Zymonic Toolkit Security

From Zymonic

This page contains all of the options for:

sudo zymonic_toolkit.pl Security

Check Menu Accessibility[edit]

The check_menu_accessibility command provides a detailed list of both the zymonic system's menu items which would be visible to and the permissions given to the user specified within the command arguments.

sudo zymonic_toolkit.pl Security check_menu_accessibility
  • System[edit]

    The name of the sub-directory in which the system's definition is stored. This is required for the command to work.

    sudo zymonic_toolkit.pl Security check_menu_accessibility --system SYSTEM
    
  • Configuration Directory[edit]

    The name of the directory in which Zymonic definitions are stored; defaults to "/etc/zymonic".

    sudo zymonic_toolkit.pl Security check_menu_accessibility --configdir FOLDERPATH
    
  • Username[edit]

    The username of the person that the command is being run for.

    sudo zymonic_toolkit.pl Security check_menu_accessibility --username USERNAME
    
  • Password[edit]

    The password of the person that the command is being run for. Entering !, instead of the password will cause a password prompt to appear once the command has been started.

    sudo zymonic_toolkit.pl Security check_menu_accessibility --password PASSWORD
    
  • IP Address[edit]

    The IP address of the person that the command is being run for. This is only needed in the few cases when the permissions being checked rely on IP address. The majority of permissions do not use IP address, as such this field can generally be ignored.

    sudo zymonic_toolkit.pl Security check_menu_accessibility --ip_address IP
    
  • Parent Filter/Process ZName[edit]

    ZName of the Filter/Process to treat as the parent when getting permissions.This is only needed in the cases when the permissions being checked rely on the parent Filter/Process. For example, if checking permissions of an order, you would set this to the zname of a filter which shows the order.

    sudo zymonic_toolkit.pl Security check_menu_accessibility --parent_fap ZNAME
    
  • Filter ZName[edit]

    The ZName of the filter menu to check.

    sudo zymonic_toolkit.pl Security check_menu_accessibility --filter ZNAME
    

Interpretting Results[edit]

The output of this command will show a break down of the items which would appear in the menu, for the named user, together with a break down of permissions for those items which would not show.

18-03-2016 13:40:08 - Menu can contain the following items:
Pick List (rand_list)
Orders List (rand_list)
Safe Status List (rand_list)
18-03-2016 13:40:08 - For this user menu will show the following items:
Orders List (rand_list)
Safe Status List (rand_list)
18-03-2016 13:40:08 - The following items are not present in the menu for this user:
18-03-2016 13:40:08 - Pick List (rand_list)
18-03-2016 13:40:08 - PERMISSION RECORD CHECKS (number represents count of permissions records which allow that permission):
deleteable =>  NO (0)
secureable =>  NO (0)
readable =>  NO (0)
changeable =>  NO (0)
appendable =>  NO (0)
undeleteable =>  NO (0)

18-03-2016 13:40:08 - Details needed to pass the various permissions:
deleteable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role

secureable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role, rand_role, rand_role

readable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role, rand_role, rand_role

changeable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role, rand_role, rand_role

appendable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role

undeleteable:
PERMISSION HOLDER: GROUPNAME:admins

Method check_menu_accessibility completed.

Check Page Accessibility[edit]

The check_page_accessibility command provides a detailed list of both the zymonic system's menu items which would be visible to and the permissions given to the user specified within the command arguments.

sudo zymonic_toolkit.pl Security check_page_accessibility
  • System[edit]

    The name of the sub-directory in which the system's definition is stored. This is required for the command to work.

    sudo zymonic_toolkit.pl Security check_page_accessibility --system SYSTEM
    
  • Configuration Directory[edit]

    The name of the directory in which Zymonic definitions are stored; defaults to "/etc/zymonic".

    sudo zymonic_toolkit.pl Security check_page_accessibility --configdir FOLDERPATH
    
  • Username[edit]

    The username of the person that the command is being run for.

    sudo zymonic_toolkit.pl Security check_page_accessibility --username USERNAME
    
  • Password[edit]

    The password of the person that the command is being run for. Entering !, instead of the password will cause a password prompt to appear once the command has been started.

    sudo zymonic_toolkit.pl Security check_page_accessibility --password PASSWORD
    
  • IP Address[edit]

    The IP address of the person that the command is being run for. This is only needed in the few cases when the permissions being checked rely on IP address. The majority of permissions do not use IP address, as such this field can generally be ignored.

    sudo zymonic_toolkit.pl Security check_page_accessibility --ip_address IP
    
  • Parent Filter/Process ZName[edit]

    ZName of the Filter/Process to treat as the parent when getting permissions.This is only needed in the cases when the permissions being checked rely on the parent Filter/Process. For example, if checking permissions of an order, you would set this to the zname of a filter which shows the order.

    sudo zymonic_toolkit.pl Security check_page_accessibility --parent_fap ZNAME
    
  • Page ZName[edit]

    The ZName of the page to check.

    sudo zymonic_toolkit.pl Security check_page_accessibility --page ZNAME
    

Interpretting Results[edit]

Page is accessible

When the page is accessible via the incoming credentials the output will simply state the fact.

17-03-2016 15:00:15 - Page rand_page is accessible.
Method check_page_accessibility completed.

Page is not accessible

When the page is not accessible via the incoming credentials the output will state the fact, along with a reason for the inacessibility.

17-03-2016 15:07:14 - Page rand_page is not accessible. There are no blocks present on this page for this user.
Method check_page_accessibility completed.

The reasons which can show are:

  • Page PAGE_ZNAME not found in the system. This means the page zname used cannot be found within the system.
  • Page PAGE_ZNAME cannot be loaded. This indicates some fundamental system error in loading the page.
  • There are no blocks defined on this page for any user. The page has no blocks on it at all within the system, and as such will not show for any user.
  • There are no blocks present on this page for this user. The incoming credentials do not give access to any blocks on this page, therefore the page will not show for these credentials.
  • Page PAGE_ZNAME is not accessible due to user permissions. See permission results below: The permissions on the page itself do not allow access for these credentials. Beneath this message will be output as per the check_permissions command.
  • Page PAGE_ZNAME itself is accessible. Checking accessibility its blocks below: The page itself is accessible by the incoming credentials, but the blocks within it are not accessible. Following this will be a break down of each block on the page along with its own accessibility.

Check Permissions[edit]

The check_permissions command provides a detailed list of both the zymonic system's menu items which would be visible to and the permissions given to the user specified within the command arguments.

sudo zymonic_toolkit.pl Security check_permissions
  • System[edit]

    The name of the sub-directory in which the system's definition is stored. This is required for the command to work.

    sudo zymonic_toolkit.pl Security check_permissions --system SYSTEM
    
  • Configuration Directory[edit]

    The name of the directory in which Zymonic definitions are stored; defaults to "/etc/zymonic".

    sudo zymonic_toolkit.pl Security check_permissions --configdir FOLDERPATH
    
  • Username[edit]

    The username of the person that the command is being run for.

    sudo zymonic_toolkit.pl Security check_permissions --username USERNAME
    
  • Password[edit]

    The password of the person that the command is being run for. Entering !, instead of the password will cause a password prompt to appear once the command has been started.

    sudo zymonic_toolkit.pl Security check_permissions --password PASSWORD
    
  • IP Address[edit]

    The IP address of the person that the command is being run for. This is only needed in the few cases when the permissions being checked rely on IP address. The majority of permissions do not use IP address, as such this field can generally be ignored.

    sudo zymonic_toolkit.pl Security check_permissions --ip_address IP
    
  • Parent Filter/Process ZName[edit]

    ZName of the Filter/Process to treat as the parent when getting permissions.This is only needed in the cases when the permissions being checked rely on the parent Filter/Process. For example, if checking permissions of an order, you would set this to the zname of a filter which shows the order.

    sudo zymonic_toolkit.pl Security check_permissions --parent_fap ZNAME
    
  • Security ID[edit]

    sudo zymonic_toolkit.pl Security check_permissions –target SECURITYID
    
  • Verbose[edit]

    Output much more information on the permission results.

    sudo zymonic_toolkit.pl Security check_permissions –verbose yes
    

Interpretting Results[edit]

Example Output Breakdown

This section provides explanations for each line of the output you would get from running this command.

26-02-2016 10:47:42 - PERMISSION RECORD CHECKS (number represents count of permissions records which allow that permission):
undeleteable =>  NO (0)
secureable => YES (1)
readable => YES (2)
deleteable =>  NO (0)
appendable =>  NO (0)
changeable => YES (2)

These are the results of the final permission check, as used by the system. It indicates which of the permissions the given user matches. The number in brackets represents the number of different permissions records which matched for that permissions. Any value greater than 0 indicates that the given user has that permission.

18-03-2016 08:43:55 - Details needed to pass the various permissions:
appendable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role

deleteable:
PERMISSION HOLDER: GROUPNAME:admins
ROLE PERMISSION: rand_role

undeleteable:

secureable: ALREADY PASSED
changeable: ALREADY PASSED
readable: ALREADY PASSED
Method check_permissions completed.

The final section shows what should be added to the credentials in order to gain a PASS for each of the individual permissions. A break down of what each item means can be found in the verbose section, below.

Example Verbose Output Breakdown

When running the permission check with the verbose option set, the same output will be seen as outlined above together with the, following, additional sections

26-02-2016 10:25:25 - USER: user
26-02-2016 10:25:25 - ROLE: rand_role
26-02-2016 10:25:25 - IP ADDRESS: 127.0.0.1
26-02-2016 10:25:25 - PARENT FAP: Name (rand_zname)

The above displays the inputs provided by the user.

26-02-2016 10:47:42 - GROUPS:
40
47

26-02-2016 10:47:42 - GROUP NAMES:
GROUP1
GROUP2

The above is lookup of all permission groups the user is in. The reason that both IDs and names are displayed for clarity and to help determine whether new or old permissions are being checked.

26-02-2016 10:47:42 - IP LISTS (% is wildcard):
any:
%

26-02-2016 10:47:42 - FAP LISTS (% is wildcard):
any:
%

rand_request:
Name (rand_zname)
Name (rand_zname)

rand_process:
Name (rand_process)

These are internal lists representing groups of IP addresses and filters/processes within the system. The character '%' is a wildcard meaning it will match any IP address or filter/process. The name before the colon is the name of the specific list and the lines below it represent entries in that list, either IP addresses, or names and znames of filters/processes in the list.

26-02-2016 10:47:42 - ALL PERMISSIONS FOR SEC ID : Transfer_Header-495356_
ID: 6484282
ZZLU: 2015-08-19 10:38:11
PERMISSION HOLDER: AUTHENTICATED - PASS
ROLE PERM: Request (rand_request) - PASS
IP LIST: any - PASS (%)
FAP LIST: rand_request - PASS (Name (rand_zname))
OVERALL MATCH: FAIL
PERMISSION readable : Y
PERMISSION changeable : Y
PERMISSION deleteable : N
PERMISSION secureable : Y
PERMISSION appendable : N
PERMISSION undeleteable : N

The above is essentially a dump of a DB permission record for the incoming sec_id. There can (and likely will) be multiple occurrences of this. It shows which rules must be matched in order for the permissions at the end to become valid. Each line shows either PASS or FAIL to show whether that rule matches for the given user, and the Overall Match shows whether the permissions at the end would be used for the given user. Permission holder will be one of the following:

  • AUTHENTICATED - there is a valid session for any user
  • UNAUTHENTICATED - there is a session without a user assigned to it, i.e. without credentials
  • USER:... - a name of a specific user that this permission applies to
  • GROUP:... - the id of a specific group that this permission applies to (now deprecated)
  • GROUPNAME:... - the name of a specific group that this permission applies to

The values in brackets at the end of the list lines show only for a PASS and indicate the entry in the relevant list which matched. Following this would be the output from the non-verbose, standard output section above.

Check Transition Conditions[edit]

The check_transition_permissions command provides a detailed list of both the zymonic system's menu items which would be visible to and the permissions given to the user specified within the command arguments.

sudo zymonic_toolkit.pl Security check_transition_permissions
  • System[edit]

    The name of the sub-directory in which the system's definition is stored. This is required for the command to work.

    sudo zymonic_toolkit.pl Security check_transition_permissions --system SYSTEM
    
  • Configuration Directory[edit]

    The name of the directory in which Zymonic definitions are stored; defaults to "/etc/zymonic".

    sudo zymonic_toolkit.pl Security check_transition_permissions --configdir FOLDERPATH
    
  • Username[edit]

    The username of the person that the command is being run for.

    sudo zymonic_toolkit.pl Security check_transition_permissions --username USERNAME
    
  • Password[edit]

    The password of the person that the command is being run for. Entering !, instead of the password will cause a password prompt to appear once the command has been started.

    sudo zymonic_toolkit.pl Security check_transition_permissions --password PASSWORD
    
  • IP Address[edit]

    The IP address of the person that the command is being run for. This is only needed in the few cases when the permissions being checked rely on IP address. The majority of permissions do not use IP address, as such this field can generally be ignored.

    sudo zymonic_toolkit.pl Security check_transition_permissions --ip_address IP
    
  • Parent Filter/Process ZName[edit]

    ZName of the Filter/Process to treat as the parent when getting permissions.This is only needed in the cases when the permissions being checked rely on the parent Filter/Process. For example, if checking permissions of an order, you would set this to the zname of a filter which shows the order.

    sudo zymonic_toolkit.pl Security check_transition_permissions --parent_fap ZNAME
    
  • Transition Zname[edit]

    The ZName of the transition to check. This is required for the command to work. This is required for the command to work.

    sudo zymonic_toolkit.pl Security check_transition_permissions –transition ZNAME
    
  • State ZName[edit]

    The ZName of the state to load for this transition to move from.

    sudo zymonic_toolkit.pl Security check_transition_permissions –state ZNAME
    
  • Process ID[edit]

    Process ID to use for the command being run. This is required for the command to work. This is required for the command to work.

    sudo zymonic_toolkit.pl Security check_transition_permissions –process_id ID
    

Interpretting Results[edit]

Success If the transition details provided are runnable by the incoming credentials then the output will show:

29-02-2016 11:10:14 - Transition ZNAME (DISPLAY_NAME) is runnable.

Error If the transition details provided are not runnable by the incoming credentials then the first line of the output will show:

29-02-2016 13:52:29 - Transition rand_transition (Name) is not runnable:

Form Record(s) used in checks, check these via check_permission command for further details:
        Table: Name (rand_table)
        Records:
                autocreated: 
                deleted: 
                order_no: 1381
                sec_id: orders-49515649_

Details of the table and records used for this permissions check can be seen in the above. These details can then be used within the check_permissions command to get a better breakdown of allowed access. This is done by setting the target parameter to the sec_id seen in the record above. Following on from the above will be a section about the possible combination of conditions which need to be satisfied in order for the transition to be runnable.

Possible Combinations of Conditions which need to be satisfied to make this Transition runnable:
        Possible Combination 1:
          * User must have permission to review orders

        Possible Combination 2:
          * Order is above Profit Threshold
          * User must have permission to review orders

Next will be a breakdown of the results of each of the failing conditions, containing a description of how the check was done. Such details will differ depending on what the reason for the failure was, some examples can be seen below.

Detailed Condition Results:
        User must have permission to review orders
          ZName: rand_zname
          Result: FAIL
          Details:
Permission checks were done with the following details:
Security IDS: orders-49515649_
Permissions Checked: changeable
Role Permissions Checked: rand_role
Table: orders
Parent FAP: rand_zname

        Order is above Profit Threshold
          ZName: rand_zname
          Result: FAIL
          Details:
Checked whether '-66519.0270850312' is numerically GreaterThanOrEqualTo 0' - FAIL

Delete Configuration Store[edit]

Deletes all config options in the shared memory used by zymonic systems. See the load_config_store command for more details on shared memory store.

sudo zymonic_toolkit.pl Security delete_config_store
  • Effective Group ID[edit]

    The effective group id for creating and accessing the shared memory. Suggest using apache/www group.

    sudo zymonic_toolkit.pl Security delete_config_store --egid GROUPID