Manage roles command
Managing roles using CLI is done using the following command:
...
<root>
Role definition
</root>
Required permissions
To activate the roles management command the user must have ADMINISTRATE.EXECUTE permissions for Precise technology.
Roles definitions limitations
A user activating this command can add/edit/delete roles only if the permissions the role contains are in the scope of the user's permissions.
For example, a user who has ADMINISTRATE.VIEW permission on an Oracle instance can create a new role with ADMINISTRATE.VIEW permission on that same instance. However, the user cannot assign ADMINISTRATE.VIEW on another instance or define ADMINISTRATE.EXECUTE on the same instance.
Handling errors
The CLI mechanism always skips to the next role and does not halt the whole operation when an error occurs. If the CLI fails for a specific role, a message is issued to the screen and the problem is logged in the CLI log file.
Adding a new role
The definition for adding a new role is as follows:
...
<root>
<role>
<parameter name="action" value="add"/>
<parameter name="role-name" value=" test-role1"/>
<parameter name="role-scope" value="technology"/>
<complex name="permissions">
<parameter permission-type="monitor" permission-operation="full_control"/>
<parameter permission-type="administrate" permission-operation="execute"/>
</complex>
<complex name="resources">
<parameter technology-code="OR"/>
<parameter technology-code="OA"/>
</complex>
<complex name="nodes">
<parameter node-name="node1"/>
<parameter node-name="node2"/>
</complex>
</role>
<role>
<parameter name="action" value="add"/>
<parameter name="role-name" value=" test-role2"/>
<parameter name="role-scope" value="application"/>
<complex name="permissions">
<parameter permission-type="monitor" permission-operation="view"/>
</complex>
<complex name="resources" value="all=true"/>
</role>
</root>
Deleting a role
The definition for deleting a role is as follows:
...
Info: The role ‘I3 Manager’ cannot be deleted.
Verifying user’s roles assignment before deletion
Deleting a role can cause a situation where one or more users will be left with no roles assigned to them (i.e. this role is the only role assigned to one of the users).
...
Info: This parameter’s default value is ‘true’.
Parameters specification
Table 4 Parameter values for Deleting a role
...
<root>
<parameter name="action" value="delete"/>
<parameter name="role-name" value=" test-role1"/>
</root>
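The check described under "Verifying user’s roles assignment before deletion" can be run offline against an export. This is an added example, not part of the Precise CLI or its documentation: it reads an export in the `<all>` format shown under "Exporting users/roles" and lists the users whose only role is the one about to be deleted. The sample export and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <all> export format shown on this page.
EXPORT_XML = """
<all>
  <user>
    <parameter name="action" value="add" />
    <parameter name="user-name" value="usr1" />
    <complex name="user-roles">
      <parameter role-name="Oracle view only" />
    </complex>
  </user>
  <user>
    <parameter name="action" value="add" />
    <parameter name="user-name" value="usr2" />
    <complex name="user-roles">
      <parameter role-name="Precise Manager" />
      <parameter role-name="Oracle view only" />
    </complex>
  </user>
</all>
"""

def user_roles(export_xml):
    """Map each exported user name to the set of role names assigned to it."""
    result = {}
    for user in ET.fromstring(export_xml).iter("user"):
        name = user.find("parameter[@name='user-name']").get("value")
        roles = user.find("complex[@name='user-roles']")
        result[name] = {p.get("role-name") for p in roles} if roles is not None else set()
    return result

def orphaned_by_delete(export_xml, role_name):
    """Users whose only assigned role is role_name, i.e. left with no roles."""
    return sorted(u for u, r in user_roles(export_xml).items() if r == {role_name})

if __name__ == "__main__":
    for role in ("Oracle view only", "Precise Manager"):
        print(role, "->", orphaned_by_delete(EXPORT_XML, role))
```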
Editing a role
The definition for editing a role is as follows:
...
Info: The role ‘I3 Manager’ cannot be edited.
Parameters specification
Table 5 Parameter values for Editing a role
Parameter | Description |
---|---|
Action | The action we wish to perform on the defined role. Value: Edit. Mandatory: Yes |
Role-name | The name of the role we wish to edit. Mandatory: Yes |
Role-scope | The scope of the role the user wants to define the permissions on. Values: technology, application, Tier, or instance. Mandatory: Yes |
Role-new-name | The new role name. Mandatory: No |
Permissions | The permissions we wish to assign to this role. Mandatory: No |
Resources | The resources the role permissions apply on. Mandatory: Yes, if permissions are changed. |
Nodes | This parameter is relevant only to the ‘technology’ role scope. Use this parameter to define technologies permissions on specific nodes. If this parameter is not defined, the technology permissions will apply on all nodes. Node-name: the name of the node. Nodes that are already assigned to the role and are not specified in edit will be removed from the role definition. If no proxies are specified in edit mode then the role’s proxies will remain unchanged. Mandatory: No |
Example
In this example we will be editing the following role:
...
<root>
<parameter name="action" value="edit"/>
<parameter name="role-name" value=" test-role1"/>
<parameter name="role-new-name" value=" test-role1-updated"/>
<complex name="permissions">
<parameter permission-type="monitor" permission-operation="execute"/>
<parameter permission-type="administrate" permission-operation="execute"/>
</complex>
<complex name="resources">
<parameter instance-name="ORCL" technology-code="OR" server-name="srv1"/>
<parameter instance-name="OA1" technology-code="OA" server-name="srv2"/>
</complex>
<parameter name="nodes" value="*"/>
<parameter name="role-scope" value="INSTANCE"/>
</root>
Manage users command
Managing users using CLI is done using the following command:
...
<root>
User definition
</root>
Required permissions
Activating the user’s management command requires ADMINISTRATE.EXECUTE permissions on Precise technology.
User roles definitions limitations
A user activating this command can add roles to or remove roles from the managed user only if the permissions of those roles are in the scope of the managing user’s roles permissions.
For example, a user who has ADMINISTRATE.VIEW permission on an Oracle instance can create a new user and assign a role with ADMINISTRATE.VIEW permission on that same instance. However, the user cannot assign a role with ADMINISTRATE.VIEW on another instance or ADMINISTRATE.EXECUTE on the same instance.
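The scope rule stated here and under "Roles definitions limitations" can be checked before a definition file is submitted. The following is an added example, not Precise code and not a description of how the CLI enforces the rule: it expands a role definition into permission and resource pairs and reports those the managing user does not hold. The ordering of operations, the grants table, the role definition and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated on the page): operations are ordered
# view < execute < full_control, and a higher one covers the lower ones.
RANK = {"view": 1, "execute": 2, "full_control": 3}

# Constructed role definition in the format used on this page.
ROLE_XML = """<root><role>
  <parameter name="action" value="add"/>
  <parameter name="role-name" value="ora-admin-view"/>
  <parameter name="role-scope" value="instance"/>
  <complex name="permissions">
    <parameter permission-type="administrate" permission-operation="view"/>
    <parameter permission-type="administrate" permission-operation="execute"/>
  </complex>
  <complex name="resources">
    <parameter instance-name="ORCL" technology-code="OR" server-name="srv1"/>
    <parameter instance-name="ORCL2" technology-code="OR" server-name="srv2"/>
  </complex>
</role></root>"""

# Constructed grants of the managing user: ADMINISTRATE.VIEW on one instance.
MANAGER_GRANTS = {("administrate", ("OR", "ORCL", "srv1")): "view"}

def resource_key(elem):
    """Identify an instance resource by (technology, instance, server)."""
    return tuple(elem.get(a) for a in ("technology-code", "instance-name", "server-name"))

def out_of_scope(role_xml, grants):
    """Return (role, type, operation, resource) entries outside the manager's scope.

    grants maps (permission-type, resource_key) to the operation the manager holds.
    """
    denied = []
    for role in ET.fromstring(role_xml).iter("role"):
        name = role.find("parameter[@name='role-name']").get("value")
        resources = role.findall("complex[@name='resources']/parameter")
        for perm in role.findall("complex[@name='permissions']/parameter"):
            ptype = perm.get("permission-type").lower()
            op = perm.get("permission-operation").lower()
            for key in map(resource_key, resources):
                held = grants.get((ptype, key))
                if held is None or RANK[op] > RANK[held]:
                    denied.append((name, ptype, op, key))
    return denied

if __name__ == "__main__":
    for entry in out_of_scope(ROLE_XML, MANAGER_GRANTS):
        print("outside scope:", entry)
```

For a user definition, the same function applies to the definition of each role listed under `user-roles`.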
Handling errors
The CLI mechanism always skips to the next user and does not halt the whole operation when an error occurs. If the CLI fails for a specific user, a message is issued to the screen and the problem is logged in the CLI log file.
Adding a new user
The definition for adding a new user is as follows:
...
Parameter | Description |
---|---|
Action | The action we wish to perform on the defined user. Values: Add. Mandatory: Yes |
User-name | The name of the user we wish to add. Mandatory: Yes |
user-clear-password or user-encrypted-password | The user’s password as clear or encrypted text. Mandatory: Yes |
User-roles | The roles we wish to assign to this user. Mandatory: Yes |
Example
In this example we will be adding two users.
<root>
<user>
<parameter name="action" value="add"/>
<parameter name="user-name" value="koby"/>
<parameter name="user-clear-password" value="1234"/>
<complex name="user-roles">
<parameter role-name="Tuxedo Manager"/>
<parameter role-name="SQL Server Administrator"/>
</complex>
</user>
<user>
<parameter name="action" value="add"/>
<parameter name="user-name" value="yossi"/>
<parameter name="user-clear-password" value="5678"/>
<complex name="user-roles">
<parameter role-name="Web Manager"/>
</complex>
</user>
</root>
Deleting a user
The definition for deleting a user is as follows:
...
Parameter | Description |
---|---|
Action | The action we wish to perform on the defined user. Values: Delete Mandatory: Yes |
User-name | The name of the user we wish to delete. Mandatory: Yes |
Example
In this example we will be deleting one user ‘koby’:
<root>
<parameter name="action" value="delete"/>
<parameter name="user-name" value="koby"/>
</root>
Editing a user
The definition for editing or adding a user is as follows:
...
Parameter | Description |
---|---|
Action | The action we wish to perform on the defined user. Values: Edit. Mandatory: Yes |
User-name | The name of the user we wish to edit. Mandatory: Yes |
user-clear-password or user-encrypted-password | The user’s password as clear or encrypted text. Mandatory: Yes |
User-roles | The roles we wish to assign to this user. |
Role-name | The name of the role we wish to assign to this user. Mandatory: Yes |
Example
In this example we will be editing the user ‘user1’. This user has the following roles assigned to him:
...
<root>
<user>
<parameter name="action" value="edit"/>
<parameter name="user-name" value="user1"/>
<complex name="user-roles">
<parameter role-name="Oracle Administrator"/>
<parameter role-name="Tuxedo Manager"/>
</complex>
</user>
</root>
Exporting users/roles
The roles-export command prints the current users/roles defined in Precise. The export result can later be used to define/update roles/users.
...
Elements | Description |
---|---|
Mode | The required export mode. Values: export users, export roles, or export users and roles. Mandatory: Yes |
output-file | The file path to which the export will be written. Value: If not specified: <precise_root>\infra\cli2\output\cli_export_<mode>.xml. Mandatory: No |
Command output
The roles export output is written to an output file as described in the previous table.
Output format
The output format can be users, roles or all.
Export users output
<users>
<user>
<parameter name="action" value="add" />
<parameter name="user-encrypted-password" value="IAJDFKJBI@" />
<parameter name="user-name" value="usr1" />
<complex name="user-roles">
<parameter role-name="Oracle view only" />
</complex>
</user>
<user>
<parameter name="action" value="add" />
<parameter name="user-encrypted-password" value="ICDDFK@FFA" />
<parameter name="user-name" value="usr2" />
<complex name="user-roles">
<parameter role-name="Precise Manager" />
</complex>
</user>
...additional users
</users>
Export roles output
<roles>
<role>
<parameter name="action" value="add" />
<parameter name="nodes" value="*" />
<complex name="permissions">
<parameter permission-operation="FULL_CONTROL" permission-type="ADMINISTRATE" />
<parameter permission-operation="FULL_CONTROL" permission-type="TUNE" />
<parameter permission-operation="FULL_CONTROL" permission-type="MONITOR" />
</complex>
<parameter name="resources" value="*" />
<parameter name="role-name" value="Precise Manager" />
<parameter name="role-scope" value="TECHNOLOGY" />
</role>
<role>
<parameter name="action" value="add" />
<parameter name="nodes" value="*" />
<complex name="permissions">
<parameter permission-operation="VIEW" permission-type="MONITOR" />
<parameter permission-operation="VIEW" permission-type="ADMINISTRATE" />
<parameter permission-operation="VIEW" permission-type="TUNE" />
</complex>
<complex name="resources">
<parameter technology-code="OR" />
</complex>
<parameter name="role-name" value="Oracle view only" />
<parameter name="role-scope" value="TECHNOLOGY" />
</role>
...additional roles
</roles>
Export all output
<all>
<user>
<parameter name="action" value="add" />
<parameter name="user-encrypted-password" value="IAJDFKJBI@" />
<parameter name="user-name" value="usr1" />
<complex name="user-roles">
<parameter role-name="Oracle view only" />
</complex>
</user>
<user>
<parameter name="action" value="add" />
<parameter name="user-encrypted-password" value="ICDDFK@FFA" />
<parameter name="user-name" value="usr2" />
<complex name="user-roles">
<parameter role-name="Precise Manager" />
</complex>
</user>
...additional users
<role>
<parameter name="action" value="add" />
<parameter name="nodes" value="*" />
<complex name="permissions">
<parameter permission-operation="FULL_CONTROL" permission-type="ADMINISTRATE" />
<parameter permission-operation="FULL_CONTROL" permission-type="TUNE" />
<parameter permission-operation="FULL_CONTROL" permission-type="MONITOR" />
</complex>
<parameter name="resources" value="*" />
<parameter name="role-name" value="Precise Manager" />
<parameter name="role-scope" value="TECHNOLOGY" />
</role>
<role>
<parameter name="action" value="add" />
<parameter name="nodes" value="*" />
<complex name="permissions">
<parameter permission-operation="VIEW" permission-type="MONITOR" />
<parameter permission-operation="VIEW" permission-type="ADMINISTRATE" />
<parameter permission-operation="VIEW" permission-type="TUNE" />
</complex>
<complex name="resources">
<parameter technology-code="OR" />
</complex>
<parameter name="role-name" value="Oracle view only" />
<parameter name="role-scope" value="TECHNOLOGY" />
</role>
...additional roles
</all>
User permissions summary
The user permissions summary prints a summary of the permissions a user has. It is generated from the CLI using the following command:
...
Element | Description |
---|---|
user-name | The user we wish to generate the permissions summary for. If this parameter is not specified, the permissions summary will be generated for the user activating this command according to the i3-user parameter. Mandatory: Yes |
output-file | The file the command output will be written to. If this parameter is not specified the output will be written as follows:
Mandatory: No |
Command output
The user permissions summary is printed to an output file as described above in the Parameters specification section.
Output format
The output xml structure will be as follows:
<user-permissions-summary user-name="user-name">
<roles-permissions-summary>
<role role-name="role-name">
<permission>
<description>permission description</description>
<permission-type>permission type</permission-type>
<permission-operation>permission operation</permission-operation>
<resource resource-type="resource type" [resource-information] />
<affected-instances>
<instance>
<instance-name>instance name</instance-name>
<server-name>instance server name</server-name>
<technology-code>instance technology</technology-code>
</instance>
…additional instances
</affected-instances>
</permission>
…additional permissions
</role>
…additional roles
</roles-permissions-summary>
</user-permissions-summary>
Output specification
- User-name. The name of the user this summary was generated for
- Role-name. The name of a role assigned to this user
- Permission. Role’s permission specification
- Description. The description of this permission
- Permission-type. The permission type
- Permission-operation. The permission operation
- Resource. The resource this permission was granted on
- Resource-type. The type of the resource. Resource-type can have one of the following values: technology, application, Tier or instance
- Resource-information. See resource information definitions in Table 9-3 on page 111.
- Affected-instances. The list of instances derived from the resource the permission was granted on (i.e. if the resource is the ‘Default’ application all the instances connected to the ‘Default’ application will be listed here)
- Instance-name. The name of the instance
- Server-name. The name of the server the instance is installed on
- Technology-code. The technology code of the instance
Example
This is an example of a permissions summary file for user ‘usr1’ with roles that contain the following permissions:
...