upgradesecconfig - Upgrade Security Configurations
upgradesecconfig [-a] [-y] [-r roleMapFile] [-s secclassMapFile] [-h]
You can use upgradesecconfig to clean up old security configurations when upgrading to Landmark 10 and corresponding versions of Landmark applications. You can also use this tool when implementing new, custom security configurations.
Use upgradesecconfig to update security configuration in the following ways:
- Reassign roles to actors when there is a clear mapping from old role to new role.
  Note: This works if there is a one-to-one mapping from old to new. It also works if two old roles map to the same new role, and if one old role maps to two new roles, in which case an actor that was assigned the old role is assigned both of the new roles.
  If the functionality of an old role is split such that some actors assigned the old role should get one new role but others should get a second new role, the tool will not work.
- Reassign proxies to new roles and clean up the old roles that are no longer needed.
- Reassign new security classes to existing roles.
- Delete old ActorRole, ProxyRole, RoleSecurityClass, Role, and SecurityClass records.
Program Option | Description |
---|---|
-a | Assigns actors to new roles, including actorrole, proxyrole and rolesecurityclass records. You will be prompted to continue unless you also use -y. Note: Using this switch alters data. |
-y | Proceed without prompting. This switch automatically runs generated commands. |
-r roleMapFile | Provides a file listing mappings of old roles to new roles. If you do not provide a map, the utility will look for delivered files called roleMap.txt in gen and each product line, merge them, and run using those mappings. |
-s secclassMapFile | Provides a file listing mappings of old security classes to new security classes. If you do not provide a map, the utility will look for delivered files called scMap.txt in gen and each product line, merge them, and run using those mappings. |
-h | Displays the help text. |
Mapping File Format
If you create a text file for mapping roles or security classes, use the following format:
For a one-to-one mapping for a role or security class:
oldRole => newRole
oldSecClass => newSecClass
For example:
Security Administrator => SecurityAdministrator_ST
Delete old role or security class:
oldRole => delete
oldSecClass => delete
Ignore role or security class:
Leave the role or security class out of the mapping file, or use:
oldRole => ignore
oldSecClass => ignore
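One way to review a role map file before running upgradesecconfig with -a or -y, as an added example that is not part of the Landmark tooling or this documentation. It assumes that one old role mapped to two new roles is written as two lines with the same old role, a syntax this page does not show; the function names and every sample role except the first line are constructed.

```python
# Pre-flight review of an upgradesecconfig role map file (added example).
# Assumption: an old role mapped to two new roles appears as two lines with
# the same left-hand side; the page does not show the syntax for that case.
from collections import defaultdict

SAMPLE_MAP = """\
Security Administrator => SecurityAdministrator_ST
HR Clerk => HRViewer_ST
HR Clerk => HREditor_ST
Payroll Admin => PayrollAdmin_ST
Old Payroll Admin => PayrollAdmin_ST
Legacy Auditor => delete
Temp Role => ignore
"""  # constructed sample; only the first line's role names come from the page


def parse_role_map(text):
    """Return {old_role: [targets]}; raise ValueError on a malformed line."""
    mapping = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        old, sep, new = (part.strip() for part in line.partition("=>"))
        if not sep or not old or not new:
            raise ValueError(f"line {lineno}: expected 'old => new': {raw!r}")
        if new not in mapping[old]:
            mapping[old].append(new)
    return dict(mapping)


def review(mapping):
    """Classify entries so grants and deletions can be read before -a/-y."""
    report = {"delete": [], "ignore": [], "fan_out": {}, "merged": {}, "conflict": []}
    by_new = defaultdict(list)
    for old, targets in mapping.items():
        keywords = [t for t in targets if t in ("delete", "ignore")]
        if keywords and len(targets) > 1:
            report["conflict"].append(old)  # keyword mixed with a role: ambiguous
        elif keywords:
            report[keywords[0]].append(old)
        else:
            if len(targets) > 1:
                report["fan_out"][old] = targets  # every holder gets all of these
            for new in targets:
                by_new[new].append(old)
    report["merged"] = {n: o for n, o in by_new.items() if len(o) > 1}
    return report
```

The `fan_out` and `merged` entries are the ones to read against the note above: every actor holding a fanned-out old role receives all of its new roles, and merged roles give holders of each old role the same new role.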
Data
The upgradesecconfig tool extracts the following from the database:
- Gen role
- Gen actorrole
- Gen proxyrole
- Gen rolesecurityclass
- <dataarea> securityclass (for every dataarea)
Role map
When a role map text file is provided, the upgradesecconfig tool does the following:
- Read role map file
  - Check that, if an old role exists, the new role also exists in the database
  - Any role that exists in the database but is not listed as an old role in the map file is set to ignore
- Create commands to assign new roles to actors
- Create commands to remove old actor role records (unless -a)
- Create commands to assign new roles to proxies
- Create commands to remove old actor role records (unless -a)
- Create commands to delete rolesecurityclass records for old roles (unless -a)
- Create commands to delete old roles (unless -a)
- Prompt user whether to continue or not (unless -y)
- Write commands to a file
- If 'y' or -y
  - Run above commands
Security class map
When a security class map text file is provided, the upgradesecconfig tool does the following:
- Read security class map file
  - Check that, if an old security class exists for a dataarea, the new security class also exists for that dataarea
  - Any security class that exists in the database but is not listed as an old security class in the map file is set to ignore
- Create commands to assign new security classes to roles
- Create commands to delete old rolesecurityclass records (unless -a)
- Create commands to delete old securityclass records (unless -a)
- Create a list of old secclass files to delete from the file system (unless -a)
- Prompt user whether to continue or not (unless -y)
- Write secadm commands to a file
- If 'y' or -y
  - Run secadm commands
  - Run dbdeletedata commands
  - Delete secclass files from file system
- If 'n'
  - Create file with dbdeletedata commands
  - Create file listing files to be deleted from the file system