Name
cas-group-remove-entry — Removing CAS objects from CAS groups
Synopsis
cas-group-remove-entry [common options] user groupName nickname
cas-group-remove-entry [common options] object groupName objectSpec objectSpecDesc
cas-group-remove-entry [common options] serviceAction groupName serviceTypeName actionName
Tool description
Use cas-group-remove-entry to remove users from a user group, objects from an object group, or service/actions from a service/action group. Note: to add or delete groups, see [fixme olink to other clients].
Removing User From A User Group
To remove a user from a user group, the user must have cas/remove_group_entry permission on that particular user group.
If the group member being removed does not exist, an error is not thrown.
casAdmin$ cas-group-remove-entry [common options] user groupName nickname
where:
- groupName - Indicates the user group name from which the member needs to be removed.
- nickname - Indicates the nickname of the user to be removed from this group.
Removing Member From An Object Group
To remove an object from an object group, the user must have cas/remove_group_entry permission on that particular object group.
If the group member being removed does not exist, an error is not thrown.
casAdmin$ cas-group-remove-entry [common options] object groupName objectSpec objectSpecDesc
where:
- groupName - Indicates the object group name from which the member needs to be removed.
- objectSpecDesc - Indicates the type of CasObject. Can be one of the following options:
  - trustAnchor
  - user
  - userGroup
  - object
  - namespace
  - serviceType
- objectSpec - Indicates the identifier for the CasObject the user is removing. Can be one of the following:
  - nickname if removing a trustAnchor or user
  - groupName if removing a userGroup
  - objectNamespace objectName if removing an object
  - nickname if removing a namespace
  - serviceTypeName if removing a serviceType
Removing A Service/Action From A Service/Action Group
To remove a service/action from a service/action group, the user must have cas/remove_group_entry permission on that particular service/action group.
If the action being removed does not exist, an error is not thrown.
casAdmin$ cas-group-remove-entry [common options] serviceAction groupName serviceTypeName actionName
where:
- groupName - Indicates the serviceAction group name from which the service/action needs to be removed.
- serviceTypeName - Indicates the service type name part of the mapping to be removed from the group.
- actionName - Indicates the action name part of the mapping to be removed from the group.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate <file>
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor <file>
Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime <value>
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.
- -m, --securityMech <type>
Specifies the authentication mechanism. The value type can be: msg for GSI Secure Message, or conv for GSI Secure Conversation.
- -p, --protection <type>
Specifies the protection level. type can be: sig for signature, or enc for encryption.
- -s cas-url
Sets the CAS Service instance, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.
The instance URL typically looks like http://Host:Port/wsrf/services/CASService, where Host and Port are the host and port where the container with the CAS service is running.
- -v
Prints the version number.
- -x, --proxyFilename <value>
Sets the proxy file to use as client credential.
- -z authorization
Specifies the type of authorization used, such as self or host.
If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.
Note: If the service being contacted is using GSI Secure Transport, then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
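An added example (not part of the Globus documentation): a POSIX shell helper that checks the objectSpecDesc value and the objectSpec token count for the object form described above, then prints a command line with every argument single-quoted so an asterisk reaches the client unexpanded. The function names, the sample values and the CAS_URL default are constructed for illustration, and single-quoting is used here in place of the backslash escape.

```shell
#!/bin/sh
# Added example: validate arguments for the "object" form of
# cas-group-remove-entry and print a copy-paste-safe command line.
# The CAS_URL default is a constructed placeholder, not a real service.
CAS_URL=${CAS_URL:-http://cas.example.org:8080/wsrf/services/CASService}

# Single-quote one argument so the shell passes it literally (covers "*").
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# usage: build_object_removal groupName objectSpecDesc objectSpec...
build_object_removal() {
    [ "$#" -ge 3 ] || { echo "usage: groupName objectSpecDesc objectSpec..." >&2; return 2; }
    group=$1
    desc=$2
    shift 2
    # Number of objectSpec tokens each objectSpecDesc requires.
    case $desc in
        trustAnchor|user|userGroup|namespace|serviceType) want=1 ;;
        object) want=2 ;;   # objectNamespace objectName
        *) echo "unknown objectSpecDesc: $desc" >&2; return 2 ;;
    esac
    [ "$#" -eq "$want" ] || { echo "$desc needs $want objectSpec token(s), got $#" >&2; return 2; }
    # Order follows the synopsis: object groupName objectSpec objectSpecDesc.
    # -m conv and -p enc select GSI Secure Conversation with encryption.
    line="cas-group-remove-entry -s $(shq "$CAS_URL") -m conv -p enc object $(shq "$group")"
    for tok in "$@"; do
        line="$line $(shq "$tok")"
    done
    printf '%s %s\n' "$line" "$(shq "$desc")"
}

# Constructed sample: remove an object whose name contains an asterisk.
build_object_removal dataGroup object 'ftp://data.example.org' '/pub/*'
```

Review the printed line before running it: because removing a nonexistent member raises no error, a mistyped member identifier will not be reported by the client.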