Configuring NullEsm

The NullEsm ESM module has no actual External Security Manager. It makes security decisions internally, based on its configuration. By default it does nothing. It is intended primarily for testing, though it may be useful to configure a handful of exceptions for special purposes.

The NullEsm ESM module supports some optional settings in its configuration text area:

  • [Operation]
    • Regex=setting

      If setting is "y" or "yes" (case-insensitive), settings in the [Auth] section are treated as regular expressions rather than literal names.

  • [Trace]
    • Trace=setting

      If setting is "y" or "yes" (case-insensitive), write various messages to the console log about security decisions.

  • [Verify]
    • user =action

      For a Verify (user sign-on) request, if the userid matches user, then set the result based on action.

      The action can be:

      • allow Allow this signon attempt.
      • deny Deny this signon attempt.
      • disable Return a result code indicating the user's account is disabled.
      • expire Same result as disable.
      • fail Return an error indicating the ESM failed to process the request.
      • unknown Indicate the ESM does not have any information about this user.

      If the userid is not found in the [Verify] section, or the action is not recognized, the behavior is the same as for unknown.

    • [Auth]
    • class /resource=action

      When an Auth (resource access check) request is received, NullEsm concatenates the resource class and entity names with a slash separator and looks for a matching entry in the [Auth] section. If the Regex setting (see above) is enabled, it treats the entries as regular expressions rather than looking for a literal match. If it finds a matching entry, it sets the result based on action:

      • allow

        Allow this access attempt.

      • deny

        Deny this access attempt.

      • trace

        Log a message to the console about this access attempt. (The Regex mode is particularly useful if trace is used, as it makes it possible to have both an allow/deny entry and a trace entry for a given resource.)