                                 ACLCheck
                                 ========
                          ACLCheck 403, 01Apr2016
                          -----------------------

              FreeWare from GreenHouse Software & Consulting



ACLCHECK is a FreeWare tool from GreenHouse Software & Consulting.
It checks SAFEGUARD for questionable Access Control Lists (ACLs),
and optionally cleans up orphaned entries.


*** To execute the CLEANUP function, you must be logged on to SUPER.SUPER!



SAFEGUARD allows meaningless ACLs to be added, e.g. an existing volume
can be added as a device, and/or as a process. In addition, a volume
can be the 'base' for a subdevice and/or subprocess.

Actually there is no way to prevent this.

The ACLCHECK program reads all ACLs, and checks them for consistency.
The following checks are performed:

  - DEVICE       does DEVICE exist
                 is DEVICE known as VOLUME
                 does DEVICE also have an entry as PROCESS

  - PROCESS      does PROCESS exist
                 is PROCESS known as VOLUME
                 does PROCESS have an entry as DEVICE

  - SUBDEVICE    does DEVICE of SUBDEVICE exist
                 is DEVICE of SUBDEVICE known as VOLUME
                 is SUBDEVICE allowed for this type of DEVICE
                 does the DEVICE of SUBDEVICE have an entry as PROCESS
                 does SUBDEVICE have an entry as SUBPROCESS

  - SUBPROCESS   does SUBPROCESS exist
                 is PROCESS of SUBPROCESS known as VOLUME
                 does the PROCESS of SUBPROCESS have an entry as DEVICE
                 does SUBPROCESS have an entry as SUBDEVICE

  - DISKFILE     does the DISKFILE exist

  - SUBVOL       does the SUBVOL exist (has at least one file)

  - OBJECTTYPE   are all OBJECTTYPEs configured


The command syntax is:

  [run] ACLCHECK [/OUT <file>/] [-H[ELP]] [CLEANUP] [<type> <template>]

where

  <file>     is the OUT file to which the test and action results are reported.
             In case <file> does not exist, it is created as an EDIT type
             file.
  -H[ELP]    causes ACLCHECK to display a help screen.

  CLEANUP    required keyword that switches ACLCHECK into the
             'cleanup' mode.
             You have to be SUPER.SUPER to run ACLCHECK in CLEANUP mode!

  <type>     is one of:
             - PROC[ESS]
             - SUBPROC[ESS]
             - DEV[ICE]
             - SUBDEV[ICE]
             - SUBVOL[UME]
             - [DISK]FILE

  <template> is a wildcard string defining the mask that is to be
             used to clean up <type>

  In case no startup parameters are present, ACLCHECK runs in check mode.


To invoke ACLCHECK to get a list of all orphaned ACLs, run it with
the following command:

  [run] ACLCHECK

A typical output looks like this:

  $GHS1 ACLCHECK 261> aclcheck
  ACLCheck (402) - T7172G06 - (10Dec2012) System \GINKGO, running NSK H06.24
  Copyright (c) GreenHouse Software & Consulting 1999-2002,2012

  DEVICE:      $GHI  does not exist

  PROCESS:     $ABC  does not exist
               $ABCDE  does not exist
               $CMON  does not exist
               $GHS2  does not exist
               $GHS2  is also known as VOLUME
               $ZTC00  does not exist

  SUBDEVICE:   $GHI.#HALLO  does not exist

  SUBPROCESS:  $ABC.#DEF  does not exist
               $ICH.#ICH  does not exist

  OBJECTTYPE:  DISKFILE missing

  SUBVOL:      $GHS1.HALODUDA  does not exist
               $GHS1.SUBVOLA  does not exist
               $GHS1.TESTA  does not exist

  SUBVOL:      $DSMSCM.WASTE  does not exist
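
A check-mode report can be triaged before any CLEANUP run is considered.
The following Python script is an added example, not part of ACLCheck or of
GreenHouse's distribution. It assumes the report uses the layout shown above
(a "<TYPE>:" label, indented continuation lines, a blank line between
sections); the function names and the orphan/review split are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the report layout shown above (not a real system's output).
SAMPLE = """\
  DEVICE:      $GHI  does not exist

  PROCESS:     $ABC  does not exist
               $GHS2  does not exist
               $GHS2  is also known as VOLUME

  OBJECTTYPE:  DISKFILE missing

  SUBVOL:      $GHS1.TESTA  does not exist

  SUBVOL:      $DSMSCM.WASTE  does not exist
"""

# A section starts with "<TYPE>:"; indented lines below it belong to the same type.
HEADER = re.compile(r"^\s*([A-Z]+):\s+(\S.*)$")

def parse_report(text):
    """Return (type, name, finding) tuples; a blank line ends the current section."""
    rows, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
        elif current and line[:1].isspace() and line.strip():
            rest = line
        else:
            current = None          # blank line, banner or prompt: not a finding
            continue
        name, _, finding = rest.strip().partition(" ")
        rows.append((current, name, finding.strip()))
    return rows

def triage(rows):
    """Split findings into orphans and entries that need a manual look."""
    # Assumption: only "does not exist" marks an orphaned entry; anything else
    # (e.g. "is also known as VOLUME", "missing") is a conflict to review by hand.
    orphans = [r for r in rows if r[2] == "does not exist"]
    review = [r for r in rows if r[2] != "does not exist"]
    return orphans, review, Counter(t for t, _, _ in orphans)

if __name__ == "__main__":
    orphans, review, per_type = triage(parse_report(SAMPLE))
    print("orphaned entries per type:", dict(per_type))
    print("review by hand:", review)
```

Feed it the contents of the /OUT file from a check-mode run; the per-type
counts show which <type> values have orphaned entries at all.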





To display a specific set of ACLs, the <type> along with the
<template> can be specified:

  $GHS1 ACLCHECK 130> aclcheck subvol $*.*
  ACLCheck (310) - T7172G06 - (20Jul2000) System \BEECH, running NSK G06
  Copyright (c) GreenHouse Software & Consulting 1999,2000

  SUBVOL:      $GHS1.NULL  does not exist

  $GHS1 ACLCHECK 131>


Besides checking and displaying questionable ACLs, ACLCheck can
clean up orphaned ACLs.

To clean up all orphaned disk file ACLs on all volumes, the following
command has to be executed:

  [run] ACLCHECK CLEANUP DISKFILE $*.*.*

This would delete all orphaned disk file ACLs on the system.


The command:

  [run] ACLCHECK CLEANUP SUBVOLUME $ghs*.*

deletes all orphaned subvolume ACLs on all disks, matching the pattern $GHS*.*


In case you find this tool helpful:  Feel free to use it!
In case you find an error: Please let me know!


Carl Weber
GreenHouse Software & Consulting
Heinrichstrasse 12
D-45711 Datteln/Horneburg
Germany
Phone:    +49 2363 72566
FAX:      +49 2363 66106
Cellular: +49 172 23 18248
E-Mail:   Carl.Weber@GreenHouse.de
