Dumping and Loading Security Definitions (lsdump, lsload, lsinteg)
This section describes how to use Lawson-delivered command line utilities to dump security data (profiles, security classes, and roles) from the LDAP repository in Resource Management to standard output or to an XML file. If an output file is created, the data can be loaded to a new location.
You would use these procedures to, for example, move security information from a test to a production server.
There are separate commands for dumping and loading profiles, security classes, and roles. The following sections describe the commands and provide examples.
Creating a dump file of security profiles
You can dump specific profiles or all profiles. The command syntax is:
lsdump -f filename PROFILE profileID
where filename is the name of the XML output file
and where profileID is the name of the profile
If you want the dump to go to standard output, omit "-f" and the file name. If you want to dump all profiles, omit the profile ID.
Creating a dump file of security class data
You can dump specific security classes within a profile or all classes within a specific profile.
To dump a specific security class, the command syntax is:
lsdump -f filename SECCLASS profileID [security_class_names]
where filename is the name of the XML output file
and where profileID is the name of the profile
and where, optionally, security_class_names is a comma-separated list of the names of the classes you want to dump.
If you want to dump all classes, omit security class names.
If you want the dump to go to standard output, omit -f and the file name.
Creating a dump file of a role
You can dump only one role file at a time, but you can specify the security classes that are assigned to the role that you want to dump.
The command syntax is:
lsdump [-f filename] ROLE rolename [-p profileid] [-s secclassname1,secclassname2,...]
where filename is the name of the XML output file
and where profileID is the name of the profile
and where, optionally, secclassname1,secclassname2,... is a comma-separated list of the names of the classes you want to dump.
If you want the dump to go to standard output, omit -f and the file name. If you want to dump all security classes assigned to a role, omit -s and the security class names.
Run lsinteg to validate the integrity of dump files
Any securable objects that do not have rules assigned to them will not be loaded into LDAP through the lsload command.
The lsinteg utility validates the dump files you create using lsdump. The lsinteg utility identifies securable objects that have not been assigned a rule.
The lsinteg command has the following syntax:
lsinteg -f DumpFilename
If lsinteg encounters an object that does not have a rule, it prompts you to:
- Create a rule by selecting "All access" or "no access" for each object that has no rule.
- Assign a name to the new dump file that will be created.
- Skip and continue with the analysis.
You might choose the Skip option if, for example, you were planning to fix the problems manually using the Security Administrator, or if the error is not a problem at your site (because, for example, a securable object is not used and does not need to have rules).
Skipped objects will not be added to the new dump file created by lsinteg.
If this is what you want (because you do not use the object at your site), then you do not need to take additional action.
If you need to take additional action on a skipped object (for example, because you want to assign a rule other than NO ACCESS or ALL ACCESS), you can do so using the security administration tool.
Note: If you have expertise with XML and are knowledgeable about the structure of security data, you could edit the output file directly rather than use the security administrator tool.
If you received error messages that you intend to correct, it is good practice to run lsdump/lsinteg again before running lsload.
When the lsinteg command completes, it creates a new dump file that contains any updates you made when you responded to error messages from the command. (If there were no error messages, your new dump file will be the same as the original.)
When you have run lsinteg with no errors, you are ready to import the dump file using lsload.
Loading security profile data from an XML file to the Resource Management repository in LDAP
Use the following command to load a file of security profile data. You might do this, for example, if you want a security profile that has been created on a test environment to be available on a production environment.
The command syntax is:
lsload PROFILE filename [-p newProfileId]
where filename is the name of the dump file created with the lsdump command
and where newProfileId is the name of the profile that you are creating from the dump file. If you want to keep the existing profile name, you can omit newProfileId.
Loading security class data from an XML file to the Resource Management repository in LDAP
To load security class data from a dump file, the command syntax is:
lsload SECCLASS filename [-p newProfileID] [-s newSecClass]
where filename is the name of the dump file created with the lsdump command
and where newProfileID is the name of the profile that you are creating from the dump file
and where newSecClass is the new name of the security class. If the dump file contains more than one security class, you will be prompted to provide new names for the other security classes.
Loading role data from a dump file to the Resource Management repository in LDAP
This section describes how to load role data from a dump file to a new location. The command syntax is:
lsload ROLE filename [-r NewRoleName] [-p NewProfileID]
where filename is the name of the dump file created with the lsdump command
and where, optionally, NewRoleName is the new name for the role you are loading
and where, optionally, NewProfileID is the new name of the profile that you are loading.
Example commands
The following table uses examples to provide a summary of lsdump and lsload commands.
For lsdump commands, the table assumes you want to create an output file. If you prefer to dump to standard output, omit "-f" and the output file name.
Syntax | Example command |
---|---|
lsdump | |
Dump specified profile to an output file: | lsdump -f profile.dmp PROFILE MyProfile |
Dump all security classes from specified profile: | lsdump -f all_classes.dmp SECCLASS MyProfile |
Dump the specified classes from the specified profile: | lsdump -f some_classes.dmp SECCLASS MyProfile class1,class2,class3 |
Dump the specified role from the specified profile (all classes assigned to the role will be dumped): | lsdump -f role.dmp ROLE MyRole MyProfile |
Dump the specified security classes that are assigned to the role / profile: | lsdump -f role.dmp ROLE MyRole MyProfile -s class1,class2,class3 |
lsload | |
Load a profile from the file profile.dmp, retaining its original name in the new location: | lsload PROFILE profile.dmp |
Load a profile from the specified dump file and assign it a new ID (MyNewProfile) in the new location: | lsload PROFILE profile.dmp -p MyNewProfile |
Load security class information from the specified dump file to a new location, retaining its original name in the new location: | lsload SECCLASS secclass.dmp |
Load security class information from the specified dump file and assign it a new name. The command assumes that the dump file contains only one security class. If it contains more than one, you will be prompted for new names for the additional security classes. | lsload SECCLASS secclass.dmp -s MyNewClass |
Load role information from "role.dmp" to a new location, retaining the original role and profile name in the new location: | lsload ROLE role.dmp |
Load role information from role.dmp to a new location, assigning new profile and role IDs: | lsload ROLE role.dmp -r MyNewRole -p MyNewProfile |
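Because a dump file can be edited directly as XML, a file changed after lsinteg validated it would reach lsload unchecked. The following is an added example, not Lawson-delivered code, that records a digest of the validated dump on the source host and refuses to run lsload on the target unless the file still matches. It assumes a POSIX shell with sha256sum on both hosts; the helper names and the file name checked.dmp are hypothetical.

```shell
#!/bin/sh
# Added example, not Lawson-delivered code. Assumes a POSIX shell with
# sha256sum on both hosts; seal_dump, verify_dump and load_profile are
# hypothetical helper names, and checked.dmp is a constructed file name.

umask 077   # dump files carry security rules: create them owner-only

# seal_dump FILE: record the SHA-256 of a dump that lsinteg has accepted.
seal_dump() {
    [ -s "$1" ] || { echo "seal_dump: $1 missing or empty" >&2; return 2; }
    ( cd "$(dirname "$1")" &&
      sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# verify_dump FILE: succeed only if FILE still matches its recorded digest.
verify_dump() {
    [ -f "$1.sha256" ] || { echo "verify_dump: no digest for $1" >&2; return 2; }
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# load_profile FILE [NEWID]: call lsload only for a dump that verifies.
load_profile() {
    verify_dump "$1" ||
        { echo "not loading $1: digest missing or changed" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        lsload PROFILE "$1" -p "$2"
    else
        lsload PROFILE "$1"
    fi
}

# Source host (for example, test):
#   lsdump -f profile.dmp PROFILE MyProfile
#   lsinteg -f profile.dmp   # new dump file assumed to be named checked.dmp
#   seal_dump checked.dmp
# Target host (for example, production), after copying both files:
#   load_profile checked.dmp MyNewProfile
```

The digest only detects changes made after it was recorded, so keep the .sha256 file where people who can edit the dump cannot also rewrite it.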