Name

nnmsecurity.sh — NNMi Security Management

SYNOPSIS

nnmsecurity.sh -help

nnmsecurity.sh -assignNodeToSecurityGroup ((-node <name or hostname or management address or uuid> -securityGroup <name or uuid>) | -file <name>) | -assignNodeToTenant ((-node <name or hostname or management address or uuid> -tenant <name or uuid>) | -file <name>) | -assignSecurityGroupToTenant (-tenant <name or uuid> -securityGroup <name or uuid>) | -assignUserGroupToSecurityGroup ((-userGroup <name> -securityGroup <name or uuid> -role <role>) | -file <name>) | -assignUserToGroup ((-user <name> -userGroup <name>) | -file <name>) [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

nnmsecurity.sh -createSecurityGroup ((<name> [-securityGroupUuid <uuid>] [-description <description>]) | -file <name>) | -createTenant (<name> [-tenantUuid <uuid>] [-securityGroupUuid <uuid>] [-description <description>]) | -createUserAccount ((<username> -role <role> [-password <password>] [-directoryServiceAccount <true|false>]) | -file <name>) | -createUserGroup ((<name> [-displayName <user friendly group name>] [-description <description>] [-directoryServiceName <dn>]) | -file <name>) [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

nnmsecurity.sh -deleteSecurityGroup (<groupName or uuid> | -file <name>) | -deleteUserAccount (<name> | -file <name>) | -deleteUserGroup <name> [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

nnmsecurity.sh -displayConfigReport [<report>[, <report>]] [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

nnmsecurity.sh -listNode <nodeName> | -listNodesInSecurityGroup <groupName or uuid> | -listSecurityGroupForTenant <uuid> | -listSecurityGroups | -listTenants | -listUserGroupMembers <groupName> | -listUserGroups <user> | -listUserGroupsForSecurityGroup <groupName or uuid> [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

nnmsecurity.sh -removeUserFromGroup ((-user <name> -userGroup <name>) | -file <name>) | -deleteUserGroup (<name> | -file <name>) | -removeUserGroupFromSecurityGroup ((-userGroup <groupName> -securityGroup <groupName or uuid> [-role <role>]) | -file <file>) | -updateUserGroup ((<name> [-displayName <user friendly group name>] [-description <description>] [-directoryServiceName <dn>]) | -file <name>) [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

nnmsecurity.sh -reloadAuthConfig [-u <username> -p <password>] [-jndiHost <hostname> Default: localhost] [-jndiPort <port> Default: 1099]

DESCRIPTION

nnmsecurity.sh is used to manage NNMi security configuration. It provides commands to create, update, and remove security objects such as user accounts, user groups, and security groups as well as to configure the relationships among these objects. This command replaces the deprecated nnmprincipalconfig.sh command.

Parameters

nnmsecurity.sh supports the following commands:

-assignNodeToSecurityGroup (-node <name or hostname or management address or uuid> -securityGroup <name or uuid>) | -file <name>

Assigns nodes to security groups using either command line arguments or an input file.

-node

Identifies a node by name, hostname, management address, or UUID.

-securityGroup

Identifies a security group by name or UUID.

-file

Path to a CSV-formatted file containing a list of node-to-security-group assignments with the format: securitygroup, node

-help

Prints the usage statement.

-assignNodeToTenant (-node <name or hostname or management address or uuid> -tenant <name or uuid>) | -file <name>

Assigns a node to a tenant using either command line arguments or an input file. The node-to-tenant assignment must be done on an NNMi management server that directly manages both objects. Global node-to-tenant assignments are unsupported.

-node

Identifies a node by name, hostname, management address, or UUID.

-tenant

Identifies a tenant by name or UUID.

-file

Path to a CSV-formatted file containing a list of node-to-tenant assignments with the format: node,tenant

-assignSecurityGroupToTenant -tenant <name or uuid> -securityGroup <name or uuid>

Changes the default security group for a tenant. The default security group for a tenant is used to specify which security group to use when new nodes are seeded for the tenant. Changing this value does not affect existing nodes.

-tenant

The name or UUID of the tenant to modify.

-securityGroup

The name or UUID of the security group to set as the default for the tenant.

-assignUserGroupToSecurityGroup (-userGroup <name> -securityGroup <name or uuid> -role <role>) | -file <name>

Assigns user groups to security groups. A user group is assigned to a security group to give the users in that group access to the nodes in the security group. Each assignment carries a role, which controls which actions the users can perform on those nodes.

-userGroup

Identifies the user group to assign by name.

-securityGroup

Identifies by name or UUID the security group to receive the user group.

-role

Identifies the role to use in the assignment by key. Available roles are: admin, level2, level1, guest

-file

Path to a CSV-formatted file containing lists of assignments with the format: userGroup, securityGroup, role

-assignUserToGroup (-user <name> -userGroup <name>) | -file <name>

Assigns users to user groups. Users are assigned to groups, and groups are then given access to objects. A user can belong to multiple groups and has access to all objects reachable through any of them. The default groups admin, client, level2, level1, and guest also grant their members the NNMi role of the same name.

-user

Identifies the user to assign by name.

-userGroup

Identifies the user group to assign by name.

-file

Path to a CSV-formatted file containing lists of assignments with the format: user, userGroup

-createSecurityGroup (<name> [-securityGroupUuid <uuid>] [-description <description>]) | -file <name>

Creates a new security group. Security groups collect similar topology objects to simplify the security configuration. Each security group consists of a name, a UUID, and a description.

-securityGroupUuid

Optional UUID for the new security group. If this parameter is not supplied, NNMi generates the value.

-description

Optional description for the new security group.

-file

Path to a CSV-formatted file containing lists of security groups with the format: name, uuid, description

-createTenant <name> [-tenantUuid <uuid>] [-securityGroupUuid <uuid>] [-description <description>]

Creates a new tenant along with a matching security group of the same name.

-tenantUuid

Optional UUID for the new tenant. If this parameter is not supplied, NNMi generates the value.

-securityGroupUuid

Optional UUID for the new security group. If this parameter is not supplied, NNMi generates the value.

-description

Optional description for the new tenant.

-createUserAccount (<username> -role <role> [-password <password>] [-directoryServiceAccount <true|false>]) | -file <name>

Creates a new user account.

-role

Internal accounts require that a role be specified. NNMi automatically assigns the new user to the matching user group. External accounts do not require a role because the directory service might supply the roles.

-password

The password for the new user. Only used for internal accounts.

-directoryServiceAccount

Specifies whether an external directory service manages this user account. Use false for an account that is stored internally in the NNMi database. Use true for an external account that is stored in a directory service. The default value is false.

-file

Path to a CSV-formatted file containing lists of user accounts with the format: username, password, role, directoryServiceAccount
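Added example, not part of the NNMi reference page: a POSIX sh pre-check for the two input file formats described under -assignUserGroupToSecurityGroup (userGroup, securityGroup, role) and -createUserAccount (username, password, role, directoryServiceAccount), applying the role keys and the internal/external account rules stated there. Skipping blank and "#" lines, trimming spaces around commas, and the sample data are assumptions made here, not documented nnmsecurity.sh behaviour.

```shell
#!/bin/sh
# Added example, not from the NNMi reference page: pre-check the CSV files fed to
# "-assignUserGroupToSecurityGroup -file" (userGroup, securityGroup, role) and
# "-createUserAccount -file" (username, password, role, directoryServiceAccount)
# against the rules in the parameter descriptions above. Assumed, not stated on
# the page: blank/"#" lines are skipped, spaces around commas are trimmed, and
# values never contain commas.
ROLES="admin level2 level1 guest"   # role keys listed under -role
is_role() { case " $ROLES " in *" $1 "*) return 0 ;; esac; return 1; }
# One userGroup, securityGroup, role line: both names present, role key valid.
assign_ok() { [ -n "$1" ] && [ -n "$2" ] && is_role "$3"; }
# One username, password, role, directoryServiceAccount line. Internal accounts
# (false, the default) must carry a role; external accounts (true) get roles
# from the directory service and should not carry a password in the file.
account_ok() {
    [ -n "$1" ] || return 1
    case "$4" in
        false|'') is_role "$3" ;;
        true)     [ -z "$2" ] ;;
        *)        return 1 ;;
    esac
}
# check_csv <file> <field-count> <line-validator>: 0 only if every data line
# has the expected number of fields and passes the validator.
check_csv() {
    file=$1; want=$2; fn=$3; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        clean=$(printf '%s' "$line" | sed 's/[[:space:]]*,[[:space:]]*/,/g;s/^[[:space:]]*//;s/[[:space:]]*$//')
        nf=$(printf '%s,' "$clean" | awk -F, '{print NF - 1}')
        set -f; oldifs=$IFS; IFS=,; set -- $clean; IFS=$oldifs; set +f
        if [ "$nf" -ne "$want" ] || ! "$fn" "$@"; then
            echo "$file:$n: rejected: $clean" >&2; bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}
# Constructed sample files (not real NNMi data).
tmp=$(mktemp -d)
printf '%s\n' '# userGroup, securityGroup, role' 'netops, Core Routers, level2' \
    'helpdesk, Core Routers, guest' > "$tmp/assign_good.csv"
printf '%s\n' 'netops, Core Routers, root' 'helpdesk, Core Routers' > "$tmp/assign_bad.csv"
printf '%s\n' 'alice, , level1, true' 'bob, s3cret, level2, false' > "$tmp/acct_good.csv"
printf '%s\n' 'carol, s3cret, , false' 'dave, s3cret, guest, true' > "$tmp/acct_bad.csv"
# Only hand a file to nnmsecurity.sh once it passes the check.
if check_csv "$tmp/assign_good.csv" 3 assign_ok && [ -x "${NMS_BIN:-/nonexistent}/nnmsecurity.sh" ]; then
    "$NMS_BIN/nnmsecurity.sh" -assignUserGroupToSecurityGroup -file "$tmp/assign_good.csv"
fi
```

Rejected lines are reported on stderr with the file name and line number, so a bulk load can be corrected before any object is created.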

-createUserGroup (<name> [-displayName <user friendly group name>] [-description <description>] [-directoryServiceName <dn>]) | -file <name>

Creates a new user group.

-displayName

Optional friendly name for the user group.

-description

Optional description of the new group.

-directoryServiceName

Optional for directory service users. Use this option to pair a directory service distinguished name with this user group.

-file

Path to a CSV-formatted file containing lists of user groups with the format: name, displayName, description, directoryServiceName

-deleteSecurityGroup <groupName or uuid> | -file <name>

Removes a security group by name or UUID. The security group must not have any nodes or tenants assigned to it.

-file

Path to a CSV-formatted file containing lists of security groups with the format: name, uuid, description. This format is the same as for createSecurityGroup; however, only the name (or the UUID, if present) is used.

-deleteUserAccount <name> | -file <name>

Removes a user account by name.

-file

Path to a CSV-formatted file containing lists of user accounts with the format: username, role, password, directoryServiceAccount. This format is the same as for createUserAccount; however, only the username is used to match the accounts to remove.

-deleteUserGroup <name>

Removes a user group by name.

-displayConfigReport [<report>[, <report>]]

Displays security configuration reports. Available reports are: unusualRoleCombinations, emptySecurityGroups, emptyUserGroups, securityGroupsWithSameName, usersWithoutGroups, tenantsWithSameName, usersWithoutRoles

If no reports are specified, all available reports are run.

-listNode <node name>

Displays the UUIDs of the security group and tenant associated with the specified node. The node can be specified as name, hostname, or UUID. The output lists node UUID and name; security group UUID and name; and tenant UUID and name on separate lines.

-listNodesInSecurityGroup <groupName or uuid>

Lists nodes in a security group by security group name or UUID.

-listSecurityGroupForTenant <uuid>

Displays the configured default security group for the specified tenant.

-listSecurityGroups

Lists the names of all configured security groups.

-listTenants

Lists the names of all configured tenants.

-listUserGroupMembers <groupName>

Lists users in the specified user group.

-listUserGroups <user>

Lists all configured user groups.

-listUserGroupsForSecurityGroup <groupName or uuid>

Lists user groups associated with the specified security group.

-removeUserFromGroup (-user <name> -userGroup <name>) | -file <filename>

Removes mappings between user accounts and user groups.

-user

The username of the user account to modify.

-userGroup

The name of the user group to unmap from the specified user account.

-file

Path to a CSV-formatted file containing lists of user to user group mappings with the format: user, userGroup

-deleteUserGroup <name> | -file <name>

Removes user groups by name. Mappings between the user group and user accounts and security groups are also removed.

-file

Path to a CSV-formatted file containing lists of user groups with the format: usergroup, description. This format is the same as for createUserGroup; however, only the name is used to match the groups to remove.

-removeUserGroupFromSecurityGroup (-userGroup <groupName> -securityGroup <groupName or uuid> [-role <role>]) | -file <name>

Removes mappings between user groups and security groups.

-userGroup

The name of the user group.

-securityGroup

The name or UUID of the security group.

-role

An optional role. If no role is specified, mappings for all roles are removed.

-file

Path to a CSV-formatted file containing lists of user group to security group mappings with the format: userGroup, securityGroup, role

-updateUserGroup (<name> [-displayName <user friendly group name>] [-description <description>] [-directoryServiceName <dn>]) | -file <name>

Updates a user group. All user group attributes except name can be updated.

-displayName

Optional friendly name for the user group.

-description

Optional description of the group.

-directoryServiceName

Optional for directory service users. Use this option to pair a directory service distinguished name with this user group.

-file

Path to a CSV-formatted file containing lists of user groups with the format: name, displayName, description, directoryServiceName

-reloadAuthConfig

Reloads the contents of the nms-auth-config.xml file.

-u <username>

Supply the NNMi administrator username to run the script.

-p <password>

Supply the NNMi administrator password to run the script.

-jndiHost <hostname>

The JNDI host of the NNMi server; default is localhost.

-jndiPort <port>

The JNDI port of the NNMi server; default is 1099.

EXAMPLES

nnmsecurity.sh -createTenant myTenant

Creates a tenant named myTenant.

nnmsecurity.sh -listTenants

Lists all configured tenants.

nnmsecurity.sh -createTenant "Tenant with a space"

nnmsecurity.sh -createTenant \!Tenant

Depending on the shell you use, you can use quotation marks around the tenant name to create a tenant with spaces in the name, or you can use the escape character to create a tenant with a special character in its name.

nnmsecurity.sh -createSecurityGroup mySecurityGroup

Creates the security group mySecurityGroup.

nnmsecurity.sh -createSecurityGroup "Group with a space"

nnmsecurity.sh -createSecurityGroup \!MyGroup

Depending on the shell you use, you can use quotation marks around the security group name to create a security group with spaces in the name, or you can use the escape character to create a security group with a special character in its name.

nnmsecurity.sh -listSecurityGroups

Lists all configured security groups.

nnmsecurity.sh -listNode myNode

Lists the associated security group and tenant for the supplied node.

DIAGNOSTICS

nnmsecurity.sh returns the following exit codes:

0

Operation was successful.

1

An error occurred; see error message for details.

AUTHOR

nnmsecurity.sh was developed by Hewlett Packard Enterprise.

FILES

$NMS_BIN/nnmsecurity.sh

SEE ALSO

None
