LISTREFERENCES

Description

List the references to and from a user, group, class, or resource.

Security objects (users, groups, classes, and resources) refer to one another in various ways. A user may refer to a default group, and be referred to by groups as a member of those groups. A user may also be referred to by access control entries (ACEs) in resource rules. Groups refer to users and may be referred to by users and resources. Resources refer to users and groups and are referred to by the class they belong to. Classes refer to the resources they contain.

Often administrators need to understand these relationships, for example to find out what explicit permissions a group has been granted, or to ensure a user has been removed from all groups before deleting that user. The LISTREFERENCES command can be used to discover them.

Each reference is listed with three attributes: its name, its type (user, group, etc), and a comment indicating how it is related to the object being queried.

Note: Currently LISTREFERENCES does not include references due to ACEs with wildcard user or group names, such as allow:*:read.

Required parameters

For listing a user's references:

USER=name: The user to list references for.

For listing a group's references:

GROUP=name: The group to list references for.

For listing a class's references:

CLASS=name: The class to list references for.

For listing a resource's references:

RESOURCE=name: The resource to list the references for. Usually the optional CLASS parameter will also be specified.

Optional parameters

CLASS=name: When listing a resource, specify the class of the resource. If this is not specified, references for matching resources in all classes will be listed.
LITERAL=NO: Tells ESF to treat "*" characters as wildcards, and list references for all matching objects.

The command esfadmin LISTREFERENCES USER=SYSAD, run against the sample security configuration supplied with Enterprise Server, produces output similar to this:

ESF EM 1000 I ESM1: MLDAP ESM initialized
ESF MI 200 I Loaded module mldap_esm for ESM (1) "mldap_esm": MLDAP ESM version
2.0.2
ESF PI 101 I External Security Manager version 2.1.0 initialized

LIST Command results:

List      1 contains      6 items.
NAME=CICSUSER
TYPE=USER
COMMENT=The user itself

NAME=ALLUSER
TYPE=GROUP
COMMENT=User's default group

NAME=ALLUSER
TYPE=GROUP
COMMENT=Explicit group member

NAME=DEVGROUP
TYPE=GROUP
COMMENT=Explicit group member

NAME=*
TYPE=RESOURCE
COMMENT=Class TCICSTRN, ACE allow:CICSUSER:read


ESF EM 1002 I ESM1: MLDAP ESM exiting
Command processing completed successfully

The list output shows the following references: the CICSUSER object itself, its default group, the groups it is an explicit member of, and a resource that has an ACL that names the user specifically.