Article Content
Article Number | 000021358 |
Applies To | RSA ACE/Server 5.2 Administration API All platforms |
Issue | How to determine a SecurID user's group membership programmatically |
Cause | The RSA ACE/Server ATK does not provide a specific API to determine whether a user belongs to a specified group |
Resolution | There are several approaches to determine a user's group information via the ATK. Two of these approaches are shown below with pseudo-code approximating C/C++:

=============================================================
1. ACE ATK function Sd_ListGroupMembership (ref ace_admin_toolkit.pdf Page 131)
=============================================================

    // determines whether user (defLogin) is a member of group
    bool UserInGroup(char *defLogin, char *group)
    {
        char buffer[MAX_RESULT_MSG_SIZE];
        bool userInGroup = false;
        do {
            // each call returns the next group the user belongs to, or "Done"
            Sd_ListGroupMembership(defLogin, "", buffer, MAX_RESULT_MSG_SIZE);
            if (strcmp(buffer, group) == 0) {
                // user is in group: the search is abandoned early, so close it
                Sd_ListGroupMembership(defLogin, "-c", buffer, MAX_RESULT_MSG_SIZE);
                userInGroup = true;
            }
        } while (!userInGroup && strcmp(buffer, "Done") != 0);
        return userInGroup;
    }

NOTE: The Sd_List functions return a single result per call and must be called repeatedly to walk through a given data set. Sd_List functions return a list terminator (default string "Done") when there are no more elements. If list element retrieval is terminated before the end of the list, the database search must be closed by calling the Sd_List function with the close option set ("-c"). Failure to close the search can cause other database accesses to fail until the API is restarted via Sd_ApiInit().

=============================================================
2. ACE ATK function Sd_DynamicSelect (ref ace_admin_toolkit.pdf Page 79)
=============================================================

Sd_DynamicSelect can invoke custom ACE/Server database queries via SQL. The database schema is documented in ace_admin_toolkit.pdf starting on Page 231:

    Sd_ApiInit()
    ...
    Sd_DynamicSelect(tempfile, 0, 1, 0, 1, "", "",
        "SELECT chName FROM SDGroup "
        "JOIN SDGroupMember ON (SDGroup.iGroupNum = SDGroupMember.iGroupNum) "
        "JOIN SDUser ON (SDGroupMember.iUserNum = SDUser.iUserNum) "
        "WHERE (SDUser.chDefaultLogin = \"joesoap\")",
        "", "", "");
    ...
    Sd_ApiEnd()

NOTE: The result is a list of groups written to tempfile. Additional code would be required to process the group(s) in the file. |
Legacy Article ID | a22627 |
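As an added illustration (not code from the article or the ACE/Server ATK), the following models the Sd_List cursor protocol described in the NOTE for approach 1 with a constructed stand-in for Sd_ListGroupMembership, so it runs without the ATK installed. It contrasts a lookup that closes the search with "-c" on early exit against one that does not, and exposes whether a search was left open; the group list, the stub and MAX_RESULT_MSG_SIZE's value are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_RESULT_MSG_SIZE 256   /* assumed value; the ATK defines the real one */

/* Constructed stand-in for the ATK's Sd_ListGroupMembership (hypothetical; the
 * real one is in the ACE/Server ATK). Models the cursor protocol described in
 * the NOTE: each call returns one group, then "Done"; the "-c" option closes. */
static const char *sample_groups[] = { "finance", "vpn-users", "admins" }; /* constructed */
static int cursor = -1;   /* -1 = no search open; otherwise index of next group */

static void Stub_ListGroupMembership(const char *login, const char *options,
                                     char *result, int size)
{
    if (strcmp(options, "-c") == 0) {          /* explicit close of the search */
        cursor = -1;
        snprintf(result, size, "Closed");
        return;
    }
    if (cursor < 0) cursor = 0;                /* first call opens a search */
    if (cursor < (int)(sizeof sample_groups / sizeof *sample_groups))
        snprintf(result, size, "%s", sample_groups[cursor++]);
    else { snprintf(result, size, "Done"); cursor = -1; }   /* list exhausted */
}

bool SearchIsOpen(void) { return cursor >= 0; }

/* Correct pattern: stop at the first match and close the search with "-c". */
bool UserInGroup(const char *defLogin, const char *group)
{
    char buffer[MAX_RESULT_MSG_SIZE];
    bool found = false;
    do {
        Stub_ListGroupMembership(defLogin, "", buffer, sizeof buffer);
        if (strcmp(buffer, group) == 0) {
            found = true;
            Stub_ListGroupMembership(defLogin, "-c", buffer, sizeof buffer);
        }
    } while (!found && strcmp(buffer, "Done") != 0);
    return found;
}

/* Defective pattern: returns on a match without "-c", leaving the search open. */
bool UserInGroupNoClose(const char *defLogin, const char *group)
{
    char buffer[MAX_RESULT_MSG_SIZE];
    do {
        Stub_ListGroupMembership(defLogin, "", buffer, sizeof buffer);
        if (strcmp(buffer, group) == 0) return true;
    } while (strcmp(buffer, "Done") != 0);
    return false;
}
```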