How to control access from the command line
Overview
The command line tool "VISULOX policy access" is used to control the Access Policy.
Usage
The following subcommands are available:
| Command | Description |
|---|---|
| list | List and print Access Policies. |
| fields | List the available fields in the database (-raw gives the enhanced output). |
| add | Add an Access Policy for a user or a group to the top of the Access Policy list. A ticket string is mandatory. The new Access Policy can be either "allow" or "deny". |
| edit | Modify fields of an Access Policy. The modification does not change the policy's position in the Access Policy list. |
| delete | Remove an Access Policy. |
| purge | Remove outdated entries. Can be run from a cron job. |
Access Policy elements (edit)
| Element | Description |
|---|---|
| -mode <value> | Mode of access: allow, deny, request, group, disabled. Default value: allow. |
| -name <value> | Name of the policy, or AUTO. If no name is given during add on the command line, a name is generated in the form "BATCH-yyyymmdd-hhmmss". Unlike the GUI, no field validation is done. |
| -object <value> | Policy filter: mask or unique distinguished object of a user or group. Mandatory in add, update and remove to identify a unique object in the datasource table (attached user repositories). |
| -applicationgroup <value> | Policy filter: mask, applicationgroup name or applicationgroup mask. |
| -application <value> | Policy filter: mask, application name or application mask. |
| -remoteip <value> | Policy filter: remote IP or remote IP mask. |
| -accesspoint <value> | Policy filter: Access Point. |
| -ticket <value> | Ticket assigned to this access. Mandatory. Unlike the GUI, no field validation is done. |
| -region <value> | Name of a region in the database. Default value: @LOCAL. |
| -timeprofile <value> | Name of a time profile in the database. Default value: 24x7. |
| -starttime <value> | Start of access: now or a time string. Default value: now. |
| -endtime <value> | End of access: endless or a time string. Default value: endless. |
| -script <value> | Trigger script. Usage: -script "<script-name>: args". Example with arguments: -script "Dump: -arg arg -arg1 <>" |
| -mailinggroup <value> | Name of the preconfigured mailing group. |
| -mailinggroup_emails <value> | Individual list of email addresses. |
| -comment <value> | Comment for the policy. Default value: CLI. The comment can have multiple lines; "\n" can be used as a line separator. |
| -grant <value> | Set the granted user in the database record. |
Every command that changes the Access Policy (add, update, remove, clean) runs in "dry" mode until -run is appended to the command line.
Configuration of ticket ID as a regular expression
The entry format of the ticket ID can be configured as a regular expression; the setting is stored in the parameter entry.access.ticketid:
visulox config -name entry.access.ticketid
----------------------------------------------
| parameter | type | value |
----------------------------------------------
| entry.access.ticketid | OPERATION | ^A-.+$ |
----------------------------------------------
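Because the CLI skips the ticket-ID validation that the GUI performs, and stays in dry mode until -run is given, a wrapper can enforce both before calling add. The following shell script is an added example and not part of the VISULOX documentation; the function names are hypothetical, and the pattern ^A-.+$ is the one shown in the table above (a deployment would read its own value from entry.access.ticketid).

```shell
#!/bin/sh
# Added example (not VISULOX code): enforce the configured ticket-ID regular
# expression and an explicit dry-run step in front of "visulox policy access add".
# The pattern below is the value shown on this page for entry.access.ticketid.
TICKET_REGEX='^A-.+$'

# validate_ticket REGEX TICKET -> exit status 0 if TICKET matches REGEX
validate_ticket() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# build_add_cmd NAME MODE OBJECT TICKET ENDTIME [RUN]
# Prints the "visulox policy access add" command line. -run is appended only
# when RUN=1 is passed, mirroring the CLI's own dry-mode default.
build_add_cmd() {
    name=$1; mode=$2; object=$3; ticket=$4; endtime=$5; run=${6:-0}
    # Only the modes documented for -mode are accepted.
    case "$mode" in
        allow|deny|request|group|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    # Reject tickets the GUI would refuse; the CLI itself would accept them.
    if ! validate_ticket "$TICKET_REGEX" "$ticket"; then
        echo "ticket '$ticket' does not match $TICKET_REGEX" >&2
        return 1
    fi
    cmd="visulox policy access add -name $name -mode $mode -object $object -ticket \"$ticket\" -endtime \"$endtime\""
    if [ "$run" = 1 ]; then
        cmd="$cmd -run"
    fi
    printf '%s\n' "$cmd"
}

# Usage: review the dry-run line first, then rerun with RUN=1 to get -run.
# build_add_cmd ACC1 allow miller.si@t-online.de A-097612 "+ 1 month"
# build_add_cmd ACC1 allow miller.si@t-online.de A-097612 "+ 1 month" 1
```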
Examples
List current available Access Policies
visulox policy access list
-------------------------------
| basicname | policymode |
-------------------------------
| Access | allowaccess.map |
-------------------------------
List available fields
visulox policy access fields
Display selected fields
visulox policy access list -fields basicname,policymode,acc_script
Grant access for Miller for one month from now
visulox policy access add -name ACC1 -mode allow -object miller.si@t-online.de -ticket "TK-097612" -endtime "+ 1 month" -run
Deny access for every user who belongs to group CN=EXTERNAL-STAFF
visulox policy access add -mode deny -name ACC2 -object CN=EXTERNAL-STAFF -ticket "TK-1234" -endtime endless -run
Assign a new object to policy ACC1
visulox policy access edit -name ACC1 -object cn=partner -run
Extend access for Miller
visulox policy access edit -name ACC1 -endtime "+ 1 year" \
-comment "Miller can have access for one year from now.\nHe is a trustworthy guy." -run
Remove an entry
visulox policy access delete -name ACC1 -run
Disabling the "Send request" button for users:
visulox config -name scx.button.request=false -force