showauthpol

The showauthpol command displays detailed properties of a specified authentication policy.

Syntax

showauthpol [ -map | -revmap ] pol_name | -

Parameters

-map
(Optional) Displays tables with mappings of Basic authorization group roles and user resource scopes to external groups and users in the specified policy. No table is displayed if there are no mapping relationships in the specified policy.
Note: The -map and -revmap parameters cannot be used together.
-revmap
(Optional) Displays tables with mappings of external groups and users to Basic authorization group roles and user resource scopes in the specified policy. No table is displayed if there are no mapping relationships in the specified policy.
Note: The -map and -revmap parameters cannot be used together.
pol_name | -
(Required) The name of the authentication policy that you would like to view. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.

Example 1: Displaying the detailed properties of a specified authentication policy.

dscli> showauthpol my_policy2  
Output for an SAS policy:
name my_policy2
type SAS
state inactive
location 9.11.xxx.xxx
truststore my_policy2_trustStore.jks
sasuser -
localAdmin admin
localAdminEnabled Enabled
Output for an LDAP policy:
name my_policy2
type LDAP
state active
location ldaps://ldapServer.com:636
truststore bluep.jks
binduser -
bindpass -
userdnph -
groupdnph -
userbasedn o=ibm.com
groupbasedn -
usernameattr mail
groupnameattr cn
groupmemberattr uniquemember
usernamefilter -
groupnamefilter (&(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames))(cn={0}))
localAdmin admin
localAdminEnabled Enabled

Example 2: Displaying the detailed properties of a specified authentication policy by using the -map parameter.

dscli> showauthpol -map my_policy2  
Output:
name my_policy2
type SAS
state inactive
location 9.11.xxx.xxx
truststore my_policy2_trustStore.jks
sasuser -
localAdmin admin
localAdminEnabled Enabled
============================Role Group Maps===========================
DS_group          Ext_group
op_volume         grpa,grpb
op_copy_services  grpa,grpb
============================Role User Maps===========================
DS_group          Ext_user
admin             joe,bob
no_access         bob
============================Scope Group Maps===========================
Scope             Ext_group
Accounting        grpa
Purchasing        grpb
============================Scope User Maps===========================
Scope             Ext_user
*                 bob
Accounting        joe

Example 3: Displaying the detailed properties of a specified authentication policy by using the -revmap parameter.

dscli> showauthpol -revmap my_policy2  
Output:
name my_policy2
type SAS
state inactive
location 9.11.xxx.xxx
truststore my_policy2_trustStore.jks
sasuser -
localAdmin admin
localAdminEnabled Enabled
============================Role Group Maps===========================
Ext_group         DS_group
grpb              op_volume,op_copy_services
grpa              op_volume,op_copy_services
============================Role User Maps===========================
Ext_user          DS_group
bob               admin,no_access
joe               admin
============================Scope Group Maps===========================
Ext_group         Scope
grpb              Purchasing
grpa              Accounting
============================Scope User Maps===========================
Ext_user          Scope
bob               *
joe               Accounting

Example 4: Displaying the detailed properties of a specified RSA authentication policy.

dscli> showauthpol GUIRSAPolicy  
Output:
name GUIRSAPolicy
type RSA
state inactive
location https://rsa.server.ibm.com:5555
truststore /home/hscroot/jks/rsa_trustore.jks
localAdmin admin
localAdminEnabled Enabled
accessID *****
accessKey *****

Example 5: Displaying the detailed properties of a specified RSA+LDAP authentication policy by using the -map parameter.

dscli> showauthpol -map bothpol  
Output:
name bothpol
type RSA+LDAP
state inactive
location https://rsa.server.ibm.com:5555, ldaps://ldapServer.com:636
truststore /home/hscroot/jks/rsa_trustore.ks, bp.jks
binduser -
bindpass -
userbasedn o=ibm.com
groupbasedn -
usernameattr mail
groupnameattr cn
groupmemberattr uniquemember
usernamefilter (mail={0})
groupnamefilter (&(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames))(cn={0}))
userdnph -
groupdnph -
localAdmin -
localAdminEnabled Disabled
ldapPolicyID ldappol_PROCESSED
rsaEnabled Disabled
accessID *****
accessKey *****
============================Role User Maps===========================
Ext_user          DS_group           RSA_SecurID
bob               admin,no_access    Enable
joe               admin              Disable

Output definitions

For a basic policy type, the following properties are displayed:
name
The name of the authentication policy.
type
The authentication policy type.
Example: SAS | LDAP | Basic | RSA | RSA+LDAP
state
The state of the authentication policy (active or inactive).
location
The names or IP addresses of the Hardware Management Consoles that were used when users logged in. If users logged in from more than one location, a list of locations is displayed, separated by commas.
expire
The number of days a user account password is valid before it expires.
age
The minimum days a user must wait before changing a password.
fail
The number of login attempts allowed on any given user account.
length
The minimum length of a password.
history
The number of unique passwords that a user must go through before reusing a password.
localAdmin
The user name that is used as the local administrator.
Note: A dash (-) means that the local administrator was not available.
localAdminEnabled
Indicates whether the local administrator is enabled.
For an LDAP type policy, the following properties are displayed:
name
The name of the authentication policy.
type
The authentication policy type.
Example: SAS | LDAP | Basic | RSA | RSA+LDAP

state
The state of the authentication policy (active or inactive).
location
The names or IP addresses of the Hardware Management Consoles that were used when users logged in. If users logged in from more than one location, a list of locations is displayed, separated by commas.
truststore
The truststore file name.
binduser
The BIND user name. If a value was not set or a null value was entered, a dash (-) is displayed.
bindpass
The password for the BIND user. If a value was not set or a null value was entered, a dash (-) is displayed.
userdnph
The placeholder for the bind user DN. If a value was not set or a null value was entered, a dash (-) is displayed.
groupdnph
The placeholder for the bind group DN. If a value was not set or a null value was entered, a dash (-) is displayed.
userbasedn
The base distinguished name (DN) for user lookup.
groupbasedn
The base distinguished name (DN) for group lookup.
usernameattr
The name attribute for user lookup. If a value was not set or a null value was entered, a dash (-) is displayed.
groupnameattr
The name attribute for group lookup. If a value was not set or a null value was entered, a dash (-) is displayed.
groupmemberattr
The member attribute for group lookup. If a value was not set or a null value was entered, a dash (-) is displayed.
usernamefilter
The attributes for a user name filter. If a value was not set or a null value was entered, a dash (-) is displayed.
groupnamefilter
The attributes for a group name filter. If a value was not set or a null value was entered, a dash (-) is displayed.
localAdmin
The user name that is used as the local administrator.
Note: A dash (-) means that the local administrator was not available.
localAdminEnabled
Indicates whether the local administrator is enabled.
For a SAS type policy, the following properties are displayed:
name
The name of the authentication policy.
type
The authentication policy type.
Example: SAS | LDAP | Basic | RSA | RSA+LDAP

state
The state of the authentication policy (active or inactive).
location
The URL for the authentication server. Multiple locations are separated by commas.
truststore
The truststore file name.
sasuser
The user name used internally by SAS (Storage Authentication Service).
localAdmin
The user name that is used as the local administrator.
Note: A dash (-) means that the local administrator was not available.
localAdminEnabled
Indicates whether the local administrator is enabled.
For an RSA type policy, the following properties are displayed:
name
The name of the authentication policy.
type
The authentication policy type.
Example: SAS | LDAP | Basic | RSA | RSA+LDAP

state
The state of the authentication policy (active or inactive).
location
The URL for the authentication server. Multiple locations are separated by commas.
truststore
The truststore file name.
localAdmin
The user name that is used as the local administrator.
Note: A dash (-) means that the local administrator was not available.
localAdminEnabled
Indicates whether the local administrator is enabled.
accessID
An identifier of the API Access Key used to send authentication requests to an RSA SecurID server. It is unique to the API Access Key and it is generated by the SecurID Super Admin when enabling API authentication.
accessKey
The unique passcode that is used in combination with the access identifier when sending authentication requests to an RSA SecurID server. It is generated by the SecurID Super Admin when enabling API authentication.
For an RSA+LDAP type policy, the following properties are displayed:
name
The name of the authentication policy.
type
The authentication policy type.
Example: SAS | LDAP | Basic | RSA | RSA+LDAP

state
The state of the authentication policy (active or inactive).
location
The names or IP addresses of the Hardware Management Consoles that were used when users logged in. If users logged in from more than one location, a list of locations is displayed, separated by commas.
truststore
The truststore file name.
binduser
The BIND user name. If a value was not set or a null value was entered, a dash (-) is displayed.
bindpass
The password for the BIND user. If a value was not set or a null value was entered, a dash (-) is displayed.
userbasedn
The base distinguished name (DN) for user lookup.
groupbasedn
The base distinguished name (DN) for group lookup.
usernameattr
The name attribute for user lookup. If a value was not set or a null value was entered, a dash (-) is displayed.
groupnameattr
The name attribute for group lookup. If a value was not set or a null value was entered, a dash (-) is displayed.
groupmemberattr
The member attribute for group lookup. If a value was not set or a null value was entered, a dash (-) is displayed.
usernamefilter
The attributes for a user name filter. If a value was not set or a null value was entered, a dash (-) is displayed.
groupnamefilter
The attributes for a group name filter. If a value was not set or a null value was entered, a dash (-) is displayed.
userdnph
The placeholder for the bind user DN. If a value was not set or a null value was entered, a dash (-) is displayed.
groupdnph
The placeholder for the bind group DN. If a value was not set or a null value was entered, a dash (-) is displayed.
localAdmin
The user name that is used as the local administrator.
Note: A dash (-) means that the local administrator was not available.
localAdminEnabled
Indicates whether the local administrator is enabled.
ldapPolicyID
The name of the direct LDAP remote authentication policy.
rsaEnabled
Indicates the status of RSA SecurID activation for the LDAP policy as enabled or disabled.
accessID
An identifier of the API Access Key used to send authentication requests to an RSA SecurID server. It is unique to the API Access Key and it is generated by the SecurID Super Admin when enabling API authentication.
accessKey
The unique passcode that is used in combination with the access identifier when sending authentication requests to an RSA SecurID server. It is generated by the SecurID Super Admin when enabling API authentication.

The -map and -revmap parameters are mutually exclusive, but both display the mapping between external users and groups and storage system user role groups and user resource scopes. The -map parameter displays this information from the storage system point of view and is useful for answering questions like, “Which external users and groups map to the storage system role group administrator?” The -revmap parameter displays the same information from the external point of view and is useful for answering questions like, “Which storage system user role groups and user resource scopes map to the external group Human_Resources?”
  • The multi-factor authentication policy types RSA and RSA+LDAP do not support scope maps, so the “Scope User Maps” and “Scope Group Maps” tables are not displayed for them.
  • The RSA policy type supports mapping of users only. If users are mapped, “Role User Maps” is the only table that is shown.
  • The RSA_SecurID column is available only for the RSA+LDAP policy type.
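As an added example (not part of the DS CLI documentation or any IBM code), the following Python parses the text that showauthpol -map prints, inverts each table into the -revmap view described above, and flags external users or groups that land in a privileged role or in the wildcard (*) resource scope. The section-title pattern and the audit rules are assumptions of this example; the sample input is constructed from Example 2.

```python
import re
# Sample input constructed from the "showauthpol -map my_policy2" output above (trimmed).
SAMPLE = """\
name my_policy2
type SAS
============================Role User Maps===========================
DS_group Ext_user
admin joe,bob
no_access bob
============================Scope User Maps===========================
Scope Ext_user
* bob
Accounting joe
"""
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # assumed: table titles are framed by '=' runs

def parse_showauthpol(text):
    """Return (properties, tables); each table maps its left column to the right column's values."""
    props, tables, section, skip_header = {}, {}, None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m:                       # "====Role User Maps====" opens a new table
            section, skip_header = m.group(1), True
            tables[section] = {}
        elif skip_header:           # the line after a title is the column-name header
            skip_header = False
        else:
            key, _, value = line.partition(" ")
            if section is None:
                props[key] = value.strip()
            else:                   # "-" means unset; commas separate multiple values
                tables[section][key] = [v for v in value.strip().split(",") if v and v != "-"]
    return props, tables

def reverse_map(table):
    """Invert a -map table (DS_group/Scope -> externals) into the -revmap view."""
    rev = {}
    for key, externals in table.items():
        for ext in externals:
            rev.setdefault(ext, []).append(key)
    return rev

def audit(tables, privileged=("admin", "secadmin")):
    """Flag externals granted a privileged role or the wildcard (*) resource scope."""
    findings = []
    for title, rows in tables.items():
        for left, exts in rows.items():
            if (title.startswith("Role") and left in privileged) or (title.startswith("Scope") and left == "*"):
                findings += [f"{title}: {e} -> {left}" for e in exts]
    return findings
```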

The following additional properties are displayed when the -map parameter is specified:

Role Group Maps

DS_group
Displays the name of the storage system authority group. The user authority group can consist of one or more of the following roles: admin, secadmin, op_storage, op_volume, op_copy_services, service, monitor, or no_access.
Ext_group
Displays the external groups that are mapped to each selected storage system authority group. Multiple external group names are separated by commas.
RSA_SecurID
Displays the external groups that are enabled or disabled to authenticate from the RSA SecurID authentication manager. Only applies to the RSA+LDAP authentication policy type.

Role User Maps

DS_group
Displays the name of the storage system authority group. The user authority group can consist of one or more of the following roles: admin, op_storage, op_volume, op_copy_services, service, monitor, or no_access.
Ext_user
Displays the external users that are mapped to each selected storage system authority group. Multiple external user names are separated by commas.
RSA_SecurID
Displays the external users that are enabled or disabled to authenticate from the RSA SecurID authentication manager. Only applies to the RSA+LDAP authentication policy type.

Scope Group Maps

Scope
Displays the user resource scope.
Ext_group
Displays the external group names that are mapped to each user resource scope. Multiple external group names are separated by commas.

Scope User Maps

Scope
Displays the user resource scope.
Ext_user
Displays the external users that are mapped to each user resource scope. Multiple external user names are separated by commas.

The following additional properties are displayed when the -revmap parameter is specified:

Role Group Maps

Ext_group
Displays one or more external group names.
DS_group
Displays the storage system authority group names that are mapped to each external group name. Multiple authority group names are separated by commas.
RSA_SecurID
Displays the external groups that are enabled or disabled to authenticate from the RSA SecurID authentication manager. Only applies to the RSA+LDAP authentication policy type.

Role User Maps

Ext_user
Displays one or more external users.
DS_group
Displays the storage system authority group names that are mapped to each external user name. Multiple authority group names are separated by commas.
RSA_SecurID
Displays the external users that are enabled or disabled to authenticate from the RSA SecurID authentication manager. Only applies to the RSA+LDAP authentication policy type.

Scope Group Maps

Ext_group
Displays one or more external group names.
Scope
Displays the user resource scope that is mapped to each external group name.

Scope User Maps

Ext_user
Displays one or more external users.
Scope
Displays the user resource scope that is mapped to each external user name.