chres Command: Modify Resource Records

Valid in the AC environment
Use the chres, editres, and newres commands to work with resource records that belong to a Privileged Access Manager class. These commands are identical in structure and only vary in the following way:
  • The chres command modifies one or more resources.
  • The editres command creates or modifies one or more resources.
  • The newres command creates one or more resources.
This command also exists in the native Windows environment but operates differently there.
To add a resource using the newres command, at least one of the following conditions must be true:
  • You have the ADMIN attribute.
  • You have CREATE access authority in the ACL of the record of the resource class in the ADMIN class.
  • If the token use_unix_file_owner in the seos.ini file is set to yes, an owner of a file in UNIX can define it as a new resource to Privileged Access Manager.
To add or change a resource using the chres or editres commands, you must have sufficient authority over the resource.
Privileged Access Manager checks in the following order for any one of these conditions:
  1. You have the ADMIN attribute.
  2. The resource record is within the scope of a group in which you have the GROUP-ADMIN attribute.
  3. You are the owner of the record.
  4. You are assigned MODIFY (for chres) or CREATE (for editres) access authority in the access control list of the resource class's record in the ADMIN class.
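The four conditions above are evaluated in order, and the first one that holds grants the change. As an added illustration (not the product's own code), the following Python models that ordered check; the User, ResourceRecord and ADMIN-class ACL shapes, and all accessor names, are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the chres/editres authority check. The record, user and
# ACL shapes are assumptions for this example, not the product's data model.

@dataclass
class User:
    name: str
    admin: bool = False                                    # holds the ADMIN attribute
    groups: Set[str] = field(default_factory=set)          # group memberships
    group_admin_of: Set[str] = field(default_factory=set)  # groups in which the user has GROUP-ADMIN

@dataclass
class ResourceRecord:
    class_name: str                                        # e.g. TERMINAL, FILE
    name: str
    owner: str
    scope_groups: Set[str] = field(default_factory=set)    # groups whose scope contains this record

# ACL of each class's record in the ADMIN class: class name -> accessor -> authorities
AdminClassAcl = Dict[str, Dict[str, Set[str]]]

def change_authority(user: User, rec: ResourceRecord, admin_acl: AdminClassAcl,
                     command: str) -> Optional[str]:
    """Return the first documented condition that lets `user` run `command`
    (chres or editres) against `rec`, or None when none of the four holds."""
    if command not in ("chres", "editres"):
        raise ValueError("only chres and editres are covered by this check")
    # 1. ADMIN attribute
    if user.admin:
        return "ADMIN attribute"
    # 2. GROUP-ADMIN over a group whose scope includes the record
    if user.group_admin_of & rec.scope_groups:
        return "GROUP-ADMIN over a group whose scope contains the record"
    # 3. owner of the record
    if rec.owner == user.name:
        return "owner of the record"
    # 4. MODIFY (chres) or CREATE (editres) on the class's record in the ADMIN class
    needed = "MODIFY" if command == "chres" else "CREATE"
    class_acl = admin_acl.get(rec.class_name, {})
    for accessor in (user.name, *sorted(user.groups)):
        if needed in class_acl.get(accessor, set()):
            return f"{needed} authority on {rec.class_name} in the ADMIN class ACL"
    return None

# Constructed sample data for the usage below.
SAMPLE_ACL: AdminClassAcl = {"TERMINAL": {"ops-admins": {"MODIFY"}}}
TTY30 = ResourceRecord("TERMINAL", "tty30", owner="admin1", scope_groups={"ops"})

if __name__ == "__main__":
    ops = User("ops1", groups={"ops-admins"})
    print(change_authority(ops, TTY30, SAMPLE_ACL, "chres"))    # MODIFY via the group
    print(change_authority(ops, TTY30, SAMPLE_ACL, "editres"))  # None: editres needs CREATE
```

The last case is the one worth noticing when auditing delegated administration: MODIFY alone is enough for chres but not for editres, which requires CREATE even when the record already exists.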
The maximum length of a resource name is 255 single-byte characters.
The following content lists command parameters that apply for each class that can be administered using the chres, editres, and newres commands.
ACVAR Supported Properties:
  • comment
  • owner
  • other: VARIABLE_TYPE, VARIABLE_VALUE
ADMIN Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
CALENDAR Supported Properties:
  • comment
CATEGORY Supported Properties:
  • comment
CONNECT Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
CONTAINER Supported Properties:
  • audit
  • calendar
  • comment
  • owner
  • warning
  • other: MEM
DOMAIN Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
FILE Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • other: MEM
GFILE Supported Properties:
  • audit
  • calendar
  • comment
  • notify
  • owner
  • warning
  • other: MEM
GHOST Supported Properties:
  • audit
  • calendar
  • comment
  • owner
  • restrictions[-]
  • warning
  • other: MEM
GSUDO Supported Properties:
  • calendar
  • comment
  • defaccess
  • owner
  • other: MEM
GTERMINAL Supported Properties:
  • audit
  • calendar
  • comment
  • defaccess
  • owner
  • restrictions[-]
  • other: MEM
HNODE Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • other: SUBSCRIBER, POLICY
HOLIDAY Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • other: DATES
HOST Supported Properties:
  • audit
  • calendar
  • comment
  • owner
  • restrictions[-]
  • warning
HOSTNET Supported Properties:
  • audit
  • calendar
  • comment
  • owner
  • warning
  • other: MASK, MATCH
HOSTNP Supported Properties:
  • audit
  • calendar
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
LOGINAPPL Supported Properties:
  • audit
  • calendar
  • comment
  • defaccess
  • notify
  • owner
  • restrictions[-]
  • warning
  • other: LOGINFLAGS, LOGINMETHOD, LOGINPATH, LOGINSEQUENCE
MFTERMINAL Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • label
  • level
  • notify
  • owner
  • warning
  • other: DAYTIME
POLICY Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • other: SIGNATURE, RULESET
PROCESS Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
PROGRAM Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • other: TRUST
PWPOLICY Supported Properties:
  • comment
  • owner
REGKEY Supported Properties:
  • audit
  • calendar
  • comment
  • defaccess
  • notify
  • owner
  • warning
  • Other: DAYTIME
REGVAL Supported Properties:
  • audit
  • calendar
  • comment
  • defaccess
  • notify
  • owner
  • warning
  • Other: DAYTIME
RULESET Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • Other: SIGNATURE, CMD, UNDOCMD
SECFILE Supported Properties:
  • defaccess
  • owner
  • Other: TRUST, FLAGS
SECLABEL Supported Properties:
  • category
  • comment
  • level
  • owner
SEOS Supported Properties:
  • calendar
  • category
  • comment
  • label
  • level
  • Other: HOST
SPECIALPGM Supported Properties:
  • comment
  • owner
SUDO Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
  • Other: TARGUID, PASSWORD
SURROGATE Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
TCP Supported Properties:
  • audit
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
TERMINAL Supported Properties:
  • audit
  • calendar
  • category
  • comment
  • defaccess
  • label
  • level
  • notify
  • owner
  • restrictions[-]
  • warning
UACC Supported Properties:
  • audit
  • category
  • comment
  • defaccess
  • owner
USER-ATTR Supported Properties:
  • owner
  • warning
USER-DIR Supported Properties:
  • audit
  • comment
  • owner
{{chres|cr}|{editres|er}|{newres|nr}} className resourceName \
  [audit({none|all|success|failure})] \
  [calendar[-](calendarName)] \
  [category[-](categoryName)] \
  [cmd+(selang_command_string)|cmd-] \
  [comment(string)|comment-] \
  [container[-](containerName)] \
  [dates(time-period)] \
  [dh_dr{-|+}(dh_dr)] \
  [disable|disable-] \
  [defaccess(accessAuthority)] \
  [filepath(filePaths)] \
  [flags[-|+](flagName)] \
  [gacc(access-value)] \
  [gowner(groupName)] \
  [host(host-name)|host-] \
  [label(labelName)|label-] \
  [level(number)|level-] \
  [mask(inetAddress)|match(inetAddress)] \
  [mem(resourceName)|mem-(resourceName)] \
  [node_alias{-|+}(alias)] \
  [node_ip{-|+}(ip)] \
  [notify(mailAddress)|notify-] \
  [of_class(className)] \
  [owner({userName | groupName})] \
  [{password | password-}] \
  [policy(name(policy-name) {{deviation+|dev+}|{deviation-|dev-}})] \
  [policy(name(policy-name) status(policy-status) {updator|updated_by}(user-name))] \
  [{restrictions([days({anyday|weekdays|{[mon] [tue] [wed] [thu] [fri] [sat] [sun]}})] \
    [time({anytime|startTime:endTime})]) | restrictions-}] \
  [targuid(userName)] \
  [trust | trust-] \
  [value{+|-}(value)] \
  [warning | warning-]
  • audit
    Indicates which access events Privileged Access Manager logs:
    • all - Both authorized and unauthorized access attempts.
    • failure - Unauthorized access attempts. This value is the default.
    • none - Does not write any records in the log file.
    • success - Authorized access attempts.
  • category(categoryName[, categoryName...])
    Assigns one or more security categories to the resource record.
    If you specify the category parameter when the CATEGORY class is not active, Privileged Access Manager updates the resource definition in the database. However, the updated category assignment has no effect until the CATEGORY class is activated again.
  • category-(categoryName[, categoryName...])
    Deletes one or more security categories from the resource record.
    The specified security categories are deleted from the resource record, regardless of whether the CATEGORY class is active. Use this parameter only with the chres or editres command.
  • className
    Specifies the name of the class to which the resource belongs. To list the resource classes that are defined to Privileged Access Manager, use the find command.
  • cmd+(selang_command_string)
    Specifies a list of selang commands that define the policy. These commands are used to deploy the policy. For example:
    editres RULESET IIS5#02 cmd+("nr FILE /inetpub/* defaccess(none) owner(nobody)")
  • cmd-
    Removes the policy deployment command list from the RULESET object.
  • comment(string)
    Adds an alphanumeric string of up to 255 characters to the resource record. If the string contains any blanks, enclose the entire string in single quotation marks. The string replaces any existing string defined previously.
    For the SUDO class, this string has a special meaning. For more information about defining SUDO records, see the Endpoint Administration Guide for UNIX.
  • comment-
    Deletes the comment from the resource record. Use this parameter only with the chres or editres command.
  • container(containerName)
    Represents CONTAINER objects, a generic grouping class. containerName is the name of one or more CONTAINER records defined in the CONTAINER class. When assigning more than one CONTAINER, separate the names with a space or a comma.
  • container-(containerName)
    Deletes one or more CONTAINER records from the resource record. Use this parameter with the chres or editres command only.
  • dates(time-period)
    Defines one or more periods when users cannot log in, such as holidays. If more than one time period is specified, separate the periods with a space. Use the following format:
    mm/dd[/yy[yy]][@hh:mm][-mm/dd[/yy[yy]][@hh:mm]]
    If you do not specify a year (or you specify a year before 1990), the period or holiday is annual. You can specify the year with two digits or four digits, for example, 98 or 1998.
    If you do not specify a start time, the start of the day (midnight) is used; if you do not specify an end time, the end of the day (midnight) is used. The format of the hours and the minutes is hh:mm, where hh is the hour in 24-hour notation (00 through 23) and mm is the minutes (00 through 59).
    If you do not specify an interval of time (for example, 12/25@14:00-12/25@17:00), but only a day and a month (12/25), the holiday lasts for one whole day.
    If you are issuing the command in a different time zone from where the holiday occurs, translate the period to your local time. For example, if you are in New York and Los Angeles has a half-day holiday, you must enter 09/14/98@18:00-09/14/98@20:00. This prevents the users from logging in from 3:00 pm to 5:00 pm in Los Angeles.
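The dates() format above has several defaulting rules (missing year means annual, missing start time means midnight, missing end means end of day, a bare date means the whole day). The following Python parser, added here as an example and not part of the product, applies those rules and evaluates whether a timestamp falls inside a period. Its one assumption, marked in the code, is that a two-digit year yy is read as 19yy, consistent with the page's "98 or 1998".

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Added parser for the dates() period format; not the product's own code.
# One endpoint of a period: mm/dd[/yy[yy]][@hh:mm]
_END = (r"(?P<{p}mon>\d{{2}})/(?P<{p}day>\d{{2}})"
        r"(?:/(?P<{p}year>\d{{4}}|\d{{2}}))?"
        r"(?:@(?P<{p}hh>\d{{2}}):(?P<{p}mm>\d{{2}}))?")
_PERIOD = re.compile("^" + _END.format(p="s") + "(?:-" + _END.format(p="e") + ")?$")

Stamp = Tuple[int, int, int, int]   # (month, day, hour, minute); hour 24 marks end of day

@dataclass(frozen=True)
class HolidayPeriod:
    start: Stamp
    end: Stamp
    year: Optional[int]             # None: annual (no year given, or a year before 1990)

def _year(raw: Optional[str]) -> Optional[int]:
    if raw is None:
        return None
    y = int(raw)
    if len(raw) == 2:
        y += 1900                   # assumption: two-digit yy is read as 19yy (98 -> 1998)
    return None if y < 1990 else y  # a year before 1990 means the period is annual

def _clock(hh: Optional[str], mm: Optional[str], default: Tuple[int, int]) -> Tuple[int, int]:
    if hh is None:
        return default
    h, m = int(hh), int(mm)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"invalid time {hh}:{mm}")
    return h, m

def _check_date(mon: int, day: int) -> None:
    if not (1 <= mon <= 12 and 1 <= day <= 31):
        raise ValueError(f"invalid date {mon:02d}/{day:02d}")

def parse_period(text: str) -> HolidayPeriod:
    m = _PERIOD.match(text.strip())
    if not m:
        raise ValueError(f"not a dates() period: {text!r}")
    g = m.groupdict()
    smon, sday = int(g["smon"]), int(g["sday"])
    _check_date(smon, sday)
    start = (smon, sday) + _clock(g["shh"], g["smm"], (0, 0))     # default: start of day
    if g["emon"] is None:
        end = (smon, sday, 24, 0)                                   # bare date: whole day
    else:
        emon, eday = int(g["emon"]), int(g["eday"])
        _check_date(emon, eday)
        end = (emon, eday) + _clock(g["ehh"], g["emm"], (24, 0))   # default: end of day
    return HolidayPeriod(start, end, _year(g["syear"]))

def parse_dates(spec: str) -> List[HolidayPeriod]:
    """dates() takes one or more periods separated by spaces."""
    return [parse_period(p) for p in spec.split()]

def blocks_login(p: HolidayPeriod, when: datetime) -> bool:
    """True if `when` (in the issuing host's local time) falls inside the period."""
    if p.year is not None and when.year != p.year:
        return False
    t = (when.month, when.day, when.hour, when.minute)
    if p.start <= p.end:
        return p.start <= t < p.end
    return t >= p.start or t < p.end    # period wraps past 12/31 into the next year

if __name__ == "__main__":
    print(parse_period("09/14/98@18:00-09/14/98@20:00"))
```

Timestamps are compared as (month, day, hour, minute) tuples, which is why "end of day" is stored as hour 24: it sorts after 23:59 without needing date arithmetic, and the wrap-around branch covers a period such as 12/30-01/02.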
  • defaccess([accessAuthority])
    Defines the default access authority for the resource. The default access authority is the authority that is granted to any accessor not in the access control list of the resource that requests access to the resource. The default access is also applied to users who are not defined in the database. Valid access authority values vary by class.
    If you omit accessAuthority, Privileged Access Manager assigns the implicit access that is specified in the UACC property of the record that represents the class of the resource in the UACC.
  • dh_dr{+|-}(dh_dr)
    Defines Distribution Hosts this endpoint uses for disaster recovery.
  • filepath(filePaths)
    Defines one or more absolute file paths, each of which constitutes a valid kernel module. Multiple file paths are separated by a colon (:).
  • flags(flagName)
    Defines how the resource is to be trusted and how to check it for trusted status. Available flags are Ctime, Mtime, Mode, Size, Device, Inode, Crc, and Own/All/None.
  • gacc(access-value)
    Lets a program access protected, frequently opened files at a much faster rate than otherwise possible.
  • gowner(groupName)
    Assigns a Privileged Access Manager group as the owner of the resource record. The group owner of the resource record has unrestricted access to the resource, provided the security level, security label, and security category authorities of the group owner are sufficient to allow access to the resource. The group owner of the resource is always permitted to update and delete the resource record. See the Endpoint Administration Guide for UNIX for more information.
  • label(labelName)
    Assigns a security label to the resource record.
  • label-
    Deletes the security label from the resource record. Use this parameter only with the chres or editres command.
  • level(number)
    Assigns a security level to the resource record. Enter a positive integer from 1 through 255.
  • level-
    Removes any security level from the resource. Use this parameter only with the chres or editres command.
  • mask(IPv4-address) and match(IPv4-address)
    The mask and match parameters are applicable only to HOSTNET records. They are required when creating a HOSTNET record and are optional when modifying a record.
    Use mask and match together to define the group of hosts defined by a HOSTNET record. A host is a member of a HOSTNET record group if an AND of the host IP address with the mask address produces the match address.
    For example, specifying mask(255.255.255.0) and match(192.16.133.0) means that a host is a member of the group if it has an IP address in the range 192.16.133.0 to 192.16.133.255.
    The mask and match parameters require IPv4 addresses.
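The membership rule above is a bitwise test, so a mask/match pair can be sanity-checked before it is written to the database. The following Python, added here as an example and not part of the product, implements the rule, reports the range a contiguous mask covers, and catches the one configuration error the rule makes possible: a match address with bits set outside the mask, which no host can ever satisfy.

```python
import ipaddress
from typing import Tuple

# Added example of the HOSTNET mask/match membership rule; not the product's code.

def _v4(addr: str) -> int:
    """mask and match must be IPv4 addresses; anything else is rejected here."""
    return int(ipaddress.IPv4Address(addr))

def hostnet_member(host_ip: str, mask: str, match: str) -> bool:
    """A host belongs to the HOSTNET group when (host_ip AND mask) == match."""
    return (_v4(host_ip) & _v4(mask)) == _v4(match)

def hostnet_is_satisfiable(mask: str, match: str) -> bool:
    """Bits of match that lie outside the mask cannot survive the AND, so such a
    record matches no host at all. Worth checking before newres HOSTNET ... mask() match()."""
    return (_v4(match) & ~_v4(mask) & 0xFFFFFFFF) == 0

def hostnet_range(mask: str, match: str) -> Tuple[str, str]:
    """For a contiguous (prefix-style) mask, the lowest and highest address covered."""
    m, want = _v4(mask), _v4(match)
    low = want & m
    high = low | (~m & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

if __name__ == "__main__":
    # The page's own example: mask(255.255.255.0) match(192.16.133.0)
    print(hostnet_range("255.255.255.0", "192.16.133.0"))   # ('192.16.133.0', '192.16.133.255')
    print(hostnet_member("192.16.133.77", "255.255.255.0", "192.16.133.0"))  # True
```

The AND test itself does not require a contiguous mask, so hostnet_member is exact for any mask; hostnet_range is only meaningful for the prefix-style masks administrators normally use.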
  • mem(resourceName)
    Adds a member resource to a resource group. If you are adding more than one member resource, separate each name with a comma.
    You can use the mem parameter only with resource records of the following classes:
    • CONTAINER - This class defines a group of objects from other resource classes.
    • GFILE - This class contains resource records that define groups of files.
    • GHOST - This class contains resource records that define groups of hosts.
    • GSUDO - This class contains resource records that define groups of commands.
    • GTERMINAL - This class contains resource records that define groups of terminals.
    • GPOLICY - This class contains resource records that define a logical policy.
    • GHNODE - This class contains resource records that define a host group.
    • GDEPLOYMENT - This class contains resource records that define the policy deployment.
    Use the mem parameter to add a record of the appropriate type to a resource group, for example, to add a FILE record to a resource group of class GFILE.
    If you are using the mem parameter for CONTAINER resources, you must also include the of_class parameter.
    Both the member resource and the resource group must already be defined in Privileged Access Manager. To create a resource group, create a resource of the class you want. For example, the following command creates a GFILE resource group:
    newres GFILE myfiles
  • mem-(resourceName)
    Removes member resources from a resource group. If you are removing more than one member resource, separate the resource names with a space or a comma. Use this parameter only with the chres or editres command.
  • node_alias{-|+}(alias)
    Defines an endpoint alias. Defining aliases for the endpoint lets Privileged Access Manager send advanced policy management commands to the actual endpoint based on the alias.
  • node_ip{-|+}(ip)
    Defines the IP address of the host. Advanced policy management uses the IP address, with the name of the endpoint, to locate the required endpoint.
  • notify(mailAddress)
    Instructs Privileged Access Manager to send notification messages whenever the resource that is represented by the resource record is accessed. Enter a user name, an email address of a user, or the email address of a mail group if an alias is specified.
    Notification takes place only when the Log Routing System is active. The notification messages are sent either to the screen or to the mailbox of the users, depending on the setup of the Log Routing System.
    Each time a notification message is sent, an audit record is written in the audit log. For information about filtering and viewing audit records, see the Endpoint Administration Guide for UNIX.
    The recipient of notify messages should log in frequently to respond to the unauthorized access attempts described in each message.
    Limit: 30 characters.
  • notify-
    Specifies that no one is notified when the resource that is represented by the resource record is successfully accessed. Use this parameter only with the chres or editres command.
  • of_class(className)
    Specifies the resource type for the record you are adding to the CONTAINER class with the mem parameter.
  • owner(Name)
    Assigns a Privileged Access Manager user or group as the owner of the resource record. The owner of the resource record has unrestricted access to the resource, provided the security level of the owner, security label, and security category authorities are sufficient to allow access to the resource. The owner of the resource is always permitted to update and delete the resource record. See the Endpoint Administration Guide for UNIX for more information.
  • password
    Specifies, for the SUDO class, that the sesudo command requires the original password of the user.
  • password-
    Cancels the password parameter, so that the sesudo command no longer requires the original password of the user. Use this parameter with the chres or editres command only. If the password parameter was not used previously, then this parameter is unnecessary.
  • policy(name(name#xx) status(status) updated_by(name)) | policy(name(name#xx) deviation{+|-})
    Adds a subscriber of the node in the propagation tree and specifies its status. Alternatively, updates an existing policy version to specify whether a policy deviation exists or not. The updated_by property must be updated when updating policy status. It is a string representing the name of the user that changed the policy status.
    Policy status can be one of Transferred, Deployed, Undeployed, Failed, SigFailed, Queued, UndeployFailed, or TransferFailed.
  • policy-[(name(name#xx))]
    Removes the named policy version from the node. If no policy is specified, all policies that are deployed to this node are removed.
  • resourceName
    Defines the name of the resource record to modify or add. When changing or adding more than one resource, enclose the list of resource names in parentheses. Separate the resource names with a space or a comma. At least one resource name must be specified.
    Privileged Access Manager processes each resource record independently in accordance with the specified parameters. If an error occurs while processing a resource, Privileged Access Manager issues a message and continues processing with the next resource in the list.
    Note: If you use a variable in a resource name, use the following syntax to refer to the variable: <!variable>, for example, <!AC_ROOT_PATH>\bin. You can only use variables in selang rules in policies.
  • restrictions([days] [time])
    Specifies the days of the week and the hours in the day when users can access the file.
    If you omit the days argument and specify the time argument, the time restriction applies to any day-of-week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, the users may access the system only during the specified time period on the specified days.
    • days specifies the days on which users may access the file. The days argument takes the following subarguments:
      1. anyday - Allow users access to the file on any day.
      2. weekdays - Allow users access to the resource only on weekdays, Monday through Friday.
      3. Mon, Tue, Wed, Thu, Fri, Sat, Sun - Allow users access to the resource only on the specified days. You can specify the days in any order. If you specify more than one day, separate the days with a space or a comma.
    • time specifies the period during which users may access the resource. The time argument takes the following subarguments:
      1. anytime - Allow users access to the resource at any time of the day.
      2. startTime:endTime - Allow access to the resource only during the specified period. The format of both startTime and endTime is hhmm, where hh is the hour in 24-hour notation (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value. startTime must be less than endTime, and both times must occur on the same day. If the terminal is in a different time zone from the processor, adjust the time values by translating the start and end times for the terminal to the equivalent local times for the processor. For example, if the processor is in New York and the terminal is in Los Angeles, to allow access to the terminal from 8:00 am to 5:00 pm in Los Angeles, specify time(1100:2000).
  • restrictions-([days] [time])
    Deletes any restrictions that limit the ability of the user to access the file.
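The days and time subarguments above carry validation rules (2400 is invalid, startTime must be less than endTime, both on the same day) and a time-zone translation step that is easy to get wrong by hand. The following Python, added here as an example and not part of the product, parses both subarguments, evaluates a restrictions(days() time()) pair against a timestamp, and performs the terminal-to-processor translation from the text. Two points are assumptions and marked as such in the code: both ends of the window are treated as inclusive, and the Los Angeles and New York offsets are constructed fixed offsets (PDT and EDT) for a September date rather than a live time-zone database lookup.

```python
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from typing import FrozenSet, Optional, Tuple

# Added example for restrictions(days() time()) semantics; not the product's code.

DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # index matches datetime.weekday()
WEEKDAYS = frozenset(DAY_NAMES[:5])

def parse_days(spec: str) -> FrozenSet[str]:
    """anyday | weekdays | any mix of mon..sun separated by spaces or commas."""
    s = spec.strip().lower()
    if s == "anyday":
        return frozenset(DAY_NAMES)
    if s == "weekdays":
        return WEEKDAYS
    days = frozenset(s.replace(",", " ").split())
    if not days or days - set(DAY_NAMES):
        raise ValueError(f"invalid days(): {spec!r}")
    return days

def parse_time_window(spec: str) -> Optional[Tuple[time, time]]:
    """anytime -> None (no limit); startTime:endTime in hhmm -> (start, end).
    Rejects 2400 and any window whose start is not before its end."""
    s = spec.strip().lower()
    if s == "anytime":
        return None
    start_s, _, end_s = s.partition(":")

    def hhmm(v: str) -> time:
        if len(v) != 4 or not v.isdigit():
            raise ValueError(f"invalid hhmm value {v!r}")
        h, m = int(v[:2]), int(v[2:])
        if not (0 <= h <= 23 and 0 <= m <= 59):      # 2400 falls out here
            raise ValueError(f"invalid hhmm value {v!r}")
        return time(h, m)

    start, end = hhmm(start_s), hhmm(end_s)
    if start >= end:
        raise ValueError("startTime must be less than endTime")
    return start, end

def access_allowed(days_spec: str, time_spec: str, when: datetime) -> bool:
    """Evaluate a restrictions(days(...) time(...)) pair against a local timestamp.
    Assumption: both ends of the window are inclusive."""
    if DAY_NAMES[when.weekday()] not in parse_days(days_spec):
        return False
    window = parse_time_window(time_spec)
    if window is None:
        return True
    start, end = window
    return start <= when.time() <= end

def translate_window(time_spec: str, terminal_tz: tzinfo, processor_tz: tzinfo, on: date) -> str:
    """Re-express a window given in the terminal's zone in the processor's local time,
    as the text requires. Raises if the translated window no longer fits in one day."""
    start, end = parse_time_window(time_spec)
    s = datetime.combine(on, start, terminal_tz).astimezone(processor_tz)
    e = datetime.combine(on, end, terminal_tz).astimezone(processor_tz)
    if s.date() != e.date():
        raise ValueError("translated window crosses midnight; both times must be on the same day")
    return f"{s:%H%M}:{e:%H%M}"

# Constructed fixed offsets for a September date: Los Angeles on PDT (UTC-7), New York on EDT (UTC-4).
LOS_ANGELES_PDT = timezone(timedelta(hours=-7))
NEW_YORK_EDT = timezone(timedelta(hours=-4))

if __name__ == "__main__":
    # The page's example: 8:00 am to 5:00 pm in Los Angeles, processor in New York -> 1100:2000
    print(translate_window("0800:1700", LOS_ANGELES_PDT, NEW_YORK_EDT, date(2024, 9, 16)))
```

translate_window deliberately refuses a window that lands on two different processor-side days, which is exactly the case the text rules out; a real deployment would also need to revisit such rules when daylight-saving offsets change, since the stored hhmm values do not move with the clock.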
  • ruleset+(name)
    Specifies a rule set to associate with the policy.
  • ruleset-(name)
    Deletes a rule set from the policy. If no ruleset is specified, removes all rulesets from the policy.
  • signature(hash_value)
    Specifies a hash value. For a policy, this is based on signatures of RULESET objects associated with the policy. For a ruleset, this is based on the policy deployment command list and policy undeployment (removal) command list.
  • subscriber(name(sub_name) status(status))
    Adds a subscriber of the node in the propagation tree and specifies its status. Status can be one of unknown, available, unavailable, or sync.
  • subscriber-(name(sub_name)) | sub-
    Removes a subscriber database from the node. If no subscriber is specified, all subscribers are removed.
  • targuid(userName)
    Specifies, for the SUDO class, the name of the user whose authority is borrowed for executing the command. Default is root.
  • trust
    Specifies that the resource is trusted. The trust parameter applies only to resources of the PROGRAM and SECFILE classes. Users can execute the program as long as the program remains trusted. See the Endpoint Administration Guide for UNIX for more information. Use this parameter only with the chres or editres command.
  • trust-
    Specifies that the resource is untrusted. The trust- parameter applies only to resources of the PROGRAM and SECFILE classes. Users cannot execute an untrusted program. See the Endpoint Administration Guide for UNIX for more information. Use this parameter only with the chres or editres command.
  • undocmd+(selang_command_string)
    Specifies a list of selang commands that define policy undeployment. The commands in this list are used to remove the deployed policy (undeploy). For example:
    editres RULESET IIS5#02 undocmd+("rr FILE /inetpub/*")
  • undocmd-
    Removes the policy removal command list from the RULESET object.
  • value+(value)
    Adds the specified value to the specified variable (ACVAR object).
  • value-(value)
    Removes the specified value from the specified variable (ACVAR object).
  • warning
    Specifies that Privileged Access Manager allows access to the resource even if the authority of the accessor is insufficient to access the resource. However, Privileged Access Manager writes a warning message in the audit log.
    In Warning Mode, Privileged Access Manager does not create warning messages for the resource groups.
  • warning-
    Specifies that Privileged Access Manager is to deny the user access to the resource. Does not write a warning message if the authority of an accessor is insufficient to access the resource. Use this parameter only with the chres or editres command.
Examples
  • The user (admin1) wants to change the owner and default access for the terminal (tty30) and restrict the use of the terminal to weekdays during regular business hours (8:00 am to 6:00 pm).
    • The user admin1 has the ADMIN attribute.
    chres TERMINAL tty30 owner(admin1) defaccess(read) restrictions(days(weekdays) time(0800:1800))
  • The admin user Sally wants to remove the group and owner property stored in a FILE class record for file account.txt.
    • The user Sally is the owner of the user record of Jared.
    chres FILE /account.txt group() owner()
    To remove any record property, if a string defines the property, type the property with either the - sign or empty parentheses ().
  • The user Bob wants to delete the comment field of the terminal tty190 and be notified whenever access to the terminal is granted.
    • The user Bob is a Privileged Access Manager user and is the owner of the terminal tty190.
    chres TERMINAL tty190 comment- notify(Bob@athena)
  • The user Admin1 wants to add the OPERATOR category to the list of security categories of the resource USER.root, which is in the SURROGATE class.
    • The user Admin1 has the ADMIN attribute.
    • The OPERATOR category is defined in the database.
    chres SURROGATE USER.root category(OPERATOR)
  • The user admin1 wants to define /bin/su as a trusted program with a global access of EXECUTE.
    • The user admin1 has the ADMIN attribute.
    • The following defaults apply:
      • restrictions(days(anyday) time(anytime))
      • owner(admin1)
      • audit(failure)
    newres PROGRAM /bin/su defaccess(x) trust
  • The user admin1 wants to define the substitution of group ID to the group system as a protected resource to which no user, including admin1, has access.
    • The user admin1 has the ADMIN attribute. The user nobody is defined to Privileged Access Manager.
    • The following defaults apply:
      • restrictions(days(anyday) time(anytime))
      • audit(failure)
    newres SURROGATE GROUP.system defaccess(n) owner(nobody)
  • The user SecAdmin wants to define ProjATerms, a group of terminals containing the terminals T1, T8, and T11. The terminal group is to be used only by the group PROJECTA and only on weekdays during regular business hours (8:00 am to 6:00 pm).
    • The user SecAdmin has the ADMIN attribute.
    • The terminals T1, T8, and T11 are defined to Privileged Access Manager.
    • The group PROJECTA is defined to Privileged Access Manager.
    • audit(failure)
    newres GTERMINAL ProjATerms mem(T1,T8,T11) owner(PROJECTA) restrictions(days(weekdays) time(0800:1800)) defaccess(n