readonly list
Use the readonly statement to make a variable read-only. This means that its current value is frozen, so that no configuration file statement can change it. The purpose of this statement is to allow a system administrator to freeze the value of certain variables before calling out to another configuration file using the include statement. By safely freezing certain variable values, control over the other configuration file can safely be given to other, less-trusted personnel, knowing that they will not be able to abuse their privilege and gain unauthorized access to parts of the system that they should not be tampering with.
runuser = "jamie"; readonly {"runuser","runhost","runcommand"}; runuser = robyn; print(runuser);
This policy will cause an execution error. Running pmcheck displays a message similar to this:
**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser
readonlyexcept list
The readonlyexcept statement is related to the readonly statement. The readonlyexcept statement makes all variables read-only, except those listed in the statement. The readonlyexcept statement has the same syntax as the readonly statement.
runhost = "myhost"; runuser = "jamie"; readonlyexcept {"runuser"}; runhost = "newhost"; // fails, runhost still equals "myhost" runuser = "corey"; // runuser now equals "corey"
This policy will cause an execution error. Running pmcheck displays a message similar to this:
**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser
reject [rejectmsg]
The reject statement rejects the job request submitted by a user. After a command is accepted, nothing else in the configuration script runs. If a configuration is not explicitly accepted or rejected, it is rejected by default. A default reject message is displayed to the user if no message is specified with the reject statement. If a null string is specified, then the command is rejected silently.
adminusers = {"dan","robyn"}; adminprogs = {"hostname","kill","csh","ksh"}; if (user in adminusers && command in adminprogs) { runuser = "root"; if (user == "dan" && !officehours) { reject "You can't use “ + runcommand + “ outside office hours\n"; #custom msg } if (user == "robyn" && !officehours) { if (!getuserpasswd(user)) reject ; #use default reject msg } accept; } else { reject ""; #reject silently – no msg displayed to the user }
return [expression];
return exits the current procedure/function and returns the value of expression.
function square (n){ n2 = n * n; return n2; } print(square(10)); // prints "100"
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy