Thursday, October 20, 2011

Managing Groups with vicfg-user

You can efficiently manage some user attributes by creating groups. A group is a set of users that you manage through a common set of permissions.
A user can be a member of more than one group. When you assign permissions to a group, all users in the group inherit those permissions. Using groups can reduce the time it takes to set up your permissions model.
The group list in an ESX/ESXi host is drawn from a table that is maintained by the host. You can change the group list by using the vSphere Client or vCLI.
- Use the Users and Groups tab in the vSphere Client when the vSphere Client is connected directly to the host.
- Use the vicfg-user vCLI command.

Before you can add users to a group, you must create the group by using the vicfg-user add operation, as in the following examples.
- Add group40 to the existing groups, with an explicit group ID of 55. If you do not specify a group ID (-D), the system assigns one for the group.
vicfg-user <conn_options> -e group -o add -d group40 -D 55

C:\>vicfg-user.pl --server esx1 --username root -e group -o add -d group40 -D 55
Enter password:
Created group group40 successfully.

C:\>vicfg-user.pl --server esx2 --username root -e group -o add -d group40 -D 55
Enter password:
Created group group40 successfully.

C:\>vicfg-user.pl --server esx1 --username root -e group -o list -d group40
Enter password:

Group Information:
Principal -: group40
Full Name -:
GID       -: 55

------------------

C:\>vicfg-user.pl --server esx2 --username root -e group -o list -d group40
Enter password:

Group Information:
Principal -: group40
Full Name -:
GID       -: 55

------------------


- Create a group that is assigned the predefined read-only role, so that you can later grant read-only access to multiple users by adding them to the group.
vicfg-user <conn_options> --entity group --operation add --group group42 --groupid 4242 --role read-only

C:\>vicfg-user.pl --server esx1 --username root --entity group --operation add --group group42 --groupid 4242 --role read-only
Enter password:
Created group group42 successfully.
Assigned the role read-only

C:\>vicfg-user.pl --server esx2 --username root --entity group --operation add --group group42 --groupid 4242 --role read-only
Enter password:
Created group group42 successfully.
Assigned the role read-only

C:\>vicfg-user.pl --server esx1 --username root -e group -o list -d group42
Enter password:

Group Information:
Principal -: group42
Full Name -:
GID       -: 4242

------------------

C:\>vicfg-user.pl --server esx2 --username root -e group -o list -d group42
Enter password:

Group Information:
Principal -: group42
Full Name -:
GID       -: 4242

------------------

You can then add and remove users from the group, as in the following example scenario.
To add and remove users from groups
1 Add the user with user name test to group42.
vicfg-user <conn_options> -e group -o modify -d group42 --adduser test

C:\>vicfg-user.pl --server esx1 --username root -e group -o modify -d group42 --adduser test
Enter password:
Error: Specified user or group does not exist.

You must specify the user name to add a user to a group; a user ID is not accepted. The user must also already exist on the host. Because group42 was listed on esx1 just above, the error in the run above means that no user named test existed on that host at the time (create one first with the user entity, for example vicfg-user <conn_options> -e user -o add -l test).
2 Add users with user names u1, u2, and u3 to group42, which has the read-only role.
vicfg-user <conn_options> -e group -o modify -d group42 --adduser u1,u2,u3

3 Remove the user with user name u3 from the group.
vicfg-user <conn_options> -e group -o modify -d group42 --removeuser u3

4 Remove the group with group name group42.
vicfg-user <conn_options> -e group -o delete -d group42

C:\>vicfg-user.pl --server esx1 --username root -e group -o delete -d test
Enter password:
Deleted test successfully.

C:\>vicfg-user.pl --server esx1 --username root -e group -o delete -d group40
Enter password:
Deleted group40 successfully.

C:\>vicfg-user.pl --server esx1 --username root -e group -o delete -d group42
Enter password:
Deleted group42 successfully.

C:\>vicfg-user.pl --server esx2 --username root -e group -o delete -d test
Enter password:
Deleted test successfully.

C:\>vicfg-user.pl --server esx2 --username root -e group -o delete -d group40
Enter password:
Deleted group40 successfully.

C:\>vicfg-user.pl --server esx2 --username root -e group -o delete -d group42
Enter password:
Deleted group42 successfully.
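The script below is an added example, not part of the original post and not VMware's own code. It covers two things from this page: it parses the "Group Information:" listing that vicfg-user -e group -o list prints, and checks that a group exists with the same GID on every host (the page creates group40 and group42 on esx1 and esx2 with identical IDs; a host where the GID differs indicates that the hosts' group tables have drifted); and it builds the -o modify command from the procedure, rejecting numeric entries because the command takes user names, not user IDs. The sample listings for esx1 and esx2 are copied from the transcripts above; the third host, esx3, and its mismatched GID are constructed to show a failing check. Only options that appear on this page are used.

```python
"""Check vicfg-user group listings across hosts and build membership commands.

Added example, not from the page or from VMware's vCLI. Sample output is
constructed to match the format shown in the transcripts above.
"""
import re
from typing import Dict, List, Optional, Sequence

# Each group is printed as a "Group Information:" block whose fields look
# like "Principal -: group42", "Full Name -:" and "GID       -: 4242".
_FIELD_RE = re.compile(r"^(Principal|Full Name|GID)\s+-:\s*(.*)$")


def parse_group_list(text: str) -> Dict[str, dict]:
    """Return {principal: {"full_name": str, "gid": int | None}} from list output."""
    groups: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Group Information:":
            current = {"full_name": "", "gid": None}
            continue
        m = _FIELD_RE.match(line)
        if current is None or not m:
            continue  # separators, blank lines, anything outside a block
        key, value = m.group(1), m.group(2).strip()
        if key == "Principal":
            groups[value] = current
        elif key == "Full Name":
            current["full_name"] = value
        else:  # GID
            current["gid"] = int(value) if value else None
    return groups


def check_group(outputs_by_host: Dict[str, str], group: str,
                expected_gid: int) -> List[str]:
    """Report hosts where the group is missing or has an unexpected GID."""
    problems: List[str] = []
    for host, text in outputs_by_host.items():
        found = parse_group_list(text).get(group)
        if found is None:
            problems.append(f"{host}: group {group} does not exist")
        elif found["gid"] != expected_gid:
            problems.append(f"{host}: group {group} has GID {found['gid']}, "
                            f"expected {expected_gid}")
    return problems


def modify_group_cmd(conn_options: Sequence[str], group: str,
                     add: Sequence[str] = (), remove: Sequence[str] = (),
                     vicfg: str = "vicfg-user.pl") -> List[str]:
    """Build argv for 'vicfg-user -e group -o modify'.

    conn_options is the page's <conn_options> placeholder (for example
    ["--server", "esx1", "--username", "root"]). The command wants user
    names, so an all-digit entry (a user ID) is rejected before anything runs.
    """
    for user in list(add) + list(remove):
        if not user or user.isdigit():
            raise ValueError(f"{user!r}: vicfg-user needs a user name, not a user ID")
    argv = [vicfg, *conn_options, "-e", "group", "-o", "modify", "-d", group]
    if add:
        argv += ["--adduser", ",".join(add)]
    if remove:
        argv += ["--removeuser", ",".join(remove)]
    return argv


# Constructed sample: the group42 listings from esx1 and esx2 above, plus a
# hypothetical host esx3 where group42 was created with a different GID.
_LISTING = "Group Information:\nPrincipal -: group42\nFull Name -:\nGID       -: {gid}\n\n------------------\n"
SAMPLE_OUTPUT = {
    "esx1": _LISTING.format(gid=4242),
    "esx2": _LISTING.format(gid=4242),
    "esx3": _LISTING.format(gid=4243),
}

if __name__ == "__main__":
    for problem in check_group(SAMPLE_OUTPUT, "group42", 4242):
        print(problem)
    print(" ".join(modify_group_cmd(["--server", "esx1", "--username", "root"],
                                    "group42", add=["u1", "u2", "u3"])))
```

In practice you would feed check_group the captured stdout of vicfg-user -o list from each host; the password prompt shown in the transcripts is interactive, so run the listing step per host and paste or pipe its output into the script rather than calling it from here.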
