Reference Information › Command Line Shell Reference Guide › Shell Commands › Group Management

Group Management

This section describes commands that display and manage types of groups.

This section contains the following topics:

group create

group destroy

group get

group get_newobj_acl

group info

group list

group modify

group modify_newobj_acl

group put

group put_newobj_acl

group create

Add a group to the grid controller's local directory service database. The new group is created without any members.

Syntax

group create <name> [ can_own=<val> ]

Parameters

<name>

Name of the local group to create.

can_own=<val>

Specifies whether the group can be specified as an owner of an object. Valid values are 0 and 1, the default is 0.

Examples

create group my-group

Create a new local group named 'my-group'.

Notes

• Group names may only contain alphanumeric characters, underscore and hyphen.
• Only local groups can be created. Groups managed through a global directory service cannot be created.

group destroy

Destroy an existing group from the grid controller's local directory service database.

Syntax

group destroy <name> [ --force ]

Parameters

<name>

Name of the local group to destroy.

--force

Do not ask for verification of the destroy operation.

Example

destroy group my-group    

Destroy the local group named 'my-group'.

Notes

• Only local groups may be destroyed. Groups managed through a global directory service cannot be destroyed.
• Any reference to the destroyed group is removed from the grid ACL.

group get

Show group information. The information displayed includes: group name, ID, scope, description, principal group members, and the new object ACL definition associated to the group (if any).

Syntax

group get <name> [ --batch ]

Parameters

<name>

Name of the group for which to display information. The name may be specified in one of the following ways:

<group>

Local group.

/<group>

Global group.

<scope>:<type>:<group>

A fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group', and <group> is the group name.

--batch

Display output in UDL format

Examples

group get my-group

Show information for local group 'my-group'.

group get /my-group

Show information for global group 'my-group'.

group get local:group:my-group

Show information for local group 'my-group'.

group get global:group:my-group

Show information for global group 'my-group'.

Note

Only group members who have previously logged in to the grid are listed in the global group membership display.

Output Specification

The non-batch output of this command is as follows:

Group Name            : <val>
Group ID              : <val>
Scope                 : <val>
Description           : <val>

--- Member Information ---
ID                                    Scope  Type  Name
-------------------------------------------------------------------
<val>                                 <val>  <val> <val>
...
<val>                                 <val>  <val> <val>

--- New Object ACL Owner Information ---
ID                                    Scope  Type   Name
------------------------------------------------------------------------------
<val>                                 <val>  <val>  <val>

--- New Object ACL Entry Information ---
ID                                    Scope  Type   Name   Access
------------------------------------------------------------------------------
<val>                                 <val>  <val>  <val>  <val>
...
<val>                                 <val>  <val>  <val>  <val>

The batch output of this command is as follows:

group
   {
   name        = <val>
   id          = <val>
   scope       = <val>
   description = <val>
   members
      [
      id=<val>, scope=<val>, type=<val>, name=<val>
      ...
      id=<val>, scope=<val>, type=<val>, name=<val>
      ]
   newobj_acl
      {
      owner: id = <val>  # scope type name
      entries
         [
         id = <val>,  access_level1, ... access_levelN, permission1, ... permissionN   # scope type name
         ...
         id = <val>,  access_level1, ... access_levelN, permission1, ... permissionN   # scope type name
         ]
      }
   }

group get_newobj_acl

Display the new object ACL definition associated to a group, or display that portion of the new object ACL definition which relates to a particular principal.

Syntax:

group get_newobj_acl <name> [ <principal> ] [ --batch ]

Parameters:

<name>

Name of the group; prepend the group name with or to indicate a global group.

<principal>

Name of the principal. <principal> is in the following form:

<scope>:<type>:<name>

A fully qualified principal name where <scope> is 'global' or 'local', type is 'group' or 'user' and <name> is the group or user name.

--batch

Display output in UDL format

Example:

group get_newobj_acl admin

Get the new object ACL definition associated to the local group 'admin'.

Output Specification

The non-batch output of this command is as follows:

--- Owner Information ---
ID                                    Scope    Type    Name
-------------------------------------------------------------------------
<val>                                 <val>    <val>   <val>

--- Entry Information ---
ID                                    Scope    Type    Name            Access
------------------------------------------------------------------------------
<val>                                 <val>    <val>   <val>           <val>
...
<val>                                 <val>    <val>   <val>           <val>

The batch output of this command is as follows:

acl
   {
   owner       : id=<val>   # scope type name
   entries
      [
      id=<val>, access_level1, ... access_levelN, permission1, ... permissionN   # scope type name
      ...
      id=<val>, access_level1, ... access_levelN, permission1, ... permissionN   # scope type name
      ]
   }

group info

Show group information. The information displayed includes: group name, ID, scope, description, principal group members, and the new object ACL definition associated with the group (if any).

Syntax

group info <name> [ --batch ]

Parameters

<name>

Name of the group for which to display information. The name may be specified in one of the following ways:

<group>

Local group.

/<group>

Global group.

<scope>:<type>:<group>

A fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group', and <group> is the group name.

--batch

Display output in UDL format

Examples

group info my-group

Show information for local group 'my-group'.

group info /my-group

Show information for global group 'my-group'.

group info local:group:my-group

Show information for local group 'my-group'.

group info global:group:my-group

Show information for global group 'my-group'.

Note

Only group members who have previously logged in to the grid are listed in the global group membership display.

Output Specification

The output of this command is as follows:

Non-batch output

Group Name     = val
Group ID       = val
Scope          = val
Can Own        = val
Description    = val

--- Member Information ---
ID                                    Scope    Type    Name
-------------------------------------------------------------------------
val                                   val      val     val
...

The value of Scope is local or global. The value of Type is user or group. If a
local user or local group member has been deleted, the value for Scope, Type and Name is *.

Batch output

group
   {
   name        = "val"
   id          = "val"
   scope       = "val"
   Can_Own     = "val"
   description = "val"
   members
      [
      id="val", scope=val, type=val, name="val"
      ...
      ]
   }

group list

List groups in the grid controller's local directory service database and groups in the global directory service database (if the grid is configured to use such a service).

Syntax

group list [ --local | --global ] [ --batch ]

Parameters

--local

List only local groups.

--global

List only global groups.

--batch

Display output in UDL format.

Examples

group list

List groups.

Notes

Only global groups are listed which have among their members a global user who has logged in on the grid sometime in the past.

Output Specification

The output of this command is as follows:

Non-batch output

Group Name           Group ID                               Scope    Can Own   Description
--------------------------------------------------------------------------------
val                  val                                    val      val      Val
...
The value of Scope is local or global.

Batch output

group:  name="val", id="val", scope="val", can_own=val, description="val"
...

group modify

Modify a local group's description, can_own attribute, or membership, or modify the can_own attribute of a global group.

Syntax

group modify <name> [ description=<val> ] [ can_own=<val> ][ +/-<principal1> ... +/-<principalN> ]

Parameters

<name>

Name of the local group.

description=<val>

Group description.

can_own=<val>

Specifies whether the group can be specified as an owner of an object. Valid values are 0 and 1. The default is 0.

+<principal>

Add the principal to the group if it is not already a member. <principal> is in the following form:

<name>

Local user or group.

/<name>

Global user or group.

<scope>:<type>:<name>

A fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group' or 'user', and <name> is the group or user name.

-<principal>

Remove the principal from the group.

Examples

group modify my-group +local:user:admin

Add local user 'admin' to the local group 'my-group'.

group modify my-group +/admin

Add global user 'admin' to the local group 'my-group'.

Notes

• The local group must exist.
• Specified local user and group principals must exist.
• Specified global user principals must have logged in to the grid at some time in the past.
• Specified global group principals must be associated to a global user who has logged in to the grid at some time in the past.

group modify_newobj_acl

Replace that portion of a new object ACL definition associated to a group which relates to the owner or a principal entry.

Syntax:

group modify_newobj_acl <name> [ <principal>=owner ] [ <principal1>=<val> ... <principalN>=<val> ] [ template=<principal> ] [ --test_only ]

Parameters:

<name>

Name of the group; prepend the group name with / to indicate a global group.

<principal>=owner

Set the owner attribute of the new object ACL definition to the specified principal. The principal must be a group.

<principal>=<val>

Add the specified principal to the new object ACL definition with access level <val>. <principal> is in the following form:

<name>

Local user or group.

/<name>

Global user or group.

<scope>:<type>:<name>

A fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group' or 'user', and <name> is the group or user name. Valid access levels are: read, control, configure and full.

template=<principal>

Replace the principal entries of the new object ACL definition with those of the new object ACL definition associated to the specified principal.

--test_only

Do not replace the new object ACL definition but rather test if the operation can succeed.

Example:

group modify_newobj_acl admin local:group:admin=full

Modify the new object ACL definition associated to the local group 'admin'.

Note:

The owner of a new object ACL definition associated to a group must itself be a group.

group put

Replace a local group description and entire membership.

Syntax

group put <name> description=<val> [ can_own=<val> ] [ <principal1> ... <principalN> ]

Parameters

<name>

Name of the local group.

description=<val>

Group description.

can_own=<val>

Specifies whether the group can be specified as an owner of an object. Valid values are 0 and 1. The default is 0.

<principal>

A group member specified in one of the following formats:

<name>

Local user or group.

/<name>

Global user or group.

<scope>:<type>:<name>

A fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group' or 'user', and <name> is the group or user name.

Exampls

group put my-group description='us' local:user:admin

Replace the description of local group 'my-group' and replace the membership such that the only member is local user 'admin'.

group put my-group description='us' admin

Replace the description of local group 'my-group' and replace the membership such that the only member is local user 'admin'.

Notes

• The local group must exist.
• Specified local user and group principals must exist.
• Specified global user principals must have logged in to the grid at some time in the past.
• Specified global group principals must be associated to a global user who has logged in to the grid at some time in the past.

group put_newobj_acl

Replace the entire new object ACL definition associated to a group.

Syntax:

group put_newobj_acl <name> [ <principal>=owner ] [ <principal1>=<val> ... <principalN>=<val> ] [ --test_only | --force ]

Parameters:

<name>

Name of the group; prepend the group name with / to indicate a global group.

<principal>=owner

Set the owner attribute of the new object ACL definition to the specified principal. The principal must be a group.

<principal>=<val>

Add the specified principal to the new object ACL definition with access level <val>. <principal> is in the following form:

<scope>:<type>:<name>

A fully qualified principal name where <scope> is 'global' or 'local', type is 'group' or 'user' and <name> is the group or user name.

Valid access levels are: read, control, configure, and full.

--test_only

Do not replace the new object ACL definition but rather test if the operation can succeed.

--force

Skip prompting the user for verification.

Example:

group put_newobj_acl admin local:group:admin=owner local:group:admin=full

Put the new object ACL definition associated to the local group 'admin'.

Notes:

The owner of a new object ACL definition associated to a group must itself be a group.