upgradesecconfig - Upgrade Security Configurations

upgradesecconfig [-a] [-y] [-r roleMapFile] [-s secclassMapFile] [-h]

You can use upgradesecconfig to clean up old security configurations when upgrading to Landmark 10 and corresponding versions of Landmark applications. You can also use this tool when implementing new, custom security configurations.

Use upgradesecconfig to update security configuration in the following ways:

  • Reassign roles to actors when there is a clear mapping from old role to new role.

    Note: 

    This works if there is a one-to-one mapping from old to new. It also works if two old roles map to the same new role, and if one old role maps to two new roles, for example when an actor that was assigned the old role will now be assigned both of the new roles.

    If the functionality of an old role is split such that some actors assigned the old role should get one new role but others should get a second new role, the tool will not work.

  • Reassign proxies to new roles and clean up the old roles that are no longer needed.

  • Reassign new security classes to existing roles.

  • Delete old ActorRole, ProxyRole, RoleSecurityClass, Role, and SecurityClass records.

Program Option      Description

-a                  Assigns actors to new roles, including actorrole, proxyrole and rolesecurityclass records. You will be prompted to continue unless you also use -y.
                    Note: Using this switch alters data.

-y                  Proceed without prompting. This switch automatically runs generated commands.

-r roleMapFile      Provides a file listing mappings of old roles to new roles. If you do not provide a map, the utility will look for delivered files called roleMap.txt in gen and each product line, merge them, and run using those mappings.

-s secclassMapFile  Provides a file listing mappings of old security classes to new security classes. If you do not provide a map, the utility will look for delivered files called scMap.txt in gen and each product line, merge them, and run using those mappings.

-h                  Displays the help text.

Mapping File Format

If you create a text file for mapping role or security classes, use the following format:

For a one-to-one mapping for a role or security class:

oldRole => newRole

oldSecClass => newSecClass

For example:

Security Administrator => SecurityAdministrator_ST

Delete old role or security class:

oldRole => delete

oldSecClass => delete

Ignore role or security class:

Leave the role or security class out of the mapping file, or use:

oldRole => ignore

oldSecClass => ignore

Data

The upgradesecconfig tool extracts the following from the database:

  • Gen role

  • Gen actorrole

  • Gen proxyrole

  • Gen rolesecurityclass

  • <dataarea> securityclass (for every dataarea)

Role map

When a role map text file is provided, the upgradesecconfig tool does the following:

  • Read role map file

    • If an old role exists, check that the new role also exists in the database

    • Any role that exists in the database but is not listed as an old role in the map file is set to ignore

  • Create commands to assign new roles to actors

  • Create commands to remove old actor role records (unless -a)

  • Create commands to assign new roles to proxies

  • Create commands to remove old actor role records (unless -a)

  • Create commands to delete rolesecurityclass records for old roles (unless -a)

  • Create commands to delete old roles (unless -a)

  • Prompt user whether to continue or not (unless -y)

    • Write commands to a file

    • If ‘y’ or -y

      • Run above commands
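
The role map format and checks described above, as an added example in Python that is not part of upgradesecconfig or its documentation: it reviews a role map against the roles in the database and reports what would be assigned, deleted and ignored, so the map can be checked before the tool is run with -a. It assumes one mapping per line, a one-to-many mapping written as repeated lines for the same old role, and lowercase delete/ignore keywords; review_role_map and all sample data except the Security Administrator line are constructed.

```python
# Added example, not vendor code. Assumptions: one "old => new" mapping per line,
# one-to-many written as repeated lines, keywords "delete"/"ignore" in lowercase.
KEYWORDS = ("delete", "ignore")

def review_role_map(map_text, db_roles):
    """Check a role map against the roles in the database; return (plan, problems)."""
    plan = {"assign": {}, "delete": [], "ignore": []}
    problems, listed = [], set()
    for lineno, raw in enumerate(map_text.splitlines(), start=1):
        if not raw.strip():
            continue
        old, sep, new = (part.strip() for part in raw.partition("=>"))
        if not (sep and old and new):
            problems.append(f"line {lineno}: expected 'old => new'")
            continue
        listed.add(old)
        if old not in db_roles:
            continue  # old role is not in the database, nothing to migrate
        if new in KEYWORDS:
            if old in plan["assign"]:
                problems.append(f"line {lineno}: {old!r} is both mapped and set to {new}")
            elif old not in plan[new]:
                plan[new].append(old)
        elif new not in db_roles:
            problems.append(f"line {lineno}: new role {new!r} is not in the database")
        elif old in plan["delete"] or old in plan["ignore"]:
            problems.append(f"line {lineno}: {old!r} is both mapped and set to delete/ignore")
        else:
            targets = plan["assign"].setdefault(old, [])
            if new not in targets:
                targets.append(new)
    # Roles in the database that are not listed as an old role are set to ignore.
    plan["ignore"] += sorted(db_roles - listed)
    return plan, problems

# Constructed sample data for illustration only.
SAMPLE_DB_ROLES = {"Security Administrator", "SecurityAdministrator_ST", "OldClerk",
                   "Clerk_ST", "ClerkApprover_ST", "LegacyAudit", "Payroll"}
SAMPLE_MAP = """Security Administrator => SecurityAdministrator_ST
OldClerk => Clerk_ST
OldClerk => ClerkApprover_ST
LegacyAudit => delete
Payroll => PayrollAdmin_ST
this line has no arrow
"""

if __name__ == "__main__":
    plan, problems = review_role_map(SAMPLE_MAP, SAMPLE_DB_ROLES)
    print(plan)
    print("\n".join(problems))
```

Any entry in the problems list is a reason to correct the map before running the tool with -a and -y, since that combination alters data without prompting.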

Security class map

When a security class map text file is provided, the upgradesecconfig tool does the following:

  • Read security class map file

    • Check if an old security class exists for a dataarea, that the new security class also exists for that dataarea

    • Any security class that exists in the database but is not listed as an old security class in the map file is set to ignore

  • Create commands to assign new security classes to roles

  • Create commands to delete old rolesecurityclass records (unless -a)

  • Create commands to delete old securityclass records (unless -a)

  • Create a list of old secclass files to delete from the file system (unless -a)

  • Prompt user whether to continue or not (unless -y)

    • Write secadm commands to a file

    • If ‘y’ or -y

      • Run secadm commands

      • Run dbdeletedata commands

      • Delete secclass files from file system

    • If 'n'

      • Create file with dbdeletedata commands

      • Create file listing files to be deleted from the file system