ADARBA (RBAC Administration)

This document describes the utility "ADARBA".


Functional Overview

The ADARBA utility is used to administer the RBAC security definitions, which are stored in the RBAC system file in the database.

ADARBA creates and modifies basic security objects such as users and roles, and is used to grant or revoke permissions. See Authorization for Adabas Utilities in the Administration documentation for further information.

The database to be used must be online.

Note:
Each ADARBA command represents a transaction. This means that modifications to the security definitions take effect immediately.

Important:
Access to this utility should be strictly limited to the person or persons responsible for database security.

This utility is a multi-function utility.

Procedure Flow


Data Set             Logical Name         Storage Medium               Additional Information
RBAC Definitions                          Database/RBAC System File
Control statements   stdin/SYS$INPUT                                   Utilities Manual
ADARBA messages      stdout/SYS$OUTPUT                                 Messages and Codes

Checkpoints

The utility writes no checkpoints.

Control Parameters

The following control parameters are available:

     CREATE  ,{OPERATION|USER|OBJECT|ROLE} = string

M    DBID = number

     DROP ,{OPERATION|USER|OBJECT|ROLE} = string

     [NO]ECHO

     GRANT ,ROLE = string [,TO] ,USER = string

     GRANT ,OPERATION = string [,OBJECT = string] [,TO]  ,ROLE = string

     LIST  ,{OPERATION|USER|OBJECT|ROLE} [= string]

     LIST  ,ASSIGNMENT, {USER|PERMISSION}

     REVOKE ,ROLE = string [,FROM] ,USER = string

     REVOKE ,OPERATION = string [,OBJECT = string] [,FROM] ,ROLE = string

     [NO]STAT
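
Because every ADARBA command is its own transaction and takes effect immediately, a file of control statements can be checked against the syntax above before it is passed to the utility on stdin. The following Python sketch is an added example, not part of the Adabas documentation or product. It assumes that keywords are case-insensitive (the examples on this page use lower case), that whitespace around commas and "=" is ignored, and that values contain no commas; the names shape, review and SAMPLE are hypothetical.

```python
import re

# Statement shapes from the "Control Parameters" syntax on this page. In a shape,
# "=v" marks a non-empty value, "=n" an all-digit value and "=" an empty value.
TYPE = r"(OPERATION|USER|OBJECT|ROLE)"
VAL = r"=[vn]"
SHAPES = [re.compile(p) for p in (
    rf"(CREATE|DROP),{TYPE}{VAL}",
    r"DBID=n",
    r"(NO)?(ECHO|STAT)",
    rf"GRANT,ROLE{VAL}(,TO)?,USER{VAL}",
    rf"GRANT,OPERATION{VAL}(,OBJECT{VAL})?(,TO)?,ROLE{VAL}",
    rf"REVOKE,ROLE{VAL}(,FROM)?,USER{VAL}",
    rf"REVOKE,OPERATION{VAL}(,OBJECT{VAL})?(,FROM)?,ROLE{VAL}",
    rf"LIST,{TYPE}(=[vn]?)?",
    r"LIST,ASSIGNMENT,(USER|PERMISSION)",
)]
MUTATING = ("CREATE", "DROP", "GRANT", "REVOKE")

def shape(statement):
    """Reduce a statement to upper-cased keywords plus value markers."""
    parts = []
    for token in statement.split(","):  # assumption: values contain no commas
        key, eq, value = token.partition("=")
        value = value.strip()           # values themselves stay case-sensitive
        marker = ("n" if value.isdigit() else "v") if value else ""
        parts.append(key.strip().upper() + eq + marker)
    return ",".join(parts)

def review(statements):
    """Return (statement, verdict) pairs for a list of control statements."""
    report = []
    for raw in statements:
        s = shape(raw)
        if not any(p.fullmatch(s) for p in SHAPES):
            verdict = "invalid"
        elif s.startswith(MUTATING):
            verdict = "changes-rbac"    # takes effect immediately once run
        else:
            verdict = "no-rbac-change"
        report.append((raw, verdict))
    return report

# Constructed input: three examples from this page, then two malformed lines.
SAMPLE = ["dbid=200", "grant,role=NEWROLE,to,user=NEWUSER", "list,role=",
          "grant,role=NEWROLE,from,user=NEWUSER", "create,role="]
if __name__ == "__main__":
    print(*(f"{v:15} {r}" for r, v in review(SAMPLE)), sep="\n")
```

Statements reported as changes-rbac are the ones to have reviewed by the person responsible for database security before the file is run.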

CREATE

CREATE ,{OPERATION|USER|OBJECT|ROLE} = string

This function creates an RBAC definition of a given type and value.

Values are case-sensitive.

The value assigned to items of type USER must be a valid logon credential, for example a user identification. These values are platform-specific:

  • Unix/Linux: user_identification

  • Windows: domain\user_identification

See Authorization for Adabas Utilities in the Administration documentation for further information.

Example:

adarba: create,user=domain\userid

The user definition domain\userid for Windows is created.

DBID

DBID = number

This parameter selects the database to be used.

Note:
The nucleus must be running.

Example:

adarba: dbid=200

The database currently being used is database 200.

DROP

DROP ,{OPERATION|USER|OBJECT|ROLE} = string

This function deletes an RBAC definition with the given type and value.

Example:

adarba: drop,user=NEWUSER

The user definition NEWUSER is deleted.

[NO]ECHO

[NO]ECHO  

This function turns the echo of the command input on or off.

Example:

adarba: echo
%ADARBA-I-INP, echo
%ADARBA-I-PAR, echo input enabled

For this ADARBA session, echo input is enabled.

GRANT (User Assignment)

GRANT ,ROLE = string [,TO] ,USER = string

This function grants a role to a user.

Example:

adarba: grant,role=NEWROLE,to,user=NEWUSER

The user NEWUSER is assigned the role NEWROLE.

GRANT (Permission Assignment)

GRANT ,OPERATION = string [,OBJECT = string] [,TO]  ,ROLE = string

This function grants a role the permission to perform an operation on an object.

Example:

adarba: grant,operation=ada.uti.opr,to,role=ANYROLE

The role ANYROLE is assigned the permission to perform the operation ada.uti.opr on the default object (DBID.CURRENT).

LIST

LIST ,{OPERATION|USER|OBJECT|ROLE} [= string]

If a string value is supplied and the specified definition exists, this function displays that RBAC definition.

If no value is supplied, this function displays all active RBAC definitions of the type specified.

Examples:

adarba: list,role=PUBLIC
PUBLIC

The role PUBLIC is displayed.

adarba: list,role=
PUBLIC

The role PUBLIC is displayed because it is the only active role definition.

LIST ASSIGNMENT

LIST ,ASSIGNMENT ,{USER|PERMISSION}

This function displays, according to the type specified, all active user or permission assignments.

Example:

adarba: list,assignment,user
PUBLIC,PUBLIC

All user assignments are displayed.

REVOKE (User Assignment)

REVOKE ,ROLE = string [,FROM] ,USER = string

This function revokes a role that was granted to the user.

Example:

adarba: revoke,role=NEWROLE,from,user=NEWUSER

The role NEWROLE is revoked from user NEWUSER.

REVOKE (Permission Assignment)

REVOKE ,OPERATION = string [,OBJECT = string] [,FROM] ,ROLE = string

This function revokes a permission, previously granted to a role, to execute an operation on an object.

Example:

adarba: revoke,operation=ada.uti.dbm,from,role=NEWROLE

The permission that the role NEWROLE had been granted to perform the operation ada.uti.dbm on the default object DBID.CURRENT is revoked.

[NO]STAT

[NO]STAT

This function enables or disables command statistics.

Example:

adarba: stat
%ADARBA-I-INP, stat
%ADARBA-I-PAR, command statistics enabled

Command statistics are enabled for this ADARBA session.