chuser command

Use the chuser command to change user specifications (such as roles) that apply to the user and user groups to which the user belongs. To change a user’s password, use the chuserpwd command.

Synopsis

Important: The smcli chuser command is not the same as the chuser command for AIX® and UNIX operating systems.
smcli [-c] [-prompt] [-user user_name] [-pw password] chuser {-u user_name} options

smcli chuser [-h | -? | --help]

smcli chuser [-v] -f file [-d description] [-e extend_role_list | -r remove_role_list] [-g add_group_list | -R remove_group_list] [-p password] [-x timeout]

Operands

The chuser command takes a user as an operand.

Description

Users with administrator role authority (SMAdministrator or IBM® FSM Supervisor) can use this command to change the roles applied to a user and the user groups to which the user belongs. The command can also be used to set the secure shell (SSH) timeout value.

Options

Note:
  • The -x expire option is deprecated in this release. Use the -A MustChangePasswordAfter option instead.
  • The -x usertype option is deprecated in this release. Local accounts for LDAP users are now automatically created during the first login to the CLI console. For Kerberos users, create new users without the -p option.
-a | --add group_name[,group2_name,...]
Adds a user to the specified group or groups.
-d | --desc
Specifies the description of the user. If the description contains spaces, enclose it in quotation marks.
-e | --extendroles extend_role_list {roleType:roleName[:resource1[;resource2]...],...}
Add roles for the user by specifying a comma-separated list of roles. Each role entry is listed with a role type and role name, and optionally followed by a role resource or target depending on the role type. The following format is used to list each role entry:
roleType:roleName[:resource1[;resource2]...] where:
  • roleType can be CMM, FSM, or IMM.
  • roleName can be any existing role for the specified type.
  • resource1[;resource2]... are the role resources or targets:
    • Resources specified for CMM roles must be centrally managed chassis. To specify all chassis or resources for a CMM role, use "all-chassis."
    • Resources specified for IMM roles must be compute node bays or I/O bays in a centrally managed chassis. To specify all compute node bays or I/O bays for an IMM role, use "all-bays." Always specify one or more chassis, or "all-chassis," when specifying an IMM role.
Tips:
  • Use the lschassisrole command to list existing custom chassis roles.
  • Use the lsrole command to list existing roles.
  • Use the lsCentrallyManagedChassis command for a list of all centrally managed chassis.
  • Use the lsgp command to list existing system groups.
  • A chassis can be specified using the IP address, host name, or the object identifier (OID) for the CMM in the chassis.
  • To add a CMM role to all centrally managed chassis specify the role type, role, and "all-chassis".
  • To add an IMM role to all bays on a centrally managed chassis, specify the role type, role, "all-bays," and one or more centrally managed chassis or "all-chassis."
-f | --file file
Specifies a standard input pipe or a file that contains a list of users to target. Specify either the fully qualified name of the input file or a dash (-) to indicate that the data is read from the standard input pipe. If specifying a file, ensure that each item in the file is separated by a line break and follows the following format:
user:operation:list
where:
  • user is the user name or user OID
  • operation is one of the following items:
    • attribute
    • extend
    • remove
  • list is a list of key value pairs or roles, depending on the specified operation:
    • When the operation is attribute, list is a comma-separated list of key value pairs.
    • When the operation is extend or remove, list is a list of roles. You can optionally follow the role list with a group list and separate the two lists with a colon ( : ).

When the selected operation is extend or remove, list must be a list of roles. Optionally, follow the role list with a resource group list. Separate the two lists with a comma.

When the selected operation is attribute, list must be a comma-separated list of key value pairs.

Examples:
  • Assign the SMAdministrator role with access to the Operating Systems resource group to the user group test.
    test:extend:SMAdministrator;Operating Systems
  • Assign the SMMonitor role with access to the Operating Systems resource group and the SMUser role with access to the Power Systems resource group to the user group test.
    test:extend:SMMonitor;Operating Systems,SMUser;Power Systems
-g | --addgroups add_group_list
Specifies the group to which the user will belong. Separate multiple groups (group names) with commas.
Tip: Use the lsusergp command to list all user groups.
-h | -?
Displays the syntax and a brief description of the command.
Tip: If you specify additional options other than -h | -? | --help, the options are ignored.
--help
Displays detailed information about the command, including the syntax, a description of the command, a description of the options and operands, error codes, and examples.
Tip: If you specify additional options other than -h | -? | --help, the options are ignored.
-p | --password
Specifies the password for the user. This is a required parameter. The user will be required to change the password after logging in.
-r | --removeroles remove_role_list {roleType:roleName[:resource1[;resource2]...],...}
Removes roles for the user by specifying a comma-separated list of roles to be removed. If no resources are listed, the user will be removed from all resources.
Tips:
  • Resource groups are not required for removing a role.
  • The user will be removed from all resource groups.
  • For more information, see the details listed for -e | --extendroles.
-R | --removegroups remove_group_list
Specifies one or more groups from which the user will be removed. Separate multiple groups (group names) with commas.
-u | --username user_name
Specifies the name of the user to be changed.
-v | --verbose
Writes verbose messages to standard output.

If this option is not specified, this command suppresses noncritical messages.

-x | --extra timeout
Specify the secure shell (SSH) timeout value in seconds as a key = value pair. For example:
-x timeout=120

The value sets a timeout interval in seconds after which, if no data has been received from the client, the user's session will end.

The value must be a nonnegative integer less than 2147483648. A value of 0 (zero) means no timeout.
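
The following added example (not part of the IBM documentation) lints an -e role list and an -x timeout value against the rules stated above before they are passed to smcli chuser, and flags the two broad settings an access review would want to see: "all-chassis" grants and a timeout of 0. The function names and the sample role immRole1 are hypothetical, and the check assumes that chassis and bay resources for an IMM role share the same semicolon-separated list.

```python
# Added example: pre-flight checks for `smcli chuser` arguments, based only on
# the rules stated on this page. Function names are hypothetical.
ROLE_TYPES = {"CMM", "FSM", "IMM"}
MAX_TIMEOUT = 2147483648  # the timeout value must be less than this

def lint_role_list(role_list):
    """Return (errors, warnings) for an -e (extend) role list string."""
    errors, warnings = [], []
    for entry in role_list.split(","):
        parts = entry.split(":", 2)  # roleType:roleName[:resource1[;resource2]...]
        if len(parts) < 2 or not parts[0] or not parts[1]:
            errors.append(f"{entry!r}: expected roleType:roleName[:resource;...]")
            continue
        role_type, role_name = parts[0], parts[1]
        resources = parts[2].split(";") if len(parts) == 3 else []
        if role_type not in ROLE_TYPES:
            errors.append(f"{entry!r}: roleType must be CMM, FSM, or IMM")
            continue
        if "" in resources:
            errors.append(f"{entry!r}: empty resource")
        # Assumption: for IMM, chassis and bays share the ';'-separated list,
        # so at least one resource other than "all-bays" must be present.
        if role_type == "IMM" and not [r for r in resources if r and r != "all-bays"]:
            errors.append(f"{entry!r}: IMM role needs a chassis or all-chassis")
        if "all-chassis" in resources:
            warnings.append(f"{entry!r}: grants {role_name} on every managed chassis")
    return errors, warnings

def lint_timeout(extra):
    """Return (errors, warnings) for an -x timeout=<seconds> value."""
    key, sep, value = extra.partition("=")
    if key.strip() != "timeout" or not sep:
        return [f"{extra!r}: expected timeout=<seconds>"], []
    value = value.strip()
    if not (value.isascii() and value.isdigit()) or int(value) >= MAX_TIMEOUT:
        return [f"{extra!r}: must be a nonnegative integer < {MAX_TIMEOUT}"], []
    if int(value) == 0:
        return [], [f"{extra!r}: 0 disables the SSH idle timeout"]
    return [], []

if __name__ == "__main__":
    # Constructed sample inputs; 6104 and cmmRole1 come from the Examples section.
    for spec in ("CMM:cmmRole1:6104", "IMM:immRole1:all-bays", "CMM:cmmRole1:all-chassis"):
        print(spec, lint_role_list(spec))
    for extra in ("timeout=120", "timeout=0", "timeout=2147483648"):
        print(extra, lint_timeout(extra))
```
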

Exit status

The following codes are returned by this command.
  • 0: The operation completed.
  • 1: A usage error occurred.
  • 21: A specified resource group does not exist.
  • 25: A number-formatting error occurred.
  • 50: User does not exist.
  • 71: Indicates an internal user registry error.
  • 75: A specified chassis is not centrally managed by the IBM FSM or does not exist.
  • 76: A specified user group does not exist.
  • 77: A specified role does not exist.
  • 81: An internal error occurred. See the logs for details.
  • 110: Command could not complete because an internal error occurred.

Examples

  1. Add a user to a list of user groups.
    smcli chuser -u newUser -g newGroup1,newGroup2
  2. Add a user to a CMM role for chassis OID 6104.
    smcli chuser -u newUser -e CMM:cmmRole1:6104
  3. Remove a user from a role. The user will be removed from membership in the CMM role for all chassis.
    smcli chuser -u newUser -r CMM:cmmrole1:all-chassis
  4. Change the password for a user

    This example illustrates how to change the password of user user3 to Passw0rd.

    smcli chuser -u user3 -p Passw0rd
  5. Change the password expiration for a user

    This example illustrates how to change the password expiration of user user4 to 90 days.

    smcli chuser -u user4 -A MustChangePasswordAfter=90
  6. Change the SSH timeout value for a user

    This example illustrates how to change the SSH timeout value of user user5 to 120 seconds.

    smcli chuser -u user5 -x timeout=120