opr-user Command-Line Interface
You can use the opr-user command-line interface (CLI) to manually manage users, groups, and roles. For more information on users, groups, and roles, see Users, Groups, and Roles.
Location
<OMi_HOME>/bin/opr-user[.bat|.sh]
Synopsis
opr-user -help | -version | -example |<CONNECTION_INFO> <userRelatedOptions>
Syntax for <CONNECTION_INFO>
-rc_file <file> &| -username <login name> [ -password <password> | -smartcard | -winCrypto | -jks <keystore path> -jksPassword <keystore password> ] [[-port <port>] [-server <gatewayserver>] [-ssl] | [-u <URL>]]
Note If <CONNECTION_INFO> is omitted, the command is executed on the server to which you are logged on.
| Option | Description |
|---|---|
{-rc_file | -rcf }<file>
|
Location of your credential store. Values for your username, password, java keystore location, and java keystore password can be defined here, enabling you to run commands without having to specify the values individually each time. Use the options -list_rc, -set_rc, and -delete_rc to work with the file. The default file is <OMi_HOME>/.opr-cli-rc. If this option is not specified, then commands automatically check the default file location for credentials. You must specify this option if your credential store file is in a non-default location. If this file does not exist or does not contain the correct settings, you must manually specify the credentials using the other command options. |
{-list_rc| -lrc} [-rc_file <file>]
|
Display the content of the file from which credentials are read. The file contains fields for java keystore, keystore password, username and password, and is encrypted by a hardcoded key. |
{-set_rc | -src} <key>=<value> [-rc_file <file>]
|
Configure one setting in the file from which credentials are read. Specify the setting and the new value by using a key=value pair. For example, -set_rc password=<password string>. |
{-delete_rc | -drc} <setting> [-rc_file <file> }
|
Delete setting from file from which credentials are read. Possible settings are username, password, jks, and jksPassword. |
{-username|-user} <login name>
|
Sets the login name of the user required to execute CLI operations on the target gateway server. |
{-password|-pw} <password>
|
Sets the password for the specified user. If using SSH on Cygwin, either enter the password in free text or use other communication methods, for example Java keystore, Windows keystore, or smart card authentication. Default value: empty string |
{-smartcard|-sc}
|
Use certificate stored on smart card or security token for authentication. When OMi is configured to use CAC authentication, the CLI tools under <OMi_HOME>/opr/bin/ do no directly prompt users to enter the password for the smartcard connected to the system. Instead, users must specify that a smartcard authentication is to be run, using the option -sc or -smartcard. Users attempting to run a tool without the -smartcard option automatically receive an error message. |
{-winCrypto|-wc}
|
If OMi is configured for TLS mutual authentication, this option specifies to use the Windows certificate store for authentication. The certificate store must hold exactly one client certificate, which OMi will use to authenticate the user. This option is only available on Windows systems. For details, see Configure Client Certificate or Smart Card Authentication. |
{-jks|-j} <keystore path>
|
If OMi is configured for TLS mutual authentication, this option can be used to specify the Java keystore to be used for authentication. The keystore must hold exactly one client certificate, which OMi will use to authenticate the user. Note It is not necessary that the client certificate contains the flag "Smart Card Logon (1.3.6.1.4.1.311.20.2.2)" in the "Enhanced Key Usage" field. For details, see Configure Client Certificate or Smart Card Authentication. |
{-jksPassword|-jp} <keystore password>
|
Password for accessing the Java keystore. |
{-port|-p} <port>
|
Uses port Default value of |
-server <GatewayServer>
|
Sets the target gateway server, using Default value of |
-ssl |
When this option is specified, the HTTPS protocol is used to connect to the target gateway server. If omitted, the HTTP protocol is used. Cannot be used in conjunction with the |
{-url|-u} <url> |
Sets the target gateway server, using Default value of |
Syntax for <userRelatedOptions>
-list_users | -add_user | -del_user | -modify_user | -list_time_zones | -list_user_groups | -add_user_group | -del_user_group | -modify_user_group | -list_user_roles | -add_user_role | -del_user_role | -modify_user_role | -list_auth_resources
| Option | Description |
|---|---|
|
|
Lists all users in the database. If If no <id> or <login> is specified, you can use the |
|
|
Adds a user to the database. If a user with the same login already exists, the command will fail. A default user group must be specified if other user groups will also be linked to the user. The The The The |
{-del_user|-dur}
{-id <id> | -by_login <login>}
|
Deletes a user from the database. |
|
[ [ [ [ [ [ [ [ [ [ [ [ [ [ |
Modifies a user in the database. If the user is not in the database, the command will fail. Login details cannot be changed. |
{-list_timezones|-ltz}
|
Lists the possible time zone values. Used when creating or modifying a user. |
|
|
Lists user groups in the database. If If no <id> or <name> is specified, you can use the |
|
|
Adds a user group to the database. If a user group with the same name already exists, the command will fail. LDAP groups can only be specified in conjunction with user groups. To specify LDAP groups, use - |
{-del_user_group|-dug} {-id<id> | -by_name <name>} |
Deletes a user group from the database. |
{-modify_user_group|-mug} {-id <id> | -by_name <name>}
[ [ [ [ [
[ [ [ [ [ [ [ [ [ [ [ |
Modifies a user group in the database. If the specified user group does not exist, the command will fail. |
|
|
Lists user roles. If If no <id> or <name> is specified, you can use the |
|
|
Adds a role to the database. If a role with the same name already exists, the command will fail. |
{-del_user_role|-dug} {-id<id> | -by_name <name>} |
Deletes a user role. |
{-modify_user_role|-mur}
[ -
|
Modifies a role in the database. If the role is not in the database, the command will fail. |
{-list_auth_resources|-lar}
|
Lists the available authorization resource keys with their appropriate set of operations. A resourceKey plus an operation makes up the permission section needed to create a user role. A resource key can have child resource keys. Some resources, like views or event categories, are dynamic and are only available if the authorized objects are also available. |
Alphabetical List of Commands and Short Forms
| Option | Description |
|---|---|
|
|
Add child user groups |
|
|
Add LDAP group |
{-add_permission | -ap}
|
Add permission |
|
|
Add parent user groups |
{-auth_resource <resourceKey> | -ar}
|
Authorizable resource |
|
|
Add user |
|
|
Add user group |
{-add_user_groups |-augs} |
Add multiple user groups |
{-add_user_role|-aur}
|
Add user role |
|
|
Add multiple user roles |
|
|
Add users |
{-by_login <login>|-bl}
|
Login name of user |
{-by_name <name>|-bn}
|
Name of entity |
{-child_user_group_id <commaSeparatedIdList>|-cugid}
|
Child user group ID |
{-child_user_group_name <commaSeparatedNameList>|-cugn}
|
Child group name |
{-del_child_user_groups |-dcugs}
|
Delete child user groups |
{-description <description>|-desc}
|
Description of entity |
{-del_ldap_group|-dldapg}
|
Delete LDAP group |
{-del_permission|-dp}
|
Delete permission |
{-del_parent_user_groups|-dpugs}
|
Delete parent user groups |
{-del_user|-du}
|
Delete user |
{-del_user_group|-dug}
|
Delete user group |
{-del_user_groups|-dugs}
|
Delete user groups |
{-del_user_role|-dur}
|
Delete user role |
{-del_user_roles|-durs}
|
Delete user roles |
{-del_users|-dus}
|
Delete users |
{-email <emailAddress>|-e}
|
|
{-event_assignment <defaultIsTrue>|-ea}
|
Event assignment |
{-event_assignment_user_group|-eaug}
|
Event assignment user group |
{-event_assignment_user_group_id <eventAssignmentUserGroupId>|-eaugid}
|
Event assignment user group ID |
{-examples|-ex}
|
Show examples |
{-help|-h}
|
Print this message and exit |
{-inactive <defaultIsFalse>|-ia}
|
Inactive |
-id <id>
|
ID of entity |
{-jks <arg>|-j}
|
Use a java key store for authentication |
{-jksPassword <arg>|-jp}
|
Password for accessing java key store |
{-login <loginName>|-l}
|
Login |
{-list_auth_resources|-lar}
|
List authorizable resources |
{-ldap_auto_assignment <defaultIsTrue>|-ldapaa}
|
LDAP auto assignment |
{-ldap_domain <ldap_group_name>|-ldapd}
|
LDAP domain |
{-ldap_id <ldapGroupID>|-ldapid}
|
LDAP ID |
{-ldap_name <ldap_group_name>|-ldapn}
|
LDAP name |
{-ldap_server <ldap_server>|-ldaps}
|
LDAP server |
{-ldap_user <defaultIsFalse>|-ldapu}
|
LDAP user |
{-list_timezones|-ltz}
|
List time zones |
{-list_users|-lu}
|
List users |
{-list_user_groups|-lug}
|
List user groups |
{-list_user_roles|-lur}
|
List user roles |
{-modify_ldap_group|-mldapg}
|
Modify LDAP group |
{-modify_user|-mu}
|
Modify user |
{-modify_user_group|-mug}
|
Modify user group |
{-modify_user_role|-mur}
|
Modify user role |
{-name <name>|-n}
|
Name of entity |
{-operation <operationKey>|-op}
|
Operation |
{-port <port>|-p}
|
Set the port number. Default is 80 for HTTP and 443 for HTTPS. This option cannot be specified in conjunction with the option URL. |
{-parent_user_group_id <commaSeparatedIdList>|-pugid}
|
Parent user group ID |
{-parent_user_group_name <commaSeparatedNameList>|-pugn}
|
Parent group name |
{-password <password>|-pw}
|
Password for the specified user |
{-super_admin <defaultIsFalse>|-sa}
|
Super admin |
{-smartcard|-sc}
|
Use authentication stored on smart card or security token for authentication. |
{-show_details|-sd}
|
Show entity details |
-server <gatewayserver>
|
Set target gateway server. The value can be a hostname or IP address of a gateway server. This option cannot be specified in conjunction with the option URL. |
-ssl
|
Set the protocol for HTTPS. Default is to use HTTP. This option cannot be specified in conjunction with the option URL. |
{-time_zone <timeZone>|-tz}
|
Timezone |
{-url <URL>|-u}
|
URL of the gateway server. This option cannot be specified in conjunction with the options ssl, server, or port. |
{-user_group_ID <commaSeparatedIDList>|-ugid}
|
User group ID |
{-user_group_name <commaSeparatedNameList>|-ugn}
|
User group name |
{-user_ID <commaSeparatedIDList>|-uid}
|
User ID |
{-user_login <commaSeparatedLoginList>|-ul}
|
User login |
{-user_password <password>|-upw}
|
User password |
{-user_role_id <commaSeparatedIdList>|-urid}
|
User role ID |
{-user_role_name <commaSeparatedNameList>|-urid}
|
User role name |
{-username <login name>|-user}
|
Login name of the user required for authentication |
{-verbose|-v}
|
Print verbose output. |
-version
|
Print the version information and exit. |
{-winCrypto|-wc}
|
Use windows certificate store for authentication. This option is only available on Windows systems. |
Exit Status
|
Exit Status |
Description |
Output |
|---|---|---|
0
|
Successful completion of the requested operation |
No output. |
1
|
Failure of the requested operation |
An error message stating why the operation failed, followed by the tool's help text. |
300‑399
|
HTTP Redirection (300-399) |
An error message stating the HTTP error number and description. For more information about HTTP error status values, see publicly available HTTP documentation. |
400‑499
|
HTTP Client Error (400-499) |
|
500‑599
|
HTTP Internal Server Error (500-599) |
Restrictions
-
Permissions. The user running the opr-user command-line interface must be an OMi user with super-administrative rights.
Examples
This section shows a number of examples you can use as a starting point for developing your own opr-user commands.
-
List current user groups with details:
opr-user -username user -password passwd -list_user_groups -show_details -
For each permission you want to assign to a role, select the resource key and the operation key from the output. For example, to assign permissions to the RTSM view "All My Windows Servers", identify the following keys:
From the list of authorization resources:
ResourceKey = rtsm-view.All My Windows ServersOperationKey = view -
Create a role and configure the permissions identified in the previous step:
opr-user -user username -pw password -add_user_role -name "Role with RTSM view CLI Tool" -description "Role with RTSM view CLI Tool" -add_permission -auth_resource "rtsm-view.All My Windows Servers" -operation viewTip Get the role ID from the output for later use, for example:
UserRoleId = 8df36ec5-3829-41b7-a1b7-a86f-c31a3429d8 -
Create a user group and assign a role to the group. In this example, grant permissions to all LDAP users:
Example: Grant permissions to all LDAP users
-
Prerequisite. LDAP mapping settings must be configured with “Automatically create LDAP users” and “Add new users to groups”.
-
Enter the following command:
opr-user -username user -password passwd -add_user_group -name "Group Name" -ldap_auto_assignment true -add_user_roles -user_role_id 8df36ec5-3829-41b7-a1b7-a86f-c31a3429d8
Example: Grant permissions to users that are members of specific LDAP groups
-
Prerequisite. LDAP mapping settings must be configured with “Synchronize LDAP groups with OMi groups”.
-
List all available LDAP groups using the User Management Web Services.
Example:
GET - https://server:port/opr-web/admin/rest/10.01/ldap_group_listIdentify the LDAP groups in the output to which you want to assign to the role.
-
Enter the following command:
opr-user -user myUser -pw myPassword -add_user_group -name "Group Name" -description "Group with LDAP mapping and Role for mapped LDAP users" -ldap_auto_assignment false -add_user_roles -user_role_id 8df36ec5-3829-41b7-a1b7-a86f-c31a3429d8 -add_ldap_group -ldap_name "EMEA Operators" -ldap_domain emea -ldap_server YourLDAPServer
-