サポートと今すぐチャット
サポートとのチャット

Privilege Manager for Unix 7.2.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

for loop

Syntax
for (variable in expression ) statement
Description

The for statement is a looping statement. The specified expression must be an array. It runs the specified statement once for each array element, and assigns it to the specified variable in turn. The for statement terminates when the specified expression does not evaluate to an array value, either when each element of the array has been iterated, or it encounters a break statement.

Use a statement block in the form { statement ... } to run multiple statements. One Identity recommends using a statement block for readability.

Examples

This prints the values 1,2,3,4,5:

for (x in {1,2,3,4,5}) print(x);

This does not print any value, since the expression does not evaluate to an array:

for (x in "foo") print(x);

This prints the values 1,2,3 because the break statement terminates the loop:

values = {1,2,3,4,5}; 
for (x in values) { 
   if (x > 3) break; 
   print(x); 
}

function

Syntax
function ( parameter = expression, ... ) { statement ... }
Description

See procedure / function for a full description of function.

if-else

Syntax
if ( expression ) statement
if ( expression ) statement else statement
Description

The if-else statement is a conditional statement. It runs the specified statement if the specified expression evaluates to true (a non-zero value). If the else part is present, it runs the associated statement if the expression evaluates to false (the value 0).

Use a statement block of the form { statement ... } to run multiple statements. One Identity recommends using a statement block for readability.

Examples

Accept if the user is contained in the set of trusted users, otherwise continue execution at the next statement:

trustedusers = {"jamie","corey","robyn"}; 
if (user in trustedusers) 
   accept;

Accept if the user is contained in the set of trusted users, otherwise reject:

trustedusers = {"jamie","corey","robyn"}; 
if (user in trustedusers) 
   accept; 
else 
   reject;

Note the use of statement block to handle multiple statements:

trustedusers = {"jamie","corey","robyn"}; 
if (user in trustedusers) { 
   print("accepted"); 
   accept; 
} else { 
   print("rejected"); 
   reject; 
}

include

Syntax
include file-name
Description

The Privilege Manager for Unix configuration language contains the include statement, which is used to call out to other configuration files. By splitting your configuration file up into several smaller files, you can eliminate clutter. You can also hand-off control over certain aspects of configuration to different people, by giving them access to the subsidiary configuration files.

If an accept or reject is done within the included file, control never returns to the original file. On the other hand, if no accept or reject is done in the included file, execution will proceed to the end of that file, and then resume in the original file immediately after the include statement.

If a full pathname is not specified, the value of the policydir setting from the /etc/opt/quest/qpm4u/pm.settings file will be pre-pended to the filename.

When handing off control to a subsidiary configuration file whose contents are controlled by a questionable person, you might want to "fix" certain Privilege Manager for Unix variable values so that they cannot be changed by the subsidiary file. Use the readonly and readonlyexcept statements for this purpose.

As an example, you may have an Oracle® database administrator, who you want to be able to administer certain Oracle® programs. Each of those programs is to run as the "oracle" user. You would like the DBA to be able to grant or deny access to these programs and this account without your involvement, but you certainly do not want to give this person power over non-Oracle® parts of the system.

Specify the file to be included as a string expression; it may contain variables. For example, include "/etc/ + usr + ".conf";.

The following configuration file fragment hands off control to a subsidiary configuration file called, /etc/pmorcle.conf, and ensures that if an accept is done within this file, the job being accepted can only run as the oracle user.

Examples
oraclecmds = {"oradmin", "oraprint", "orainstall"}; 
if(command in oraclecmds) 
{ 
   runuser = "oracle"; 
   readonly {"runuser"}; 
   include "/etc/pmoracle.conf"; 
   reject; 
}
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択