWNER";               /* Owner             */     
  entdat[1].szPName = NULL;                  /* Null terminator   */     
  rv = seadmapi_InitEntityRuler("TERMINAL", entdat);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  Exit with error message in case we fail to set the ruler.*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( rv != 0 ) return ErrorMessage(rv);     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Get all data.     
 */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_GetExEntity("TERMINAL",    /* Class name         */     
                     argv[1],              /* Terminal name       */     
                     &odf,                 /* Object definition   */     
                     entdat);              /* Entity data         */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  Exit with error message in case we fail to get the data */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( rv != 0 ) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  Display OWNER information.     
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( entdat[0].nPVQty != 0 )     
     { owner = (SEOS_X_OID *)entdat[0].pPVList[0];     
       if ( owner‑>pCName != NULL )     
          printf("OWNER = %s %s, id=%d\n", owner‑>pCName,     
                  owner‑>pOName, owner‑>oid);     
       else     
          printf("OWNER = (id=%d)\n", entdat[0].pPVList);     
     }     
  else     
     printf("OWNER = \n");     
  return 0;     
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Display error message.                                  */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )     
{ char msg_buff[1024];     
  seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);     
  fprintf(stderr, "%s.\n", msg_buff);     
  return rv;     
}

More information:

seadmapi_FetchListPropVal Function

seadmapi_MakePDFList Function

seadmapi_GetGraceInfo Function

This function retrieves information regarding a user's password, date of last login, and the number of grace logins that the user still has.

The function can be called by processes executed by users who have the ADMIN attribute.

All users can execute this function for themselves.

int seadmapi_GetGraceInfo(SEGRACE_RES *p_sgr);    
p_sgr

A pointer to the structure that contains the information regarding user logins and grace days.

UNIX Example

The following example demonstrates the use of the seadmapi_GetGraceInfo function in a UNIX system.

/*=========================================================
Project          : eTrust
Module          : eTrust                              Version: 4.10
File          : sample_grace.c
Purpose          : Sample for seadmapi: Display information from the
            Access Control database about the user's grace
            logins.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>     
#include <stdio.h>     
#include <sys/types.h>     
#include <seadmapi.h>
int main(void)     
{ SEGRACE_RES    sgr;  /*Grace information structure              */     
  int            rv;   /*Return value                             */
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Quit if the kernel extension is not running.                */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  rv = seossfr_IsSeOSSyscallLoaded();     
  if ( rv )     
     { fprintf(stderr, "The kernel extension is not loaded.\n");     
       return rv;     
     }
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Quit if the security daemon is not running.                */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  rv = seadmapi_IsServerRunning();     
  if ( rv )     
     {fprintf(stderr, "Security daemon is not running.\n");     
      return rv;     
     }
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Set username to '0' to get current user's             */
  /*  grace information                                     */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  sgr.uname[0] = 0;
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Get grace information from the database.                   */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  rv = seadmapi_GetGraceInfo(&sgr);
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  If rv is not zero, display an error message and quit. */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  if ( rv )     
  { if ( sgr.step )     
       { if (sgr.msg[0] != 0 )     
            fprintf(stderr, "%s\n", sgr.msg);     
           return 1;
       }     
  }
 /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
 /*  Display the number of grace logins.                         */     
 /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
 printf("User %s has %d grace logins.\n", sgr.uname, sgr.grace);     
 return 0;
}

Windows Example

The following example demonstrates the use of the seadmapi_GetGraceInfo function in the Windows environment.

/*=========================================================
Project          : eTrust
Module          : eTrust                              Version: 4.10
File          : sample_grace.c
Purpose          : Sample for seadmapi: Display information from the
            Access Control database about the user's grace
            logins.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>     
#include <stdio.h>     
#include <sys/types.h>     
#include <seadmapi.h>
int main(void)     
{ SEGRACE_RES    sgr;  /*Grace information structure              */     
  int            rv;   /*Return value                             */
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Quit if the kernel extension is not running                 */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  rv = seossfr_IsSeOSSyscallLoaded();     
  if ( rv )     
     { fprintf(stderr, "The kernel extension is not loaded.\n");     
       return rv;     
     }
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Set username to '0' to get current user's grace information*/     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  sgr.uname[0] = 0;
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  Get grace information from the database.             */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  rv = seadmapi_GetGraceInfo(&sgr);
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
  /*  If rv is not zero, display an error message and quit. */     
  /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
  if ( rv )     
  { if ( sgr.step )     
       { if (sgr.msg[0] != 0 )     
            fprintf(stderr, "%s\n", sgr.msg);     
           return 1;
       }     
  }
 /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/     
 /*  Display the number of grace logins.                   */     
 /*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
 printf("User %s has %d grace logins.\n", sgr.uname, sgr.grace);     
 return 0;
}

seadmapi_OidToName Function

This function provides a convenient way of translating an object ID to a string containing the object name. If the object does not exist in the database-for instance, if the object has been deleted-the string returned by this function is NULL.

The pointer returned by this function is a pointer to a static area, overwritten by each subsequent call. This makes the function unsafe when using multi‑threads.

The function can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

If the function succeeds, it returns the name of an object; if it fails, it returns NULL.

char *seadmapi_OidToName(SEOS_OID oid);    
oid

The object ID of the record.

More information:

seadmapi_ObjGet Functions

seadmapi_WhoAmI Function

This function provides information about the current process to the Engine. The information returned by the function may be used to fetch other information from the database or from the Authorization Engine.

Things you should know about this function include:

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_WhoAmI(uid_t *uid, int *handle, char *szUName, SEOS_UMODE *objtype);    
uid

The UID associated with the current process. In UNIX, this is equivalent to and safer than using the getlogin UNIX function.

handle
The ACEE handle associated with the current process. See the Notes in this section.
szUName

The user name associated with the current process.

objtype

The user type as saved in the database. This specifies the attributes assigned to the user.

Example

The following example demonstrates the use of the seadmapi_WhoAmI function.

/*=========================================================
Project          : eTrust
Module           : eTrust                              Version: 8.0
Purpose          : Display information about the user from the
            Access Control database.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>     
#include <stdio.h>     
#include <sys/types.h>     
#include <seadmapi.h>
int main(void)     
{ SEOS_UMODE     objtype;        /* Object type     */     
  uid_t     
uID;            /* User ID         */     
  char           uName[256];     /* User name       */     
  int            handle;         
  /* Handle          */     
  int            regular = 1;    /* Mode flag       */     
  int            rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  Get user information from the database.     
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  rv = seadmapi_WhoAmI(&uID, &handle, uName, &objtype);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  If failed, display message and quit.     
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  if ( (rv != 0) || (uName[0] == '?') )     
     { fprintf(stderr, "Can't find current user name.\n", 
    
uName, rv);     
       return 1;     
     }
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/*  Display the user information:    
*/     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  printf("User Name   : %s\n",    uName);       
  printf("User ID     : %ld\n",    uID);       
  printf("User Handle : %ld\n", handle);  
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */     
/* Display user authorization attributes by using the      
*/
/* SEOS_UMODE_is macro.     
    */     
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
  printf("User Mode   :");     
  if ( SEOS_UMODE_is_auditor(objtype) )     
     { printf(" AUDITOR");     
       regular = 0;     
     }

  if ( SEOS_UMODE_is_operator(objtype) )     
     { printf(" OPERATOR");     
       regular = 0;     
     }
  if ( SEOS_UMODE_is_admin(objtype) )     
     { printf(" ADMIN");     
       regular = 0;     
     }
  if ( SEOS_UMODE_is_pwmanager(objtype) )     
     { printf(" PWMANAGER");     
       regular = 0;     
     }
  if ( regular )     
     printf(" REGULAR\n");     
  else     
     printf("\n");     
  return 0;
}

seadmapi_WhoIs Function

The seadmapi_WhoIs function supplies information about the specified user. The function gets the user type-attribute-from the database. The memory area pointed to by the szUName parameter must be large enough to accommodate 255 characters.

The seadmapi.h header file contains several macros that operate on the objtype variable data to determine whether a user has a specific attribute. These macros have the common notation of SEOS_UMODE_is_attribute. Any process in the system can all this function.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_WhoIs(char *szUName, SEOS_UMODE *objtype);    
szUName

The user name associated with the current process.

objtype

The user type as saved in the database. This specifies the attributes assigned to the user.

seadmapi_ACEE Function

When given a handle, seadmapi_GetACEE retrieves the relevant ACEE information. The function is also capable of scanning all ACEEs currently allocated for users in CA ControlMinder. The information is loaded into a memory area allocated by the function itself. The information filled in the CLIENT_ACEE structure contains all the credentials for a given ACEE.

Things you should know about this function include:

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_GetACEE(int hAcee, CLIENT_ACEE **ppAcee);
void seadmapi_FreeAceeMemory(CLIENT_ACEE **ppAcee);
ppAcee

A pointer to a pointer that is assigned to point to the memory area allocated by seadmapi_GetACEE. The function seadmapi_FreeAceeMemory receives this same address to free the allocated memory.

More information:

seadmapi_WhoAmI Function

seadmapi_GetMessage Function

This function retrieves an error description from the message file and places it in the buffer pointed to by the buff parameter.

Every process in the system can use this function.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_GetMessage(int err_code, int size, char *buff);
err_code

The error code as returned by one of the CA ControlMinder functions.

size

The size of the buffer in bytes. Normally a 2 KB buffer is sufficient.

buff

A pointer to a buffer that contains the text describing the error.

More information:

seadmapi_FetchListPropVal Function

seadmapi_FetchSinglePropVal Function

seadmapi_GetObjType Function

This function retrieves the object type stored in the current process's ACEE. This information can be used with several macros to determine whether the current process belongs to a user with one of the special attributes that can be assigned to a user-ADMIN, AUDITOR, PWMANAGER, and so forth.

The seadmapi.h header file contains several macros that operate on this variable data to determine whether a user has a specific attribute. These macros have the common notation of SEOS_UMODE_is_attribute.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_GetObjType(SEOS_UMODE *objtype);    
objtype

A pointer to a SEOS_UMODE type variable that is filled from the current process's ACEE.

Example

The following example shows how to use the seadmapi_GetObjType.

/*=========================================================
Project          : eTrust
Module          : eTrust                              Version: 8.0
File          : mymode.c
Purpose          : Sample for seadmapi_GetObjType
            Display user's mode:     
            REGULAR AUDITOR ADMIN OPERATOR SERVER or PWMANAGER.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <stdio.h>     
#include <seostype.h>     
#include <seadmapi.h>     
int main(void)     
{ int rv;     
  SEOS_UMODE umode;     
  if ( (rv = seadmapi_GetObjType(&umode)) == 0)     
    {     
      printf("My mode is 0x%x : ", umode);     
      if ( umode != 0 )     
        {     
          if ( umode & SEOS_UMODE_AUDITOR )     
            printf("Auditor ");     
          if ( umode & SEOS_UMODE_OPERATOR )     
            printf("Operator ");     
          if ( umode & SEOS_UMODE_ADMIN )     
            printf("Admin ");     
          if ( umode & SEOS_UMODE_SERVER )     
            printf("Server ");     
          if ( umode & SEOS_UMODE_PWMANAGER )     
            printf("PwManager ");     
         }
      else     
        printf("Regular ");     
      printf("\n");     
      return 0;     
    }
  fprintf(stderr, "Error 0x%X for seadmapi_GetObjType.\n", rv);     
  return 1;     
}

More information:

seadmapi_WhoAmI Function

seadmapi_init Function

This function initializes the communication channel with CA ControlMinder.

Every process in the system can use this function. The function is not used in the Windows environment.

You must call the seadmapi_init or seadmapi_IsSeOSSyscallLoaded function before calling any other function in the seadmapi library. However, if you use both functions, seadmapi_init must precede seadmapi_IsSeOSSyscallLoaded.

This function returns 0 if initialization is successful or an error code on failure. It verifies the exact CA ControlMinder system call loaded on the computer.

int seadmapi_init(void)

seadmapi_IsSeOSSyscallLoaded Function

This function checks whether the CA ControlMinder system call is loaded. For Solaris, HP-UX, and Linux systems, it resolves the dynamic CA ControlMinder system call number.

This function can be used by every process in the system. It is not used in the Windows environment.

For all UNIX systems except AIX, if the function succeeds, it returns 0; if it fails, it returns an error code.

On AIX systems, the function always returns 0 because the AIX system loader cannot load any process that requires the CA ControlMinder system call to be loaded unless the system call actually is loaded.

int seadmapi_IsSeOSSyscallLoaded(void)

Note: You must call the seadmapi_init or seadmapi_IsSeOSSyscallLoaded function before calling any other function in the seadmapi library.

More information:

seadmapi_FetchSinglePropVal Function

seadmapi_SendAuditRecord Function

The seadmapi_SendAuditRecord function sends any type of audit information to the audit log. This function is used internally by other functions provided with this API to submit specific types of audit log records to the log file. We recommend that you use the specific functions for each audit record type rather than using this function, although in several cases, the use of this one may be easier.

Things you should know about this function include:

The Watchdog and the agent are also allowed to use these functions.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_SendAuditRecord(int type, int result, void *data);
type

The type of the audit record. For a list of valid values, see the selogtype.h header file.

result

One of the valid result codes supported by CA ControlMinder. For valid values, see the selogtype.h header file.

data

A pointer to the audit record data. This pointer must point to valid data according to the type of record being submitted.

seadmapi_SendAudit Functions

These functions send audit records to the audit log. The functions use the seadmapi_SendAuditRecord function. We recommend that you use these functions rather than directly calling the seadmapi_SendAuditRecord function.

Following are the seadmapi_SendAudit functions:

int seadmapi_SendAdminAudit(SEOS_AUDITADMIN *rec, int result);

Sends audit records to the audit log in the format of administrative records.

int seadmapi_SendCwsAudit(SEOS_AUDITCWS *rec, int result);

Sends audit records to the audit log in the format of connect-with-service records.

int seadmapi_SendGenrAudit(SEOS_AUDITGENR *rec, int result);

Sends audit records to the audit log in the format of general resource records.

int seadmapi_SendInetAudit(SEOS_AUDITINWARN *rec, int result);

Sends audit records to the audit log in the format of TCP/IP records.

int seadmapi_SendLoginAudit(SEOS_AUDITLOGIN *rec, int result);

Sends audit records to the audit log in the format of login event records.

int seadmapi_SendShutdownAudit(SEOS_AUDITDOWN *rec, int result);

Sends audit records to the audit log in the format of shutdown records.

int seadmapi_SendStartupAudit(SEOS_AUDITSTART *rec, int result);

Sends audit records to the audit log in the format of startup records.

int seadmapi_SendUserAudit(SEOS_AUDITUSER *rec, int result);

Valid on UNIX only

Sends audit records to the audit log in the format of user records.

int seadmapi_SendWatchdogAudit(SEOS_AUDITWDWARN *rec, int result);

Sends audit records to the audit log in the format of Watchdog records.

CA ControlMinder uses a compression algorithm on the auditing information. Therefore, you should initialize the structure with 0s before filling in the information. The structure can be initialized by calling the memset function provided by the standard C library of every system.

The function can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

If the function succeeds, it returns 0; if it fails, it returns an error code.

rec

A pointer to the structure containing event‑specific data.

result

One of the valid result codes supported by CA ControlMinder. For a list of valid result codes, see the selogtype.h header file.

seadmapi_SendNotificationAudit Functions

These functions send notification records to the audit log. The functions use the seadmapi_SendAuditRecord function. We recommend that you use these functions rather than directly calling the seadmapi_SendAuditRecord function. Notification records are generated for resources that have an associated user to notify for the event (NOTIFY property).

Following are the seadmapi_SendNotificationAudit functions:

int seadmapi_SendNfAdminAudit(SEOS_AUDITADMIN *rec, int result);

Sends notification records to the audit log in the format of administrative records.

int seadmapi_SendNfCwsAudit(SEOS_AUDITCWS *rec, int result);

Sends notification records to the audit log in the format of connect-with-service records.

int seadmapi_SendNfGenrAudit(SEOS_AUDITGENR *rec, int result);

Sends notification records to the audit log in the format of general resource records.

int seadmapi_SendNfInetAudit(SEOS_AUDITINWARN *rec, int result);

Sends notification records to the audit log in the format of TCP/IP records.

int seadmapi_SendNfLoginAudit(SEOS_AUDITLOGIN *rec, int result);

Sends notification records to the audit log in the format of login event records.

int seadmapi_SendNfShutdownAudit(SEOS_AUDITDOWN *rec, int result);

Sends notification records to the audit log in the format of shutdown records.

int seadmapi_SendNfStartupAudit(SEOS_AUDITSTART *rec, int result);

Sends notification records to the audit log in the format of startup records.

int seadmapi_SendNfUserAudit(SEOS_AUDITUSER *rec, int result);

Valid on UNIX only

Sends notification records to the audit log in the format of user records.

int seadmapi_SendNfWatchdogAudit(SEOS_AUDITWDWARN *rec, int result);

Sends notification records to the audit log in the format of Watchdog records.

CA ControlMinder uses a compression algorithm on the auditing information. Therefore, you should initialize the structure with 0s before filling in the information. The structure can be initialized by calling the memset function provided by the standard C library of every system.

The function can be called by processes executed by users who have any of the following attributes:

The Watchdog and the agent are also allowed to use these functions.

If the function succeeds, it returns 0; if it fails, it returns an error code.

rec

A pointer to the structure containing event‑specific data.

result

One of the valid result codes supported by CA ControlMinder. For a list of valid result codes, see the selogtype.h header file.

seadmapi_SendErrorLog Function

This function is used by the Watchdog and the agent to place a trace‑back to note a possible error or malfunction. The error description is common for all error records in the error log file.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_SendErrorLog(SEOS_REQ_ERRORDESCP *rec);
rec

A pointer to the structure containing a description of the error and the trace‑back data.

seadmapi_ProcessControl Function

This function is used by a process to control its auditing level and security. Any process can call this function to turn on auditing for all operations or to delete the credentials associated with the process. Using the flags parameter, a process can control these values. The flags parameter can contain any of the values described in the following table or a bit‑wise OR value of them.

The following flags are currently supported:

SEADMAPI_PROCCNTL_NOACEE

A request by a process to remove its ACEE and use the credentials of a user who is not defined to CA ControlMinder. The new NULL credentials are assigned to the process and any child processes.

SEADMAPI_PROCCNTL_LOGALL

A request to audit every request made by the process and its child processes.

The senone utility uses this function; every process in the system can call it.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_ProcessControl(unsigned long flags);    
flags

One or more bit‑wise values.

seadmapi_consTrace Functions

These functions control the trace logging. The trace function is used to help diagnose problems and to help understand how CA ControlMinder behaves.

All functions return the trace status after the call. A value of 1 means the trace is enabled, while 0 means the trace is disabled. If the CurrStatus parameter specified to any of these functions is NULL, the function does not fill in current status of the trace.

These functions and the ‑t option of the secons utility provide the same functionality.

Things you should know about this function include:

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_consTraceClear(int *CurrStatus);
int seadmapi_consTraceDisable(int *CurrStatus);
int seadmapi_consTraceEnable(int *CurrStatus);
int seadmapi_consTraceGetStatus(int *CurrStatus);
int seadmapi_consTraceToggle(int *CurrStatus);
CurrStatus

Status of the trace after the call.

seadmapi_consUidLogin Functions

These functions operate on a user's concurrent login setting. The functions do the following:

The user is identified by the uid parameter.

These functions and the ‑d and ‑u options of the secons utility provide the same functionality.

The seadmapi_consUidLoginDisable function disables concurrent logins for the specified user ID. The seadmapi_consUidLoginEnable function reenables concurrent logins for the specified user ID.

The seadmapi_consUidLoginGetStatus function retrieves the status of the user's concurrent logins setting as provided by the authorization daemon.

Things you should know about this function include:

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_consUidLoginDisable(int uid);
int seadmapi_consUidLoginEnable(int uid);
int seadmapi_consUidLoginGetStatus(int uid, nt *CurrStatus);    
uid

The user ID on which the function is to operate.

CurrStatus

The current status of the user's concurrent logins setting.

seadmapi_consAllLogin Functions

These functions control users' ability to log into the system. If login is disabled, no user is permitted to log into the system while CA ControlMinder is running.

These functions and secons ‑L option provide the same functionality.

Things you should know about this function include:

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_consAllLoginDisable(void);
int seadmapi_consAllLoginEnable(void);
int seadmapi_consAllLoginGetStatus(int *CurrStatus);
CurrStatus

The current status of the system‑wide disable login flag.

seadmapi_consRefreshIPAddresses

This function refreshes the host name to IP address resolution at the kernel run time tables.

If the function succeeds, it returns 0; if it fails, it returns an error code.

Note: This function can only be called by users who have the ADMIN attribute.

int seadmapi_ReloadIni(unsigned int* puiNumberOfRefreshedResources);
puiNumberOfRefreshedResources

When the function completes successfully, holds the number of resources that have been refreshed.

seadmapi_consRunTimeStatisticsGet Function

This function retrieves runtime statistics on the seosd. This information can be viewed using the secons utility. The information is placed in the structure pointed to by the rtsStat parameter. The structure contains the following information:

inet_deny

The number of TCP/IP requests that were denied.

inet_grant

The number of TCP/IP requests that were granted.

inet_error

The number of TCP/IP requests that could not be resolved because of an error.

audit_log_q

The number of unwritten audit records in the queue.

error_log_q

The number of unwritten error records in the queue.

oidLast

Last used object ID.

pidLast

Last used property ID.

cidLast

Last used class ID.

classRecCount

Number of classes in the database.

propRecCount

Number of properties in the database.

objRecCount

Number of objects (records) in the database.

pvRecCount

Number of records in the properties‑values database.

nAceeHandles

Number of ACEE entries currently used.

nClients

Number of protected clients. (This field is reserved for future use.)

nTrusted

Number of trusted programs loaded into the cache.

nUntrusted

Number of programs marked as non‑trusted in the cache.

This function and the ‑i option of the secons utility provide the same information.

Things you should know about this function include:

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_consRunTimeStatisticsGet SEADMAPI_RTSTAT *rtsStat);    
rtsStat

A structure containing the run‑time statistics, as discussed in the description.

seadmapi_consMessageSend Function

This function submits a message to the CA ControlMinder trace.

This function and the ‑m option of the secons utility provide the same functionality.

Any process can call this function.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_consMessageSend(const char *szMessage);    
szMessage

String of the message to place in the trace log.

seadmapi_consShutdown Function

This function causes CA ControlMinder to exit and disables the three daemons that compose the CA ControlMinder basic configuration-seosd, seoswd, and seagent. (seagent is also known as the agent.) After shutting down the CA ControlMinder UNIX daemons (Windows services), the kernel extension remains loaded but is not active until seosd is executed again. This disables all protection provided by CA ControlMinder.

In UNIX, other daemons that are part of CA ControlMinder, such as serevu, selogrd, and selogrcd are not affected by this function. These processes can be killed explicitly.

The seadmapi_consShutdown function and the ‑s option of the secons utility provide the same functionality.

This function can only be called by users who have the ADMIN or OPERATOR attribute.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_consShutdown(void);

seadmapi_ReloadIni Function

This function reloads the configuration tokens of the seosd daemon. The tokens are in the seos.ini file. The daemon actually uses only part of the newly reloaded tokens.

This function can only be called by users who have the ADMIN or OPERATOR attribute.

If the function succeeds, it returns 0; if it fails, it returns an error code.

int seadmapi_ReloadIni(void);

sepass_ReplacePassword Function

The sepass_ReplacePassword function replaces the user password with a new password.

Assuming the user is defined locally, and SEPASS_API_DOMAIN_PMD is not given in the domainCode arguments, sepass_ReplacePassword replaces the user's password in the local UNIX file.

The password can be replaced according to these criteria:

userName

A NULL‑terminated string containing the name of the user whose password is to be replaced.

oldPasswd

A NULL‑terminated string containing the current (old) password of the named user or the administrator invoking the function.

newPasswd

A NULL‑terminated string containing the new (desired) password.

szPmd

A NULL‑terminated string containing the name of the Policy Model on which to change the password model (if any).

szMsg

A pointer to the buffer in which the success for failure messages will be stored.

msgLen

The size of the message buffer.

domainCodes

One of these values:

A flag indicating the detailed description that should be printed.

ignoreRules

This argument can have one of three values:

keep_grace

Reset the grace attribute for the user after passwords.

do_as_user

Change the password as if the named user is changing it, and not as an administrative change.

onlySeOS

This argument can have one of the following two values:

1 - Change password only in CA ControlMinder environment;

0 - Change password in UNIX and CA ControlMinder environments.

ChangeGrace

Set the users' grace period for login to the specified number of days.

-1 => use the default (1).

Structures and Data Types: CA ControlMinder Database Data Structures

In the database, each property has its data type. Some data types defined in the database are simple, such as strings or integer values; others are structures with several fields.

The following section describes the major data structures and data types.

Each of the data types CA ControlMinder defines and saves in the database has a symbolic constant defined using the following naming convention:

SEOSDB_PTYPE_Access_Control_data_type

For example, the type SEOS_OID has a symbolic constant of SEOSDB_PTYPE_OID.

C Data type or PTYPE
SEOSDB_PTYPE_STR

An ASCII‑Z string. Size of property determined by the maximum length of the string.

SEOSDB_PTYPE_OID

An object ID in the database.

SEOSDB_PTYPE_TIME

A date and time. (The format is time_t.)

SEOSDB_PTYPE_INT

An integer, with 1, 2, or 4 bytes. The property size determines the actual type.

SEOSDB_PTYPE_UINT

An unsigned integer, with 1, 2, or 4 bytes. The property size determines the actual type.

SEOSDB_PTYPE_UMODE

User mode, that is, whether a user is ADMIN, AUDITOR, and so on. The value is stored in an integer as a bit field.

SEOSDB_PTYPE_GCONN

The connection information of a user to group.

SEOSDB_PTYPE_ACCS

The access type allowed. The access is a 32‑bit field value.

SEOSDB_PTYPE_ACL

An ACL entry.

SEOSDB_PTYPE_PACL

A program conditional ACL entry.

SEOSDB_PTYPE_UAUDITM

The audit triggers for a user account. It is a bit field value.

SEOSDB_PTYPE_DAYTIME

A day and time restriction on access to a resource.

SEOSDB_PTYPE_TRPINFO

A trusted program information of the file characteristics.

SEOSDB_PTYPE_INETACL

An ACL entry for HOST and other internet classes.

SEOSDB_PTYPE_RAUDITM

The audit triggers for a resource. It is a 16‑bit field value.

SEOSDB_PTYPE_BOOL

An unsigned char that represents a Boolean value.

SEOSDB_PTYPE_IPMSKMTCH

A combination of a mask and match values for IP addresses.

SEOSDB_PTYPE_INSRACL

A TCP/IP services range ACL entry.

Description

The information stored in each and every data member of these structures and the values are listed in the seostypes.h file. In some of the cases, the structure is only a single value or a list of entries each of the same type. For example, an ACL is a list of 0 or more ACL entries. The list of groups a user is connected to is a list of SEOS_GCONN structures. The latter case also represents a case in which entities are pointing one to another. The user object has the list of groups to which it is connected. The group has the list of users connected to it.

Note: For a complete description of each property in every class, see the selang Reference Guide.

The following list briefly describes database structures and data types for Administration API functions:

CLIENT_ACEE

Contains the information for a given ACEE

SEADMAPI_RTSTAT

Contains the runtime statistics

SEGRACE_RES

Contains the grace login information

SEOS_ACCS

Contains a list of access flags

SEOS_ACL

Contains a list of ACLs

SEOS_CID

Contains the class identification descriptor

SEOS_GCONN

Contains a list of groups to which a user is connected and the attributes the user has, if any, with respect to each group

SEOS_OID

Contains the object identification descriptor

SEOS_PID

Contains the property identification descriptor

SEOS_X_ACL

Contains a list of ACLs with more information that SEOS_ACL

SEOS_X_GCONN

Similar to SEOS_GCONN but contains more information

SEOS_X_OID

Holds an expanded object identification descriptor

SEOS_X_PACL

Contains an expanded list of PACLs

SEOSDB_CDF

Contains the definition of a specific class in the database

SEOSDB_ENTDAT

Contains information about a property in the database

SEOSDB_ODF

Contains the definition of a specific object in the database

SEOSDB_PDF

Contains the definition of a specific property in the database

More information:

SEOS_ACCS Structure

Structure and Data Types

Log File Structures

CA ControlMinder uses a binary compressed file to store audit and error log records. The log files consist of a fixed portion and a variable‑length portion for every record. The fixed portion contains some commonly used data (like time of record submission) and the size and type of the variable‑length portion. CA ControlMinder defines several structures for different auditing records. The current version of CA ControlMinder provides the following audit records.

Data Structures

The following structures are used by both the Administration API and the LogRoute API.

SEOS_AUDITADMIN

CA ControlMinder updates and language parser interface requests

SEOS_AUDITDOWN

CA ControlMinder daemon and service shutdown events

SEOS_AUDITGENR

General resource audit events

SEOS_AUDITINWARN

CA ControlMinder TCP/IP events auditing information

SEOS_AUDITLOGIN

Login events and password events audit record

SEOS_AUDITSTART

CA ControlMinder daemon and service startup events

SEOS_AUDITUSER

Trace records for audited users

SEOS_AUDITWDWARN

Watchdog audit records for marking trusted programs as untrusted

SEOS_REQ_ERRORDESCP

CA ControlMinder error trace‑back information

All these structures are defined in the header file selogtype.h.

CLIENT_ACEE Structure

The CLIENT_ACEE structure contains information for a given ACEE. The fields are:

long hAcee

The handle of the ACEE.

long nGroups

The number of group connections.

CLIENT_ACEE_GCONN *Groups

The group connection array.

long nCategories

The number of categories.

char *pszCategories

The array of category names.

char *szSecLabel

The security label.

char *szUsername

The user's name.

SEOS_UAUDIT_MODE AuditMode

The user's audit mode.

unsigned char SecLevel

The user's security level.

char *szTerminal

The source terminal.

int count

The process count for the ACEE.

SEOS_UMODE user_mode

The user's mode.

time_t create_time

The creation time for the ACEE.

SEADMAPI_RTSTAT Structure

The SEADMAPI_RTSTAT structure contains information retrieved from the seadmapi_consRunTimeStatisticsGet function.

The fields are:

unsigned int inet_deny

The number of inet requests that were denied.

unsigned int inet_grant

The number of inet requests that were granted.

unsigned int inet_errors

The number of inet requests that contained errors.

long audit_log_q

The audit log queue size.

long error_log_q

The error log queue size.

SEOS_OID oidLast

The first free object ID in the database.

SEOS_PID pidLast

The first free property ID in the database.

SEOS_CID cidLast

The first free class ID in the database.

long classRecCount

The number of classes in the database.

long propRecCount

The number of properties in the database.

long objRecCount

The number of objects in the database.

long pvRecCount

The number of property values in the database.

long nAceeHandles

The number of ACEE handles currently in the system.

long nClients

The number of protected clients.

long nTrusted

The number of trusted programs currently in the database.

long nUnTrusted

The number of untrusted programs currently in the database.

SEGRACE_RES Structure

The SEGRACE_RES structure contains information retrieved by the seadmapi_GetGraceInfo function.

The fields are:

int step

An integer that represents the type of information contained in the structure. Values include:

SEGRACE_STEP_NONE

No data is available to display.

SEGRACE_STEP_WARN

Display a warning to the user such as the number of grace days the user has left or the number of days until the user's password expires.

SEGRACE_STEP_MUST

The user's password has expired; it must be replaced now.

char msg[ ]

The message that appears for the user.

char last_log[ ]

A message containing information regarding the user's last login.

int grace

The number of grace logins left to the user.

int days

The number of days until the user must replace the password.

char uname[ ]

The name of the user for whom the inquiry is done.

SEOS_ACL Structure

The SEOS_ACL structure describes the access permitted to the accessor.

The fields are:

SEOS_OID oidAccessor

The object ID of the accessor.

SEOS_ACCS Accs

The user's level of access to the resource.

More information:

SEOS_ACCS Structure

SEOS_GCONN Structure

The SEOS_GCONN structure contains the list of groups to which the user is connected and the special attributes, if any, that the user has with respect to those groups.

The fields are:

SEOS_OID oidGroup

The object ID of the group.

SEOS_OID oidAuthor

The owner of the connection.

SEOS_TIME tConn

The date and time the connection was established.

SEOS_UGMODE ugmUserMode

The attributes of the user in the group.

SEOS_PACL Structure

The SEOS_PACL structure contains a list of conditional access control lists.

The fields are:

SEOS_OID oidAccessor

The object ID of the accessor.

SEOS_OID oidProg

The object ID of the trusted program.

SEOS_ACCS Accs

The user's level of access to the resource.

More information:

SEOS_ACCS Structure

SEOS_REQ_ERRORDESCP Structure

The SEOS_REQ_ERRORDESCP structure contains information sent to the audit log.

The fields are:

int module

The number of the module that sent the error record.

int code

The error code.

char name[ ]

The name of the module that sent the error record.

char source[ ]

The source file of the error.

int stage

The stage in which the error was noticed.

int severity

The severity of the error.

SEOS_X_ACL Structure

The SEOS_X_ACL structure is an expanded version of the SEOS_ACL structure.

The fields are:

SEOS_OID oidAccessor

The object ID of the accessor.

SEOS_ACCS Accs

The user's level of access to the resource.

char *pAccessorCName

The class to which the accessor belongs.

char *pAccessorOName

The accessor's name.

More information:

SEOS_ACCS Structure

SEOS_X_GCONN Structure

The SEOS_X_GCONN structure is an expanded version of the SEOS_GCONN structure.

The fields are:

SEOS_OID oidGroup

The object ID of the group.

SEOS_OID oidAuthor

The owner of the connection.

SEOS_TIME tConn

The date and time the connection was established.

SEOS_UGMODE ugmUserMode

The attributes of the user in the group.

char *pGName

The group's name.

char *pAuName

The author's name.

SEOS_X_PACL Structure

The SEOS_X_PACL structure is an expanded version of the SEOS_PACL structure.

The fields are:

SEOS_OID oidAccessor

The object ID of the accessor.

SEOS_OID oidProg

The object ID of the trusted program.

SEOS_ACCS Accs

The user's level of access to the resource.

char *pAccessorCName

The class name.

char *pAccessorOName

The object name.

char *pProgName

The name of the program through which access is allowed.

More information:

SEOS_ACCS Structure

SEOSDB_CDF Structure

The SEOSDB_CDF structure contains the definition of a specific class in the database.

The fields are:

SEOS_CID sCId

The ID of the class.

char szCName[]

The name of the class.

unsigned long lCFlags

The flags of the class.

unsigned char cCRLevel

Reserved for future use.

unsigned char cCWLevel

Reserved for future use.

char reserved[]

Reserved for future use.

SEOSDB_ENTDAT Structure

The SEOSDB_ENTDAT structure contains the information returned by the seadmapi_GetEntity and seadmapi_GetExEntity functions.

The fields are:

char *szPName

The property name.

SEOS_CID sCId

The class ID of the object's class.

SEOS_PID sPId

The property ID of the object.

unsigned long int lPFlags

The property's flags.

unsigned short int sPVSize

The property's size.

unsigned char int cPType

Reserved for future use.

unsigned char cPRLevel

Reserved for future use.

unsigned char cPWLevel

Reserved for future use.

unsigned int nPVQty

The number of values in pPVList.

void **pPVList

The value list.

unsigned int nErrorCode

The error code if the function was not able to return the requested data.

SEOS_X_OID Structure

The SEOS_X_OID data type is an expanded version of the SEOS_OID data type.

The fields are:

SEOS_OID oid

The object ID of the record as an unsigned long integer.

char *pCName

The object's class.

char *pOName

The object's name.