Name
cas-group-admin — Maintains user groups, object groups, or serviceAction groups
Synopsis
cas-group-admin [common options] [ user | object | serviceAction ] create userGpName groupName
cas-group-admin [common options] [ user | object | serviceAction ] delete groupName
Tool description
Use cas-group-admin to create or delete user groups, object groups, or serviceAction groups. Note: to add or delete entries to these groups, see [olink to other clients].
Adding user groups
To create a new user group the user must have cas/create_user_group permission (that is, the user must have permission to perform the create_user_group action on the cas service type). The user group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created user group. If the user group that is chosen to have cas/grantAll permission is the new group created, then the user making this request is added to the new group.
To add a user group:
casAdmin$ cas-group-admin [common options] user create userGpName groupName
where:
userGpName - Indicates the user group to which cas/grantAll permission should be granted on this trust anchor entity.
groupName - Indicates the name of the user group being created.
Deleting user groups
To delete a user group, the user must have cas/delete_user_group entry permission on that user group. The group must be empty and also must not be referenced from other entities in the database (for example, it should not be a member of some object group).
If the user group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that user group is purged.
casAdmin$ cas-group-admin [common options] user delete groupName
where:
groupName - Indicates the name of the user group to be deleted.
Creating An Object Group
To create a new object group, the user must have cas/create_object_group permission (that is, the user must have permission to perform the create_object_group action on the CAS service type). The object group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created object group.
casAdmin$ cas-group-admin [common options] object create userGpName groupName
where:
userGpName - Indicates the user group to which cas/grantAll permission should be granted on this object group.
groupName - Indicates the object group name.
Deleting An Object Group
To delete an object group, the user must have cas/delete_user_group entry permission on that object group. The group must be empty.
If the object group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that object group is purged.
casAdmin$ cas-group-admin [common options] object delete groupName
where:
groupName - The name of the object group to be deleted.
Creating A Service/Action Group
To create a new service/action group, the user must have cas/create_serviceAction_group permission (that is, the user must have permission to perform the create_serviceAction_group action on the CAS service type). The serviceAction group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created serviceAction group.
casAdmin$ cas-group-admin [common options] serviceAction create userGpName groupName
where:
userGpName - Indicates the user group to which cas/grantAll permission should be granted on this service/action group.
groupName - Indicates the name of the service/action group being created.
Deleting A Service/Action Group
To delete a service/action group, the user must have cas/delete_user_group entry permission on that service/action group. The group must be empty and also must not be referenced from any other entity in the database. For example, it should not be a member of some object group.
If the service/action group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that service/action group is purged.
casAdmin$ cas-group-admin [common options] serviceAction delete groupName
where:
groupName - Indicates the name of the service/action group to be deleted.
Options
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate <file>
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor <file>
Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime <value>
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.
- -m, --securityMech <type>
Specifies the authentication mechanism. The value type can be: msg for GSI Secure Message, or conv for GSI Secure Conversation.
- -p, --protection <type>
Specifies the protection level. type can be: sig for signature, or enc for encryption.
- -x, --proxyFilename <value>
Sets the proxy file to use as client credential.
- -s cas-url
Sets the CAS Service instance, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here. The instance URL typically looks like http://Host:Port/wsrf/services/CASService, where Host and Port are the host and port where the container with the CAS service is running.
- -z authorization
Specifies the type of authorization used, such as self or host. If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.
Note: If the service being contacted is using GSI Secure Transport, then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
- -v
Prints the version number.
Important: If you have an asterisk (*) in your command, you might need to escape it with a backslash (\).
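An added example, not part of the original Globus documentation: a POSIX shell wrapper that places the common options ahead of the group type, as in the synopsis, and shows a quoted asterisk reaching the client as a literal character. The function name cas_group, the CAS_DRY_RUN switch, the group names, and the host and port in the URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Globus documentation.
# Assumptions: cas_group, CAS_DRY_RUN, the group names, and the URL host/port.

# usage: cas_group <user|object|serviceAction> create <userGpName> <groupName> [common options]
#        cas_group <user|object|serviceAction> delete <groupName> [common options]
cas_group() {
    [ "$#" -ge 3 ] || { echo "cas_group: too few arguments" >&2; return 2; }
    _kind=$1; _action=$2; shift 2
    case $_kind in
        user|object|serviceAction) ;;
        *) echo "cas_group: unknown group type: $_kind" >&2; return 2 ;;
    esac
    case $_action in
        create)
            [ "$#" -ge 2 ] || { echo "cas_group: create needs userGpName groupName" >&2; return 2; }
            _grant=$1; _name=$2; shift 2
            # Common options first, then type, action and names, as in the synopsis.
            set -- "$@" "$_kind" create "$_grant" "$_name" ;;
        delete)
            _name=$1; shift
            set -- "$@" "$_kind" delete "$_name" ;;
        *) echo "cas_group: unknown action: $_action" >&2; return 2 ;;
    esac
    if [ "${CAS_DRY_RUN:-0}" = 1 ]; then
        # Print one bracketed word per argument so word boundaries are visible.
        printf 'cas-group-admin'
        for _a in "$@"; do printf ' [%s]' "$_a"; done
        printf '\n'
    else
        cas-group-admin "$@"
    fi
}

CAS_DRY_RUN=1   # dry run: the demo works without a CAS installation
CAS_URL=http://cas.example.org:8080/wsrf/services/CASService   # constructed host and port

# The new user group is granted cas/grantAll on itself, so the requesting
# user is added to it (the case described under "Adding user groups").
cas_group user create labAdmins labAdmins -s "$CAS_URL" -m conv -p enc
# Quote the asterisk so the shell passes it through instead of expanding it.
cas_group object create labAdmins 'run*' -s "$CAS_URL"
cas_group object delete 'run*' -s "$CAS_URL"
```

Unset CAS_DRY_RUN to run the real client; the wrapper only orders and validates arguments, so permission checks and the "group must be empty" rule are still enforced by the CAS service.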