Micro Focus Visual COBOL 2.3 Update 1 for Eclipse (UNIX) > Deployment > Deploying to Enterprise Server > Enterprise Server Security > Securing an Enterprise Server Installation > Configuring External Security Facility (ESF) from the Command Line > About the esfadmin Command > esfadmin Usage Notes

esfadmin Usage Notes

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Note the following points when using esfadmin:

You cannot move or rename an object in the security manager because you cannot specify the parameter once to identify it, and then again to give it a new name. You must use ADDx to create the new one, and then DELx to delete the old one. The ALTx commands will let you change the other parameters of an object, for the most part.
You can't change a resource's class by changing its CLASS attribute. That attribute exists (and must have a value), but that is a historical vestige. To change a resource's class, you have to create a new resource of the same name under the new class using ADDRESOURCE, and then delete the old one.
LISTUSER shows a user's group memberships, for convenience, but that is not actually an attribute of a user. You can't use ALTUSER to change what groups a user belongs to (except for the user’s default group). You have to use ALTGROUP to change a group to add or delete a user from it.
If you are listing many users, or have many groups, it might take a long time for LISTUSER to generate the group-membership information. You can tell LISTUSER not to include group membership by adding COMPUTED=NO to the esfadmin command line.
LISTRESOURCE can only list resources from a single class. To list all resource definitions matching a certain pattern, you must use one LISTRESOURCE command per resource class.
By default, the LISTUSER, LISTGROUP, LISTCLASS, and LISTRESOURCE commands will perform wildcard searches if you specify a name with the "*" wildcard character. For example, esfadmin LISTUSER USER=A* will list all users with names beginning with "A".
This might not be the desired behavior, particularly when listing resource rules, since those often contain wildcard characters. You can tell the LIST commands to treat the "*" character as a literal character (and not a wildcard) by adding LITERAL=YES to your esfadmin command line.
When you change a group member list with ALTGROUP, you completely rewrite it. Be careful to ensure that only one administrator is changing a group’s membership at a time, or changes could be lost. Alternatively, use the new ADDMEMBER and DELMEMBER commands.
To change a resource's access control list (ACL), you list the ACEs as the value of the ACL parameter, separated by semicolons or newlines. For example:
esfadmin ... ALTRESOURCE ...

ACL="allow:SYSADM group:read;allow:CICSUSER:read"

This has the same issue as updating group membership—it replaces the entire ACL, so make sure you have all the ACEs you want in the string, and watch out for races if multiple people might be making updates at the same time. Alternatively, use the new ADDACE, ALTACE, and DELACE commands.