lslpracl Command

Purpose

Displays the access controls for a least-privilege (LP) resource.

Syntax

To display the access controls for an LP resource:
  • On the local node:

    lslpracl [ -l | -i | -t | -d | -D delimiter ] [-L] [-p] [-E] [-x] [-h] [-TV] [name]

  • On all nodes in a domain:

    lslpracl -a [ -l | -i | -t | -d | -D delimiter ] [-L] [-p] [-E] [-x] [-h] [-TV] [name]

  • On a subset of nodes in a domain:

    lslpracl { -n host1[,host2,… ] } [ -l | -i | -t | -d | -D delimiter ] [-L] [-p] [-E] [-x] [-h] [-TV] [name]

Description

The lslpracl command displays the access control list (ACL) that is associated with a least-privilege (LP) resource. The accesses contained in the ACL entries are displayed. The Resource ACL controls access to the LP resources. If no LP resource name is specified, the Resource ACLs for all LP resources are listed. By default, this command displays information in table format (-t).

This command displays the following ACL information:
Field Description
Name The name of the LP resource. See lpacl Information for a description of the network identity.
Identity The network identity of the user.
Permissions The permissions allowed for Identity. The valid values are:
a
Administrator permission
r
Read permission (consists of the e, l, q, and v permissions)
w
Write permission (consists of the c, d, o, and s permissions)
x
Execute permission
c
Refresh permission
d
Define and undefine permission
e
Event permission
l
Enumerate permission
o
Online, offline, and reset permission
q
Query permission
s
Set permission
v
Validate permission
0
No permission
NodeName The location of the LP resource (for management domain scope or peer domain scope).
PeerDomain The name of the RSCT peer domain in which the LP resource is defined. This field is displayed when the -p flag is specified.

If the Resource ACL indicates that the Resource Shared ACL controls access to the LP resource, the ID is displayed as Uses Resource Shared ACL and there is no permission value. Use the -L flag to display the Resource Shared ACL when it is used by the Resource ACLs that are being displayed.

This command runs on any node. If you want this command to run on all of the nodes in a domain, use the -a flag. If you want this command to run on a subset of nodes in a domain, use the -n flag. Otherwise, this command runs on the local node.

Parameters

name
Specifies the name of the LP resource.

Flags

-a
Displays the Resource ACLs on all nodes in the domain. The CT_MANAGEMENT_SCOPE environment variable setting determines the cluster scope. If CT_MANAGEMENT_SCOPE is not set, the LP resource manager uses scope settings in this order:
  1. The management domain, if it exists
  2. The peer domain, if it exists
  3. Local scope
The lslpracl command runs once for the first valid scope that the LP resource manager finds. For example, suppose that a management domain and a peer domain exist and the CT_MANAGEMENT_SCOPE environment variable is not set. In this case, lslpracl –a runs in the management domain. To run lslpracl –a in the peer domain, you must set CT_MANAGEMENT_SCOPE to 2.
-i
Generates a template in a form that can be used, after appropriate editing, as file input to the chlpracl command.
-l
Displays the information about separate lines (long format).
-t
Displays the information in separate columns (table format). It is the default.
-d
Displays the information using delimiters. The default delimiter is a pipe symbol (|). Use the -D flag if you want to change the default delimiter.
-D delimiter
Displays the information using the specified delimiter. Use this flag to specify a delimiter other than the default pipe symbol (|) when the information you want to display contains pipe symbols, for example. You can use this flag to specify a delimiter of one or more characters.
-n host1[,host2,…]
Specifies the node in the domain from which the Resource ACL is displayed. By default, the Resource ACL is displayed on the local node. This flag is valid only in a management domain or a peer domain. If CT_MANAGEMENT_SCOPE is not set, first the management domain scope is chosen if it exists, then the peer domain scope is chosen if it exists, and then local scope is chosen, until the scope is valid for the command. The command runs once for the first valid scope found.
-L
Displays the accesses of the Resource Shared ACL if the Resource ACL indicates that access is controlled by the Resource Shared ACL.
-p
Displays the name of the RSCT peer domain in which the LP resource is defined.
-E
Displays read permission as elqv instead of r and write permission as cdos instead of w.
-x
Excludes the header (suppresses header printing).
-h
Writes the command usage statement to standard output.
-T
Writes the command trace messages to standard error.
-V
Writes the command verbose messages to standard output.

Environment variables

CT_CONTACT
Determines the system where the session with the resource monitoring and control (RMC) daemon occurs. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the resource classes or resources that are processed.
CT_IP_AUTHENT
When the CT_IP_AUTHENT environment variable exists, the RMC daemon uses IP-based network authentication to contact the RMC daemon on the system that is specified by the IP address to which the CT_CONTACT environment variable is set. CT_IP_AUTHENT has meaning only if CT_CONTACT is set to an IP address; it does not rely on the domain name system (DNS) service.
CT_MANAGEMENT_SCOPE
Determines the management scope that is used for the session with the RMC daemon in processing the resources of the least-privilege (LP) resource manager. The management scope determines the set of possible target nodes where resources can be processed. The valid values are:
0
Specifies local scope.
1
Specifies local scope.
2
Specifies peer domain scope.
3
Specifies management domain scope.
If this environment variable is not set, local scope is used, unless the -a flag or the -n flag is specified.

Standard output

When the -h flag is specified, this command usage statement is written to standard output. When the -V flag is specified, this command verbose messages are written to standard output.

Standard error

All trace messages are written to standard error.

Exit status

0
The command ran successfully.
1
An error occurred with RMC.
2
An error occurred with the command-line interface (CLI) script.
3
An incorrect flag was specified on the command line.
4
An incorrect parameter was specified on the command line.
5
An error occurred with RMC that was based on incorrect command-line input.
6
The resource was not found.

Security

To run the lslpracl command, you need:
  • read permission in the Class ACL of the IBM.LPCommands resource class.
  • read permission in the Resource ACL.

    As an alternative, the Resource ACL can direct the use of the Resource Shared ACL if this permission exists in the Resource Shared ACL.

Permissions are specified in the LP ACLs on the contacted system. See lpacl Information for general information about LP ACLs and the Administering RSCT guide for information about modifying them.

Implementation specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for the AIX® and Linux® operating systems.

Location

/opt/rsct/bin/lslpracl

Examples

  1. To list the Resource ACLs for the LP resource lpcommand1 on nodeA in table format, run this command on nodeA: 
    lslpracl lpcommand1
    The following output is displayed: 
    Resource ACLs for LPRM
Name            Identity                Permissions     NodeName
lpcommand1      joe@LOCALHOST           rx              nodeA
lpcommand1      bill@0x374bdcbe384ed38a rx              nodeA
lpcommand1      jane@0x374bdcbe384ed38a rwax            nodeA
  2. To list the Resource ACLs for the LP resource lpcommand1 on nodeA in long format, run this command on nodeA: 
    lslpracl -l lpcommand1
    The following output is displayed: 
    Resource ACLs for LPRM
Name lpcommand1, NodeName nodeA
    Identity    =     joe@LOCALHOST
    Permissions =     rx

    Identity    =     bill@0x374bdcbe384ed38a
    Permissions =     rx

    Identity    =     jane@0x374bdcbe384ed38a
    Permissions =     rwax
  3. To list the Resource ACLs for the LP resource lpcommand1 on nodeA in delimited format, run this command on nodeA: 
    lslpracl -d lpcommand1
    The following output is displayed: 
    Resource ACLs for LPRM
Name|Identity|Permissions|NodeName
lpcommand1|joe@LOCALHOST|rx|nodeA
lpcommand1|bill@0x374bdcbe384ed38a|rx|nodeA
lpcommand1|jane@0x374bdcbe384ed38a|rwax|nodeA
  4. To list the Resource ACLs for the LP resource lpcommand1 in the active domain, run this command on nodeA: 
    lslpracl -a lpcommand1
    The following output is displayed: 
    Resource ACLs for LPRM
Name            Identity                Permissions     NodeName
lpcommand1      joe@LOCALHOST           rx              nodeA.pok.ibm.com
lpcommand1      bill@0x374bdcbe384ed38a rx              nodeA.pok.ibm.com
lpcommand1      jane@0x374bdcbe384ed38a rwax            nodeA.pok.ibm.com
lpcommand1      joe@LOCALHOST           rx              nodeB.pok.ibm.com
lpcommand1      jane@0x374bdcbe384ed38a rwax            nodeB.pok.ibm.com
  5. To list the Resource ACLs for all LP resources on nodeA, run this command on nodeA: 
    lslpracl
    The following output is displayed: 
    Resource ACLs for LPRM
Name            Identity                Permissions     NodeName
lpcommand1      joe@LOCALHOST           rx              nodeA
lpcommand1      bill@0x374bdcbe384ed38a rx              nodeA
lpcommand1      jane@0x374bdcbe384ed38a rwax            nodeA
lpcommand2      jim@LOCALHOST           rx              nodeA
lpcommand2      jane@0x374bdcbe384ed38a rwax            nodeA
lpcommand3      mary                    rwax            nodeA
lpcommand4      bob@LOCALHOST           rx              nodeA
lpcommand4      sam@0x374bdcbe384ed38a  rwax            nodeA
  6. To list the Resource ACLs for the LP resource lpcommand1 in the active domain and list the peer domain name, run this command on nodeA: 
    lslpracl -ap lpcommand1
    The following output is displayed: 
    Resource ACLs for LPRM
Name            Identity                Permission NodeName             PeerDomain
lpcommand1      joe@LOCALHOST           rx         nodeA.pok.ibm.com    PD1
lpcommand1      bill@0x374bdcbe384ed38a rx         nodeA.pok.ibm.com    PD1
lpcommand1      jane@0x374bdcbe384ed38a rwax       nodeA.pok.ibm.com    PD1
lpcommand1      joe@LOCALHOST           rx         nodeB.pok.ibm.com    PD1
lpcommand1      jane@0x374bdcbe384ed38a rwax       nodeB.pok.ibm.com    PD1
  7. To list the Resource ACLs for the LP resource lpcommand2 on nodeA, run this command on nodeA: 
    lslpracl lpcommand2
    The following output is displayed: 
    Resource ACLs for LPRM
Name            Identity                   Permissions   NodeName                
lpcommand2      Uses Resource Shared ACL                 nodeA
  8. To list the Resource ACLs for the LP resource lpcommand2 on nodeA, and show the Resource Shared ACL if it is used, run this command on nodeA: 
    lslpracl -L lpcommand2
    The following output is displayed: 
    Resource ACLs for LPRM
Name            Identity                Permissions     NodeName
lpcommand2      bill@0x374bdcbe384ed38a rx              nodeA	
lpcommand2      jane@0x374bdcbe384ed38a rwax            nodeA