Chat now with support
Chat with Support

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

readonly

Syntax
readonly list
Description

Use the readonly statement to make a variable read-only. This means that its current value is frozen, so that no configuration file statement can change it. The purpose of this statement is to allow a system administrator to freeze the value of certain variables before calling out to another configuration file using the include statement. By safely freezing certain variable values, control over the other configuration file can safely be given to other, less-trusted personnel, knowing that they will not be able to abuse their privilege and gain unauthorized access to parts of the system that they should not be tampering with.

Examples
runuser = "jamie"; 
readonly {"runuser","runhost","runcommand"}; 
runuser = robyn; 
print(runuser);

This policy will cause an execution error. Running pmcheck displays a message similar to this:

**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser

readonlyexcept

Syntax
readonlyexcept list
Description

The readonlyexcept statement is related to the readonly statement. The readonlyexcept statement makes all variables read-only, except those listed in the statement. The readonlyexcept statement has the same syntax as the readonly statement.

Examples
runhost = "myhost"; 
runuser = "jamie"; 
readonlyexcept {"runuser"}; 
runhost = "newhost"; // fails, runhost still equals "myhost" 
runuser = "corey"; // runuser now equals "corey"

This policy will cause an execution error. Running pmcheck displays a message similar to this:

**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser

reject

Syntax
reject [rejectmsg]
Description

The reject statement rejects the job request submitted by a user. After a command is accepted, nothing else in the configuration script runs. If a configuration is not explicitly accepted or rejected, it is rejected by default. A default reject message is displayed to the user if no message is specified with the reject statement. If a null string is specified, then the command is rejected silently.

Examples
adminusers = {"dan","robyn"}; 
adminprogs = {"hostname","kill","csh","ksh"}; 
if (user in adminusers && command in adminprogs) 
{ 
   runuser = "root"; 
   if (user == "dan" && !officehours) 
   { 
      reject "You can't use “ + runcommand + “ outside office hours\n"; #custom msg 

   } 
   if (user == "robyn" && !officehours) 
   { 
      if (!getuserpasswd(user)) 
         reject ; #use default reject msg 
   } 
   accept; 
} 
else 
{ 
   reject ""; #reject silently – no msg displayed to the user 
}

return

Syntax
return [expression];
Description

return exits the current procedure/function and returns the value of expression.

Examples
function square (n){
   n2 = n * n; 
   return n2; 
} 

print(square(10)); // prints "100"
Related Documents