pdadmin commands
The pdadmin command-line utility is installed as part of the IBM Security Access Manager runtime package.
Use this interface to manage access control lists, groups, servers, users, objects, and other resources in your secure domain. You can also automate certain management functions by writing scripts that use pdadmin commands.
Use the Web Portal Manager interface to complete similar administrative tasks remotely. When you use Web Portal Manager, no special network configuration is needed to connect and complete these management tasks.
- How to read syntax statements
Syntax diagrams pictorially display the order and parameters for the command utility.
- Syntax for pdadmin commands
The following syntax is used with the pdadmin command:
- Command modes
You can use the pdadmin utility in three different command modes: single, interactive, or multiple.
- Non-English locales
For Security Access Manager software, you can specify localized behavior by setting the required locale.
- Error handling
After a command finishes processing, a return code is displayed or logged to indicate the success or failure of the command.
- Local or other domain
Use the pdadmin command to authenticate your user ID and password. You must authenticate before you log in to the local domain or to a domain other than the local domain.
- Command option processing
Some pdadmin command options use specific symbols or characters.
- Commands by category
The pdadmin commands are listed here by major category.
- acl attach
Attaches an ACL policy to a protected object. If the protected object already has an ACL attached, the ACL is replaced with a new one.
- acl create
Creates an ACL policy in the ACL database. This command does not create ACL entries.
- acl delete
Deletes an ACL policy from the ACL database.
- acl detach
Detaches the current ACL policy from a protected object. This command does not delete the ACL policy from the ACL database.
- acl find
Returns a list of protected objects, which have the specified ACL attached.
- acl list
Lists the names of all defined access control lists. Alternatively, lists the extended attribute keys that are associated with a specific ACL.
- acl modify
Modifies access control list (ACL) policies.
- acl show
Lists the complete set of entries for a specific access control list (ACL) policy. Alternatively, lists the values of a specific extended attribute that is associated with an ACL policy.
- action create
Creates and adds an action (permission) to an action group.
- action delete
Deletes an action (permission) from an action group.
- action group create
Creates an action group.
- action group delete
Deletes an action group.
- action group list
Lists all action groups.
- action list
Lists all actions (permissions) in an action group.
- admin show conf
Displays the current policy server configuration information, such as the type of registry or whether global sign-on is enabled.
- authzrule attach
Attaches an authorization rule to the specified protected object.
- authzrule create
Creates an authorization rule.
- authzrule delete
Deletes an authorization rule.
- authzrule detach
Detaches an authorization rule from the specified protected object.
- authzrule find
Finds and lists all protected objects that have the specified authorization rule attached.
- authzrule list
Lists all the authorization rules.
- authzrule modify
- authzrule show
Shows all the attributes of an authorization rule, including description, rule text, and fail reason code.
- context show
Displays the user ID and domain ID used to establish the current authentication context. Also, specifies whether the domain is the management domain or a domain other than the management domain.
- domain create
Creates a domain, including an administrator ID and password to log in to the specified domain. You must log in to the management domain as an administrator to perform this command.
- domain delete
Deletes a domain, excluding the management domain. Optionally deletes the user and group information of the domain from the user registry. To perform this command, you must log in to the management domain as an administrator.
- domain list
Lists all domains, excluding the management domain. You must log in to the management domain as an administrator to perform this command.
- domain modify
Changes the description of a domain. You must log in to the management domain as an administrator to perform this command.
- domain show
Displays the properties of a domain. You must log in to the management domain as an administrator to perform this command.
- errtext
Displays the error message of a specific error number.
- exit or quit
Exits from the pdadmin utility interactive command-line mode.
- group create
Creates a Security Access Manager group.
- group delete
Deletes the specified Security Access Manager group. Optionally deletes the information of the group from the user registry. ACL entries that are associated with the group are also deleted.
- group import
Creates a Security Access Manager group by importing group data that exists in the user registry.
- group list
Generates a list of all groups, by group names, whose names match the specified pattern.
- group modify
Changes an existing group by adding or changing a group description, adding members to the group, or removing members from the group.
- group show
Shows the properties of the specified group.
- help
Obtains system help for pdadmin commands and options.
- login
Establishes authentication credentials that are used for communication with the Security Access Manager policy server. These credentials are used to determine access privileges for the user to policy server data. Most commands cannot be performed unless an explicit login is done.
- logout
Discards any authentication credentials that are in effect.
- object access
Confirms whether the specified access is permitted on the specified object. The access is determined based on the permissions of this user.
- object create
Creates a protected object.
- object delete
Deletes a protected object.
- object exists
Indicates whether a protected object exists.
- object list
Lists any objects that are grouped under the specified protected object. Alternatively, lists all the extended attributes that are associated with the specified protected object.
- object listandshow
Lists any child objects that are grouped under the specified protected object and displays all values that are associated with each object. Shows all values that are associated with the protected object, including the attached ACLs, POPs, and authorization rules. Also shows any policies that are inherited from protected objects higher in the hierarchy.
- object modify
Modifies an existing object.
- object show
Shows values for the protected object.
- objectspace create
Creates a protected object space under which protected objects can be placed.
- objectspace delete
Deletes the specified protected object space.
- objectspace list
Lists all the existing protected object spaces in the policy server.
- policy get
Displays the policy for user passwords, account rules, and conditions. Requires authentication (administrator ID and password) to use this command.
- policy set
Sets the policy for user passwords, account rules, and conditions. Requires authentication (administrator ID and password) to use this command.
- pop attach
Attaches a protected object policy (POP) to the specified protected object. The POP must be created before it can be attached.
- pop create
Creates a protected object policy (POP).
- pop delete
Deletes the specified protected object policy (POP).
- pop detach
Detaches a protected object policy (POP) from the specified protected object.
- pop find
Finds and lists all protected objects that have a protected object policy (POP) attached.
- pop list
Lists all protected object policies that are created. Alternatively, lists all extended attributes that are associated with a protected object policy.
- pop modify
Modifies protected object policies.
- pop show
Shows details about the protected object policy (POP). Alternatively, displays the values for the specified extended attribute from the specified protected object policy.
- rsrc create
Creates and names a web server single sign-on resource.
- rsrc delete
Deletes the specified single sign-on resource.
- rsrc list
Returns a list of all the single sign-on resource names.
- rsrc show
Displays the resource information for the named resource.
- rsrccred create
Creates a single sign-on credential.
- rsrccred delete
Deletes a single sign-on credential.
- rsrccred list user
Returns the list of single sign-on credentials for the specified user. The user must exist, or an error is displayed.
- rsrccred modify
Changes a single sign-on credential.
- rsrccred show
Displays the attributes of a single sign-on credential. The credential identifier is composed of a resource name, a resource type, and a user name.
- rsrcgroup create
Creates and names a resource group.
- rsrcgroup delete
Deletes a single sign-on resource group.
- rsrcgroup list
Displays the names of all resource groups that are defined in the user registry.
- rsrcgroup modify
Adds or removes a single sign-on resource to or from a single sign-on resource group.
- rsrcgroup show
Displays the resource group information for the specified resource group.
- server list
Lists all registered Security Access Manager servers.
- server listtasks
Retrieves the list of tasks (commands) available for the specified installed Security Access Manager server or server instance.
- server replicate
Notifies the installed Security Access Manager authorization server or server instance to receive database updates.
- server show
Displays the properties for the specified installed Security Access Manager server or server instance. The server must exist, or an error is displayed.
- server task add
Adds an application server to an existing WebSEAL junction.
- server task cache flush all
Flushes the HTML document cache.
- server task create
Creates a WebSEAL junction point.
- server task delete
Deletes a WebSEAL junction point.
- server task dynurl update
Reloads the dynamic URL configuration file.
- server task help
Lists detailed help information about a specific server task command.
- server task jmt
Clears or loads the junction mapping table data.
- server task list
Lists all junction points on a WebSEAL server or server instance.
- server task offline
Places the server that is at this junction in an offline operational state.
- server task online
Places the server that is at this junction in an online operational state.
- server task refresh all_sessions
Refreshes the credential for all sessions for a specified user.
- server task reload
Reloads the junction mapping table from the database.
- server task remove
Removes the specified installed WebSEAL server or server instance from a WebSEAL junction point.
- server task show
Displays detailed information about the specified WebSEAL junction.
- server task sms key change
Forces the creation of a new session management key.
- server task sms key show
Lists detailed information about the current session management key.
- server task sms realm list
Lists all session management realms in the domain.
- server task sms realm show
Lists all replica sets in the specified session management realm.
- server task sms session refresh all_sessions
Refreshes the credential for sessions for a specific user.
- server task sms session refresh session
Refreshes the credential for a session.
- server task sms replica set list
Lists all session management replica sets in the domain.
- server task sms replica set show
Lists all session management replicas in the specified replica set with the time and date that each joined the realm.
- server task sms session list
Lists all session management sessions.
- server task sms session terminate all_sessions
Terminates all user sessions for a specific user.
- server task sms session terminate session
Terminates a user session by using a session ID.
- server task sms trace get
Displays the trace level for the session management server.
- server task sms trace set
Sets the trace level for the distributed session cache.
- server task stats
Manages the gathering and reporting of statistics for Security Access Manager servers and server instances.
- server task terminate all_sessions
Terminates all user sessions for a specific user.
- server task terminate session
Terminates a user session by using a session ID.
- server task throttle
Places the server that is at this junction in a throttled operational state.
- server task trace
Enables the gathering of trace information for components of installed Security Access Manager servers or server instances.
- server task virtualhost add
Adds an additional installed WebSEAL server or server instance to an existing virtual host junction.
- server task virtualhost create
Creates a virtual host junction.
- server task virtualhost delete
Deletes a virtual host junction.
- server task virtualhost list
Lists all configured virtual host junctions by label name.
- server task virtualhost offline
Places the server that is at this virtual host junction in an offline operational state.
- server task virtualhost online
Places the server that is at this virtual host junction in an online operational state.
- server task virtualhost remove
Removes the specified server from a virtual host junction.
- server task virtualhost show
Displays information about the specified virtual host junction. The virtual host junction must exist, or an error is displayed.
- server task virtualhost throttle
Places the server that is at this virtual host junction in a throttled operational state.
- server task server restart
Restarts a WebSEAL server by using the Security Access Manager server task framework.
- server task server sync
Synchronizes configuration data between two WebSEAL servers by using the Security Access Manager server task framework.
- server task file cat
Returns the contents of a specified file to the administration console. This command requires authentication of administrator ID and password.
- user create
Creates a Security Access Manager user.
- user delete
Deletes the specified Security Access Manager user. Optionally deletes the information of the user in the user registry.
- user import
Creates a Security Access Manager user by importing user data that exists in the user registry.
- user list
Lists users by Security Access Manager user name or by registry identifier.
- user modify
Changes various user account attributes.
- user show
Displays the properties of the specified user.