mkuser

Use the mkuser command to create either a local or a remote user to access a system.

Syntax

Read syntax diagramSkip visual syntax diagram mkuser -name user_name -remote-usergrpgroup_idgroup_name-keyfilesshkey_filename-password'cleartext_password'-forcepasswordchange-completeviews-certuidunique_identifier

Parameters

-name user_name
(Required) Specifies the unique user name. The user name cannot start or end with a blank. The user name must consist of a string of 1 - 256 ASCII characters, with the exception of the following characters: % : " , * '.
-remote | -usergrp
(Required) Specifies whether the user authenticates to the system using a remote authentication service or system authentication methods. Either the remote parameter or the usergrp parameter must be set. If usergrp is specified, it must be followed by group_name or group_id (see next parameter).
group_name | group_id
(Required if usergrp is specified) The ID or name of the user group with which the local user is to be associated.
-password 'cleartext_password'
(Optional) Specifies the password to be associated with the user. The password cannot start or end with a blank. It must consist of a string of 6 - 64 printable ASCII characters. You can optionally specify the password with the password parameter. You must enclose the password in single quotation marks. If you do not specify the password, the system prompts you for it before running the command and does not display the password that you type. You cannot specify a password if remote is set. Do not enclose the password in single quotation marks if you use the prompt.
-keyfile sshkey_filename
(Optional) Specifies the name of the file that contains the Secure Shell (SSH) public key.
-forcepasswordchange
(Optional) Specifies the account is required to change the password on next login.
-completeviews
(Optional) Specifies use of the full view for all commands, even if particular fields are not applicable.
-certuid certuid
(Optional) Specifies a Ceph Node / VASA Provider or other services certificate unique identifier for authentication. It must consist of a string up to 255 printable ASCII characters.
Note: The -certuid parameter is mutually exclusive with -keyfile.

Description

The mkuser command creates a new local or remote user to access a system. The command returns the ID of the created user.

You must have the security administrator role to create, delete, or change a user. You can issue all commands except for sainfo and satask commands. These commands can only be issued by user superuser.

If you create a local user, you must specify the existing user group that the user belongs to. All local users must have a group. The user group defines roles that provide the user with access to specific operations on the system. You must also specify either the keyfile or password parameter, or both.

If you create a remote user, you may specify the keyfile parameter. Remote users have their groups defined by the remote authentication service.

Up to 150 users can be defined on the system. You can also create new users and assign keys to them.

If you use the keyfile parameter, the SSH key file should be placed in the /tmp directory before running this command. When you run the command, the SSH key is copied into system state and activated for the user, and the input file is deleted.

When two person integrity (TPI) is enabled, you can still use the mkuser command as a restricted security administrator with the exception that you cannot create a new user in a security administrator user group.

In order to create a new user in a security administrator user group, you will need an approved role elevation. Also when TPI is enabled, the new user name cannot already exist in active role elevations. This can happen if remote LDAP users have active role elevations.

An invocation example

mkuser -name jane -usergrp Service -password 'secret'

The resulting output:

User, id [1], successfully created