
How to check if a user has access to the JES Resources drop-down menu

  • November 25, 2016

PROBLEM

How can I determine whether a specific user has the required resource permissions to be able to access the 'JES Resources' drop-down option in ESMAC?

RESOLUTION

For a user to access the 'JES Resources' option, that user must be allowed at least 'update' access to the 'JCL*' resource in the MFESMAC class.

See the online documentation for a list of ESMAC entities that can be controlled in this way.

To determine which users (and groups) do have access to the 'JCL*' resource, the following commands/methods can be used:

Note that these commands use the 'esfadmin' utility. It is also possible to use a GUI LDAP interface (such as ADSIedit for Windows) to obtain similar information.

(See below for notes on the use of the ESFadmin command.)

1. Check which Users and Groups are allowed access to the resource

To see what users and groups are (or are not) allowed access to the JES resources drop-down menu (which will require "Update" access to the "JCL*" resource in the MFESMAC class), use the ESFadmin command with the following options:

LISTReferences RESOURCE=JCL* class="MFESMAC"

This will return all of the 'allowed' users and groups for this resource, and also any that are specifically denied.

eg:

List      1 contains      5 items.
NAME=JCL*
TYPE=RESOURCE
COMMENT=The resource itself (class MFESMAC)
NAME=MyNewGrp9
TYPE=GROUP
COMMENT=Class MFESMAC, ACE allow:MyNewGrp9 group:update
NAME=user1
TYPE=USER
COMMENT=Class MFESMAC, ACE allow:user1:update
NAME=ALLUSER
TYPE=GROUP
COMMENT=Class MFESMAC, ACE allow:ALLUSER group:read
NAME=SYSADM
TYPE=GROUP
COMMENT=Class MFESMAC, ACE allow:SYSADM group:alter

At this point it is possible to see whether a specific user has explicit access to this resource. In this example the user 'user1' has an explicit 'update' ACE on the JCL* resource, which is sufficient for the JES Resources drop-down.

2. Check whether the user is a member of one of the groups that has access to the resource

If there is no explicit ACE for the user on the resource, it is necessary to check whether the user can access the resource via group membership. This can be done using a command similar to the following:

listGROUP GROUP=SYSADM

LIST Command results:

List      1 contains      1 items.
GROUP=SYSADM
DESC=ES System administrators group
MEMBERS=GMCmfds1;SYSAD
CUSTOM=
UID=mfuid

From this example we can see from the 'MEMBERS' list that SYSAD is in the 'SYSADM' group and therefore SYSAD will have access to the JCL* resource (as would any other user in this group, in this case GMCmfds1).

(Note that the actual access level is governed by the ACE on the resource itself, and from (1.) above the 'SYSADM' group has 'alter' access to the JCL* resource.)
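The two steps above can be combined into one check: parse the 'listreferences' output for the resource, look for an explicit user ACE, and otherwise look the user up in the MEMBERS of each group that an ACE names. The following Python script is an added example, not Micro Focus code and not part of the original article. It works offline on constructed sample output that copies the records shown above (plus an added 'user2' deny record), and assumes: an explicit user ACE outranks group ACEs and a matching deny wins; access levels rank read < update < alter (RACF-style); a deny ACE prints as 'ACE deny:<name>:<level>'; and esfadmin accepts the action and its operands as the arguments after '-a', as in the command line in the notes below. The 'live_resolve' function shows the same logic driven by real esfadmin calls.

```python
"""Resolve a user's effective access to the 'JCL*' resource in class MFESMAC by
combining the two esfadmin checks above: the ACEs from 'listreferences' and the
MEMBERS of each group those ACEs name. Added example, not Micro Focus code.
Assumptions: an explicit user ACE outranks group ACEs and a matching deny wins;
levels rank read < update < alter (RACF-style); a deny ACE prints as
'ACE deny:<name>:<level>'; esfadmin takes the action and operands after '-a'."""
import re
import shlex
import subprocess

RANK = {"none": 0, "read": 1, "update": 2, "alter": 3}   # assumed ordering
REQUIRED_FOR_JES_MENU = "update"                          # per the article
ACE_RE = re.compile(r"ACE (allow|deny):([^:]+?)(?: group)?:(\w+)")

# Constructed sample of 'listreferences RESOURCE=JCL* class="MFESMAC"' output:
# the first four records copy the article, the 'user2' deny record is added.
SAMPLE_LISTREFERENCES = """List      1 contains      5 items.
NAME=JCL*
TYPE=RESOURCE
COMMENT=The resource itself (class MFESMAC)
NAME=user1
TYPE=USER
COMMENT=Class MFESMAC, ACE allow:user1:update
NAME=ALLUSER
TYPE=GROUP
COMMENT=Class MFESMAC, ACE allow:ALLUSER group:read
NAME=SYSADM
TYPE=GROUP
COMMENT=Class MFESMAC, ACE allow:SYSADM group:alter
NAME=user2
TYPE=USER
COMMENT=Class MFESMAC, ACE deny:user2:update
"""

# Constructed 'listgroup GROUP=<name>' outputs (SYSADM copies the article).
SAMPLE_LISTGROUP = {
    "SYSADM": "GROUP=SYSADM\nDESC=ES System administrators group\n"
              "MEMBERS=GMCmfds1;SYSAD\nCUSTOM=\nUID=mfuid\n",
    "ALLUSER": "GROUP=ALLUSER\nDESC=\nMEMBERS=guest;user1;SYSAD;GMCmfds1\n"
               "CUSTOM=\nUID=mfuid\n",
}

def parse_listreferences(text: str) -> list:
    """NAME=/TYPE=/COMMENT= triplets -> ACE records; the resource row is skipped."""
    records, cur = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if not sep:                       # e.g. the 'List 1 contains ...' header
            continue
        cur[key] = val
        if key == "COMMENT":              # COMMENT closes a record
            m = ACE_RE.search(val)
            if m and cur.get("TYPE") in ("USER", "GROUP"):
                records.append({"type": cur["TYPE"], "name": m.group(2),
                                "effect": m.group(1), "level": m.group(3).lower()})
            cur = {}
    return records

def parse_members(listgroup_text: str) -> list:
    """MEMBERS is ';'-separated; an empty or missing group yields []."""
    for line in listgroup_text.splitlines():
        if line.startswith("MEMBERS="):
            return [m for m in line[len("MEMBERS="):].split(";") if m]
    return []

def _verdict(level: str, via: str) -> dict:
    return {"level": level, "via": via,
            "jes_menu": RANK.get(level, 0) >= RANK[REQUIRED_FOR_JES_MENU]}

def resolve_access(user: str, refs_text: str, listgroup) -> dict:
    """Step 1: an explicit user ACE decides outright. Step 2: otherwise look the
    user up in each group an ACE names and keep the highest allow, unless a deny
    ACE applies to one of those groups."""
    aces = parse_listreferences(refs_text)
    for ace in aces:
        if ace["type"] == "USER" and ace["name"] == user:
            level = "none" if ace["effect"] == "deny" else ace["level"]
            return _verdict(level, f"explicit {ace['effect']} ACE")
    best, via = "none", "no matching ACE"
    for ace in aces:
        if ace["type"] != "GROUP" or user not in parse_members(listgroup(ace["name"])):
            continue
        if ace["effect"] == "deny":
            return _verdict("none", f"deny ACE on group {ace['name']}")
        if RANK.get(ace["level"], 0) > RANK.get(best, 0):
            best, via = ace["level"], f"group {ace['name']}"
    return _verdict(best, via)

def esfadmin_argv(action: str, host: str, port: int, bind_dn: str, bind_pw: str,
                  mf_user: str, mf_pw: str, cfg: str = "MF-HASH.cfg") -> list:
    """argv for the esfadmin form in the notes below. Caveat: both passwords go
    on the command line and so show up in process listings and shell history."""
    return ["esfadmin", f"-u{mf_user}", f"-p{mf_pw}", f"-U{bind_dn}", f"-P{bind_pw}",
            f"-Sldap://{host}:{port}", f"-c{cfg}", "-a", *shlex.split(action)]

def live_resolve(user: str, **conn) -> dict:
    """Same resolution against a running LDAP-backed ESF (not exercised offline)."""
    def run(action: str) -> str:
        return subprocess.run(esfadmin_argv(action, **conn), capture_output=True,
                              text=True, check=True).stdout
    return resolve_access(user, run("listreferences RESOURCE=JCL* class=MFESMAC"),
                          lambda g: run(f"listgroup GROUP={g}"))
```

Run offline, `resolve_access("SYSAD", SAMPLE_LISTREFERENCES, lambda g: SAMPLE_LISTGROUP.get(g, ""))` reports 'alter' via group SYSADM, 'guest' gets only 'read' via ALLUSER and so no JES Resources menu, and 'user2' is stopped by its explicit deny. Against a live server, `live_resolve` takes the same host, port, bind DN and user arguments as the example command in the notes below; remember that the passwords it passes are visible to anyone who can read the process list on that machine.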

ESFadmin command notes:

example command:

esfadmin -uSYSAD -pSYSAD -U"CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local" -P<MFReader_password> -Sldap://<machine_name>:<ldap_port> -cMF-HASH.cfg -a listreferences USER=SYSAD

where:

<machine_name>:<ldap_port> is the machine name of the LDAP server and the port number on which the LDAP instance is running.

Example:     myLDAPhost:389

The option "-cMF-HASH.cfg" means that the configuration file with this name will be used.

Sample contents of this file:

[LDAP]
BASE=CN=Micro Focus,CN=Program Data,DC=local
user class="microfocus-MFDS-User"
user container=CN=Enterprise Server Users
group container=CN=Enterprise Server User Groups
resource container=CN=Enterprise Server Resources

[Verify]
Mode=MF-hash

where 'BASE' must be the base DN of the LDAP repository being used.

Also note that because the configuration file uses 'Mode=MF-hash' and user class="microfocus-MFDS-User", the user given with the lowercase '-u' and '-p' options is an Enterprise Server user held in the LDAP repository (one of the "Microfocus users"), which is why 'SYSAD' is valid here (it is also the default user).

The uppercase -U and -P options take a 'normal' Active Directory user (object class 'user'); this is the account used to bind to the LDAP server given by -S. MFReader is set up as an Active Directory user on Windows (it appears under 'ADAM Users' in the directory). Its password will probably have to be reset to one that conforms to the domain policy, since the default password 'mf_rdr' is unlikely to conform; this can be done using an LDAP GUI utility such as ADSIedit on Windows. Be aware that both passwords are passed on the esfadmin command line, so they are visible in the process list and the shell history of the machine where the command is run.

Note that the MFReader account by default has only 'read' access to the LDAP repository, which is all these list commands need.

See the product online documentation for more information on the ESFadmin command.

The online documentation also details the resource classes used by Enterprise Server.

 

