Managing Users and Groups

Managing Users and Groups

Managing Local Users

Local users are managed using the CA 3Tera AppLogic command line interface (CLI). The CLI can be used to:

• Create or destroy local users
• Set profile properties of local users (for example, email address, real name, locale, etc.)
• Get information for a local user (for example, ID, group membership, profile properties)
• List local users. Note that by default when listing users, only those users with permission to log in are listed. The --extended option of the user list command can be used to include in the output users which do not have permission to log in.

When a local user is created it is not automatically granted any particular access level rights on any object (unless the implicit local group all is granted such rights). Typically, after creating a user, a grid administrator adds that user to one or more local groups, and these groups are managed to provide access level rights to their members.

Please see the online CLI reference for user management commands:

Managing Global Users

Global users are maintained – created, modified, deleted – outside of CA 3Tera AppLogic, using the tools specific to the global directory service.

However, the CA 3Tera AppLogic CLI user management commands can be used to work with global users as follows:

• user set – this command can be used to set global user profile properties such as locale or email address. These properties are stored in the local directory and are set only for the particular grid on which the command is executed. CA 3Tera AppLogic never writes any information to a global directory service. CA 3Tera AppLogic cannot change a global user password.
• user info – this command can be used to get information for a global user, including any user profile properties.
• user list – this command can be used to list global users.

In addition, CA 3Tera AppLogic CLI commands are used to provide global users permission to access the grid and grid objects. This is done by through one or more of the following methods:

• modifying an ACL to provide access to a global group to which the user belongs
• adding the global user to a local group which has access to an object
• modifying an ACL to provide access specifically to the global user

Managing Local Groups

Local groups are managed using the CA 3Tera AppLogic command line interface (CLI). The CLI can be used to:

• Create or destroy local groups
• Get information for a local group (for example, ID, list of members)
• Change the membership of a local group
• List local groups

Local groups may have local users, local groups, global users or global groups as members. When a local group is created its membership is empty.

Please see the Command Line Reference Guide for group management commands.

Managing Global Groups

Global groups are maintained outside of CA 3Tera AppLogic. However, the CA 3Tera AppLogic CLI group management commands can be used to work with global groups as follows:

• group info – this command can be used to get information for a global group, including the group ID and membership information.
• group list – this command can be used to list global groups.

Global group membership information is cached when a global user authenticates. In this case the user's global group membership is recursively determined and this membership information is cached in the local directory service. As a result, the cached global group membership includes only global users (and only those global users who have previously authenticated on the grid).

If a user who is currently logged in is added to or removed from a global group, the changes take effect after the user logs off and logs back in.

When the CLI is used to list global groups or get information about a global group, the results are determined from cached data in the local directory service rather than read directly from the global directory service.