000021358 - How to determine a SecurID user's group membership programmatically

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021358
Applies ToRSA ACE/Server 5.2 Administration API
All platforms
IssueHow to determine a SecurID user's group membership programmatically
CauseThe RSA ACE/Server ATK does not provide a specific API to determine if a user belongs to specified group
ResolutionThere are several approaches to determine a user's group information via the ATK. Two of these approaches are shown below with pseudo-code to approximate 'C/C++':

=============================================================
1. ACE ATK function Sd_ListGroupMembership (ref ace_admin_toolkit.pdf Page 131)
=============================================================

   //determines if user (defLogin) is in group
   boolean UserInGroup(char *defLogin, char *group);
   {
      boolean userInGroup = false;
      do {
          SD_ListGroupMembership(deflogin, "",buffer,MAX_RESULT_MSG_SIZE);
          if ( strcmp(buffer, group) == 0 )
          {
                 //user in group, close search
             SD_ListGroupMembership(deflogin, "-c",buffer,MAX_RESULT_MSG_SIZE);
             userInGroup = true;
             }
       } while (strcmp(buffer,"Done")!=0 || !userInGroup )

       return userInGroup;
   }

NOTE: The Sd_List functions return a single result and must be called multiple times to search through a given data set.  Sd_List functions return a list terminator (default string "Done") when there are no more elements.  If list element retrieval is terminated prior to the end of the list, the db search must be closed by calling the Sd_List function with the close option set ("-c").  Failure to close the search can cause other database accesses to fail until the API is restarted via Sd_ApiInit().

=============================================================
2. ACE ATK function Sd_DynamicSelect (ref ace_admin_toolkit.pdf Page 79)
========================================================

Sd_DynamicSelect can invoke custom ACE/Server database queries via SQL.  The database schema is documented in ace_admin_toolkit.pdf starting on Page 231:

    Sd_ApiInit()
    ...
    SD_DynamicSelect(
    Sd_DynamicSelect(tempfile,0,1,0,1,"","","SELECT chName FROM SDGroup JOIN SDGroupMember ON (SDGroup.iGroupNum = SDGroupMember.iGroupNum) JOIN SDUser ON (SDGroupMember.iUserNum = SDUser.iUserNum)WHERE ( SDUser.chDefaultLogin = \"joesoap\" )","","","");
    ...
    SD_ApiEnd()


NOTE: The result is a list of groups written to tempfile. Additional code would be required to process the group(s) in the file.
Legacy Article IDa22627

Attachments

    Outcomes