

Managing Users and Groups

Managing Local Users

Local users are managed using the CA AppLogic® command-line interface (CLI). The CLI can be used to perform the following tasks:

When a local user is created, it is not automatically granted any particular access level rights on any object (unless the implicit local group all is granted such rights). Typically, after creating a user, a Grid Administrator adds that user to one or more local groups, and these groups are managed to provide access level rights to their members.

For more information, see User Management in the Command Line Shell Reference Guide.

Managing Global Users

Global users are created, modified, and deleted outside of CA AppLogic®, using the tools specific to the global directory service. However, the CA AppLogic® CLI user management commands can be used with global users as follows:

user set

Sets global user profile properties such as locale or email address. These properties are stored in the local directory and are set only for the particular grid on which the command is executed. CA AppLogic® never writes any information to a global directory service. CA AppLogic® cannot change a global user password.

user info

Displays information for a global user, including any user profile properties.

user list

Lists all global users.

Additionally, CA AppLogic® CLI commands are used to provide global users permission to access the grid and grid objects using one or more of the following methods:

Managing Local Groups

Local groups are managed using the CA AppLogic® command-line interface (CLI). The CLI can be used to perform the following tasks:

Local groups may have local users, local groups, global users, or global groups as members. When a local group is created, its membership is empty.

For more information, see Group Management in the Command Line Shell Reference Guide.

Managing Global Groups

Global groups are maintained outside of CA AppLogic®. However, the CA AppLogic® CLI group management commands can be used with global groups as follows:

group info

Displays information for a global group, including the group ID and membership information.

group list

Lists all global groups.

group modify

Specifies whether or not a global group can own objects.

Global group membership information is cached when a global user authenticates. At that point, the user's global group membership is recursively determined and cached in the local directory service. As a result, the cached global group membership includes only global users (and only those global users who have previously authenticated on the grid).

If a user who is currently logged in is added to or removed from a global group, the changes take effect after the user logs off and logs back in.

When the CLI is used to list global groups or get information about a global group, the results are determined from cached data in the local directory service rather than read directly from the global directory service.
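
The caching behavior described above can be traced with a simplified Python model. This is an added illustration, not CA AppLogic® code: the classes `GlobalDirectory` and `Grid`, their methods, and the user and group names are all constructed for the example.

```python
# Simplified model (an assumption for illustration, not CA AppLogic code).
class GlobalDirectory:
    """Stand-in for the external directory: group -> direct members (users or groups)."""
    def __init__(self, groups):
        self.groups = {g: set(m) for g, m in groups.items()}

    def groups_of(self, user):
        """Recursively resolve every group containing `user`, directly or via nesting."""
        found, frontier = set(), {user}
        while frontier:
            member = frontier.pop()
            for group, members in self.groups.items():
                if member in members and group not in found:
                    found.add(group)      # `found` also guards against nesting cycles
                    frontier.add(group)
        return found


class Grid:
    """Local directory cache, refreshed for one user only when that user authenticates."""
    def __init__(self, directory):
        self.directory = directory
        self.cache = {}                   # user -> global groups as of the last login

    def authenticate(self, user):
        self.cache[user] = self.directory.groups_of(user)

    def group_info(self, group):
        """Membership as the grid reports it: read from the cache, users only."""
        return sorted(u for u, groups in self.cache.items() if group in groups)


def demo():
    # Constructed sample data: "oncall" is nested inside "ops".
    directory = GlobalDirectory({"ops": {"alice", "oncall"}, "oncall": {"bob", "carol"}})
    grid = Grid(directory)
    grid.authenticate("alice")
    grid.authenticate("bob")              # carol never authenticates on this grid
    before = grid.group_info("ops")       # carol and the nested group are absent
    directory.groups["oncall"].discard("bob")   # removed while still logged in
    stale = grid.group_info("ops")        # cache still lists bob
    grid.authenticate("bob")              # bob logs off and logs back in
    after = grid.group_info("ops")
    return before, stale, after


if __name__ == "__main__":
    print(demo())
```

When reviewing access, treat the grid's view of a global group as a snapshot taken at each member's last login and compare it against the global directory service itself.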