Username Substitution

Beginning with version 2 of the MLDAP ESM Module (available in Enterprise Server 2.3 and in some hotfixes for Enterprise Server 2.2 Update 2), you can also define resource-rule names that incorporate the name of the user who is requesting access. This lets a single generic rule cover every resource whose name includes the requesting user's name. Typically this is used for rules in the DATASET and JESSPOOL classes, to give each user access to the resources that carry their own name as a qualifier.

To use this feature:
  • You must be using MLDAP ESM Module version 2 with the new rule-matching algorithm enabled. That is the default for Enterprise Server 2.3. For Enterprise Server 2.2 Update 2 Hotfix 7 and later, you must enable the new algorithm by setting Version 1 authentication=no in the [Operation] section of the Security Manager configuration.
  • In the Security Manager configuration area, set Rule substitutions=yes in the [Operation] section.
  • Use the token ${user} in resource access rule names where you want the requesting user's name to be substituted; for example, USER.${user}.**. In the ACL for such a rule you can simply use * as the actor name, because the substituted rule can only match resources that contain the requesting user's own name. (A rule without ${user} and a * actor would, by contrast, grant the access to every user.)

When determining rule precedence, a rule containing ${user} ranks as high as if the user's name appeared literally in the rule name. A rule named USER.${user}.** therefore takes precedence over one named USER.*.** when the requesting user's name is the second qualifier of the resource name.

Configuration to enable username substitution

[Operation]
Version 1 authentication=no
Rule substitutions=yes

The Version 1 authentication line is not needed in Enterprise Server 2.3 and later, where the new algorithm is the default, but it is allowed and harmless if present.

Dataset rule with username substitution

LDIF syntax for a pair of rules that gives each user full access to their own datasets under USER.**, while denying every user access to anyone else's. Because the ${user} rule ranks as if the name were literal, it takes precedence over the generic USER.** rule for the requesting user's own datasets, and the generic rule is what applies to everyone else's:

dn: CN=USER.${user}.**,CN=DATASET,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: DATASET
microfocus-MFDS-Resource-ACE: allow:*:alter
microfocus-MFDS-UID: USER.${user}.**
description: Allow full access to user's own area

dn: CN=USER.**,CN=DATASET,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: DATASET
microfocus-MFDS-Resource-ACE: allow:*:none
microfocus-MFDS-UID: USER.**
description: Users don't have access to each other's areas

Rule to give users access to their own spool output

LDIF syntax for a rule that gives each user control over their own spool output:

dn: CN=*.${user}.**,CN=JESSPOOL,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: JESSPOOL
microfocus-MFDS-Resource-ACE: allow:*:control
microfocus-MFDS-UID: *.${user}.**
description: Give each user control over their own spool output

In the JESSPOOL class, resources have the format localnodeid.userid.jobname.jobid.dsnumber.name. The leading * in the rule name matches any localnodeid, so this rule matches whenever the requesting user's name appears as the userid qualifier, and gives that user control authority over those spool resources.
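The following simulation is an added example, not Micro Focus code, and it does not reproduce the product's actual rule-matching algorithm. It loads the three rules shown on this page (the DATASET pair and the JESSPOOL rule), substitutes ${user}, and picks the highest-precedence matching rule, so that the precedence claim made earlier (USER.${user}.** outranks USER.*.**) can be seen on concrete resource names. Everything not stated on the page is an assumption of the simulation: that * matches exactly one qualifier and ** zero or more, that the most specific matching rule wins with literal qualifiers ranking above * and * above **, compared left to right, that only allow ACEs whose actor is * or the requesting user are honoured, and that unmatched resources fall through to a product default that is not modelled. The JESSPOOL resource name and the extra USER.*.** rule used for the precedence check are constructed for the example.

```python
"""Simulation of MLDAP ESM resource-rule matching with ${user} substitution.

Added example, not Micro Focus code, and not the product's real algorithm.
Taken from the page: ${user} is replaced by the requesting user's name, rule
names are dot-separated qualifiers, and a substituted ${user} ranks for
precedence as if the name were literal.  Assumed here: '*' matches one
qualifier, '**' matches zero or more, the most specific matching rule wins
(literal > '*' > '**', compared qualifier by qualifier), and only 'allow'
ACEs whose actor is '*' or the requesting user are honoured.
"""
import re
from dataclasses import dataclass

# LDIF records copied from this page; changetype, objectClass and description
# lines are omitted because the simulation does not need them.
RULES_LDIF = """\
dn: CN=USER.${user}.**,CN=DATASET,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
microfocus-MFDS-Resource-Class: DATASET
microfocus-MFDS-Resource-ACE: allow:*:alter
microfocus-MFDS-UID: USER.${user}.**

dn: CN=USER.**,CN=DATASET,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
microfocus-MFDS-Resource-Class: DATASET
microfocus-MFDS-Resource-ACE: allow:*:none
microfocus-MFDS-UID: USER.**

dn: CN=*.${user}.**,CN=JESSPOOL,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
microfocus-MFDS-Resource-Class: JESSPOOL
microfocus-MFDS-Resource-ACE: allow:*:control
microfocus-MFDS-UID: *.${user}.**
"""


@dataclass(frozen=True)
class Rule:
    cls: str        # resource class, e.g. DATASET or JESSPOOL
    name: str       # rule name as written, may contain ${user}
    aces: tuple     # ACE strings, e.g. ("allow:*:alter",)


def parse_ldif(text):
    """Minimal parser for 'attribute: value' records (no base64, no line folding)."""
    rules = []
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")   # first colon only; ACE values contain colons
            attrs.setdefault(key.strip(), []).append(value.strip())
        rules.append(Rule(attrs["microfocus-MFDS-Resource-Class"][0],
                          attrs["microfocus-MFDS-UID"][0],
                          tuple(attrs["microfocus-MFDS-Resource-ACE"])))
    return rules


def qualifiers_match(pat, res):
    """pat and res are qualifier lists; '*' = one qualifier, '**' = zero or more (assumed)."""
    if not pat:
        return not res
    head, rest = pat[0], pat[1:]
    if head == "**":
        return any(qualifiers_match(rest, res[i:]) for i in range(len(res) + 1))
    return bool(res) and head in ("*", res[0]) and qualifiers_match(rest, res[1:])


def specificity(concrete):
    """Precedence key of a substituted rule name; a substituted user name counts as literal."""
    return tuple({"**": 0, "*": 1}.get(q, 2) for q in concrete.split("."))


def ranked(rules, cls, user, resource):
    """Rules in class `cls` that match `resource` for `user`, highest precedence first."""
    user, res = user.upper(), resource.upper().split(".")
    hits = []
    for rule in rules:
        concrete = rule.name.replace("${user}", user).upper()
        if rule.cls == cls and qualifiers_match(concrete.split("."), res):
            hits.append((specificity(concrete), rule))
    hits.sort(key=lambda h: h[0], reverse=True)
    return [rule for _, rule in hits]


def decide(rules, cls, user, resource):
    """(rule name as written, access) from the best matching rule, or None if no rule matches."""
    best = ranked(rules, cls, user, resource)
    if not best:
        return None   # no rule matched; the product's default for that case is not modelled
    rule = best[0]
    for ace in rule.aces:
        kind, actor, access = ace.split(":")
        if kind.lower() == "allow" and actor.upper() in ("*", user.upper()):
            return rule.name, access
    return rule.name, "none"


if __name__ == "__main__":
    rules = parse_ldif(RULES_LDIF)
    spool = "MYNODE.ALICE.PAYJOB.JOB00123.D0000002.SYSOUT"   # constructed JESSPOOL name
    print(decide(rules, "DATASET", "alice", "USER.ALICE.PAYROLL"))   # own area: alter
    print(decide(rules, "DATASET", "alice", "USER.BOB.PAYROLL"))     # someone else's area: none
    print(decide(rules, "JESSPOOL", "alice", spool))                 # own spool output: control
    print(decide(rules, "JESSPOOL", "bob", spool))                   # no matching rule: None
    # Precedence check from the text: a constructed USER.*.** rule loses to USER.${user}.**
    with_wild = rules + [Rule("DATASET", "USER.*.**", ("allow:*:read",))]
    print([r.name for r in ranked(with_wild, "DATASET", "alice", "USER.ALICE.PAYROLL")])
```

The last line of the main block shows the order USER.${user}.**, USER.*.**, USER.** for the user's own dataset, which is the ranking the precedence paragraph describes; for another user's dataset the constructed USER.*.** rule would instead win over USER.**, which is why the page's pair of rules deliberately does not include such a rule.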