aaa utility

The aaa utility grants and revokes permissions for operations that use the OGFS. For example, the aaa utility grants permission for the readServerFilesystem operation, allowing you to browse a server’s file system in the SA Client. To run the aaa utility, you must belong to the Administrators user group.

The permissions granted and revoked by the aaa utility are stored in the /opsw/Permissions directory of the OGFS. For details on the contents of the directory, see /opsw/Permissions directory.

aaa syntax

The aaa utility has the following syntax:

aaa shell-perm (grant | revoke) -o operation [-u user-group]
    [-f facility | -c customer | -g device-group [-s | -l login]]

The following table describes the command options. The Global Shell operations (permissions) table lists the operations that can be granted or revoked by the aaa utility.

AAA Options

-o operation
    The operation on which to grant or revoke the permission. For a list of allowed values, see the Operation column in Global Shell operations.

-u user-group
    The SA user group that is assigned the permission. This value is inferred from the current working directory if it corresponds to a user group. If it cannot be inferred, specify a user group.

-f facility
    The name, ID, or path to a facility, such as:
        /opsw/Facility/Chicago
    Permission will be granted to all servers in this facility.

-c customer
    The name, ID, or path to a customer, such as:
        /opsw/Customer/Alpha
    Permission will be granted to all servers that belong to this customer.

-g device-group
    The name, ID, or path to a public device group, such as:
        /opsw/Group/Public/Unix Servers
    Permission will be granted to all servers that belong to this group. To specify the device group by name, omit the following:
        /opsw/Group/

-l login
    A login account on the servers that are specified by the -f, -c, or -g option. On a UNIX server, for example, the login is the UNIX user name. Login accounts with multi-byte characters are not supported.

-s
    The login account on the servers (specified by -f, -c, or -g) is the same as the SA user name. (Use of -s is also referred to as defining a reflexive permission.)

aaa usage rules

The following usage rules and recommendations apply to the aaa utility:

  • For operations that are performed on a server, one of the -f, -c, or -g options is required.
  • As a best practice, when you are granting permissions, use care when you select servers so that you do not capture more servers than you intend. This is particularly important when using the -c or -f option. For example, if you want to grant permission to the loginToServer operation for all servers in the Chicago facility as root, you could use the -f option to select all servers in a particular facility. However, this may also select Windows servers, which is probably not desired since the root user does not typically exist on Windows servers. In this case, you should define a public device group that only includes servers in the Chicago facility which are running a UNIX operating system.
  • If you specify the -f, -c, or -g option, you must also specify either the -s or -l option. The choice between -s and -l depends on the policies of your organization. If users log into managed servers with generic user names (such as root), specify the -l option. If users log into managed servers with individual user names that are the same as their SA user names, specify the -s option.
  • The -f and -c options are provided as a convenience; however, in general, it is recommended that you define permissions based on device groups instead.
  • The revoke command can only remove a permission that was previously granted. If the permission was not previously granted, the revoke command has no effect.
  • The revoke command only removes a permission for a specific user group. If a user has overlapping permissions, revoking permissions from a single user group will not prevent the user from performing that operation. For example, suppose a user belongs to two user groups that both have the launchGlobalShell permission. If this permission is revoked from only one of those user groups, the user still has the launchGlobalShell permission.
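The following pre-flight check applies these usage rules to an argument list before the real aaa command is run. It is an added example, not part of SA or its documentation; it assumes the three server-scoped operations named on this page (extend AAA_SERVER_OPS from the Global Shell operations table) and treats a revoke without -s or -l as intentional, since such a revoke applies to any login.

```shell
# Pre-flight check for "aaa shell-perm" arguments: a constructed example, not part of SA.
# Applies the usage rules above and returns 0 if the invocation is consistent, else 1
# with the reason on stderr. Assumed server-scoped operations: the three on this page.
AAA_SERVER_OPS="loginToServer readServerFilesystem runCommandOnServer"

aaa_shell_perm_check() {
    [ "$1" = "shell-perm" ] && shift            # accept the leading subcommand
    case "$1" in
        grant|revoke) a_action=$1; shift ;;
        *) echo "aaa-check: expected grant or revoke" >&2; return 1 ;;
    esac
    a_op=""; a_scope=""; a_nscope=0; a_login=""; a_reflexive=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -s) a_reflexive=1; shift; continue ;;
            -o|-u|-f|-c|-g|-l) [ $# -ge 2 ] ||
                { echo "aaa-check: $1 needs a value" >&2; return 1; } ;;
            *) echo "aaa-check: unknown option '$1'" >&2; return 1 ;;
        esac
        case "$1" in
            -o) a_op=$2 ;;
            -f|-c|-g) a_scope=$1; a_nscope=$((a_nscope + 1)) ;;
            -l) a_login=$2 ;;
        esac                  # -u names the user group; inferred from cwd when omitted
        shift 2
    done
    [ -n "$a_op" ] || { echo "aaa-check: -o operation is required" >&2; return 1; }
    # The syntax allows only one server selector.
    [ "$a_nscope" -le 1 ] || { echo "aaa-check: use only one of -f, -c, -g" >&2; return 1; }
    # Server-scoped operations need a selector; launchGlobalShell does not.
    case " $AAA_SERVER_OPS " in
        *" $a_op "*) [ "$a_nscope" -eq 1 ] ||
            { echo "aaa-check: $a_op needs one of -f, -c, -g" >&2; return 1; } ;;
    esac
    [ "$a_reflexive" -eq 0 ] || [ -z "$a_login" ] ||
        { echo "aaa-check: -s and -l are alternatives, not both" >&2; return 1; }
    # A grant with a selector must name the login (-l) or be reflexive (-s); a
    # revoke without either deliberately removes the permission for any login.
    if [ "$a_action" = grant ] && [ -n "$a_scope" ] &&
       [ "$a_reflexive" -eq 0 ] && [ -z "$a_login" ]; then
        echo "aaa-check: grant with -f/-c/-g requires -s or -l" >&2; return 1
    fi
    [ -z "$(printf '%s' "$a_login" | LC_ALL=C tr -d '\040-\176')" ] ||
        { echo "aaa-check: login must be plain ASCII (multi-byte unsupported)" >&2; return 1; }
    case "$a_scope" in   # -f/-c can capture unintended servers, e.g. Windows hosts as root
        -f|-c) echo "aaa-check: warning: prefer a public device group (-g) over $a_scope" >&2 ;;
    esac
    return 0
}
```

Run it with the same arguments you intend to pass to aaa, for example `aaa_shell_perm_check grant -o loginToServer -u 'Unix Admin' -g 'Public/Trading Servers' -l root && aaa shell-perm grant -o loginToServer -u 'Unix Admin' -g 'Public/Trading Servers' -l root`.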

aaa examples

The following example gives all members of the Advanced Users group permission to open a Global Shell session:

aaa shell-perm grant -o launchGlobalShell \
-u 'Advanced Users'

The following command allows members of the Advanced Users group to view, as root, the file systems of all UNIX servers:

aaa shell-perm grant -o readServerFilesystem \
-u 'Advanced Users' -g 'Public/All Unix Servers' -l root

The next example gives all members of the Unix Admin user group permission to log in as root to all servers in the Public/Trading Servers device group:

aaa shell-perm grant -o loginToServer -u 'Unix Admin' \
-g 'Public/Trading Servers' -l root

The following example allows the Advanced Users group to run commands as root on servers associated with the Acme Inc customer:

aaa shell-perm grant -o runCommandOnServer \
-u 'Advanced Users' -c 'Acme Inc' -l root

The next example removes the permission for the Unix Admin user group to log into servers that belong to the device group named Public/Unix Servers. The command applies to any login, because the -l option is not specified.

aaa shell-perm revoke -o loginToServer -u 'Unix Admin' \
-g 'Public/Unix Servers'

The following example allows the Oracle Administrators group to log into servers that belong to the device group Oracle Servers as the login oracle. For instance, if the SA user joe belongs to the Oracle Administrators group, he can log into the servers as the server user oracle.

aaa shell-perm grant -u 'Oracle Administrators' \
-o loginToServer -g '/opsw/Group/Public/Oracle Servers' \
-l oracle

Instead of the -l option, the next example uses the -s option, which allows the Oracle Administrators group to log into servers that belong to the device group Oracle Servers as the login that matches the SA user name. For instance, if the SA user joe belongs to the Oracle Administrators group, he can log into the servers as the server user joe.

aaa shell-perm grant -u 'Oracle Administrators' \
-o loginToServer -g '/opsw/Group/Public/Oracle Servers' -s