Technical Notes

Basics of pdadmin: How to work with object policies

Posted by Anton Khitrenovich on April 9, 2013

Working with protected object policies (or, in short, POPs) is pretty similar to working with ACLs. In this example we will create a POP that requires the end user to authenticate at authentication level 1 (the POP's "Auth Level" setting) before accessing a junction.

First, we'll create a new POP and display its content:

pdadmin sec_master> pop create level1 
pdadmin sec_master> pop show level1
    Protected object policy:  level1
    Description:
    Warning:  No
    Audit level:  none
    Quality of protection:  none
    Time of day access:  sun, mon, tue, wed, thu, fri, sat, :anytime:local
    IP Endpoint Authentication Method Policy
        Auth Level: 0          Network: Any Other Network

pdadmin sec_master> 

As you can see, by default this POP does not enforce any access restrictions: the authentication level is 0 for any network. We are going to change that!

pdadmin sec_master> pop modify level1 set ipauth anyothernw 1
pdadmin sec_master> pop show level1
    Protected object policy:  level1
    Description:
    Warning:  No
    Audit level:  none
    Quality of protection:  none
    Time of day access:  sun, mon, tue, wed, thu, fri, sat, :anytime:local
    IP Endpoint Authentication Method Policy
        Auth Level: 1          Network: Any Other Network

pdadmin sec_master> 

In order to attach a POP to some object, you need to know the object path. Let’s take a junction from our previous post as an example and attach our fresh POP to this junction:

pdadmin sec_master> pop attach /WebSEAL/isam-70.lab.mycompany.com-default/myjunction level1
pdadmin sec_master> pop find level1
/WebSEAL/isam-70.lab.mycompany.com-default/myjunction
pdadmin sec_master> 

Now you can see your POP attached to this junction! Remember that a POP only has an effect once it is attached; until then it is just a definition.
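The whole procedure above (create, modify, attach, find) is easy to get wrong in a scripted rollout, so it pays to verify the result from pdadmin's own output. The following is an added example, not code from the original post or from IBM: it parses the text that pop show and pop find print, flags any network entry whose authentication level is below the level you intended, and reports a POP that is not attached to the expected object. The sample outputs are constructed from the transcripts shown in this post; the handling of the word "forbidden" in pop show output is an assumption.

```python
"""Added example (not from the original post): parse the output of pdadmin's
`pop show` and `pop find` and verify that a POP really enforces the intended
authentication level and is attached to the intended object.
The sample outputs below are constructed from what the post shows."""
import re

# Constructed sample: `pop show level1` right after `pop create level1`.
POP_SHOW_DEFAULT = """\
    Protected object policy:  level1
    Description:
    Warning:  No
    Audit level:  none
    Quality of protection:  none
    Time of day access:  sun, mon, tue, wed, thu, fri, sat, :anytime:local
    IP Endpoint Authentication Method Policy
        Auth Level: 0          Network: Any Other Network
"""

# Constructed sample: the same POP after `pop modify level1 set ipauth anyothernw 1`.
POP_SHOW_LEVEL1 = POP_SHOW_DEFAULT.replace("Auth Level: 0", "Auth Level: 1")

# Constructed sample: `pop find level1` after the attach step.
JUNCTION = "/WebSEAL/isam-70.lab.mycompany.com-default/myjunction"
POP_FIND_OUTPUT = JUNCTION + "\n"

# One ipauth line: the level, then whatever network description follows.
IPAUTH_RE = re.compile(r"Auth Level:\s*(\S+)\s+Network:\s*(.+?)\s*$")


def parse_pop_show(text):
    """Turn `pop show` output into a dict.

    Plain "Key:  value" lines become lowercase keys; every line under the
    "IP Endpoint Authentication Method Policy" heading becomes an entry in
    pop["ipauth"] with the network description and its auth level.
    Assumption: a forbidden network is printed with the word "forbidden"
    in place of the numeric level (pdadmin accepts `forbidden` on input).
    """
    pop = {"ipauth": []}
    in_ipauth = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "IP Endpoint Authentication Method Policy":
            in_ipauth = True
            continue
        if in_ipauth:
            m = IPAUTH_RE.match(line)
            if m:
                level_text, network = m.groups()
                forbidden = level_text.lower() == "forbidden"
                pop["ipauth"].append({
                    "network": network,
                    "level": None if forbidden else int(level_text),
                    "forbidden": forbidden,
                })
                continue
            in_ipauth = False  # a non-ipauth line ends the section
        key, sep, value = line.partition(":")
        if sep:
            pop[key.strip().lower()] = value.strip()
    return pop


def weak_ipauth_entries(pop, required_level):
    """Return a finding for every ipauth entry that lets a client in with an
    auth level below required_level. A forbidden network blocks access
    outright, so it is never a finding."""
    findings = []
    for entry in pop["ipauth"]:
        if entry["forbidden"] or entry["level"] >= required_level:
            continue
        findings.append(f"{entry['network']}: auth level {entry['level']} < {required_level}")
    return findings


def parse_pop_find(text):
    """`pop find` prints one protected object path per line; collect those."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def audit_pop(show_output, find_output, required_level, expected_object):
    """Combine both checks: every non-forbidden network must require at least
    required_level, and the POP must be attached to expected_object (a POP
    that is never attached protects nothing). Returns a list of findings."""
    pop = parse_pop_show(show_output)
    findings = weak_ipauth_entries(pop, required_level)
    if expected_object not in parse_pop_find(find_output):
        findings.append(f"{pop.get('protected object policy')} is not attached to {expected_object}")
    return findings


if __name__ == "__main__":
    # Freshly created POP, not yet attached: two findings.
    print(audit_pop(POP_SHOW_DEFAULT, "", 1, JUNCTION))
    # After the modify and attach steps from the post: no findings.
    print(audit_pop(POP_SHOW_LEVEL1, POP_FIND_OUTPUT, 1, JUNCTION))
```

In practice you would feed audit_pop the captured output of pdadmin run non-interactively (for example from a command file) for each POP you manage, and fail the rollout on any non-empty finding list.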

There are many more POP-related options available. The full list is accessible via the built-in help system; even an incomplete command such as pop help makes pdadmin print every pop subcommand with its syntax:

pdadmin sec_master> pop help
Error: Unknown or incomplete command.  Try one of:
    pop list <pop-name> attribute
    pop modify <pop-name> delete attribute <attr-name>
    pop modify <pop-name> delete attribute <attr-name> <attr-value>
    pop modify <pop-name> set attribute <attr-name> <attr-value>
    pop show <pop-name> attribute <attr-name>
    pop create <pop-name>
    pop delete <pop-name>
    pop modify <pop-name> set description <description>
    pop modify <pop-name> set tod-access <{anyday|weekday|<day-list>}>:<{anytime|<time-spec>-<time-spec>}>[:{utc|local}]
    pop modify <pop-name> set ipauth remove <network> <netmask>
    pop modify <pop-name> set ipauth anyothernw {<auth_level>|forbidden}
    pop modify <pop-name> set ipauth add <network> <netmask> {<auth_level>|forbidden}
    pop modify <pop-name> set warning {yes|no}
    pop modify <pop-name> set audit-level {all|none|<audit-level-list>}
    pop modify <pop-name> set qop {none|integrity|privacy}
    pop list
    pop show <pop-name>
    pop attach <object-name> <pop-name>
    pop detach <object-name>
    pop find <pop-name>
pdadmin sec_master> 
