Basics of pdadmin: How to create ACLs

A year ago I posted an explanation about unauthenticated junctions for WebSEAL. Let’s do a similar task with pdadmin – create a "passthrough" ACL for WebSEAL.

[ Note: This post assumes that you have an authenticated ‘pdadmin’ session open! ]

First, we will create a fresh ACL:

pdadmin sec_master> acl create webseal-passthrough
pdadmin sec_master> acl show webseal-passthrough
    ACL name: webseal-passthrough
    Description:
    Entries:
        User sec_master TcmdbsvaBRl
pdadmin sec_master>

You can list all the ACLs in the system and see that your fresh ACL appears there. Note the default WebSEAL ACL (default-webseal) – we’ll use it in a moment!

pdadmin sec_master> acl list
default-webseal
default-management-proxy
default-management
default-root
default-gso
default-policy
default-config
webseal-passthrough
default-domain
default-replica
pdadmin sec_master>

At this moment the ACL we just created contains only the basic ‘sec_master’ permissions. Let’s copy the default set of permissions (for the system administrator, groups, etc.) from the default system ACL. We can skip the ‘any-other’ and ‘unauthenticated’ entries for now – we will take care of them later.

pdadmin sec_master> acl show default-webseal
    ACL name: default-webseal
    Description:
    Entries:
        Group iv-admin TcmdbsvaBRrxl
        Group webseal-servers Tgmdbsrxl
        User sec_master TcmdbsvaBRrxl
        Any-other Trx
        Unauthenticated T
pdadmin sec_master> acl modify webseal-passthrough set group iv-admin TcmdbsvaBRrxl
pdadmin sec_master> acl modify webseal-passthrough set group webseal-servers Tgmdbsrxl
pdadmin sec_master> acl modify webseal-passthrough set user sec_master TcmdbsvaBRrxl
pdadmin sec_master> acl show webseal-passthrough
    ACL name: webseal-passthrough
    Description:
    Entries:
        Group iv-admin TcmdbsvaBRrxl
        Group webseal-servers Tgmdbsrxl
        User sec_master TcmdbsvaBRrxl
pdadmin sec_master>

As you can see, our new ACL is (almost) a clone of the default ACL. Now let’s configure proper access rights for both authenticated and unauthenticated users. Spot the difference from the default WebSEAL ACL!

pdadmin sec_master> acl modify webseal-passthrough set any-other Trx
pdadmin sec_master> acl modify webseal-passthrough set unauthenticated Trx
pdadmin sec_master> acl show webseal-passthrough
    ACL name: webseal-passthrough
    Description:
    Entries:
        Group iv-admin TcmdbsvaBRrxl
        Group webseal-servers Tgmdbsrxl
        User sec_master TcmdbsvaBRrxl
        Any-other Trx
        Unauthenticated Trx
pdadmin sec_master>
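
The comparison the post asks for, as an added example (not code from the original post): a small Python parser for the `acl show` listing format above that diffs two ACLs and reports which permissions the Unauthenticated entry holds beyond T (traverse). The function names are hypothetical, and the sample input is the two listings from this post.

```python
# Constructed input: both listings are the `acl show` output shown above.
DEFAULT_WEBSEAL = """\
    ACL name: default-webseal
    Description:
    Entries:
        Group iv-admin TcmdbsvaBRrxl
        Group webseal-servers Tgmdbsrxl
        User sec_master TcmdbsvaBRrxl
        Any-other Trx
        Unauthenticated T
"""
PASSTHROUGH = """\
    ACL name: webseal-passthrough
    Description:
    Entries:
        Group iv-admin TcmdbsvaBRrxl
        Group webseal-servers Tgmdbsrxl
        User sec_master TcmdbsvaBRrxl
        Any-other Trx
        Unauthenticated Trx
"""

def parse_acl(text):
    """Return (acl_name, {entry: set of case-sensitive permission letters})."""
    name, entries, in_entries = None, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("ACL name:"):
            name = line.split(":", 1)[1].strip()
        elif line == "Entries:":
            in_entries = True
        elif in_entries and line and not line.startswith("pdadmin "):
            parts = line.split()
            # User/Group entries carry a name; a missing permission string is an empty set.
            n = 2 if parts[0] in ("User", "Group") else 1
            entries[" ".join(parts[:n])] = set("".join(parts[n:]))
    return name, entries

def diff_acl(base, other):
    """Map entry -> (letters only in other, letters only in base), differing entries only."""
    out = {}
    for key in sorted(set(base) | set(other)):
        a, b = base.get(key, set()), other.get(key, set())
        if a != b:
            out[key] = ("".join(sorted(b - a)), "".join(sorted(a - b)))
    return out

def unauth_beyond_traverse(entries):
    """Letters granted to Unauthenticated other than T (traverse)."""
    return "".join(sorted(entries.get("Unauthenticated", set()) - {"T"}))
```

Any letters reported for Unauthenticated beyond T mean that objects protected by this ACL are reachable without logging in, so attach a passthrough ACL only to the parts of the object space that are meant to be public.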

In the next post I’ll explain how to use ACLs via pdadmin.
