AuthorizationGroupCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the AuthorizationGroupCommands group can be used to create and manage authorization groups.
admin-authz.xml
, as shown in the following example.
AdminTask.mapUsersToAdminRole('[-accessids ["user:
testerRealm/cn=test,ou=String
with space,ou=IB,ou=Applications,dc=bank,dc=net"] -userids test -roleName
monitor]')
- addResourceToAuthorizationGroup
- createAuthorizationGroup
- deleteAuthorizationGroup
- listAuthorizationGroups
- listAuthorizationGroupsForGroupID
- listAuthorizationGroupsForUserID
- listAuthorizationGroupsOfResource
- listResourcesOfAuthorizationGroup
- listResourcesForGroupID
- listResourcesForUserID
- mapGroupsToAdminRole
- mapGroupsToAuditRole
- mapUsersToAdminRole
- removeGroupsFromAdminRole
- removeResourceFromAuthorizationGroup
- removeUsersFromAdminRole
addResourceToAuthorizationGroup
The addResourceToAuthorizationGroup command adds a resource instance to an existing authorization group. A resource instance cannot belong to more than one authorization group.
Target object
None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. (String, required)
- -resourceName
- The name of the resource instance that you want to add to an authorization group. (String,
required)The resourceName parameter should be in the following format:
where:ResourceType=ResourceName
ResourceType
is one of the following values: Application, Server, ServerCluster, Node, NodeGroupResourceName
is the name of the resource instance, for example,server1
.
The following are example uses of the resourceName parameter:
This example uniquely identifiesNode=node1:Server=server1
server1
.node1
is required if anotherserver1
exists on a different node.-
Application=app1
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask addResourceToAuthorizationGroup {-authorizationGroupName groupName -resourceName Application=app1}
- Using Jython string:
AdminTask.addResourceToAuthorizationGroup('[-authorizationGroupName groupName -resourceName Application=app1]')
- Using Jython list:
AdminTask.addResourceToAuthorizationGroup(['-authorizationGroupName', 'groupName', '-resourceName', 'Application=app1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask addResourceToAuthorizationGroup {-interactive}
- Using Jython string:
AdminTask.addResourceToAuthorizationGroup ('[-interactive]')
- Using Jython list:
AdminTask.addResourceToAuthorizationGroup (['-interactive'])
createAuthorizationGroup
The createAuthorizationGroup command creates a new authoirzation group. When you create a new authorization group, no members are associated with it. Also, no user to administrative role mapping for the authorization table is associated with the authorization group.
Target object
None
Parameters and return values
- -authorization GroupName
- The name of the authorization group that you want to create. (String, required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask createAuthorizationGroup {-authorizationGroupName groupName}
- Using Jython string:
AdminTask.createAuthorizationGroup('[-authorizationGroupName groupName]')
- Using Jython list:
AdminTask.createAuthorizationGroup(['-authorizationGroupName', 'groupName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask createAuthorizationGroup -interactive
- Using Jython string:
AdminTask.createAuthorizationGroup ('[-interactive]')
- Using Jython list:
AdminTask.createAuthorizationGroup (['-interactive'])
deleteAuthorizationGroup
The deleteAuthorizationGroup command deletes an existing authorization group. When you delete an authorization group, the authorization table that corresponds is also deleted.
Target object
None
Parameters and return values
- -authorizationGroup Name
- The name of the authorization group that you want to delete. (String, required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask deleteAuthorizationGroup {-authorizationGroupName groupName}
- Using Jython string:
AdminTask.deleteAuthorizationGroup('[-authorizationGroupName groupName]')
- Using Jython list:
AdminTask.deleteAuthorizationGroup(['-authorizationGroupName', 'groupName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask deleteAuthorizationGroup {-interactive}
- Using Jython string:
AdminTask.deleteAuthorizationGroup ('[-interactive]')
- Using Jython list:
AdminTask.deleteAuthorizationGroup (['-interactive'])
listAuthorizationGroups
The listAuthorizationGroupslistAuthoriz ationGroups command lists the existing authorization groups.
Target object
None
Parameters and return values
- Parameters: None
- Returns: A list of short names of all existing authorization groups. (String [])
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroups
- Using Jython:
AdminTask.listAuthorizationGroups()
Interactive mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroups {-interactive}
- Using Jython string:
AdminTask.listAuthorizationGroups ('[-interactive]')
- Using Jython list:
AdminTask.listAuthorizationGroups (['-interactive'])
listAuthorizationGroupsForGroupID
The listAuthorizationGroupsForGroupID command lists all of the authorization
groups to which a given user group has access. This command lists the authorization groups and the
granted roles for each authorization group. The group ID can be a short name or a fully qualified
domain name if the LDAP user registry is being used. This command lists cell
as a group if
the user has cell level access.
Target object
None
Parameters and return values
- -groupid
- The ID of the user group. (String, required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroupsForGroupID {-groupid userGroupName}
- Using Jython string:
AdminTask.listAuthorizationGroupsForGroupID('[-groupid userGroupName]')
- Using Jython list:
AdminTask.listAuthorizationGroupsForGroupID(['-groupid', 'userGroupName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroupsForGroupID {-interactive}
- Using Jython string:
AdminTask.listAuthorizationGroupsForGroupID ('[-interactive]')
- Using Jython list:
AdminTask.listAuthorizationGroupsForGroupID (['-interactive'])
listAuthorizationGroupsForUserID
The listAuthorizationGroupsForUserID command lists all of the authorization
groups to which a given user has access. This command lists the authorization groups and the granted
roles for each authorization group. The user ID and the group ID can be a short name or a fully
qualified domain name if the LDAP user registry is being used. This command lists cell
as a
group if the user has cell level access.
Target object
None
Parameters and return values
- -userid
- The ID of the user. (String, required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroupsForUserID{-userid userName}
- Using Jython string:
AdminTask.listAuthorizationGroupsForUserID('[-userid userName]')
- Using Jython list:
AdminTask.listAuthorizationGroupsForUserID(['-userid', 'userName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroupsForUserID {-interactive}
- Using Jython string:
AdminTask.listAuthorizationGroupsForUserID ('[-interactive]')
- Using Jython list:
AdminTask.listAuthorizationGroupsForUserID (['-interactive'])
listAuthorizationGroupsOfResource
The listAuthorizationGroupsOfResource command lists authorization groups for a given resource. If the value of the traverseContainedObjects parameter is false, only the authorization group of the resource is returned. If the value of the traverseContainedObjects parameter is true, it returns the authorization group of the resource and the authorization groups of all the parent resources in the containment tree.
Target object
None
Parameters and return values
- -resourceName
- The name of the resource. (String, required)The resourceName parameter must be in the following format:
where:ResourceType=ResourceName
ResourceType
can be any one of the following values: Application, Server, ServerCluster, Node, or NodeGroup.ResourceName
is the name of the resource instance, for example, server1.
The following are examples of the resourceName parameter:
This example uniquely identifies server1. The name of the node is required if a server on a different node uses the same server name.Node=node1:Server=server
Application=app1
- -traverseContained Resources
- Finds the authorization groups of all the parent resources by traversing the resource containment tree upwards. The default value is false. (Boolean, optional)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroupsOfResource {-resourceName Application=app1}
- Using Jython string:
AdminTask.listAuthorizationGroupsOfResource('[-resourceName Application=app1]')
- Using Jython list:
AdminTask.listAuthorizationGroupsOfResource(['-resourceName', 'Application=app1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask listAuthorizationGroupsOfResource {-interactive}
- Using Jython string:
AdminTask.listAuthorizationGroupsOfResource ('[-interactive]')
- Using Jython list:
AdminTask.listAuthorizationGroupsOfResource (['-interactive'])
listResourcesOfAuthorizationGroup
The listResourcesOfAuthorizationGroup command lists all of the resources within the given authorization group.
Target object
None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. (String, required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listResourcesOfAuthorizationGroup {-authorizationGroupName groupName}
- Using Jython string:
AdminTask.listResourcesOfAuthorizationGroup('[-authorizationGroupName groupName]')
- Using Jython list:
AdminTask.listResourcesOfAuthorizationGroup(['-authorizationGroupName', 'groupName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask listResourcesOfAuthorizationGroup {-interactive}
- Using Jython string:
AdminTask.listResourcesOfAuthorizationGroup ('[-interactive]')
- Using Jython list:
AdminTask.listResourcesOfAuthorizationGroup (['-interactive'])
listResourcesForGroupID
The listResourcesForGroupID command lists all the objects that a given group has access to. This command lists the resources and the granted roles for each resource. The resources that this command returns include the resources from the authorization groups to which the user group is granted roles and the resources that are descendants of the resources with in authorization groups to which the user group is granted access to any role. The group ID can be a short name or fully qualified domain name if a LDAP user registry is used.
Target object
None
Parameters and return values
- -groupid
- The ID of the user group. (String, required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listResourcesForGroupID {-groupid userGroupName}
- Using Jython string:
AdminTask.listResourcesForGroupID('[-groupid userGroupName]')
- Using Jython list:
AdminTask.listResourcesForGroupID(['-groupid', 'userGroupName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask listResourcesForGroupID {-interactive}
- Using Jython string:
AdminTask.listResourcesForGroupID ('[-interactive]')
- Using Jython list:
AdminTask.listResourcesForGroupID (['-interactive'])
listResourcesForUserID
The listResourcesForUserID command lists all the objects that a given user has access to. This command lists the resources and the granted roles for each resource. The resources that this command returns include the resources from the authorization groups to which the user is granted roles and the resources that are descendants of the resources with in authorization groups to which the user is granted access to any role. The user ID can be a short name or fully qualified domain name if a LDAP user registry is used.
Target object
None
Parameters and return values
- -userid
- The ID of the user. (String, required).
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask listResourcesForUserID {-userid userName }
- Using Jython string:
AdminTask.listResourcesForUserID('[-userid userName]')
- Using Jython list:
AdminTask.listResourcesForUserID(['-userid', 'userName'])
Interactive mode example usage:
- Using Jacl:
$AdminTask listResourcesForUserID {-interactive}
- Using Jython string:
AdminTask.listResourcesForUserID ('[-interactive]')
- Using Jython list:
AdminTask.listResourcesForUserID (['-interactive'])
{deployer=[], operator=[], administrator=[cells/IBM-LP1 6L31HVE8Cell07/clusters/C1| cluster.xml,
cells/IBM-LP16L 31HVE8Cell07/nodes/IBM-LP16L 31HVE8Node05/servers/cm1|ser ver.xml],
monitor=[], configurator=[]}
mapGroupsToAdminRole
The mapGroupsToAdminRole command maps group IDs to one or more administrative roles in an authorization group. The name of the authorization group that you provide determines which authorization table is used. If you do not specify an authorization group name, the mapping is done to the cell level authorization table. The group ID can be a short name or a fully qualified domain name if the LDAP user registry is used.
Target object
None
Parameters and return values
- -accessids
- The list of user or group access IDs on the remote registry. If provided, each user or group ID should have one. (String, optional)
- -authorizationGroup Name
- The name of the authorization group. If you do not specify this parameter, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -groupids
- The list of group IDs that is mapped to the administrative role. (String[], required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask mapGroupsToAdminRole {-authorizationGroupName groupName - roleName administrator -groupids group1}
- Using Jython string:
AdminTask.mapGroupsToAdminRole('[-authorizationGroupName groupName -roleName administrator -groupids group1]')
- Using Jython list:
AdminTask.mapGroupsToAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-groupids', 'group1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask mapGroupsToAdminRole {-interactive}
- Using Jython string:
AdminTask.mapGroupsToAdminRole ('[-interactive]')
- Using Jython list:
AdminTask.mapGroupsToAdminRole (['-interactive'])
mapGroupsToAuditRole
The mapGroupsToAuditRole command maps group IDs to one or more audit roles in an authorization group. The name of the authorization group that you provide determines which authorization table is used. If you do not specify an authorization group name, the mapping is done to the cell level authorization table. The group ID can be a short name or a fully qualified domain name if the LDAP user registry is used.
Target object
None
Parameters and return values
- -accessids
- The list of user or group access IDs on the remote registry. If provided, each user or group ID should have one. (String, optional)
- -authorizationGroup Name
- The name of the authorization group. If you do not specify this parameter, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -groupids
- The list of group IDs that are mapped to the administrative role. (String[]. required)
Examples
Batch mode example usage:
-
Using Jacl:
$AdminTask mapGroupsToAuditRole {-authorizationGroupName groupName - roleName auditor -groupids group1}
-
Using Jython string:
AdminTask.mapGroupsToAuditRole('[-authorizationGroupName groupName -roleName auditor -groupids group1]')
-
Using Jython list:
AdminTask.mapGroupsToAuditRole(['-authorizationGroupName', 'groupName', '-roleName', 'auditor', '-groupids', 'group1'])
Interactive mode example usage:
-
Using Jacl:
$AdminTask mapGroupsToAuditRole {-interactive}
-
Using Jython string:
AdminTask.mapGroupsToAuditRole ('[-interactive]')
-
Using Jython list:
AdminTask.mapGroupsToAuditRole (['-interactive'])
mapUsersToAdminRole
The mapUsersToAdminRole command maps user IDs to one or more administrative roles in the authorization group. The name of the authorization group that you provide determines the authorization table. If you do not specify the name of the authorization group, the mapping is done to the cell level authorization table. The user ID can be a short name or fully qualified domain name in case LDAP user registry is used.
Target object
None
Parameters and return values
- -accessids
- The list of user or group access IDs on the remote registry. If provided, each user or group ID should have one. (String, optional)
- -authorizationGroup Name
- The name of the authorization group. If you do not specify this parameter, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -userids
- The list of user IDs that are mapped to the administrative role. (String[], required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask mapUsersToAdminRole {-authorizationGroupName groupName - roleName administrator -userids user1}
- Using Jython string:
AdminTask.mapUsersToAdminRole('[-authorizationGroupName groupName -roleName administrator -userids user1]')
- Using Jython list:
AdminTask.mapUsersToAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-userids', 'user1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask mapUsersToAdminRole {-interactive}
- Using Jython string:
AdminTask.mapUsersToAdminRole ('[-interactive]')
- Using Jython list:
AdminTask.mapUsersToAdminRole (['-interactive'])
removeGroupsFromAdminRole
The removeGroupsFromAdminRole command removes previously mapped group IDs from administrative roles in the authorization group. The name of the authorization group that you provide determines which authorization table is involved. If you do not specify an authorization group name, the group IDs are removed from the cell level authorization table. The group ID can be a short name or fully qualified domain name if a LDAP user registry is used.
Target object
None
Parameters and return values
- -authorizationGroup Name
- The name of the authorization group. If you do not specify this parameter, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -userids
- A list of group IDs that you want to remove from the administrative role. (String[], required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask removeGroupsFromAdminRole {-authorizationGroupName groupName - roleName administrator -groupids group1}
- Using Jython string:
AdminTask.removeGroupsFromAdminRole('[-authorizationGroupName groupName -roleName administrator -groupids group1]')
- Using Jython list:
AdminTask.removeGroupsFromAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-groupids', 'group1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask removeGroupsFromAdminRole {-interactive}
- Using Jython string:
AdminTask.removeGroupsFromAdminRole ('[-interactive]')
- Using Jython list:
AdminTask.removeGroupsFromAdminRole (['-interactive'])
removeResourceFromAuthorizationGroup
The removeResourceFromAuthorizationGroup command removes resources from an existing authorization group. If you do not specify the authorization group, it is determined and the resource is removed from that authorization group.
Target object
None
Parameters and return values
- -authorizationGroup Name
- The name of the authorization group. (String, optional)
- -resourceName
- The name of the resource instance that you want to remove from the authorization group. (String,
required)The resourceName parameter must be in the following format:
where:ResourceType=ResourceName
ResourceType
can be any of the following: Application, Server, ServerCluster, Node, or NodeGroup.- The
ResourceName
is the name of the resource instance, for example, server1.
The following are examples of the resourceName parameter:
This example uniquely identifies server1. node1 is required if the name of the server exists on multiple nodes.Node=node1:Server=server1
Application=app1
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask removeResourceFromAuthorizationGroup {-authorizationGroupName groupName -resourceName Application=app1}
- Using Jython string:
AdminTask.removeResourceFromAuthorizationGroup('[-authorizationGroupName groupName -resourceName Application=app1]')
- Using Jython list:
AdminTask.removeResourceFromAuthorizationGroup(['-authorizationGroupName', 'groupName', '-resourceName', 'Application=app1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask removeResourceFromAuthorizationGroup {-interactive}
- Using Jython string:
AdminTask.removeResourceFromAuthorizationGroup ('[-interactive]')
- Using Jython list:
AdminTask.removeResourceFromAuthorizationGroup (['-interactive'])
removeUsersFromAdminRole
The removeUsersFromAdminRole command removes previously mapped user IDs from administrative roles in the authorization group. The name of the authorization group that you provide determines which authorization table is involved. If you do not specify an authorization group name, the user ID from the cell level authorization table is used. The user ID can be a short name or a fully qualified domain name if a LDAP user registry is used.
Target object
None
Parameters and return values
- -authorizationGroup Name
- The name of the authorization group. If you do not specify this parameter, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -userids
- A list of user IDs that you want to remove from the administrative role. (String[], required)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask removeUsersFromAdminRole {-authorizationGroupName groupName - roleName administrator -userids user1}
- Using Jython string:
AdminTask.removeUsersFromAdminRole('[-authorizationGroupName groupName -roleName administrator -userids user1]')
- Using Jython list:
AdminTask.removeUsersFromAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-userids', 'user1'])
Interactive mode example usage:
- Using Jacl:
$AdminTask removeUsersFromAdminRole {-interactive}
- Using Jython string:
AdminTask.removeUsersFromAdminRole ('[-interactive]')
- Using Jython list:
AdminTask.removeUsersFromAdminRole (['-interactive'])