HMC Manual Reference Pages - CHHMCUSR (1)

NAME

chhmcusr - change Hardware Management Console user attributes

Synopsis
Description
Options
Examples
Environment
Bugs
Author
See Also

SYNOPSIS

To change the attributes of a Hardware Management Console (HMC) user:
chhmcusr -u user-name
-t {assign | desc | name | passwd | pwage | taskrole |
auth | remoteuser}
[-o {a | r}] [-r {resource | resourcerole}]
[-v new-attribute-value]
[--remoteuser remote-user-name] [--localpasswd password]
[--help]
or
chhmcusr {-f input-data-file | -i "input-data"} [--help]
To change the default settings of HMC user attributes:
chhmcusr -t default {-f input-data-file | -i "input-data"}
[--help]

DESCRIPTION

chhmcusr changes the attributes of an HMC user.
chhmcusr also changes the default settings of HMC user attributes. The new default settings will be applied to newly created HMC users only.

OPTIONS

-u The user name of the HMC user to change.
You can either use this option, or use the name attribute with the -f or -i option, to specify the user name. The -u, -f, and -i options are mutually exclusive.

-t When changing the attribute of an HMC user, specify which user attribute to change. Valid values are assign for the user’s access control managed resource object assignment or managed resource role assignment, desc for the user’s description, name for the user’s user name, passwd for the user’s password, pwage for the number of days until the user’s password expires, taskrole for the user’s access control task role, auth for the user’s authentication type, and remoteuser for the user’s remote user ID used for remote Kerberos authentication.
Only users that have the hmcsuperadmin task role, or that have the ManageAllUserPasswords task in their task role, are authorized to change other locally authenticated user’s passwords. The password for a remotely authenticated Kerberos user can be changed only by that user. Passwords for remotely authenticated LDAP users cannot be changed.
Password expirations can be changed for locally authenticated users only.
You can either use this option, or use the -f or -i option, to specify the user attribute(s) to change. The -t, -f, and -i options are mutually exclusive.
When changing the default settings of HMC user attributes, specify default with this option.

-o The managed resource object or role assignment operation to perform. Valid values are a to add a managed resource object or role to the user and r to remove a managed resource object or role from the user.
This option is required when changing the user’s managed resource object assignment.
You can either use this option, or use the resourcerole attribute with the -f or -i option, to change the user’s managed resource role assignment. The -o, -f, and -i options are mutually exclusive.

-r The type of access control assignment to change. Valid values are resource for managed resource object assignment and resourcerole for managed resource role assignment.
This option is required when the -o option is used to change the user’s managed resource object assignment or managed resource role assignment. This option is not valid otherwise.

-v The new value for the attribute being changed.
When changing the user’s managed resource object assignment, specify the managed resource object to be added or removed.
When changing the user’s managed resource role assignment, specify the managed resource role to be added or removed.
When changing the user’s description, specify the new description with this option. The new description can be any string.
When changing the user’s user name, specify the new user name with this option. The new user name must not be longer than 32 characters, and it must begin with a letter.
When changing the user’s password, you can either specify the new password with this option, or you can omit this option and you will be prompted to enter the password. The new password must be at least 7 characters in length.
When changing the number of days until the user’s password expires, specify the new number of days with this option.
When changing the user’s access control task role, specify the new task role with this option. Valid values are hmcsuperadmin, hmcoperator, hmcviewer, hmcpe, hmcservicerep, hmcclientliveupdate, or a user-defined task role.
When changing the user’s authentication type, specify the new authentication type with this option. Valid values are local, kerberos, or ldap.
When changing the user’s remote user ID used for remote Kerberos authentication, specify the new remote user ID with this option.
This option is required when the -t option is specified to change any user attribute other than the user’s password.
You can either use this option, or use the -f or -i option, to specify the new user attribute value(s). The -v, -f, and -i options are mutually exclusive.

--remoteuser The remote user ID used for remote Kerberos authentication for this user. This is the user’s Kerberos principal. The format of a typical Kerberos principal is primary/instance@REALM.
The remote user ID must be specified when changing the user’s authentication type to remote Kerberos authentication.
This option is only valid when the -t option is specified to change the user’s authentication type to remote Kerberos authentication.
You can either use this option, or use the remote_user_name attribute with the -f or -i option, to change the remote user ID. The --remoteuser, -f, and -i options are mutually exclusive.

--localpasswd The password for this user. The password must be at least 7 characters in length.
This option is only valid when the -t option is specified to change the user’s authentication type to local authentication.
You can either use this option, or use the passwd attribute with the -f or -i option, to specify the password for this user when changing the user’s authentication type to local authentication. If this option is omitted or the -f or -i option is specified and the passwd attribute is omitted, you will be prompted to enter the password. The --localpasswd, -f, and -i options are mutually exclusive.

-f The name of the file containing the input data for this command. The input data consists of attribute name/value pairs, which are in comma separated value (CSV) format.
The format of the input data is as follows:
attribute-name=value,attribute-name=value,...
Valid attribute names for changing the attributes of an HMC user:
name
[new_name]
[taskrole]
Valid values are hmcsuperadmin, hmcoperator,
hmcviewer, hmcpe, hmcservicerep, hmcclientliveupdate,
or a user-defined task role
[resourcerole]
[description]
[passwd]
Local and Kerberos users only
[current_passwd]
When changing the password for a Kerberos user, use
this attribute to specify the user’s current password.
If this attribute is omitted, you will be prompted to
enter the current password.
[pwage]
Local users only
number of days
[min_pwage]
Local users only
number of days
[authentication_type]
Valid values are:
local - local authentication
kerberos - remote Kerberos authentication
ldap - remote LDAP authentication
[session_timeout]
number of minutes
[verify_timeout]
number of minutes
[idle_timeout]
number of minutes
[inactivity_expiration]
number of days
[remote_webui_access]
Valid values are:
0 - do not allow this user to log in remotely to the
HMC Web user interface
1 - allow this user to log in remotely to the
HMC Web user interface
[remote_ssh_access]
Valid values are:
0 - do not allow this user to log in remotely to the
HMC using SSH
1 - allow this user to log in remotely to the
HMC using SSH
[remote_user_name]
Kerberos users only
[passwd_authentication]
Local users only
Valid values are:
0 - do not allow this user to log in to the HMC using
a password
1 - allow this user to log in to the HMC using a
password
Valid attribute names for changing the default settings of HMC user attributes:
[session_timeout]
number of minutes
[idle_timeout]
number of minutes
[max_webui_login_attempts]
Input data for this command can be specified with this option, the -i option, or any of the other command options. The -f and the -i options are mutually exclusive. When changing the attributes of an HMC user, the -f and -i options cannot be specified if any of the other command options are specified.

-i This option allows you to enter input data on the command line, instead of using a file. Data entered on the command line must follow the same format as data in a file, and must be enclosed in double quotes.
Input data for this command can be specified with this option, the -f option, or any of the other command options. The -i and the -f options are mutually exclusive. When changing the attributes of an HMC user, the -i and -f options cannot be specified if any of the other command options are specified.

--help Display the help text for this command and exit.

EXAMPLES

Change the password for the user tester (the new password must be entered when prompted):
chhmcusr -u tester -t passwd
Change the password for the user tester without prompting:
chhmcusr -u tester -t passwd -v secretpassword
or
chhmcusr -i "name=tester,passwd=secretpassword"
Change the number of days until the password expires for the user hmcuser1 to be 180:
chhmcusr -u hmcuser1 -t pwage -v 180
or
chhmcusr -i "name=hmcuser1,pwage=180"
Change the task role for the user tester to hmcoperator:
chhmcusr -u tester -t taskrole -v hmcoperator
or
chhmcusr -i "name=tester,taskrole=hmcoperator"
Change the remote user ID for the user krbuser to krbuser@EXAMPLE.ORG:
chhmcusr -u krbuser -t remoteuser -v krbuser@EXAMPLE.ORG
or
chhmcusr -i "name=krbuser,remote_user_name=krbuser@EXAMPLE.ORG"
Change the remotely authenticated Kerberos user user1 to a locally authenticated user (the password must be entered when prompted):
chhmcusr -u user1 -t auth -v local
or
chhmcusr -i "name=user1,authentication_type=local"
Change the locally authenticated user user2 to a remotely authenticated Kerberos user and set the remote user ID to user2@EXAMPLE.ORG:
chhmcusr -u user2 -t auth -v kerberos --remoteuser
user2@EXAMPLE.ORG
or
chhmcusr -i "name=user2,authentication_type=kerberos,
remote_user_name=user2@EXAMPLE.ORG"
Change the locally authenticated user user3 to a remotely authenticated LDAP user:
chhmcusr -u user3 -t auth -v ldap
or
chhmcusr -i "name=user3,authentication_type=ldap"
Change the remotely authenticated LDAP user user4 to a locally authenticated user:
chhmcusr -u user4 -t auth -v local --localpasswd jk3ds00b
or
chhmcusr -i "name=user4,authentication_type=local,passwd=jk3ds00b"
Change the default settings for the session and idle timeout user attributes:
chhmcusr -t default -i "session_timeout=1440,idle_timeout=20"

ENVIRONMENT

None

BUGS

None

AUTHOR

IBM Austin

HMC Manual Reference Pages - CHHMCUSR (1)

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

OPTIONS

EXAMPLES

ENVIRONMENT

BUGS

AUTHOR

SEE ALSO

-u	The user name of the HMC user to change. You can either use this option, or use the name attribute with the -f or -i option, to specify the user name. The -u, -f, and -i options are mutually exclusive.
-t	When changing the attribute of an HMC user, specify which user attribute to change. Valid values are assign for the user’s access control managed resource object assignment or managed resource role assignment, desc for the user’s description, name for the user’s user name, passwd for the user’s password, pwage for the number of days until the user’s password expires, taskrole for the user’s access control task role, auth for the user’s authentication type, and remoteuser for the user’s remote user ID used for remote Kerberos authentication. Only users that have the hmcsuperadmin task role, or that have the ManageAllUserPasswords task in their task role, are authorized to change other locally authenticated user’s passwords. The password for a remotely authenticated Kerberos user can be changed only by that user. Passwords for remotely authenticated LDAP users cannot be changed. Password expirations can be changed for locally authenticated users only. You can either use this option, or use the -f or -i option, to specify the user attribute(s) to change. The -t, -f, and -i options are mutually exclusive. When changing the default settings of HMC user attributes, specify default with this option.
-o	The managed resource object or role assignment operation to perform. Valid values are a to add a managed resource object or role to the user and r to remove a managed resource object or role from the user. This option is required when changing the user’s managed resource object assignment. You can either use this option, or use the resourcerole attribute with the -f or -i option, to change the user’s managed resource role assignment. The -o, -f, and -i options are mutually exclusive.
-r	The type of access control assignment to change. Valid values are resource for managed resource object assignment and resourcerole for managed resource role assignment. This option is required when the -o option is used to change the user’s managed resource object assignment or managed resource role assignment. This option is not valid otherwise.
-v	The new value for the attribute being changed. When changing the user’s managed resource object assignment, specify the managed resource object to be added or removed. When changing the user’s managed resource role assignment, specify the managed resource role to be added or removed. When changing the user’s description, specify the new description with this option. The new description can be any string. When changing the user’s user name, specify the new user name with this option. The new user name must not be longer than 32 characters, and it must begin with a letter. When changing the user’s password, you can either specify the new password with this option, or you can omit this option and you will be prompted to enter the password. The new password must be at least 7 characters in length. When changing the number of days until the user’s password expires, specify the new number of days with this option. When changing the user’s access control task role, specify the new task role with this option. Valid values are hmcsuperadmin, hmcoperator, hmcviewer, hmcpe, hmcservicerep, hmcclientliveupdate, or a user-defined task role. When changing the user’s authentication type, specify the new authentication type with this option. Valid values are local, kerberos, or ldap. When changing the user’s remote user ID used for remote Kerberos authentication, specify the new remote user ID with this option. This option is required when the -t option is specified to change any user attribute other than the user’s password. You can either use this option, or use the -f or -i option, to specify the new user attribute value(s). The -v, -f, and -i options are mutually exclusive.
--remoteuser	The remote user ID used for remote Kerberos authentication for this user. This is the user’s Kerberos principal. The format of a typical Kerberos principal is primary/instance@REALM. The remote user ID must be specified when changing the user’s authentication type to remote Kerberos authentication. This option is only valid when the -t option is specified to change the user’s authentication type to remote Kerberos authentication. You can either use this option, or use the remote_user_name attribute with the -f or -i option, to change the remote user ID. The --remoteuser, -f, and -i options are mutually exclusive.
--localpasswd	The password for this user. The password must be at least 7 characters in length. This option is only valid when the -t option is specified to change the user’s authentication type to local authentication. You can either use this option, or use the passwd attribute with the -f or -i option, to specify the password for this user when changing the user’s authentication type to local authentication. If this option is omitted or the -f or -i option is specified and the passwd attribute is omitted, you will be prompted to enter the password. The --localpasswd, -f, and -i options are mutually exclusive.
-f	The name of the file containing the input data for this command. The input data consists of attribute name/value pairs, which are in comma separated value (CSV) format. The format of the input data is as follows: attribute-name=value,attribute-name=value,... Valid attribute names for changing the attributes of an HMC user: name [new_name] [taskrole] Valid values are hmcsuperadmin, hmcoperator, hmcviewer, hmcpe, hmcservicerep, hmcclientliveupdate, or a user-defined task role [resourcerole] [description] [passwd] Local and Kerberos users only [current_passwd] When changing the password for a Kerberos user, use this attribute to specify the user’s current password. If this attribute is omitted, you will be prompted to enter the current password. [pwage] Local users only number of days [min_pwage] Local users only number of days [authentication_type] Valid values are: local - local authentication kerberos - remote Kerberos authentication ldap - remote LDAP authentication [session_timeout] number of minutes [verify_timeout] number of minutes [idle_timeout] number of minutes [inactivity_expiration] number of days [remote_webui_access] Valid values are: 0 - do not allow this user to log in remotely to the HMC Web user interface 1 - allow this user to log in remotely to the HMC Web user interface [remote_ssh_access] Valid values are: 0 - do not allow this user to log in remotely to the HMC using SSH 1 - allow this user to log in remotely to the HMC using SSH [remote_user_name] Kerberos users only [passwd_authentication] Local users only Valid values are: 0 - do not allow this user to log in to the HMC using a password 1 - allow this user to log in to the HMC using a password Valid attribute names for changing the default settings of HMC user attributes: [session_timeout] number of minutes [idle_timeout] number of minutes [max_webui_login_attempts] Input data for this command can be specified with this option, the -i option, or any of the other command options. The -f and the -i options are mutually exclusive. When changing the attributes of an HMC user, the -f and -i options cannot be specified if any of the other command options are specified.
-i	This option allows you to enter input data on the command line, instead of using a file. Data entered on the command line must follow the same format as data in a file, and must be enclosed in double quotes. Input data for this command can be specified with this option, the -f option, or any of the other command options. The -i and the -f options are mutually exclusive. When changing the attributes of an HMC user, the -i and -f options cannot be specified if any of the other command options are specified.
--help	Display the help text for this command and exit.