Configuration options for the Referential Integrity User Exit

[user exit]
allow dangling ACE removal=boolean
allow multiple ACEs=boolean
allow redundant membership=boolean
deny if dangling references=boolean

The section name (user exit) and option names are case-insensitive. Options may appear in any order. Whitespace is ignored. Comments are prefixed with #.

A boolean value may be 0, no (or n), or false (or f) for false; or 1, y, yes, t, or true for true. The value is case-insensitive.

The trace-setting value syntax is described below.

See The Referential Integrity Sample User Exit for more information about the Referential Integrity User Exit module.

All of the configuration items are optional. The default value for Boolean options is false, and tracing is disabled by default.

allow dangling ACE removal

If this option is enabled, then if an administrator attempts to remove an Access Control Entry (ACE) from a resource access rule, and the ACE refers to a user or group that does not exist, the ACE is removed anyway. Under the default set of constraints this is not permitted.

allow multiple ACEs

If this option is enabled, an administrator will be allowed to add an ACE to a resource access rule even if that rule already contains an ACE for the same actor (user or group). This is technically unnecessary because all of the permissions for an actor can be expressed in a single ACE, but is sometimes convenient. Under the default set of constraints this is not permitted (only one ACE for an actor can be defined for a given rule).

allow redundant membership

If this option is enabled, an administrator will be allowed to add a user to a group even if that group is the user's default group. This has no effect on the user's group membership, unless the user's default group is later changed. Some administrators prefer to make users explicit members of their default group so that a listing of the group shows all its members. This redundant membership is not permitted under the default set of constraints.

deny if dangling references

Under normal processing, a user can be added even if some groups already list that user as a member, or if some resource rules contain ACEs that refer to that user. Similarly, a group can be added even if some users list that group as their default group. Normally the Referential Integrity exit would prevent such dangling references from being created in the first place, but they may occur due to administering the security repository data by other means, such as LDAP import operations. If enabled, this option activates additional constraints that prevent adding a user or group if there are references to it.


The trace-setting value can be a non-negative integer. 0 disables tracing and positive values enable it. In principle higher values enable more tracing messages but in the current version of the exit all messages are emitted at level 1. The keyword yes (or y) will also enable tracing, at the highest level. Any other value disables it.

Tracing takes the form of informational ESF messages, which will be written to the region console log (for ES regions), the journal (for MFDS), or standard error (esfadmin), just as other ESF messages are.

An example configuration:
# Configure the Referential Integrity user exit module
[user exit]
allow dangling ACE removal=true
allow multiple ACEs=false
allow redundant membership=y
deny if dangling references=yes