5 1 0:Administering ACLs from the Command Line
Overview
An access control list (ACL) is a list of permissions attached to an object (e.g., client, location, backup, etc.). The ACLs configuration in SEP sesam is version specific.
- SEP sesam 5.0.0 Jaglion introduced enhanced authentication and authorization by only allowing users with superuser rights to configure ACLs. A superuser can configure permissions for any user or group with fine-grained access rights for locations, clients, backup tasks (or groups), media pools and schedules. For details, see Using Access Control Lists.
- For SEP sesam versions ≤ 4.4.3 Beefalo V2, a user with the admin rights can configure ASLs for locations and clients. For more details, see Using ACLs in v. ≤ Beefalo V2.
ACLs can be administered in the command line by using sm_cmd command with the appropriate superuser (previously admin) rights.
sm_cmd reset user
To reset a user password, log in to SEP sesam Server console and enter the following command:
sm_cmd reset user <ID or name>
The output of the above command is shown in the example.
Example:
In this example, the user name is mustermann.
sm_cmd reset user mustermann C:\Program Files\SEPsesam\bin\sesam>sm_cmd reset user mustermann bouryper39
Note | |
After resetting a user password in the command line, you have to change a password under the Permission Management in the GUI. For details, see Changing password in the GUI. |
sm_cmd list acl
You can check all objects which have ACLs defined by using sm_cmd list acl command.
Example:
If you want to check the user ID, use list acl command (ID: 10, Name: mustermann). The output of the command is shown in the example.
G:\Jenkins\master-w86\su\src\msi>sm_cmd list acl id object label origin value 1 2 HIGHSECURITY Locations [{ID: 3, Type: GROUP, Name: RESTORE, Permissions: [Access : Deny]}, {ID: 10, Type: USER, Name: mustermann, Permissions: [Access : Allow]}] 2 7 SEP/Hyper-V Locations [{ID: 3, Type: GROUP, Name: RESTORE, Permissions: [Access : Deny]}, {ID: 7, Type: USER, Name: restricted_user, Permissions: [Access : Deny]}, {ID: 5, Type: USER, Name: restore, Permissions: [Access : Allow]}]
sm_cmd check acl
You can check the access to a specific object for a specific user by using sm_cmd check acl command together with an object ID, the object origin and a username.
Examples:
- Check access to the locations object with ID 2 for administrators:
C:\Program Files\SEPsesam\bin\gui>sm_cmd check acl -o Locations 2
- Check access to the locations object with ID 2 for user restore:
C:\Program Files\SEPsesam\bin\gui>sm_cmd check acl -o Locations 2 -u restore
- Check access to the clients object with ID 0 for administrators:
C:\Program Files\SEPsesam\bin\gui>sm_cmd check acl -o Clients 0
- Check access to the clients object with ID 0 for user restricted_user:
C:\Program Files\SEPsesam\bin\gui>sm_cmd check acl -o Clients 0 -u restricted_user
sm_cmd remove acl
You can also delete all configured ACLs by using sm_cmd remove acl all command. In this case the users get default user access rights that are based on predefined user type:
- user type in v. ≥ 5.0.0 Jaglion: Admin, Operator, Restore, and Backup
- In previous SEP sesam versions (≤ 4.4.3 Beefalo V2): Admin, Operator, Restore.
See also
Using Access Control Lists – Using ACLs in v. ≤ Beefalo V2 – About Authentication and Authorization – SEP sesam CLI