Skip to Main Content
Due to the recent acquisition by IBM, the Adabas & Natural Ideas Portal does not contain ideas from products ApplinX and EntireX any longer. Please refer to the IBM Ideas Portal for these products from now on (IBMid required). Existing content will be migrated during the next few weeks.
Status Under Review
Created by Andreas Heitzer
Created on Jul 13, 2021

[RBAC]: Authorization for Adabas LUW Utilities

If activating the feature in adaauth.ini with parameter ACTION = YES the USER_ROLE in adarbac.ini using UserID = * 
is changed to the real Unix User and the utility adarep  (example: adarep dbid=3) gets error  
ADAREP-E-ACNOPERM, Security violation. Permission denied, even the Username is identical to the Unix Users entry.

We are expecting the "effective" user ID to be used for authorization purposes;
e.g. "ADA" - the value of getpwuid( geteuid() ).

The audit log shows that the name associated with the "current login activity" is being used for authorization purposes;
e.g. "andreas.heitzer" - the value of getlogin().
BACKGROUND INFORMATION
==========================================================

Processing Logic:
Authorization for Adabas Utilities uses as user ID for authorization purposes:

a) The name associated with the "current login activity"; e.g. "andreas.heitzer" - the value of getlogin().

b) When the name is not available, for example in batch, -
     the name associated with the "real" user ID of the process; e.g. the value of getpwuid( getuid() ).

The reasoning behind this processing logic, is the desire to ensure accountability; e.g. who is the "persona" executing the function.
LINKS:
---------
https://www.gnu.org/software/libc/manual/html_node/Process-Persona.html#Process-Persona
http://pubs.opengroup.org/onlinepubs/007904875/functions/getlogin.html

The Chapter "The Persona of a Process" in the The GNU C Library documentation states:

At any time, each process has an "effective" user ID, an "effective" group ID, and a set of "supplementary" group IDs.
These IDs determine the privileges of the process.
They are collectively called the persona of the process,
because they determine “who it is” for purposes of access control.
The description of the - getlogin() function from OpenGroup

APPLICATION USAGE
Three names associated with the current process can be determined:
getpwuid( geteuid() ) shall return the name associated with the __effective__ user ID of the process;
getpwuid( getuid() ) shall return the name associated with the __real__ user ID of the process.
getlogin() shall return the name associated with the __current log
---

28-06-2021: itrac number was wrong...

Use Case Re-Hosting
Created on Brainstorm 06.07.2017 04:38 pm
Brainstorm ID 4878