rbacenforce
The rbacenforce program lists role-based access control (RBAC) violations and issues workflow requests in order to correct variances. The program is run by default by the psupdate program during auto discovery. This can be turned off by disabling the Resources > Options > RBAC ENFORCEMENT NIGHTLY LIST and RBAC ENFORCEMENT NIGHTLY SUBMIT options.
Usage
rbacenforce.exe [ option ]
Argument | Description |
|---|---|
-group <group> | Specify the group ID to check violations on. |
-inputfile <fileName> | Input this KVGroup file with all requests to submit. The default is violation.kvg. |
-limitcheck <numUsers> | Override the system configured value to limit the number of users to check for violations. |
-limitlist <numViolations> | Override the system configured value to limit the number of violations to list. |
-listfile <fileName> | Output the list of violations to this file. The default is violation.kvg. |
-nolist | Do not run the listing of surplus and/or deficit violations. This option can only be used with -submit. |
-norecordcheck | Record that the user was checked. Users checked least recently are checked first. |
-outfile <fileName> | Print all violations that did not get submitted, along with the error message returned, to this file. |
-requester <requester> | Submits requests using the specified user ID. The default is the user specified by the system variable RBAC AUTO PROPAGATE REQUESTER. |
-resourceenforce <0-2> | ∙0 – check all resources 1 – only check resources that are under enforcement (default) 2 – only check resources not under enforcement |
-returnbatch | Returns batch IDs of successfully submitted requests. |
-roleonly | Only deficits will be checked. |
-skipenforce | Bypasses RBAC ENFORCEMENT ENABLED, so rbacenforce can check for violations and submit requests, even if RBAC ENFORCEMENT ENABLED is disabled. |
-submit | Submit requests for users with surplus and/or deficit violations. |
-threads <number of threads> | Use this for the number of threads to use when submitting requests to resolve violations (default is 4). |
-userenforce <0-2> | 0 – check all users 1 – only check users that are under enforcement (default) 2 – only check users not under enforcement |
-userid <userID> | Specify a user on which to check violations. This defaults -userenforce to 0. |
-users <fileName> | Specify a file containing a list of profile IDs on which to check violations. In the file, each user should be in its own line. This defaults userenforce to 0. |
Examples
To check for any violation:
rbacenforce.exe
To check and request to resolve violations:
rbacenforce.exe -submit
To check a single user:
rbacenforce.exe -userid <userID>
To check all resources and users, regardless of whether they are under enforcement or not, and if RBAC ENFORCEMENT ENABLED is disabled:
rbacenforce.exe -skipenforce -userenforce 0 -resourceenforce 0