RolesFAQ

How do I find out what roles a person has?

Use the roles command.

e.g. roles -v <username>

The roles command reports all the roles a user possesses. With the -v option it also reports which are primary (allocated directly from the database), which are secondary (manually allocated to the entity object in prometheus) and which are inherited. Inherited roles are either (1) roles inherited from other roles, or (2) roles preserved during a user's grace period.

How do I find out which users possess a given role?

Use ldapsearch to look at the Capabilities map

e.g. ldapsearch -b ou=Capabilities,dc=inf,dc=ed,dc=ac,dc=uk cn=role/<rolename>

Capabilities and Netgroup maps are maintained in our regular LDAP tree. For any existing role there is a canonical entitlement role/<rolename>, so anyone possessing a particular role is a member of the cn=role/<rolename> capabilities map.

How do I add/remove a role to/from a user?

Use modify-user to give a user an additional (secondary) role.

e.g. modify-user --trigger --addrole <rolename> <username>

The --trigger argument adds a job to prometheus's event queue (see PrometheusEventQueue) so that changes are propagated out to LDAP immediately.

Use --removerole to remove a role.

How do I add/remove a single entitlement to/from a user?

Use modify-user to give a user an additional (secondary) entitlement.

e.g. modify-user --trigger --addentitlement <entitlement> <username>

The --trigger argument adds a job to prometheus's event queue (see PrometheusEventQueue) so that changes are propagated out to LDAP immediately.

Use --removeentitlement to remove an entitlement.

How do I query a role in prometheus?

ldapsearch -h prometheus:1234 -b ou=Roles,o=Prometheus,dc=inf,dc=ed,dc=ac,dc=uk cn=<rolename>

All roles in prometheus live under ou=Roles,o=Prometheus,dc=inf,dc=ed,dc=ac,dc=uk. They are synchronised directly from the rfe roles maps.

When does a role exist?

A role is defined in the rfe map roles/<rolename>, and a role is not deemed to exist unless that rfe roles map exists. If a role does not exist, no role/<rolename> capabilities map (see above) is created, so an ldapsearch for it returns no entry.
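The two facts above (members of a role are the members of the cn=role/<rolename> capabilities map, and a role that does not exist has no such map) suggest a small check: feed the output of the ldapsearch command from "How do I find out which users possess a given role?" to a parser and distinguish "role does not exist" from "role exists but has no members". The following is an added example, not DICE or prometheus code. It assumes the capabilities map lists its members in a multi-valued memberUid attribute (an assumption; confirm the real attribute name from a raw ldapsearch before relying on it), and the LDIF it parses is a constructed sample, not captured output.

```python
"""Parse ldapsearch LDIF output for a cn=role/<rolename> Capabilities entry.

Added example; not part of the DICE/prometheus tooling.
"""
import base64
import sys
from typing import Dict, List, Optional

# ASSUMPTION: the attribute that holds a capabilities map's members.
MEMBER_ATTR = "memberUid"

# Constructed sample of what ldapsearch prints for one role entry.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=Capabilities,dc=inf,dc=ed,dc=ac,dc=uk> with scope subtree
# filter: cn=role/example
# requesting: ALL
#

# role/example, Capabilities, inf.ed.ac.uk
dn: cn=role/example,ou=Capabilities,dc=inf,dc=ed,dc=ac,dc=uk
cn: role/example
objectClass: top
memberUid: alice
memberUid: bob
memberUid:: Y2Fyb2w=
description: Constructed sample entry for the role/example capabilities map,
  folded across two lines as ldapsearch does for long values

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries (attribute -> list of values).

    Handles comment lines (#), blank-line entry separators, folded lines
    (a continuation line starts with one space) and base64 values ('::').
    The trailer ldapsearch appends ('search: 2', 'result: 0 Success') is
    skipped because it belongs to no 'dn:' entry.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # unfold continuation line
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in logical + [""]:           # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("dn:"):
            current = {}
        if current is None:
            continue                      # text outside any entry
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # 'attr:< file:///...' (not used here)
            continue
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def role_members(ldif_text: str, rolename: str) -> Optional[List[str]]:
    """Return the sorted members of cn=role/<rolename>, or None if no map exists.

    None rather than [] keeps "the role does not exist" distinct from
    "the role exists but nobody currently holds it".
    """
    wanted = f"role/{rolename}"
    for entry in parse_ldif(ldif_text):
        if wanted in entry.get("cn", []):
            return sorted(entry.get(MEMBER_ATTR, []))
    return None


if __name__ == "__main__":
    # Usage: <ldapsearch command from this FAQ> | python3 role_members.py <rolename>
    name = sys.argv[1] if len(sys.argv) > 1 else "example"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    members = role_members(data, name)
    if members is None:
        print(f"role/{name}: no capabilities map found (role may not exist)")
    else:
        print(f"role/{name}: {len(members)} member(s): {', '.join(members)}")
```

Run with no input to see the constructed sample parsed; in real use pipe the FAQ's ldapsearch command into it. Because the parser unfolds continuation lines and decodes base64 values, a username that ldapsearch chooses to base64-encode is still reported correctly.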

More information on roles in prometheus


-- TobyBlake - 07 Feb 2017