eimRemoveAccess()--Remove EIM Access

Syntax

 #include <eim.h>

 int eimRemoveAccess(EimHandle          * eim,
                     EimAccessUser      * accessUser,
                     enum EimAccessType   accessType,
                     char               * registryName,
		     EimRC              * eimrc)

  Service Program Name: QSYS/QSYEIM

  Default Public Authority: *USE

  Threadsafe: Yes

The eimRemoveAccess() function removes the user from the EIM access group identified by the access type.

Authorities and Locks

EIM Data

Access to EIM data is controlled by EIM access groups. LDAP administrators also have access to EIM data. The access groups whose members have authority to the EIM data for this API follow:

EIM Administrator

Parameters

eim (Input)

The EIM handle returned by a previous call to eimCreateHandle(). A valid connection is required for this function.

accessUser (Input)

A structure that contains the user information to remove access from.

EIM_ACCESS_LOCAL_USER

Indicates a local user name on the system that the API is run. The local user name will be converted to the appropriate access id for this system.

EIM_ACCESS_KERBEROS

Indicates a kerberos principal. The kerberos principal will be converted to the appropriate access id. For example, petejones@therealm will be converted to ibm-kn=petejones@threalm.

The EimAccessUser structure layout follows:

   enum EimAccessUserType {
       EIM_ACCESS_DN,
       EIM_ACCESS_KERBEROS,
       EIM_ACCESS_LOCAL_USER
   };

   typedef struct EimAccessUser
   {
       union {
           char * dn;
           char * kerberosPrincipal;
           char * localUser;
       } user;
       enum EimAccessUserType userType;
   } EimAccessUser;

accessType (Input)

The type of access to remove. This parameter is passed by value. Valid values are:

EIM_ACCESS_ADMIN (0)

Administrative authority to the entire EIM domain.

EIM_ACCESS_REG_ADMIN (1)

Administrative authority to all registries in the EIM domain.

EIM_ACCESS_REGISTRY (2)

Administrative authority to the registry specified in the registryName parameter.

EIM_ACCESS_IDENTIFIER_ADMIN (3)

Administrative authority to all of the identifiers in the EIM domain.

EIM_ACCESS_MAPPING_LOOKUP (4)

Authority to perform mapping lookup operations.

EIM_ACCESS_CREDENTIAL_DATA (5)

Authority to retrieve credential data.

registryName (Input)

The name of the registry to remove access from. This parameter is only used if EimAccessType is EIM_ACCESS_REGISTRY. If EimAccessType is anything other than EIM_ACCESS_REGISTRY, this parameter must be NULL.

eimrc (Input/Output)

The structure in which to return error code information. If the return value is not 0, eimrc is set with additional information. This parameter may be NULL. For the format of the structure, see EimRC--EIM Return Code Parameter.

Return Value

The return value from the API. Following each return value is the list of possible values for the messageCatalogMessageID field in the eimrc parameter for that value.

0

Request was successful.

EACCES

Access denied. Not enough permissions to access data.

EIMERR_ACCESS (1)

Insufficient access to EIM data.

EBADDATA

eimrc is not valid.

EBUSY

Unable to allocate internal system object.

EIMERR_NOLOCK (26)

Unable to allocate internal system object.

ECONVERT

Data conversion error.

EIMERR_DATA_CONVERSION (13)

Error occurred when converting data between code pages.

EINVAL

Input parameter was not valid.

EIMERR_ACCESS_TYPE_INVAL (2)

Access type is not valid.

EIMERR_ACCESS_USERTYPE_INVAL (3)

Access user type is not valid.

EIMERR_HANDLE_INVAL (17)

EimHandle is not valid.

EIMERR_PARM_REQ (34)

Missing required parameter. Please check API documentation.

EIMERR_PTR_INVAL (35)

Pointer parameter is not valid.

EIMERR_REG_MUST_BE_NULL (55)

Registry name must be NULL when access type is not EIM_ACCESS_REGISTRY.

ENOMEM

Unable to allocate required space.

EIMERR_NOMEM (27)

No memory available. Unable to allocate required space.

ENOTCONN

LDAP connection has not been made.

EIMERR_NOT_CONN (31)

Not connected to LDAP. Use eimConnect() API and try the request again.

EROFS

LDAP connection is for read only. Need to connect to master.

EIMERR_READ_ONLY (36)

LDAP connection is for read only. Use eimConnectToMaster() to get a write connection.

EUNKNOWN

Unexpected exception.

EIMERR_LDAP_ERR (23)

Unexpected LDAP error. %s

EIMERR_UNKNOWN (44)

Unknown error or unknown system state.

Related Information

eimAddAccess() --Add EIM Access
eimListAccess() --List EIM Access
eimListUserAccess() --List EIM User Access
eimQueryAccess() --Query EIM Access

Example

The following example removes the user from the access group.

Note: By using the code examples, you agree to the terms of the Code license and disclaimer information.

#include <eim.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    int           rc;
    char          eimerr[100];
    EimRC       * err;
    EimHandle   * handle;
    
    EimAccessUser user;

    /* Get eim handle from input arg.           */
    /* This handle is already connected to EIM. */
    handle = (EimHandle *)argv[1];

    /* Set up error structure.                  */
    memset(eimerr,0x00,100);
    err = (EimRC *)eimerr;
    err->memoryProvidedByCaller = 100;

    /* Set user information                     */
    user.userType = EIM_ACCESS_DN;
    user.user.dn="cn=pete,o=ibm,c=us";
    
    /* Remove access for this user.             */
    if (0 != (rc = eimRemoveAccess(handle,
                                &user,
                                EIM_ACCESS_ADMIN,
                                NULL,
                                err)))
    {
        printf("Remove access error = %d", rc);
        return -1;
    }
              
    return 0;
}

API introduced: V5R2

[ Back to top | Security APIs | APIs by category ]