The information in the database is organized into classes. A class's definition includes information that is common to all records, or objects, of that class. Records that belong to the same class have a similar meaning. For example, every record in the USER class represents a user; every record in the GROUP class represents a group of users; and every record in the TERMINAL class represents a terminal from which users can access the current host. Every class contains a properties definition table that includes a list of properties that you can assign to records belonging to the class.
A record is a single entity that represents an instance of its class. For example, a record in the USER class represents an individual user. Each class contains properties, or fields, that are specific to the class. Information is stored in a record by assigning values to its properties. The definition of a property includes information on the layout of the data and attributes that define how the data is stored in the database. You can assign values to every property of a record. The definition of the record's class determines which properties you can assign to the record and what values you can assign to each property.
The structure of the database is best described by an example. Consider the USER class. Every record in the USER class represents a user of the system. The properties definition table of the USER class contains a list of properties that you can assign to user records. Some of the properties in the list are FULL_NAME, ORGANIZATION, and GROUPS. You can assign values for these properties to every user represented by a record in the database. For example, the FULL_NAME property stores the user's full name; the ORGANIZATION property stores information about the organization the user belongs to; and the GROUPS property contains a list of the groups to which the user belongs. The properties of a record are similar to fields in a database record. The format of a property can vary depending on the property definition. In this example, the FULL_NAME and ORGANIZATION properties have only a single value, whereas the GROUPS property is a list that consists of a variable number of repetitive elements. A user can belong to an unlimited number of groups.
Each class in the database has a name and an ID associated with the name. The database engine uses the class ID internally to achieve better performance and smaller database file sizes. The class IDs do not have any meaning beyond their internal use and may differ between different databases. Use class names; do not use class IDs.
Each property of a class in the database has a name and an ID associated with the property name. The database engine uses the property ID internally to achieve better performance and smaller database file sizes. Note that every class has its own properties definition table; thus, a property name can appear in more than one class and the property may have different attributes in different classes. A property is identified either by its name and the name of the class in which it resides or by its unique property ID.
Every record in the database has a name and belongs to a class. Records in different classes can have the same name. Each record in the database is associated with a record ID. The record ID is a 32‑bit number that is unique to each record in the database. CA ControlMinder uses the record ID internally. When referring to a record, you can use the record name or the record ID.
Every record in the database can have values assigned to its properties. CA ControlMinder sets some properties automatically, and the user sets others explicitly. The security administrator or a delegated responsible person sets most properties by using the tools included with CA ControlMinder.
Note: For detailed information about the properties supported by each class, see the selang Reference Guide.
The database consists of the following data files:
The class description file contains the class definition table.
The objects description file contains the records definition table.
The properties description file contains the properties definition table.
The properties value file contains the values assigned to every CA ControlMinder property.
The data files also have indexing files that are not mentioned here because they are transparent to the Administration API.
The class description file stores information on all classes defined to CA ControlMinder. The information stored therein includes the name of the class, the class ID, and other flags used internally by CA ControlMinder. The class information is stored in a structure called SEOSDB_CDF.
The properties description file stores information on each property defined to CA ControlMinder. The property information includes:
Some properties are defined as single value, and others are defined as a list value. The properties description information is stored in a structure called SEOSDB_PDF.
The objects description file stores basic information on each record defined to CA ControlMinder. The following data is stored in the objects description file:
The objects description information is stored in a structure called SEOSDB_ODF.
The properties values file contains the values assigned to every property of every record defined in the database. Each entry consists of:
Information used for integrity checking is also stored in the properties values file; however, this information cannot be accessed using the Administration API.
This section describes the various types of lists that exist in the database.
Both user records and group records contain data that define the connections of users to groups.
The user record contains a list of groups to which the user belongs. The following information is stored in the user record:
The group record contains a list of users who are connected to the group. The list contains only the record IDs of the users.
When connecting a user to a group, the list of groups connected to the user, and the list of users connected to the group, must be updated. When a user is connected to a group, CA ControlMinder automatically updates both lists. If a user is subsequently deleted from the database, the user cannot be deleted from every group record containing the user's ID. Thus, some group records may contain user IDs of users who no longer exist in the database. CA ControlMinder generates new object IDs in a manner that ensures that an ID cannot be assigned to an object more than once in the lifetime of the database. The unused user IDs in the group records do not pose a security threat.
Like a user‑group connection, the connection of a resource to a resource group is stored in both the resource record and the resource group record. The resource record contains a list of record IDs that identifies the resource groups to which the resource is connected. The resource group record contains a list of resource IDs that identifies the resources that are connected to the resource group. The resource and resource group records are automatically updated whenever a resource is connected to a resource group.
The access control list (ACL) is a list of zero or more entries in a resource record. Each entry in the ACL defines the access an accessor object in the database has to the resource. Each ACL entry consists of:
This entry determines what the accessor is allowed to do to the resource represented by the resource record.
CA ControlMinder also provides program access control lists (PACLs), also known as conditional ACLs, which are similar to regular ACLs. In addition to the record ID of the accessor and the accessor's level of authority, PACL entries consist of a PROGRAM record ID.
By convention, CA ControlMinder does not assign the object ID of zero to any object. In ACLs and PACLs, an object ID of zero represents user (*)-that is, all CA ControlMinder defined users.
Note: For more information about ACLs, see the authorize command in the selang Reference Guide.
CA ControlMinder assigns an accessor environment element (ACEE) to each user when the user logs into the system. The ACEE is a data structure containing the user's credentials and definitions of various security parameters. Every process created by the login process inherits the parent process's ACEE. The ACEE is maintained even if the process substitutes user by executing the system's su utility or the sesu utility.
Each ACEE has a handle that uniquely describes the process's credentials and other information at any point in time. The ACEE and its associated handle exist until the login session that created them terminates.
The Administration API and all CA ControlMinder authorization processes use the ACEE handle to identify and describe the user making the request.
The Administration API includes functions that fetch a user's ACEE or ACEE handle. In UNIX, the information obtained by these functions can be viewed using the sewhoami utility with the appropriate options.
Note: For more information about the sewhoami utility, see the Reference Guide.
The Administration API uses a simpler security scope method than the CA ControlMinder language interpreter, so as not to adversely affect performance.
The Administration API uses the attributes set in the users' USER records, but ignores other privileges that use ownership, group attributes, and the ADMIN class. This means that users cannot perform some operations using the Administration API that they can perform by using selang, selangx, the CA ControlMinder Administrator (seadm), or Policy Manager. For example, in selang a user can display or update an object that the user owns. The Administration API, however, does not allow an owner of an object to update it unless the owner also has the ADMIN attribute.
The Administration API uses the following conventions:
To use this API, you are required to include in your source code the header files with prototypes and structure definitions. All prototypes are in the seadmapi.h file, while most of the data types are in other headers. The seostype.h header file provides structure definitions of all data stored in the database. The structure definitions of auditing and error logging records are located in the header file selogtype.h.
This section discusses the libraries that must be used with this API.
seadmapi consists of a single library file, seadmapi.a, that you should link with every compiled source file that uses this API.
CA ControlMinder includes a shared library version of this API called libseadmapi.xx, where xx is the standard operating system convention (usually so or sl) for shared library names. Before executing programs that use the shared library, such as sample_TermOwn.c, check that an environment variable points to the path of the shared library. To point an environment to the shared path, enter:
setenv LD_LIBRARY_PATH /opt/CA/AccessControl/lib
To compile and link your program with seadmapi functions, make sure you include the static library seadmapi.lib in your link path. This library is usually found in ACDir\lib (where ACDir is the directory you installed CA ControlMinder in, by default C:\Program Files\CA\Access Control).
Before executing programs that use this library, check that an environment variable points to the path of the library.
There are no special flags required to compile with seadmapi. Linking, on the other hand, may require additional settings. Unfortunately, these flags are machine and operating system dependent. Use the makefiles provided by the samples of this API, and look at those samples for up‑to‑date information.
Important! To avoid deadlocks, do not use any Administration API functions inside a seosd exit.
All functions provided by this API are thread‑safe. If a function is not thread‑safe, then the Notes section of the function specifies that fact.
Note: You must call the seadmapi_init or seadmapi_IsSeOSSyscallLoaded function before calling any other function in the seadmapi library.
The Administration API includes functions that are categorized as follows:
The following functions operate on the CA ControlMinder classes:
Retrieves a specific class from the database.
Retrieves first class from the database.
Retrieves next class from the database.
The following functions operate on properties:
Retrieves description of a specific property.
Retrieves first property description of a class.
Retrieves next property description of a class.
The following functions operate on objects:
Frees the list of objects retrieved by ObjInClassList.
Retrieves information on a specific object.
Retrieves information of the first object in a class.
Retrieves information on an object whose object ID is greater than or equal to the specified object ID.
Retrieves information on next object in a class.
Retrieves a list of objects in a specified class.
The following functions operate on values:
Gets the values for a list type property.
Gets the values for a single value property.
Free the list of values from FetchListPropVal.
Sets the value of one property value type.
The following functions perform queries:
Retrieves an entire object and its properties values, using the previously initialized entity ruler.
Retrieves an entire object and its properties values, including the object and class names, using the previously initialized entity ruler.
Retrieves grace information about the user.
Initializes an entity query buffer used for GetEntity and GetExEntity operations.
Frees memory allocated for entity style query by the InitEntityRuler function.
Frees the list of properties descriptors allocated by the MakePDFList function.
Creates a property descriptors list from a list of properties names.
Translates an object ID to object name.
The following functions operate on the log files:
Submits an ADMIN audit record.
Provides interface to submit audit record.
Submits a connect-with-service resource audit record.
Submits a note to the error log.
Submits a general‑resource audit record.
Submits a TCP/IP audit record.
Submits a login audit record.
Submits an audit record of shutdown.
Submits an audit record of startup.
Submits a user audit record.
Submits a watchdog audit record.
Submits an ADMIN notification record.
Submits a connect-with-service resource notification record.
Submits a general‑resource notification record.
Submits a TCP/IP notification record.
Submits a login notification record.
Submits a notification record of shutdown.
Submits a notification record of startup.
Submits a user notification record.
Submits a watchdog notification record.
The following functions provide console operations:
Disables all login to system.
Enables all login to system.
Gets status of global‑login control.
Sends a message to CA ControlMinder trace.
Refreshes host name to IP address resolution.
Gets runtime statistics information.
Shuts down CA ControlMinder.
Clears the trace file.
Disables CA ControlMinder trace.
Enables CA ControlMinder trace.
Returns status of CA ControlMinder trace.
Toggles CA ControlMinder trace.
Disables login for user ID.
Enables login for user ID.
Gets UID concurrent login status.
The following functions perform functions that do not fall into any of the previous categories:
Frees memory allocated by the seadmapi_GetACEE function.
Retrieves the current process user's ACEE.
Retrieves an error string from a given error code, using the CA ControlMinder message file.
Retrieves information on the user type of the current process.
Initializes the communication channel with CA ControlMinder.
Determines if CA ControlMinder system call is loaded.
Provides control over current process.
Retrieves information on current process
Retrieves attribute information about the user.
Replaces the user password with a new password.
These functions retrieve information on a class that is defined in the database.
To scan all the classes in the database, first call the seadmapi_ClassGetFirst function, and then call the seadmapi_ClassGetNext function for each subsequent class.
These functions can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
If the function succeeds, it returns zero; if it fails, it returns an error code.
int seadmapi_ClassGetEqual(const char *szClass, \
SEOS_CID cid, \
SEOSDB_CDF *p_seclass);
int seadmapi_ClassGetFirst(SEOSDB_CDF *p_seclass);
int seadmapi_ClassGetNext(SEOSDB_CDF *p_seclass);
The name of the class whose information is to be retrieved. If a class ID is specified in the cid parameter, set this parameter to NULL.
The class ID of the class whose information is to be retrieved. If a class name is specified for the szClass parameter, set this parameter to ‑1.
A pointer to the structure that is to hold the information retrieved by the function. For seadmapi_ClassGetNext, the data structure must contain the values from a previous call to the ClassGetNext function or the ClassGetFirst function.
Example
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : sample_ListClass.c
Purpose : Sample seadmapi: List class names.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <seadmapi.h>
int main (void)
{ SEOSDB_CDF cdf;
int rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get the first class from the database. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_ClassGetFirst(&cdf);
if ( rv )
{ printf("seadmapi_ClassGetFirst returned 0x%04x\n", rv );
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* If successful, continue looping for all the classes. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
while (!rv)
{ printf( "%s\n", cdf.szCName );
rv = seadmapi_ClassGetNext(&cdf);
}
return 0;
}
These functions retrieve information on one or more properties defined in the database.
To scan all the properties in a specific class, first call the seadmapi_PropGetFirstInClass function, and then call the seadmapi_PropGetNextInClass function for each subsequent property.
These functions can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions. Any process can issue a seadmapi_PropGetEqual request on any property.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_PropGetEqual(const char *szClass,
SEOSDB_CDF *p_seclass,
const char *szProp,
SEOS_PID pid,
SEOSDB_PDF *p_seprop);
int seadmapi_PropGetFirstInClass(const char *szClass,
SEOSDB_CDF *p_seclass,
SEOSDB_PDF *p_seprop);
int seadmapi_PropGetNextInClass(SEOSDB_PDF *p_seprop);
The class name. When specifying a class description instead of a class name, set this parameter to NULL.
The class description. When specifying a class name instead of a class descriptor, set this parameter to NULL. Note that when this parameter is NULL, szClass must not be NULL.
The property name. When specifying a property ID instead of a property name, set this parameter to NULL.
The property ID. When specifying a property name instead of a property ID, set this parameter to ‑1.
A pointer to the data structure that is to hold the information retrieved by the function.
Example
The following example demonstrates the use of seadmapi_PropGetFirstInClass and seadmapi_PropGetNextInClass to retrieve the values of a property in a class.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : sample_ListProp.c
Purpose : List properties of a specific class.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <seadmapi.h>
static int ErrorMessage( int rv );
int main(int argc, char *argv[])
{ SEOSDB_CDF cdf; /* Class Description */
SEOSDB_PDF prop; /* Property Description */
char Class[CNAME_SIZE+1];
unsigned props_cnt = 0;
int rv;
if ( argc < 2 )
{ fprintf(stderr, "Required parameter (class name) is
missing.\n");
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set class name by specified parameter. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
strcpy(Class, argv[1]);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Clear property descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
memset( &prop, 0, sizeof(prop) );
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check if class exists by getting the class descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_ClassGetEqual(Class, 0, &cdf);
if (rv) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set the class ID in the property descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
prop.sCId = cdf.sCId;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Loop for all the properties in the class.
*/
/* Check for rv 0 or 1 to find all */
/* the properties that are equal to or greater than */
/* the supplied property, which is 0. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_PropGetFirstInClass( NULL, &cdf, &prop );
while ( (rv == 0) || (rv == 1) )
{ if ( prop.sCId == cdf.sCId )
{ props_cnt++;
printf("%s %s\n", Class, prop.szPName);
}
rv = seadmapi_PropGetNextInClass( &prop );
}
if ( props_cnt == 0 )
printf("Class %s, does not contain this property.\n",
Class);
return 0;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display error message. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )
{
char msg_buff[1024];
seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);
fprintf(stderr, "%s.\n", msg_buff);
return rv;
}
These functions retrieve information on an object (record) in the database.
To scan all the objects in a class sequentially, first call seadmapi_ObjGetFirstInClass and then seadmapi_ObjGetNextInClass for each subsequent object.
These functions can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
The seadmapi_ObjGetGreaterEqual function returns one of the following values:
The function retrieved information on the object whose object ID is equal to the object ID of the specified object.
The function retrieved information on the object whose object ID is greater than the object ID of the specified object.
The function failed.
The remaining functions return 0 on success and an error code on failure.
int seadmapi_ObjGetEqual(const char *szClass,
SEOSDB_CDF *p_seclass,
const char *szObj,
SEOS_OID
oid,
SEOSDB_ODF *p_seobj);
int seadmapi_ObjGetFirstInClass(const char *szClass,
SEOSDB_CDF *p_seclass,
SEOSDB_ODF *p_seobj);
int seadmapi_ObjGetNextInClass(SEOSDB_ODF *p_seobj);
int seadmapi_ObjGetGreaterEqual(const char *szClass,
SEOSDB_CDF *p_seclass,
const char *szObj,
SEOS_OID oid,
EOSDB_ODF *p_seobj);
The name of the class to which the object belongs. If the class is specified using the p_seclass parameter, set this parameter to NULL.
A pointer to a structure containing the class descriptor. If the szClass parameter is specified, set this parameter to NULL.
The name of the object whose value is to be fetched. If an object ID is specified instead of an object name, set this parameter to NULL.
The object ID of the object whose information is to be retrieved. When specifying an object name instead of an object ID, set this parameter to ‑2.
A pointer to the structure that is to hold the information retrieved by the function.
Example
The following example demonstrates the use of seadmi_ObjGetFirstInClass and seadmi_ObjGetNextInClass to retrieve all the objects in a specific class.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : sample_ListObjs.c
Purpose : Display the objects in a class.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <seadmapi.h>
static int ErrorMessage( int rv );
int main(int argc, char *argv[])
{ SEOSDB_ODF odf; /* Current ODF in loop */
SEOSDB_CDF cdf; /* Class Description */
char Class[CNAME_SIZE+1];
unsigned ents = 0;
int rv;
if ( argc < 2 )
{ fprintf(stderr, "Required parameter missing.\n");
fprintf(stderr, "Usage: '%s CLASS_NAME'\n", argv[0]);
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set class name by specified parameter. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
strcpy(Class, argv[1]);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Clear object descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
memset( &odf, 0, sizeof(odf) );
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check if class exists by getting the class descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_ClassGetEqual(Class, 0, &cdf);
if (rv) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set the class ID in the object descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
odf.sCId = cdf.sCId;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Loop for all the objects in the class. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_ObjGetFirstInClass( NULL, &cdf, &odf );
while ( (rv == 0) || (rv == 1) )
{ if ( odf.sCId == cdf.sCId )
{ ents++;
printf("%s %s\n", Class, odf.szOName);
}
rv = seadmapi_ObjGetNextInClass( &odf );
}
if ( ents > 0 )
printf("Total of %d objects found in Class=%s\n", ents,
Class);
else
printf("Class %s, does not have any object.\n", Class);
return 0;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display error message from security daemon. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )
{ char msg_buff[1024];
seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);
fprintf(stderr, "%s.\n", msg_buff);
return rv;
}
The seadmapi_ObjInClassList function retrieves a list of objects in a specified class.
The field SEADMAPI_MAXOBJSLIST specifies the limit on the number of entries that can be retrieved in a single call.
After calling this function, you should call the seadmapi_FreeObjList function to free the memory allocated for the query. Use the ptr argument returned from this function.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_ObjInClassList (SEOSDB_CDF *pcdf,
char *start,
void **ptr,
char **names,
int *count);
A pointer to the class description.
A string representing the object name that should start the list.
A pointer to a "void *" that is used to free memory allocated for the list query.
A pointer to a vector of char pointers. Each element points to an object name.
On entry, the size of the names vector. On return, the number of entries in the vector.
The seadmapi_FreeObjList function frees the memory allocated by the seadmapi_ObjInClassList function.
The function assigns NULL to *ptr.
There is no return value.
int seadmapi_FreeObjList (void **ptr);
The pointer as obtained by the most recent call to the seadmapi_ObjInClassList function.
The seadmapi_FetchListPropVal function retrieves the values of a property that contains a list. The function cannot retrieve the value of a single‑value property; use the seadmapi_FetchSinglePropVal function instead.
The function allocates a vector of void pointers, each pointing to an allocated buffer that holds a single element in the list. The caller has to define a variable of type void ** or any other type that is a pointer to a pointer (that is, int **). The caller sends a pointer to this variable, as shown in the following example.
{ int **list;
unsigned int psize, count;
int rc;
...
rc = seadmapi_FetchListPropVal(..,
(void ***)&list, &psize, &count);
Memory layout after call:
|
Argument |
Description |
|
[elem0] |
1st data element |
|
[elem1] |
2nd data element |
|
[elemN] |
N+1 data element |
where elemN is stored in the variable count.
All data fetched by this function is allocated and must be freed. To free the data, call the seadmapi_FreeListPropVal function.
The function can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use this function.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_FetchListPropVal(const char *szClass,
SEOSDB_CDF *p_seclass,
const char *szObj,
SEOSDB_ODF *p_seobj,
const char *szProp,
SEOSDB_PDF *p_seprop,
void ***val,
unsigned int *psize,
unsigned int *count);
The name of the class to which the object belongs. If the class is identified by the p_seclass parameter, set this parameter to NULL.
A pointer to a structure containing the class description. If the class is identified by the szClass parameter, set this parameter to NULL.
The name of the record whose property value is to be fetched. If the object is identified by the p_seobj parameter, set this parameter to NULL.
A pointer to the structure containing the object description. If the object is identified by the szObj parameter, set this parameter to NULL.
The name of the property whose value is to be fetched. If the property is identified by the p_seprop parameter, set this parameter to NULL.
A pointer to the structure containing the property description. If the property is identified by the szProp parameter, set this parameter to NULL.
A pointer to a pointer to a pointer of the type of value fetched. For more information, see the description following this list.
The size of the fetched value.
The number of elements in the allocated vector.
Example
The following example demonstrates using the seadmapi_FetchListPropVal function to retrieve the values of a property that contains a list. This example also demonstrates the use of the seadmapi_gconn structure to display all the groups to which a user is linked.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : sample_FetchList.c
Purpose : Sample for seadmapi, Display a property that
contains a list. Display list of groups user is
connected to.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <stdio.h>
#include <string.h>
#include <seadmapi.h>
static int ErrorMessage( int rv );
int main(int argc, char *argv[])
{ SEOSDB_ODF odf;
SEOS_GCONN **list;
char Object[ONAME_SIZE+1];
unsigned int elem_size;
unsigned int list_cnt;
int rv;
int cnt;
if ( argc < 2 )
{ fprintf(stderr, "Required parameter (User Name)
missing.\n");
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set object name by specified parameter. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
strcpy(Object, argv[1]);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Get the list for class=USER, property=GROUPS, */
/* object=Specified_Parm */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
rv = seadmapi_FetchListPropVal("USER", NULL,
Object, NULL,
"GROUPS", NULL,
(void ***)&list,
&elem_size, &list_cnt);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Exit with error message in case we fail to get the list. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( rv != 0 ) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display all groups from the list in a loop. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
for(cnt=0; cnt<list_cnt; cnt++)
{ rv = seadmapi_ObjGetEqual("GROUP", NULL, NULL,
list[cnt]‑>oidGroup, &odf);
if ( rv == 0 )
{ printf("Group Name: %‑10s (id=%6ld)", odf.szOName,
list[cnt]‑>oidGroup);
if ( list[cnt]‑>ugmUserMode
{ printf(", Group");
if ( list[cnt]‑>ugmUserMode & SEOS_UGMODE_AUDITOR )
printf(" auditor");
if ( list[cnt]‑>ugmUserMode & SEOS_UGMODE_PWMANAGER )
printf(" pwmanager");
if ( list[cnt]‑>ugmUserMode & SEOS_UGMODE_ADMIN )
printf(" administrator");
}
else
printf(", Regular");
printf(".\n");
}
else
printf("Group id: %ld, no longer exits in database.\n",
list[cnt]‑>oidGroup);
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Free the list. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
seadmapi_FreeListPropVal((void ***)&list, &list_cnt);
return 0;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display an error message from the security daemon. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )
{ char msg_buff[1024];
seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);
fprintf(stderr, "%s.\n", msg_buff);
return rv;
}
The seadmapi_FetchSinglePropVal function retrieves the value of a property that contains a single value. The function cannot be used to retrieve lists; for properties that contain lists, use the function seadmapi_FetchListPropVal. To store the property's data, the calling program must allocate the space in memory pointed to by the val variable. To determine the size required, use the property descriptor sPVSize member or some other means.
The seadmapi_FetchSinglePropVal function can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are allowed to use this function.
This function can be used by any user who wants to view private data. The values are set to those of the user's own record.
This function can be used by any user to retrieve values for records of the SUDO class or the SEOS class.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_FetchSinglePropVal(const char *szClass,
SEOSDB_CDF *p_seclass,
const char *szObj,
SEOSDB_ODF *p_seobj,
const char *szProp,
SEOSDB_PDF *p_seprop,
void *val,
int *size);
The name of the class to which the object belongs. If the class is identified by the p_seclass parameter, set this parameter to NULL.
A pointer to a structure containing the class description. If the class is identified by the szClass parameter, set this parameter to NULL.
The name of the record whose property value is to be fetched. If the record is identified by the p_seobj parameter, set this parameter to NULL.
A pointer to the structure containing the object description. If the object is identified by the szObj parameter, set this variable to NULL.
The name of the property that is to be fetched. If the property is identified by the p_seprop parameter, set this variable to NULL.
A pointer to the structure containing the property description. If the property is identified by the sz_Prop parameter, set this variable to NULL.
A pointer to a location in memory where the result is to be stored.
On entry, this value is the size of the memory area pointed to by the parameter val. On return, this value is the size of the data stored in the memory area.
UNIX Example
In UNIX, the following example demonstrates the use of seadmapi_FetchSinglePropVal to retrieve the value of a single property.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : sample_FetchSingle.c
Purpose : Sample for seadmapi, List the value for a given
property in a specific object in a specific class
in a UNIX system.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <seadmapi.h>
static int ErrorMessage( int rv );
int main(int argc, char *argv[])
{ SEOSDB_PDF prop; /* Property Description */
char Class[CNAME_SIZE+1];
char Object[ONAME_SIZE+1];
char Property[PNAME_SIZE+1];
char *prop_val;
int data_size;
int rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check if SeOS_syscall is loaded. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_IsSeOSSyscallLoaded();
if ( rv != 0 )
{ fprintf(stderr, "Database server is not running.\n");
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check if the user supplied all required parameters. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( argc < 4 )
{ fprintf(stderr, "Required parameter(s) missing.\n");
fprintf(stderr, "Usage: '%s CLASS_NAME PROPERTY_NAME
OBJECT_NAME'\n", argv[0]);
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set the class, property, and object fields. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
strcpy(Class, argv[1]);
strcpy(Property, argv[2]);
strcpy(Object, argv[3]);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Clear the property and object fields. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
memset( &prop, 0, sizeof(prop) );
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get the property descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_PropGetEqual( Class, NULL, Property, 0, &prop );
if (rv) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check for string type. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( prop.cPType != SEOSDB_PTYPE_STR )
{ fprintf(stderr, "This sample can display only character
values.\n");
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Allocate memory for the value's data according to the */
/* property size */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
prop_val = (char *)malloc( (size_t)prop.sPVSize );
if ( prop_val == NULL )
{ fprintf(stderr, "Failed to allocate required memory for
property value.\n");
return 1;
}
data_size = prop.sPVSize;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get the requested property value. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_FetchSinglePropVal(Class, NULL,
Object, NULL,
NULL, &prop,
prop_val, &data_size);
if (rv)
{ free(prop_val);
return ErrorMessage(rv);
}
printf("%s\n", prop_val);
free(prop_val);
return 0;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display error message from security daemon. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )
{ char msg_buff[1024];
seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);
fprintf(stderr, "%s.\n", msg_buff);
return rv;
}
Windows Example
In Windows, the following example demonstrates the use of seadmapi_FetchSinglePropVal to retrieve the value of a single property.
/*=========================================================
Project : eTrust
Module : eTrust Version: 4.10
File : sample_FetchSingle.c
Purpose : Sample for seadmapi, List the value for a given
property in a specific object in a specific class.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <seadmapi.h>
static int ErrorMessage( int rv );
int main(int argc, char *argv[])
{ SEOSDB_PDF prop; /* Property Description */
char Class[CNAME_SIZE+1];
char Object[ONAME_SIZE+1];
char Property[PNAME_SIZE+1];
char *prop_val;
int data_size;
int rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check if the user supplied all required parameters. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( argc < 4 )
{ fprintf(stderr, "Required parameter(s) missing.\n");
fprintf(stderr, "Usage: '%s CLASS_NAME PROPERTY_NAME
OBJECT_NAME'\n", argv[0]);
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set the class, property, and object fields. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
strcpy(Class, argv[1]);
strcpy(Property, argv[2]);
strcpy(Object, argv[3]);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Clear the property and object fields. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
memset( &prop, 0, sizeof(prop) );
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get the property descriptor. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_PropGetEqual( Class, NULL, Property, 0, &prop );
if (rv) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check for string type. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( prop.cPType != SEOSDB_PTYPE_STR )
{ fprintf(stderr, "This sample can display only character
values.\n");
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Allocate memory for the value's data according to the */
/* property size */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
prop_val = (char *)malloc( (size_t)prop.sPVSize );
if ( prop_val == NULL )
{ fprintf(stderr, "Failed to allocate required memory for
property value.\n");
return 1;
}
data_size = prop.sPVSize;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get the requested property value. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_FetchSinglePropVal(Class, NULL,
Object, NULL,
NULL, &prop,
prop_val, &data_size);
if (rv)
{ free(prop_val);
return ErrorMessage(rv);
}
printf("%s\n", prop_val);
free(prop_val);
return 0;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display error message from security daemon. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
static int ErrorMessage( int rv )
{ char msg_buff[1024];
seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);
fprintf(stderr, "%s.\n", msg_buff);
return rv;
}
The seadmapi_FreeListPropVal function must be used after fetching the list values using the seadmapi_FetchListPropVal function to free the memory allocated for the values. The parameters supplied to this function must be the same as those supplied to the seadmapi_FetchListPropVal function.
Any process can call this function.
There is no return value.
void seadmapi_FreeListPropVal(void ***list, unsigned int *count);
A pointer to the vector allocated by the seadmapi_FetchListPropVal function.
A pointer to the number of elements in the allocated vector.
The seadmapi_SetSinglePropVal function sets the value of a single‑value property. The function is used by the Watchdog and the agent. To prevent damage to the database, no other process is permitted to use this function.
The seadmapi_SetSinglePropVal function can be used only by the Watchdog and the agent.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_SetSinglePropVal(const char *szClass, const char *szObj, const char *szProp, void *val, int size);
The name of the class to which the record belongs.
The name of the record whose property is to be set.
The name of the property whose value is to be set.
The value to be assigned to the property.
The size, in bytes, of the value.
The seadmapi_MakePDFList function retrieves the entire list of properties of a given class. The function allocates memory for the properties vector.
After using the seadmapi_MakePDFList function, free the allocated memory using the seadmapi_KillPDFList function.
These functions can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
If the seadmapi_MakePDFList function succeeds, it returns 0; if it fails, it returns an error code.
void seadmapi_KillPDFList(SEOSDB_PDF **ppPdf, unsigned int nCount); int seadmapi_MakePDFList(const char *szClass, SEOSDB_PDF **ppPdf, unsigned int *nCount);
The class name.
A pointer to the SEOSDB_PDF pointer that points to the allocated region of memory that holds the properties vector.
The number of properties in the vector.
The seadmapi_GetEntity and seadmapi_GetExEntity functions retrieve into the ObjPVs vector all the values for the properties of a database object.
These functions are used by CA ControlMinder utilities and provide a convenient method to fetch the information from the database. To use these functions, first call the seadmapi_InitEntityRuler function to initialize the list of properties that are of interest to the caller. Next, call the seadmapi_GetEntity or seadmapi_GetExEntity function to fetch the information on a single object.
Note: For more information about the rdbdump utility, see the Reference Guide.
When you use the seadmapi_GetEntity function, the vector receives all the information about the property (the property description) and the property values. All properties are retrieved and stored as if they were list property values. Single‑value properties are also stored as lists, with one entry.
When you use the seadmapi_GetExEntity function, the vector receives the same information, except that all property values that contain IDs of other objects are expanded. For example, instead of receiving an owner's ID, the function retrieves the expanded OID that contains the ID and the owner's class and name.
After using the information, call the seadmapi_KillEntityMem or seadmapi_KillExEntityMem function to free all memory required for the operation.
A user can initialize the ObjPVs vector from a previous call to the seadmapi_MakePDFList function. The vector pointed to by the ObjPVs parameter should contain the last element with the property name set to NULL. The functions use this method to determine the size of the vector.
The SEOSDB_ENTDAT, SEOS_X_OID, SEOS_X_GCONN, SEOS_X_ACL, and SEOS_X_PACL structures are defined in the seostypes.h header file.
After each call to seadmapi_GetEntity or seadmapi_GetExEntity, make sure you call seadmapi_KillEntityMem or seadmapi_KillExEntityMem, respectively, to free the memory allocated by the seadmapi_GetEntity or seadmapi_GetExEntity function.
These functions can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_GetEntity(const char *szCName,
const char *szOName,
SEOSDB_ODF *podf,
SEOSDB_ENTDAT *ObjPVs);
int seadmapi_GetExEntity(const char *szCName,
const char *szOName,
SEOSDB_ODF *podf,
SEOSDB_ENTDAT *ObjPVs);
int seadmapi_InitEntityRuler(const char *szCName, SEOSDB_ENTDAT *ObjPvs);
void seadmapi_KillEntityMem(SEOSDB_ENTDAT *ObjPVs);
void seadmapi_KillExEntityMem(SEOSDB_ENTDAT *ObjPVs);
The class name.
The object name.
A pointer to a memory area to be filled with the object description.
A pointer to a vector with both property description and value list.
Example
The following example demonstrates the use of the seadmapi_InitEntityRuler and seadmapi_GetExEntity functions.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : sample_TermOwn.c
Purpose : Display terminal's owner.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑
When working in UNIX, remember to point an environment
variable to the shared library path by entering the command
setenv LD_LIBRARY_PATH/opt/CA/eTrustAccessControl/lib/
‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <memory.h>
#include <seadmapi.h>
static int ErrorMessage( int rv );
int main(int argc, char *argv[])
{ SEOSDB_ODF odf; /* Object definition */
SEOSDB_ENTDAT entdat[2]; /* Entity data */
SEOS_X_OID *owner;
int rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Check if user specified the terminal name.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( argc == 1 )
{ printf("Usage: '%s terminal_name'\n", argv[0]);
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Initialize entity data.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
memset(entdat, 0, sizeof(entdat));
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Set the ruler for the database request.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
entdat[0].szPName = "OWNER"; /* Owner */
entdat[1].szPName = NULL; /* Null terminator */
rv = seadmapi_InitEntityRuler("TERMINAL", entdat);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Exit with error message in case we fail to set the ruler.*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( rv != 0 ) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get all data.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_GetExEntity("TERMINAL", /* Class name */
argv[1], /* Terminal name */
&odf, /* Object definition */
entdat); /* Entity data */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Exit with error message in case we fail to get the data */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( rv != 0 ) return ErrorMessage(rv);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display OWNER information.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( entdat[0].nPVQty != 0 )
{ owner = (SEOS_X_OID *)entdat[0].pPVList[0];
if ( owner‑>pCName != NULL )
printf("OWNER = %s %s, id=%d\n", owner‑>pCName,
owner‑>pOName, owner‑>oid);
else
printf("OWNER = (id=%d)\n", entdat[0].pPVList);
}
else
printf("OWNER = \n");
return 0;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display error message. */
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
static int ErrorMessage( int rv )
{ char msg_buff[1024];
seadmapi_GetMessage(rv, sizeof(msg_buff), msg_buff);
fprintf(stderr, "%s.\n", msg_buff);
return rv;
}
This function retrieves information regarding a user's password, date of last login, and the number of grace logins that the user still has.
The function can be called by processes executed by users who have the ADMIN attribute.
All users can execute this function for themselves.
int seadmapi_GetGraceInfo(SEGRACE_RES *p_sgr);
A pointer to the structure that contains the information regarding user logins and grace days.
UNIX Example
The following example demonstrates the use of the seadmapi_GetGraceInfo function in a UNIX system.
/*=========================================================
Project : eTrust
Module : eTrust Version: 4.10
File : sample_grace.c
Purpose : Sample for seadmapi: Display information from the
Access Control database about the user's grace
logins.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <seadmapi.h>
int main(void)
{ SEGRACE_RES sgr; /*Grace information structure */
int rv; /*Return value */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Quit if the kernel extension is not running. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
rv = seossfr_IsSeOSSyscallLoaded();
if ( rv )
{ fprintf(stderr, "The kernel extension is not loaded.\n");
return rv;
}
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Quit if the security daemon is not running. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
rv = seadmapi_IsServerRunning();
if ( rv )
{fprintf(stderr, "Security daemon is not running.\n");
return rv;
}
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Set username to '0' to get current user's */
/* grace information */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
sgr.uname[0] = 0;
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Get grace information from the database. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
rv = seadmapi_GetGraceInfo(&sgr);
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* If rv is not zero, display an error message and quit. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
if ( rv )
{ if ( sgr.step )
{ if (sgr.msg[0] != 0 )
fprintf(stderr, "%s\n", sgr.msg);
return 1;
}
}
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Display the number of grace logins. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
printf("User %s has %d grace logins.\n", sgr.uname, sgr.grace);
return 0;
}
Windows Example
The following example demonstrates the use of the seadmapi_GetGraceInfo function in the Windows environment.
/*=========================================================
Project : eTrust
Module : eTrust Version: 4.10
File : sample_grace.c
Purpose : Sample for seadmapi: Display information from the
Access Control database about the user's grace
logins.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <seadmapi.h>
int main(void)
{ SEGRACE_RES sgr; /*Grace information structure */
int rv; /*Return value */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Quit if the kernel extension is not running */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
rv = seossfr_IsSeOSSyscallLoaded();
if ( rv )
{ fprintf(stderr, "The kernel extension is not loaded.\n");
return rv;
}
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Set username to '0' to get current user's grace information*/
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
sgr.uname[0] = 0;
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Get grace information from the database. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
rv = seadmapi_GetGraceInfo(&sgr);
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* If rv is not zero, display an error message and quit. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
if ( rv )
{ if ( sgr.step )
{ if (sgr.msg[0] != 0 )
fprintf(stderr, "%s\n", sgr.msg);
return 1;
}
}
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
/* Display the number of grace logins. */
/*‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑*/
printf("User %s has %d grace logins.\n", sgr.uname, sgr.grace);
return 0;
}
This function provides a convenient way of translating an object ID to a string containing the object name. If the object does not exist in the database-for instance, if the object has been deleted-the string returned by this function is NULL.
The pointer returned by this function is a pointer to a static area, overwritten by each subsequent call. This makes the function unsafe when using multi‑threads.
The function can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
If the function succeeds, it returns the name of an object; if it fails, it returns NULL.
char *seadmapi_OidToName(SEOS_OID oid);
The object ID of the record.
This function provides information about the current process to the Engine. The information returned by the function may be used to fetch other information from the database or from the Authorization Engine.
Things you should know about this function include:
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_WhoAmI(uid_t *uid, int *handle, char *szUName, SEOS_UMODE *objtype);
The UID associated with the current process. In UNIX, this is equivalent to and safer than using the getlogin UNIX function.
The ACEE handle associated with the current process. See the Notes in this section.
The user name associated with the current process.
The user type as saved in the database. This specifies the attributes assigned to the user.
Example
The following example demonstrates the use of the seadmapi_WhoAmI function.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
Purpose : Display information about the user from the
Access Control database.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <ctype.h>
#include <stdio.h>
#include <sys/types.h>
#include <seadmapi.h>
int main(void)
{ SEOS_UMODE objtype; /* Object type */
uid_t
uID; /* User ID */
char uName[256]; /* User name */
int handle;
/* Handle */
int regular = 1; /* Mode flag */
int rv;
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Get user information from the database.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
rv = seadmapi_WhoAmI(&uID, &handle, uName, &objtype);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* If failed, display message and quit.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
if ( (rv != 0) || (uName[0] == '?') )
{ fprintf(stderr, "Can't find current user name.\n",
uName, rv);
return 1;
}
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display the user information:
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
printf("User Name : %s\n", uName);
printf("User ID : %ld\n", uID);
printf("User Handle : %ld\n", handle);
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
/* Display user authorization attributes by using the
*/
/* SEOS_UMODE_is macro.
*/
/* ‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑ */
printf("User Mode :");
if ( SEOS_UMODE_is_auditor(objtype) )
{ printf(" AUDITOR");
regular = 0;
}
if ( SEOS_UMODE_is_operator(objtype) )
{ printf(" OPERATOR");
regular = 0;
}
if ( SEOS_UMODE_is_admin(objtype) )
{ printf(" ADMIN");
regular = 0;
}
if ( SEOS_UMODE_is_pwmanager(objtype) )
{ printf(" PWMANAGER");
regular = 0;
}
if ( regular )
printf(" REGULAR\n");
else
printf("\n");
return 0;
}
The seadmapi_WhoIs function supplies information about the specified user. The function gets the user type-attribute-from the database. The memory area pointed to by the szUName parameter must be large enough to accommodate 255 characters.
The seadmapi.h header file contains several macros that operate on the objtype variable data to determine whether a user has a specific attribute. These macros have the common notation of SEOS_UMODE_is_attribute. Any process in the system can all this function.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_WhoIs(char *szUName, SEOS_UMODE *objtype);
The user name associated with the current process.
The user type as saved in the database. This specifies the attributes assigned to the user.
When given a handle, seadmapi_GetACEE retrieves the relevant ACEE information. The function is also capable of scanning all ACEEs currently allocated for users in CA ControlMinder. The information is loaded into a memory area allocated by the function itself. The information filled in the CLIENT_ACEE structure contains all the credentials for a given ACEE.
Things you should know about this function include:
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_GetACEE(int hAcee, CLIENT_ACEE **ppAcee); void seadmapi_FreeAceeMemory(CLIENT_ACEE **ppAcee);
A pointer to a pointer that is assigned to point to the memory area allocated by seadmapi_GetACEE. The function seadmapi_FreeAceeMemory receives this same address to free the allocated memory.
This function retrieves an error description from the message file and places it in the buffer pointed to by the buff parameter.
Every process in the system can use this function.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_GetMessage(int err_code, int size, char *buff);
The error code as returned by one of the CA ControlMinder functions.
The size of the buffer in bytes. Normally a 2 KB buffer is sufficient.
A pointer to a buffer that contains the text describing the error.
This function retrieves the object type stored in the current process's ACEE. This information can be used with several macros to determine whether the current process belongs to a user with one of the special attributes that can be assigned to a user-ADMIN, AUDITOR, PWMANAGER, and so forth.
The seadmapi.h header file contains several macros that operate on this variable data to determine whether a user has a specific attribute. These macros have the common notation of SEOS_UMODE_is_attribute.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_GetObjType(SEOS_UMODE *objtype);
A pointer to a SEOS_UMODE type variable that is filled from the current process's ACEE.
Example
The following example shows how to use the seadmapi_GetObjType.
/*=========================================================
Project : eTrust
Module : eTrust Version: 8.0
File : mymode.c
Purpose : Sample for seadmapi_GetObjType
Display user's mode:
REGULAR AUDITOR ADMIN OPERATOR SERVER or PWMANAGER.
===========================================================
Copyright :
Copyright 2004 Computer Associates International, Inc.
===========================================================*/
#include <stdio.h>
#include <seostype.h>
#include <seadmapi.h>
int main(void)
{ int rv;
SEOS_UMODE umode;
if ( (rv = seadmapi_GetObjType(&umode)) == 0)
{
printf("My mode is 0x%x : ", umode);
if ( umode != 0 )
{
if ( umode & SEOS_UMODE_AUDITOR )
printf("Auditor ");
if ( umode & SEOS_UMODE_OPERATOR )
printf("Operator ");
if ( umode & SEOS_UMODE_ADMIN )
printf("Admin ");
if ( umode & SEOS_UMODE_SERVER )
printf("Server ");
if ( umode & SEOS_UMODE_PWMANAGER )
printf("PwManager ");
}
else
printf("Regular ");
printf("\n");
return 0;
}
fprintf(stderr, "Error 0x%X for seadmapi_GetObjType.\n", rv);
return 1;
}
This function initializes the communication channel with CA ControlMinder.
Every process in the system can use this function. The function is not used in the Windows environment.
You must call the seadmapi_init or seadmapi_IsSeOSSyscallLoaded function before calling any other function in the seadmapi library. However, if you use both functions, seadmapi_init must precede seadmapi_IsSeOSSyscallLoaded.
This function returns 0 if initialization is successful or an error code on failure. It verifies the exact CA ControlMinder system call loaded on the computer.
int seadmapi_init(void)
This function checks whether the CA ControlMinder system call is loaded. For Solaris, HP-UX, and Linux systems, it resolves the dynamic CA ControlMinder system call number.
This function can be used by every process in the system. It is not used in the Windows environment.
For all UNIX systems except AIX, if the function succeeds, it returns 0; if it fails, it returns an error code.
On AIX systems, the function always returns 0 because the AIX system loader cannot load any process that requires the CA ControlMinder system call to be loaded unless the system call actually is loaded.
int seadmapi_IsSeOSSyscallLoaded(void)
Note: You must call the seadmapi_init or seadmapi_IsSeOSSyscallLoaded function before calling any other function in the seadmapi library.
The seadmapi_SendAuditRecord function sends any type of audit information to the audit log. This function is used internally by other functions provided with this API to submit specific types of audit log records to the log file. We recommend that you use the specific functions for each audit record type rather than using this function, although in several cases, the use of this one may be easier.
Things you should know about this function include:
The Watchdog and the agent are also allowed to use these functions.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_SendAuditRecord(int type, int result, void *data);
The type of the audit record. For a list of valid values, see the selogtype.h header file.
One of the valid result codes supported by CA ControlMinder. For valid values, see the selogtype.h header file.
A pointer to the audit record data. This pointer must point to valid data according to the type of record being submitted.
These functions send audit records to the audit log. The functions use the seadmapi_SendAuditRecord function. We recommend that you use these functions rather than directly calling the seadmapi_SendAuditRecord function.
Following are the seadmapi_SendAudit functions:
Sends audit records to the audit log in the format of administrative records.
Sends audit records to the audit log in the format of connect-with-service records.
Sends audit records to the audit log in the format of general resource records.
Sends audit records to the audit log in the format of TCP/IP records.
Sends audit records to the audit log in the format of login event records.
Sends audit records to the audit log in the format of shutdown records.
Sends audit records to the audit log in the format of startup records.
Valid on UNIX only
Sends audit records to the audit log in the format of user records.
Sends audit records to the audit log in the format of Watchdog records.
CA ControlMinder uses a compression algorithm on the auditing information. Therefore, you should initialize the structure with 0s before filling in the information. The structure can be initialized by calling the memset function provided by the standard C library of every system.
The function can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
If the function succeeds, it returns 0; if it fails, it returns an error code.
A pointer to the structure containing event‑specific data.
One of the valid result codes supported by CA ControlMinder. For a list of valid result codes, see the selogtype.h header file.
These functions send notification records to the audit log. The functions use the seadmapi_SendAuditRecord function. We recommend that you use these functions rather than directly calling the seadmapi_SendAuditRecord function. Notification records are generated for resources that have an associated user to notify for the event (NOTIFY property).
Following are the seadmapi_SendNotificationAudit functions:
Sends notification records to the audit log in the format of administrative records.
Sends notification records to the audit log in the format of connect-with-service records.
Sends notification records to the audit log in the format of general resource records.
Sends notification records to the audit log in the format of TCP/IP records.
Sends notification records to the audit log in the format of login event records.
Sends notification records to the audit log in the format of shutdown records.
Sends notification records to the audit log in the format of startup records.
Valid on UNIX only
Sends notification records to the audit log in the format of user records.
Sends notification records to the audit log in the format of Watchdog records.
CA ControlMinder uses a compression algorithm on the auditing information. Therefore, you should initialize the structure with 0s before filling in the information. The structure can be initialized by calling the memset function provided by the standard C library of every system.
The function can be called by processes executed by users who have any of the following attributes:
The Watchdog and the agent are also allowed to use these functions.
If the function succeeds, it returns 0; if it fails, it returns an error code.
A pointer to the structure containing event‑specific data.
One of the valid result codes supported by CA ControlMinder. For a list of valid result codes, see the selogtype.h header file.
This function is used by the Watchdog and the agent to place a trace‑back to note a possible error or malfunction. The error description is common for all error records in the error log file.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_SendErrorLog(SEOS_REQ_ERRORDESCP *rec);
A pointer to the structure containing a description of the error and the trace‑back data.
This function is used by a process to control its auditing level and security. Any process can call this function to turn on auditing for all operations or to delete the credentials associated with the process. Using the flags parameter, a process can control these values. The flags parameter can contain any of the values described in the following table or a bit‑wise OR value of them.
The following flags are currently supported:
A request by a process to remove its ACEE and use the credentials of a user who is not defined to CA ControlMinder. The new NULL credentials are assigned to the process and any child processes.
A request to audit every request made by the process and its child processes.
The senone utility uses this function; every process in the system can call it.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_ProcessControl(unsigned long flags);
One or more bit‑wise values.
These functions control the trace logging. The trace function is used to help diagnose problems and to help understand how CA ControlMinder behaves.
All functions return the trace status after the call. A value of 1 means the trace is enabled, while 0 means the trace is disabled. If the CurrStatus parameter specified to any of these functions is NULL, the function does not fill in current status of the trace.
These functions and the ‑t option of the secons utility provide the same functionality.
Things you should know about this function include:
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_consTraceClear(int *CurrStatus); int seadmapi_consTraceDisable(int *CurrStatus); int seadmapi_consTraceEnable(int *CurrStatus); int seadmapi_consTraceGetStatus(int *CurrStatus); int seadmapi_consTraceToggle(int *CurrStatus);
Status of the trace after the call.
These functions operate on a user's concurrent login setting. The functions do the following:
The user is identified by the uid parameter.
These functions and the ‑d and ‑u options of the secons utility provide the same functionality.
The seadmapi_consUidLoginDisable function disables concurrent logins for the specified user ID. The seadmapi_consUidLoginEnable function reenables concurrent logins for the specified user ID.
The seadmapi_consUidLoginGetStatus function retrieves the status of the user's concurrent logins setting as provided by the authorization daemon.
Things you should know about this function include:
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_consUidLoginDisable(int uid); int seadmapi_consUidLoginEnable(int uid); int seadmapi_consUidLoginGetStatus(int uid, nt *CurrStatus);
The user ID on which the function is to operate.
The current status of the user's concurrent logins setting.
These functions control users' ability to log into the system. If login is disabled, no user is permitted to log into the system while CA ControlMinder is running.
These functions and secons ‑L option provide the same functionality.
Things you should know about this function include:
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_consAllLoginDisable(void); int seadmapi_consAllLoginEnable(void); int seadmapi_consAllLoginGetStatus(int *CurrStatus);
The current status of the system‑wide disable login flag.
This function refreshes the host name to IP address resolution at the kernel run time tables.
If the function succeeds, it returns 0; if it fails, it returns an error code.
Note: This function can only be called by users who have the ADMIN attribute.
int seadmapi_ReloadIni(unsigned int* puiNumberOfRefreshedResources);
When the function completes successfully, holds the number of resources that have been refreshed.
This function retrieves runtime statistics on the seosd. This information can be viewed using the secons utility. The information is placed in the structure pointed to by the rtsStat parameter. The structure contains the following information:
The number of TCP/IP requests that were denied.
The number of TCP/IP requests that were granted.
The number of TCP/IP requests that could not be resolved because of an error.
The number of unwritten audit records in the queue.
The number of unwritten error records in the queue.
Last used object ID.
Last used property ID.
Last used class ID.
Number of classes in the database.
Number of properties in the database.
Number of objects (records) in the database.
Number of records in the properties‑values database.
Number of ACEE entries currently used.
Number of protected clients. (This field is reserved for future use.)
Number of trusted programs loaded into the cache.
Number of programs marked as non‑trusted in the cache.
This function and the ‑i option of the secons utility provide the same information.
Things you should know about this function include:
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_consRunTimeStatisticsGet SEADMAPI_RTSTAT *rtsStat);
A structure containing the run‑time statistics, as discussed in the description.
This function submits a message to the CA ControlMinder trace.
This function and the ‑m option of the secons utility provide the same functionality.
Any process can call this function.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_consMessageSend(const char *szMessage);
String of the message to place in the trace log.
This function causes CA ControlMinder to exit and disables the three daemons that compose the CA ControlMinder basic configuration-seosd, seoswd, and seagent. (seagent is also known as the agent.) After shutting down the CA ControlMinder UNIX daemons (Windows services), the kernel extension remains loaded but is not active until seosd is executed again. This disables all protection provided by CA ControlMinder.
In UNIX, other daemons that are part of CA ControlMinder, such as serevu, selogrd, and selogrcd are not affected by this function. These processes can be killed explicitly.
The seadmapi_consShutdown function and the ‑s option of the secons utility provide the same functionality.
This function can only be called by users who have the ADMIN or OPERATOR attribute.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_consShutdown(void);
This function reloads the configuration tokens of the seosd daemon. The tokens are in the seos.ini file. The daemon actually uses only part of the newly reloaded tokens.
This function can only be called by users who have the ADMIN or OPERATOR attribute.
If the function succeeds, it returns 0; if it fails, it returns an error code.
int seadmapi_ReloadIni(void);
The sepass_ReplacePassword function replaces the user password with a new password.
Assuming the user is defined locally, and SEPASS_API_DOMAIN_PMD is not given in the domainCode arguments, sepass_ReplacePassword replaces the user's password in the local UNIX file.
The password can be replaced according to these criteria:
int sepass_ReplacePassword (char *userName,
char *oldPasswd,
char *newPasswd,
char *szPmd,
char* szMsg,
int msgLen,
int domainCodes,
int debug,
int ignoreRules,
int keep_grace,
int do_as_user,
int onlySeOS,
int ChangeGrace);
A NULL‑terminated string containing the name of the user whose password is to be replaced.
A NULL‑terminated string containing the current (old) password of the named user or the administrator invoking the function.
A NULL‑terminated string containing the new (desired) password.
A NULL‑terminated string containing the name of the Policy Model on which to change the password model (if any).
A pointer to the buffer in which the success for failure messages will be stored.
The size of the message buffer.
One of these values:
A flag indicating the detailed description that should be printed.
This argument can have one of three values:
Reset the grace attribute for the user after passwords.
Change the password as if the named user is changing it, and not as an administrative change.
This argument can have one of the following two values:
1 - Change password only in CA ControlMinder environment;
0 - Change password in UNIX and CA ControlMinder environments.
Set the users' grace period for login to the specified number of days.
-1 => use the default (1).
In the database, each property has its data type. Some data types defined in the database are simple, such as strings or integer values; others are structures with several fields.
The following section describes the major data structures and data types.
Each of the data types CA ControlMinder defines and saves in the database has a symbolic constant defined using the following naming convention:
SEOSDB_PTYPE_Access_Control_data_type
For example, the type SEOS_OID has a symbolic constant of SEOSDB_PTYPE_OID.
An ASCII‑Z string. Size of property determined by the maximum length of the string.
An object ID in the database.
A date and time. (The format is time_t.)
An integer, with 1, 2, or 4 bytes. The property size determines the actual type.
An unsigned integer, with 1, 2, or 4 bytes. The property size determines the actual type.
User mode, that is, whether a user is ADMIN, AUDITOR, and so on. The value is stored in an integer as a bit field.
The connection information of a user to group.
The access type allowed. The access is a 32‑bit field value.
An ACL entry.
A program conditional ACL entry.
The audit triggers for a user account. It is a bit field value.
A day and time restriction on access to a resource.
A trusted program information of the file characteristics.
An ACL entry for HOST and other internet classes.
The audit triggers for a resource. It is a 16‑bit field value.
An unsigned char that represents a Boolean value.
A combination of a mask and match values for IP addresses.
A TCP/IP services range ACL entry.
The information stored in each and every data member of these structures and the values are listed in the seostypes.h file. In some of the cases, the structure is only a single value or a list of entries each of the same type. For example, an ACL is a list of 0 or more ACL entries. The list of groups a user is connected to is a list of SEOS_GCONN structures. The latter case also represents a case in which entities are pointing one to another. The user object has the list of groups to which it is connected. The group has the list of users connected to it.
Note: For a complete description of each property in every class, see the selang Reference Guide.
The following list briefly describes database structures and data types for Administration API functions:
Contains the information for a given ACEE
Contains the runtime statistics
Contains the grace login information
Contains a list of access flags
Contains a list of ACLs
Contains the class identification descriptor
Contains a list of groups to which a user is connected and the attributes the user has, if any, with respect to each group
Contains the object identification descriptor
Contains the property identification descriptor
Contains a list of ACLs with more information that SEOS_ACL
Similar to SEOS_GCONN but contains more information
Holds an expanded object identification descriptor
Contains an expanded list of PACLs
Contains the definition of a specific class in the database
Contains information about a property in the database
Contains the definition of a specific object in the database
Contains the definition of a specific property in the database
CA ControlMinder uses a binary compressed file to store audit and error log records. The log files consist of a fixed portion and a variable‑length portion for every record. The fixed portion contains some commonly used data (like time of record submission) and the size and type of the variable‑length portion. CA ControlMinder defines several structures for different auditing records. The current version of CA ControlMinder provides the following audit records.
The following structures are used by both the Administration API and the LogRoute API.
CA ControlMinder updates and language parser interface requests
CA ControlMinder daemon and service shutdown events
General resource audit events
CA ControlMinder TCP/IP events auditing information
Login events and password events audit record
CA ControlMinder daemon and service startup events
Trace records for audited users
Watchdog audit records for marking trusted programs as untrusted
CA ControlMinder error trace‑back information
All these structures are defined in the header file selogtype.h.
The CLIENT_ACEE structure contains information for a given ACEE. The fields are:
The handle of the ACEE.
The number of group connections.
The group connection array.
The number of categories.
The array of category names.
The security label.
The user's name.
The user's audit mode.
The user's security level.
The source terminal.
The process count for the ACEE.
The user's mode.
The creation time for the ACEE.
The SEADMAPI_RTSTAT structure contains information retrieved from the seadmapi_consRunTimeStatisticsGet function.
The fields are:
The number of inet requests that were denied.
The number of inet requests that were granted.
The number of inet requests that contained errors.
The audit log queue size.
The error log queue size.
The first free object ID in the database.
The first free property ID in the database.
The first free class ID in the database.
The number of classes in the database.
The number of properties in the database.
The number of objects in the database.
The number of property values in the database.
The number of ACEE handles currently in the system.
The number of protected clients.
The number of trusted programs currently in the database.
The number of untrusted programs currently in the database.
The SEGRACE_RES structure contains information retrieved by the seadmapi_GetGraceInfo function.
The fields are:
An integer that represents the type of information contained in the structure. Values include:
No data is available to display.
Display a warning to the user such as the number of grace days the user has left or the number of days until the user's password expires.
The user's password has expired; it must be replaced now.
The message that appears for the user.
A message containing information regarding the user's last login.
The number of grace logins left to the user.
The number of days until the user must replace the password.
The name of the user for whom the inquiry is done.
The SEOS_ACL structure describes the access permitted to the accessor.
The fields are:
The object ID of the accessor.
The user's level of access to the resource.
The SEOS_GCONN structure contains the list of groups to which the user is connected and the special attributes, if any, that the user has with respect to those groups.
The fields are:
The object ID of the group.
The owner of the connection.
The date and time the connection was established.
The attributes of the user in the group.
The SEOS_PACL structure contains a list of conditional access control lists.
The fields are:
The object ID of the accessor.
The object ID of the trusted program.
The user's level of access to the resource.
The SEOS_REQ_ERRORDESCP structure contains information sent to the audit log.
The fields are:
The number of the module that sent the error record.
The error code.
The name of the module that sent the error record.
The source file of the error.
The stage in which the error was noticed.
The severity of the error.
The SEOS_X_ACL structure is an expanded version of the SEOS_ACL structure.
The fields are:
The object ID of the accessor.
The user's level of access to the resource.
The class to which the accessor belongs.
The accessor's name.
The SEOS_X_GCONN structure is an expanded version of the SEOS_GCONN structure.
The fields are:
The object ID of the group.
The owner of the connection.
The date and time the connection was established.
The attributes of the user in the group.
The group's name.
The author's name.
The SEOS_X_PACL structure is an expanded version of the SEOS_PACL structure.
The fields are:
The object ID of the accessor.
The object ID of the trusted program.
The user's level of access to the resource.
The class name.
The object name.
The name of the program through which access is allowed.
The SEOSDB_CDF structure contains the definition of a specific class in the database.
The fields are:
The ID of the class.
The name of the class.
The flags of the class.
Reserved for future use.
Reserved for future use.
Reserved for future use.
The SEOSDB_ENTDAT structure contains the information returned by the seadmapi_GetEntity and seadmapi_GetExEntity functions.
The fields are:
The property name.
The class ID of the object's class.
The property ID of the object.
The property's flags.
The property's size.
Reserved for future use.
Reserved for future use.
Reserved for future use.
The number of values in pPVList.
The value list.
The error code if the function was not able to return the requested data.
The SEOS_X_OID data type is an expanded version of the SEOS_OID data type.
The fields are:
The object ID of the record as an unsigned long integer.
The object's class.
The object's name.
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|