AuthorizationGroupCommands
Use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands in the AuthorizationGroupCommands group can be used to manage authorization groups.
When using Jython string syntax, if a parameter value contains spaces, enclose that value in double quotation marks and brackets so that it is not truncated at the spaces. For example, the value of the accessids parameter below contains spaces; enclosing it this way avoids truncated spaces in admin-authz.xml.
AdminTask.mapUsersToAdminRole('[-accessids ["user: testerRealm/cn=test,ou=String with space,ou=IB,ou=Applications,dc=bank,dc=net"] -userids test -roleName monitor]')
The AuthorizationGroupCommands commands include:
- addResourceToAuthorizationGroup
- createAuthorizationGroup
- deleteAuthorizationGroup
- listAuthorizationGroups
- listAuthorizationGroupsForGroupID
- listAuthorizationGroupsForUserID
- listAuthorizationGroupsOfResource
- listResourcesOfAuthorizationGroup
- listResourcesForGroupID
- listResourcesForUserID
- mapGroupsToAdminRole
- mapGroupsToAuditRole
- mapUsersToAdminRole
- removeGroupsFromAdminRole
- removeResourceFromAuthorizationGroup
- removeUsersFromAdminRole
addResourceToAuthorizationGroup
Add a resource instance to an existing authorization group. A resource instance cannot belong to more than one authorization group.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. (String, required)
- -resourceName
- The name of the resource instance to add to an authorization group. (String, required)
The resourceName parameter should be in the following format:
ResourceType=ResourceName
where:
- ResourceType is one of the following values: Application, Server, ServerCluster, Node, NodeGroup
- ResourceName is the name of the resource instance, for example, server1.
The following are example uses of the resourceName parameter:
- Node=node1:Server=server1
This example uniquely identifies server1. node1 is required if another server1 exists on a different node.
- Application=app1
Examples
Batch mode example usage:
- Jacl:
$AdminTask addResourceToAuthorizationGroup {-authorizationGroupName groupName -resourceName Application=app1}
- Jython string:
AdminTask.addResourceToAuthorizationGroup('[-authorizationGroupName groupName -resourceName Application=app1]')
- Jython list:
AdminTask.addResourceToAuthorizationGroup(['-authorizationGroupName', 'groupName', '-resourceName', 'Application=app1'])
Interactive mode example usage:
- Jacl:
$AdminTask addResourceToAuthorizationGroup {-interactive}
- Jython string:
AdminTask.addResourceToAuthorizationGroup ('[-interactive]')
- Jython list:
AdminTask.addResourceToAuthorizationGroup (['-interactive'])
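The resourceName format above and the rule at the top of this page for values that contain spaces can be checked before a script calls AdminTask. The following is an added example, not IBM's code: the helper names and the rejected-character policy are assumptions of this example, and the functions only build and validate the Jython string argument.

```python
# Added example: plain Python that also runs under wsadmin -lang jython.
import re

RESOURCE_TYPES = ("Application", "Server", "ServerCluster", "Node", "NodeGroup")
# Conservative choice of this example (not an IBM rule): reject characters that
# would close the quoted, bracketed value early instead of trying to escape them.
_UNSAFE = re.compile(r'["\[\]\r\n]')


def parse_resource_name(resource_name):
    """'Node=node1:Server=server1' -> [('Node', 'node1'), ('Server', 'server1')]."""
    parts = []
    for segment in resource_name.split(":"):
        rtype, sep, name = segment.partition("=")
        if not sep or rtype not in RESOURCE_TYPES:
            raise ValueError("bad ResourceType in %r" % segment)
        if not name or name != name.strip() or _UNSAFE.search(name):
            raise ValueError("bad ResourceName in %r" % segment)
        parts.append((rtype, name))
    return parts


def quote_value(value):
    """Page rule: wrap a value that contains spaces in brackets and double quotes."""
    if not value or value.startswith("-") or _UNSAFE.search(value):
        raise ValueError("value cannot be passed safely: %r" % value)
    if " " in value:
        return '["%s"]' % value
    return value


def build_args(pairs):
    """[(parameter, value), ...] -> '[-p1 v1 -p2 v2]' for the Jython string form."""
    tokens = []
    for param, value in pairs:
        if not re.match(r"-[A-Za-z]+\Z", param):
            raise ValueError("bad parameter name %r" % param)
        if param == "-resourceName":
            parse_resource_name(value)  # raises on a malformed resource
        tokens.append("%s %s" % (param, quote_value(value)))
    return "[%s]" % " ".join(tokens)


if __name__ == "__main__":
    # Constructed inputs; under wsadmin the result would be passed to
    # AdminTask.addResourceToAuthorizationGroup(...).
    print(build_args([("-authorizationGroupName", "groupName"),
                      ("-resourceName", "Node=node1:Server=server1")]))
```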
createAuthorizationGroup
Create a new authorization group. When we create a new authorization group, no members are associated with it. Also, no user to administrative role mapping for the authorization table is associated with the authorization group.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group to create. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask createAuthorizationGroup {-authorizationGroupName groupName}
- Jython string:
AdminTask.createAuthorizationGroup('[-authorizationGroupName groupName]')
- Jython list:
AdminTask.createAuthorizationGroup(['-authorizationGroupName', 'groupName'])
Interactive mode example usage:
- Jacl:
$AdminTask createAuthorizationGroup -interactive
- Jython string:
AdminTask.createAuthorizationGroup ('[-interactive]')
- Jython list:
AdminTask.createAuthorizationGroup (['-interactive'])
deleteAuthorizationGroup
Delete an existing authorization group. When we delete an authorization group, the authorization table that corresponds is also deleted.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group to delete. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask deleteAuthorizationGroup {-authorizationGroupName groupName}
- Jython string:
AdminTask.deleteAuthorizationGroup('[-authorizationGroupName groupName]')
- Jython list:
AdminTask.deleteAuthorizationGroup(['-authorizationGroupName', 'groupName'])
Interactive mode example usage:
- Jacl:
$AdminTask deleteAuthorizationGroup {-interactive}
- Jython string:
AdminTask.deleteAuthorizationGroup ('[-interactive]')
- Jython list:
AdminTask.deleteAuthorizationGroup (['-interactive'])
listAuthorizationGroups
List existing authorization groups.
Target object: None
Parameters and return values
- Parameters: None
- Returns: A list of short names of all existing authorization groups. (String [])
Examples
Batch mode example usage:
- Jacl:
$AdminTask listAuthorizationGroups
- Jython:
AdminTask.listAuthorizationGroups()
Interactive mode example usage:
- Jacl:
$AdminTask listAuthorizationGroups {-interactive}
- Jython string:
AdminTask.listAuthorizationGroups ('[-interactive]')
- Jython list:
AdminTask.listAuthorizationGroups (['-interactive'])
listAuthorizationGroupsForGroupID
List all of the authorization groups to which a given user group has access. This command lists the authorization groups and the granted roles for each authorization group. The group ID can be a short name or a fully qualified domain name if the LDAP user registry is being used. This command lists cell as a group if the user has cell level access.
Target object: None
Parameters and return values
- -groupid
- The ID of the user group. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask listAuthorizationGroupsForGroupID {-groupid userGroupName}
- Jython string:
AdminTask.listAuthorizationGroupsForGroupID('[-groupid userGroupName]')
- Jython list:
AdminTask.listAuthorizationGroupsForGroupID(['-groupid', 'userGroupName'])
Interactive mode example usage:
- Jacl:
$AdminTask listAuthorizationGroupsForGroupID {-interactive}
- Jython string:
AdminTask.listAuthorizationGroupsForGroupID ('[-interactive]')
- Jython list:
AdminTask.listAuthorizationGroupsForGroupID (['-interactive'])
listAuthorizationGroupsForUserID
List all of the authorization groups to which a given user has access. This command lists the authorization groups and the granted roles for each authorization group. The user ID and the group ID can be a short name or a fully qualified domain name if the LDAP user registry is being used. This command lists cell as a group if the user has cell level access.
Target object: None
Parameters and return values
- -userid
- The ID of the user. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask listAuthorizationGroupsForUserID {-userid userName}
- Jython string:
AdminTask.listAuthorizationGroupsForUserID('[-userid userName]')
- Jython list:
AdminTask.listAuthorizationGroupsForUserID(['-userid', 'userName'])
Interactive mode example usage:
- Jacl:
$AdminTask listAuthorizationGroupsForUserID {-interactive}
- Jython string:
AdminTask.listAuthorizationGroupsForUserID ('[-interactive]')
- Jython list:
AdminTask.listAuthorizationGroupsForUserID (['-interactive'])
listAuthorizationGroupsOfResource
List authorization groups for a given resource. If the value of the traverseContainedObjects parameter is false, only the authorization group of the resource is returned. If the value of the traverseContainedObjects parameter is true, it returns the authorization group of the resource and the authorization groups of all the parent resources in the containment tree.
Target object: None
Parameters and return values
- -resourceName
- The name of the resource. (String, required)
The resourceName parameter must be in the following format:
ResourceType=ResourceName
where:
- ResourceType can be any one of the following values: Application, Server, ServerCluster, Node, or NodeGroup.
- ResourceName is the name of the resource instance, for example, server1.
The following are examples of the resourceName parameter:
Node=node1:Server=server1
This example uniquely identifies server1. The name of the node is required if a server on a different node uses the same server name.
Application=app1
- -traverseContainedResources
- Finds the authorization groups of all the parent resources by traversing the resource containment tree upwards. The default is false. (Boolean, optional)
Examples
Batch mode example usage:
- Jacl:
$AdminTask listAuthorizationGroupsOfResource {-resourceName Application=app1}
- Jython string:
AdminTask.listAuthorizationGroupsOfResource('[-resourceName Application=app1]')
- Jython list:
AdminTask.listAuthorizationGroupsOfResource(['-resourceName', 'Application=app1'])
Interactive mode example usage:
- Jacl:
$AdminTask listAuthorizationGroupsOfResource {-interactive}
- Jython string:
AdminTask.listAuthorizationGroupsOfResource ('[-interactive]')
- Jython list:
AdminTask.listAuthorizationGroupsOfResource (['-interactive'])
listResourcesOfAuthorizationGroup
List all of the resources within the given authorization group.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask listResourcesOfAuthorizationGroup {-authorizationGroupName groupName}
- Jython string:
AdminTask.listResourcesOfAuthorizationGroup('[-authorizationGroupName groupName]')
- Jython list:
AdminTask.listResourcesOfAuthorizationGroup(['-authorizationGroupName', 'groupName'])
Interactive mode example usage:
- Jacl:
$AdminTask listResourcesOfAuthorizationGroup {-interactive}
- Jython string:
AdminTask.listResourcesOfAuthorizationGroup ('[-interactive]')
- Jython list:
AdminTask.listResourcesOfAuthorizationGroup (['-interactive'])
listResourcesForGroupID
List all the objects that a given group has access to. This command lists the resources and the granted roles for each resource. The resources that this command returns include the resources from the authorization groups to which the user group is granted roles and the resources that are descendants of the resources within authorization groups to which the user group is granted access to any role. The group ID can be a short name or fully qualified domain name if an LDAP user registry is used.
Target object: None
Parameters and return values
- -groupid
- The ID of the user group. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask listResourcesForGroupID {-groupid userGroupName}
- Jython string:
AdminTask.listResourcesForGroupID('[-groupid userGroupName]')
- Jython list:
AdminTask.listResourcesForGroupID(['-groupid', 'userGroupName'])
Interactive mode example usage:
- Jacl:
$AdminTask listResourcesForGroupID {-interactive}
- Jython string:
AdminTask.listResourcesForGroupID ('[-interactive]')
- Jython list:
AdminTask.listResourcesForGroupID (['-interactive'])
listResourcesForUserID
List all the objects that a given user has access to. This command lists the resources and the granted roles for each resource. The resources that this command returns include the resources from the authorization groups to which the user is granted roles and the resources that are descendants of the resources within authorization groups to which the user is granted access to any role. The user ID can be a short name or fully qualified domain name if an LDAP user registry is used.
Target object: None
Parameters and return values
- -userid
- The ID of the user. (String, required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask listResourcesForUserID {-userid userName}
- Jython string:
AdminTask.listResourcesForUserID('[-userid userName]')
- Jython list:
AdminTask.listResourcesForUserID(['-userid', 'userName'])
Interactive mode example usage:
- Jacl:
$AdminTask listResourcesForUserID {-interactive}
- Jython string:
AdminTask.listResourcesForUserID ('[-interactive]')
- Jython list:
AdminTask.listResourcesForUserID (['-interactive'])
Example output:
{deployer=[], operator=[], administrator=[cells/IBM-LP16L31HVE8Cell07/clusters/C1|cluster.xml, cells/IBM-LP16L31HVE8Cell07/nodes/IBM-LP16L31HVE8Node05/servers/cm1|server.xml], monitor=[], configurator=[]}
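For a least-privilege review, output in this shape can be parsed and compared with an approved baseline. The following is an added example, not IBM's code: it assumes the command result is available as a string in the format shown under "Example output", and the cell, node, and baseline values are constructed.

```python
# Added example: plain Python that also runs under wsadmin -lang jython.
import re

# One "role=[item, item]" entry of the output.
_ROLE_ENTRY = re.compile(r"(\w+)=\[([^\]]*)\]")

# Constructed sample in the shape of the listResourcesForUserID output.
SAMPLE = ("{deployer=[], operator=[], administrator=["
          "cells/cell01/clusters/C1|cluster.xml, "
          "cells/cell01/nodes/node01/servers/cm1|server.xml], "
          "monitor=[], configurator=[]}")

# Constructed baseline: the resources each role is approved to hold.
BASELINE = {"administrator": set(["cells/cell01/clusters/C1|cluster.xml"])}


def parse_role_map(output):
    """Turn '{role=[res1, res2], ...}' into {role: [res1, res2]}."""
    text = output.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("unexpected listResourcesForUserID output")
    roles = {}
    for role, body in _ROLE_ENTRY.findall(text):
        roles[role] = [item.strip() for item in body.split(",") if item.strip()]
    return roles


def unexpected_grants(output, baseline):
    """Return sorted (role, resource) pairs that the baseline does not approve.

    Matching is exact, so an approved 'clusters/C1' never covers 'clusters/C10'.
    """
    findings = []
    for role, resources in parse_role_map(output).items():
        approved = baseline.get(role, ())
        for resource in resources:
            if resource not in approved:
                findings.append((role, resource))
    return sorted(findings)


if __name__ == "__main__":
    # Under wsadmin, SAMPLE would be replaced by the result of
    # AdminTask.listResourcesForUserID('[-userid userName]').
    for role, resource in unexpected_grants(SAMPLE, BASELINE):
        print("not in baseline: %s on %s" % (role, resource))
```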
mapGroupsToAdminRole
Map group IDs to one or more administrative roles in an authorization group. The name of the authorization group that we provide determines which authorization table is used. If we do not specify an authorization group name, the mapping is done to the cell level authorization table. The group ID can be a short name or a fully qualified domain name if the LDAP user registry is used.
Target object: None
Parameters and return values
- -accessids
- The list of user or group access IDs on the remote registry. If provided, each user or group ID should have one. (String, optional)
- -authorizationGroupName
- The name of the authorization group. If not specified, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -groupids
- The list of group IDs that is mapped to the administrative role. (String[], required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask mapGroupsToAdminRole {-authorizationGroupName groupName -roleName administrator -groupids group1}
- Jython string:
AdminTask.mapGroupsToAdminRole('[-authorizationGroupName groupName -roleName administrator -groupids group1]')
- Jython list:
AdminTask.mapGroupsToAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-groupids', 'group1'])
Interactive mode example usage:
- Jacl:
$AdminTask mapGroupsToAdminRole {-interactive}
- Jython string:
AdminTask.mapGroupsToAdminRole ('[-interactive]')
- Jython list:
AdminTask.mapGroupsToAdminRole (['-interactive'])
mapGroupsToAuditRole
Map group IDs to one or more audit roles in an authorization group. The name of the authorization group that we provide determines which authorization table is used. If we do not specify an authorization group name, the mapping is done to the cell level authorization table. The group ID can be a short name or a fully qualified domain name if the LDAP user registry is used.
Target object: None
Parameters and return values
- -accessids
- The list of user or group access IDs on the remote registry. If provided, each user or group ID should have one. (String, optional)
- -authorizationGroupName
- The name of the authorization group. If not specified, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -groupids
- The list of group IDs that are mapped to the administrative role. (String[], required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask mapGroupsToAuditRole {-authorizationGroupName groupName -roleName auditor -groupids group1}
- Jython string:
AdminTask.mapGroupsToAuditRole('[-authorizationGroupName groupName -roleName auditor -groupids group1]')
- Jython list:
AdminTask.mapGroupsToAuditRole(['-authorizationGroupName', 'groupName', '-roleName', 'auditor', '-groupids', 'group1'])
Interactive mode example usage:
- Jacl:
$AdminTask mapGroupsToAuditRole {-interactive}
- Jython string:
AdminTask.mapGroupsToAuditRole ('[-interactive]')
- Jython list:
AdminTask.mapGroupsToAuditRole (['-interactive'])
mapUsersToAdminRole
Map user IDs to one or more administrative roles in the authorization group. The name of the authorization group that we provide determines the authorization table. If we do not specify the name of the authorization group, the mapping is done to the cell level authorization table. The user ID can be a short name or fully qualified domain name if the LDAP user registry is used.
Target object: None
Parameters and return values
- -accessids
- The list of user or group access IDs on the remote registry. If provided, each user or group ID should have one. (String, optional)
- -authorizationGroupName
- The name of the authorization group. If not specified, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -userids
- The list of user IDs that are mapped to the administrative role. (String[], required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask mapUsersToAdminRole {-authorizationGroupName groupName -roleName administrator -userids user1}
- Jython string:
AdminTask.mapUsersToAdminRole('[-authorizationGroupName groupName -roleName administrator -userids user1]')
- Jython list:
AdminTask.mapUsersToAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-userids', 'user1'])
Interactive mode example usage:
- Jacl:
$AdminTask mapUsersToAdminRole {-interactive}
- Jython string:
AdminTask.mapUsersToAdminRole ('[-interactive]')
- Jython list:
AdminTask.mapUsersToAdminRole (['-interactive'])
removeGroupsFromAdminRole
Remove previously mapped group IDs from administrative roles in the authorization group. The name of the authorization group that we provide determines which authorization table is involved. If we do not specify an authorization group name, the group IDs are removed from the cell level authorization table. The group ID can be a short name or fully qualified domain name if an LDAP user registry is used.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. If not specified, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -groupids
- A list of group IDs to remove from the administrative role. (String[], required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask removeGroupsFromAdminRole {-authorizationGroupName groupName -roleName administrator -groupids group1}
- Jython string:
AdminTask.removeGroupsFromAdminRole('[-authorizationGroupName groupName -roleName administrator -groupids group1]')
- Jython list:
AdminTask.removeGroupsFromAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-groupids', 'group1'])
Interactive mode example usage:
- Jacl:
$AdminTask removeGroupsFromAdminRole {-interactive}
- Jython string:
AdminTask.removeGroupsFromAdminRole ('[-interactive]')
- Jython list:
AdminTask.removeGroupsFromAdminRole (['-interactive'])
removeResourceFromAuthorizationGroup
Remove resources from an existing authorization group. If we do not specify the authorization group, the authorization group of the resource is determined and the resource is removed from that authorization group.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. (String, optional)
- -resourceName
- The name of the resource instance to remove from the authorization group. (String, required)
The resourceName parameter must be in the following format:
ResourceType=ResourceName
where:
- ResourceType can be any of the following: Application, Server, ServerCluster, Node, or NodeGroup.
- The ResourceName is the name of the resource instance, for example, server1.
The following are examples of the resourceName parameter:
Node=node1:Server=server1
This example uniquely identifies server1. node1 is required if the name of the server exists on multiple nodes.
Application=app1
Examples
Batch mode example usage:
- Jacl:
$AdminTask removeResourceFromAuthorizationGroup {-authorizationGroupName groupName -resourceName Application=app1}
- Jython string:
AdminTask.removeResourceFromAuthorizationGroup('[-authorizationGroupName groupName -resourceName Application=app1]')
- Jython list:
AdminTask.removeResourceFromAuthorizationGroup(['-authorizationGroupName', 'groupName', '-resourceName', 'Application=app1'])
Interactive mode example usage:
- Jacl:
$AdminTask removeResourceFromAuthorizationGroup {-interactive}
- Jython string:
AdminTask.removeResourceFromAuthorizationGroup ('[-interactive]')
- Jython list:
AdminTask.removeResourceFromAuthorizationGroup (['-interactive'])
removeUsersFromAdminRole
Remove previously mapped user IDs from administrative roles in the authorization group. The name of the authorization group that we provide determines which authorization table is involved. If we do not specify an authorization group name, the user ID from the cell level authorization table is used. The user ID can be a short name or a fully qualified domain name if an LDAP user registry is used.
Target object: None
Parameters and return values
- -authorizationGroupName
- The name of the authorization group. If not specified, the cell level authorization group is assumed. (String, optional)
- -roleName
- The name of the administrative role. (String, required)
- -userids
- A list of user IDs to remove from the administrative role. (String[], required)
Examples
Batch mode example usage:
- Jacl:
$AdminTask removeUsersFromAdminRole {-authorizationGroupName groupName -roleName administrator -userids user1}
- Jython string:
AdminTask.removeUsersFromAdminRole('[-authorizationGroupName groupName -roleName administrator -userids user1]')
- Jython list:
AdminTask.removeUsersFromAdminRole(['-authorizationGroupName', 'groupName', '-roleName', 'administrator', '-userids', 'user1'])
Interactive mode example usage:
- Jacl:
$AdminTask removeUsersFromAdminRole {-interactive}
- Jython string:
AdminTask.removeUsersFromAdminRole ('[-interactive]')
- Jython list:
AdminTask.removeUsersFromAdminRole (['-interactive'])