Note the following points when using esfadmin:
- You cannot move or rename an object in the security manager because you cannot specify the parameter once to identify it, and then again to give it a new name. You must use ADDx to create the new one, and then DELx to delete the old one. The ALTx commands will let you change the other parameters of an object, for the most part.
- You can't change a resource's class by changing its CLASS attribute. That attribute exists (and must have a value), but that is a historical vestige. To change a resource's class, you have to create a new resource of the same name under the new class using ADDRESOURCE, and then delete the old one.
- LISTUSER shows a user's group memberships, for convenience, but that is not actually an attribute of a user. You can't use ALTUSER to change what groups a user belongs to (except for the user's default group). To add a user to a group or delete a user from it, you have to change the group itself with ALTGROUP, ADDMEMBER, or DELMEMBER.
- If you are listing many users, or have many groups, it might take a long time for LISTUSER to generate the group-membership information. You can tell LISTUSER not to include group membership by adding COMPUTED=NO to the esfadmin command line.
- LISTRESOURCE can only list resources from a single class. To list all resource definitions matching a certain pattern, you must use one LISTRESOURCE command per resource class.
- By default, the LISTUSER, LISTGROUP, LISTCLASS, and LISTRESOURCE commands will perform wildcard searches if you specify a name with the "*" wildcard character. For example, esfadmin LISTUSER USER=A* will list all users with names beginning with "A". This might not be the desired behavior, particularly when listing resource rules, since those often contain wildcard characters. You can tell the LIST commands to treat the "*" character as a literal character (and not a wildcard) by adding LITERAL=YES to your esfadmin command line.
- When you change a group member list with ALTGROUP, you completely rewrite it. Be careful to ensure that only one administrator is changing a group's membership at a time, or changes could be lost. Alternatively, use the new ADDMEMBER and DELMEMBER commands.
- To change a resource's access control list (ACL), you list the ACEs as the value of the ACL parameter, separated by semicolons or newlines. For example:
  esfadmin ... ALTRESOURCE ... ACL="allow:SYSADM group:read;allow:CICSUSER:read"
  This has the same issue as updating group membership—it replaces the entire ACL, so make sure you have all the ACEs you want in the string, and watch out for races if multiple people might be making updates at the same time. Alternatively, use the new ADDACE, ALTACE, and DELACE commands.
- Currently, only one ESM Module (specified with the -M option) can be used by esfadmin. It cannot use a "stacked" security configuration.
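
The whole-ACL replacement issue described for ALTRESOURCE above can be checked before the command is run. The following is an added example, not part of the product or its documentation: it parses ACL strings in the format shown on this page and reports which ACEs a proposed replacement would silently drop. The helper names and the AUDITOR and OPERATOR actors are constructed, and it assumes every ACE has the three-field type:actor:access form of the page's example.

```python
# Added example; helper names and AUDITOR/OPERATOR are constructed sample values.
# Assumption: each ACE is type:actor:access, as in the page's ALTRESOURCE example.

def parse_acl(text):
    """Split an ACL value on semicolons or newlines into (type, actor, access)."""
    aces = []
    for raw in text.replace("\n", ";").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        kind, _, rest = raw.partition(":")       # first field: ACE type
        actor, _, access = rest.rpartition(":")  # last field: access level
        if not (kind and actor and access):
            raise ValueError(f"malformed ACE: {raw!r}")
        aces.append((kind.strip(), actor.strip(), access.strip()))
    return aces

def format_acl(aces):
    """Join parsed ACEs back into a semicolon-separated ACL value."""
    return ";".join(":".join(ace) for ace in aces)

def add_ace(current_acl, new_ace):
    """Return the complete ACL string: every current ACE plus new_ace."""
    aces = parse_acl(current_acl)
    (new,) = parse_acl(new_ace)
    if new not in aces:
        aces.append(new)
    return format_acl(aces)

def dropped_aces(live_acl, proposed_acl):
    """ACEs in the live ACL that the proposed full replacement would remove."""
    proposed = set(parse_acl(proposed_acl))
    return [ace for ace in parse_acl(live_acl) if ace not in proposed]

if __name__ == "__main__":
    snapshot = "allow:SYSADM group:read;allow:CICSUSER:read"  # from the page
    # Constructed race: two administrators start from the same snapshot.
    admin_a = add_ace(snapshot, "allow:AUDITOR:read")
    admin_b = add_ace(snapshot, "allow:OPERATOR:read")
    live = admin_a  # A's replacement is applied first
    print("B's stale string would drop:", dropped_aces(live, admin_b))
    print("Rebuilt from the live ACL:  ", add_ace(live, "allow:OPERATOR:read"))
```

Re-reading the live ACL immediately before building the replacement string narrows the race window but does not close it.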