Note the following points when using
esfadmin:
- You cannot move or rename an object in the security manager because you cannot specify the parameter once to identify it, and then again to give it a new name. You must use
ADDx to create the new one, and then
DELx to delete the old one. The
ALTx commands will let you change the other parameters of an object, for the most part.
- You can't change a resource's class by changing its CLASS attribute. That attribute exists (and must have a value), but that's a historical vestige. To change a resource's class, you have to create a new resource of the same name under the new class using
ADDRESOURCE, and then delete the old one.
- LISTUSER shows a user's group memberships, for convenience, but that's not actually an attribute of a user. So you can't use
ALTUSER to change what groups a user belongs to (except for the user’s default group). You have to use
ALTGROUP to change a group to add or delete a user from it.
- LISTRESOURCE can only list resources from a single class. To list all resource definitions matching a certain pattern, you must use one
LISTRESOURCE command per resource class.
- When you change a group member list with
ALTGROUP, you completely rewrite it. Be careful to ensure that only one administrator is changing a group’s membership at a time, or changes could be lost.
- To change a resource's access control list (ACL), you list the ACEs as the value of the ACL parameter, separated by semicolons or newlines. For example:
esfadmin ... ALTRESOURCE ...
ACL="allow:SYSADM group:read;allow:CICSUSER:read"
This has the same issue as updating group membership—it replaces the entire ACL, so make sure you have all the ACEs you want in the string, and watch out for races if multiple people might be making updates at the same time.
