JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 12

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 13

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

CommandCategoryDocumentation
get-account / store-accountAccounts

JS7 - Management of User Accounts, Roles and Permissions

JS7 - Manage User Accounts

rename-account / remove-account
get-account-permission
set-account-password / reset-account-password
enable-account / disable-account
get-role / store-roleRoles


JS7 - Management of User Accounts, Roles and Permissions

JS7 - Manage Roles and Permissions

JS7 - Default Roles and Permissions





rename-role / remove-role
get-permission / set-permission

Permissions


rename-permission / remove-permission
get-folder / set-folder

FoldersFolder Permissions

rename-folder / remove-folder
get-service / store-service

Identity Services


JS7 - Identity Services

rename-service / remove-service

...

Download: JS7 - Download (Section: Unix Shell ClICLI)

Usage

Invoking the script without arguments displays the usage clause:

...

All commands make use of the --service option to specify the Identity Service on which the operation is performed.

Accounts

Operations on accounts are available for to Identity Services only that hold account information using the service types JOC, KEYCLOAK-JOC, LDAP-JOC, OIDC-JOC, CERTIFICATE and FIDO. For Identity Services that manage accounts on their own such as KEYCLOAK, LDAP, OIDC, the JOC Cockpit does not provide account information. For details see JS7 - Identity Services.

  • get-account

    • Returns information about the indicated account or all accounts if the --account option is not specified. 

    • Accounts can be filtered:
      • The --enabled switch returns will filter results to active accounts only
      • The --disabled switch returns will filter results to inactive accounts only.
  • store-account
    • Stores an account to the Identity Service. 
      • An existing role can be assigned using the --role option.
      • The password can be specified using the --account-password option. Consider to use secure input from the commandline using the -a switch. If no password is specified then the initial password is assigned. If a password is specified or the initial password is used, then JOC Cockpit will challenge the user to specify a new password on next login.
      • The --force-password-change switch can be used to make JOC Cockpit challenge the user to specify a new password on next login. The operation is available for existing accounts that hold a password. For new accounts and for accounts assigned a new password users are automatically challenged to specify a new password on next login.
      • The --disabled switch can be used to deactivate an account when it is created. For later enabling/disabling of existing accounts see the enable-account and disable-account commands.
    • Handling of passwords allows the API user to specify passwords for other accounts. However, for the affected account users have to change the password on next login.
  • rename-account
    • Renames the indicated account.
  • remove-account
    • Removes the indicated account from the Identity Service.
  • get-account-permission
    • Returns the list of permissions per role assigned the given account.
  • set-account-password
    • Sets the password for the indicated account. Consider to use secure input from the commandline using the -a switch.
    • The user will be challenged to specify a new password on next login.
  • reset-account-password
    • Resets the account's password to the initial password.
    • The user will be challenged to specify a new password on next login.
  • enable-account
    • Activates the account which allows login to JOC Cockpit.
  • disable-account
    • Deactivates the account which denies login to JOC Cockpit.

...

  • get-role
    • Returns the indicated role if the --role option is used and otherwise returns all roles.
  • store-role
    • Stores a role from its name to JOC Cockpit. Default permissions will be applied to new roles.
    • The --ordering option can be used to specify the position of the role in the list of roles available for the given Identity Service.
  • rename-role
    • Renames an existing role.
  • remove-role
    • Removes the indicated role from the Identity Service.

Permissions

Permissions are applied to limit operations in the JOC Cockpit API and GUI to certain roles.

For default permissions and permission identifiers see JS7 - Default Roles and Permissions.

  • get-permission
    • Returns permissions the indicated
    get-permission
    • Returns permissions the indicated role.
  • set-permission
    • Assigns the role one or more permission that are specified from permission identifiers using the --permission option. If more than one permission is used then they separated by comma, for example --permission='sos:products:controller:view','sos:products:controller:agents:view'. Use of single quotes or double quotes is recommended.
    • If the --excluded switch is used, then permission is permissions are denied. This applies to JOC Cockpit permissions and to all Controller permissionsControllers for which the indicated permissions will be denied.
    • The Controller ID can be specified using the --controller-id option for permissions that should be limited to limit permissions to the given Controller.
  • rename-permission
    • Renames Switches an existing permission by switching to a different permission identifier.
  • remove-permission
    • Removes the indicated permission from the role.

Folder Permissions

Folder permissions are used to apply permissions to certain folders in the JOC Cockpit inventory and to limit user access to folders.

For default permissions and permission identifiers see JS7 - Default Roles and Permissions.

  • get-folder
    • If the --folder option is used, returns the indicated folder and otherwise returns all folders assigned the given role.
  • set-folder
    • Assigns the indicated role one or more folders. If more than one folder is specified, then they are separated by comma, for example --folder=/accounting,/reporting.
    • The --recursive switch can be used to specify that sub-folders similarly should be accessible to the given role.
  • rename-folder
    • Switches folder assignment to a different folder.
  • remove-folder
    • Removes the indicated folder from the role.

...

  • get-service
    • If the --service option is used, returns the indicated Identity Service and otherwise returns the list of Identity Services.
  • store-service
    • Stores the indicated Identity Service.
    • The following options and switches can be used: 
      • The --service-type option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
      • The --required switch specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
      • The --disabled switch can be used to deactivate an Identity Serivce which denies login by any accounts using the Identity Service.
      • The --ordering option can be used to specifiy the position of the Identity Service in the list of Identity Services.
      • The --authentication-scheme option allows to specify the following valluesvalues: SINGLE-FACTOR, TWO-FACTOR.
        • Single-factor authentication specifies that the Identity Service is used as a single factor for authentication.
          • The --single-factor-certificate switch is used for the JS7 - Certificate Identity Service to specify that a certificate acts as the single factor for authentication.
          • The --single-factor-password switch is used to specify that a password is used as the single factor for authentication.
        • Two-factor authentication specifies that a second Identity Service is used and that successful authentication with both Identity Services is required. For example an Identity Serivce using the LDAP service type can use FIDO as a second factor. This implies that secrets are stored on different media: the LDAP password is stored with the user's brain while the FIDO secret is stored on the user's device, for example on a USB key or in an authenticator application on a smartphone. 
  • rename-service
    • Renames the indicated Identity Service.
  • remove-service

...

  • --url
  • --user
    • Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
    • If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
  • --password
    • Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
    • Password input from the command line is considered insecure. Consider use of the -p switch offering a secure option for interactive keyboard input.
    • Consider use of the encrypt command to encrypt a password: ./operate-joc.sh encrypt --in=root --cert=encrypt.crt.
      • The encryption result will include the prefix enc: followed by the encrypted symmetric key, initialization vector and encrypted secret separated by space.
      • If an encrypted password is specified, then it will be decrypted using the Private Key file: ./operate-joc.sh <command> --password="enc:BF8J8KP7TPlxy..." --key=encrypt.key.
  • --ca-cert
    • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
  • --client-cert
    • Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
  • --client-key--ca-cert
    • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
    --client-cert
    • Specifies the path to a file in PEM format that holds the Client Certificate Client Private Key if HTTPS mutual authentication is used..
  • --client-key
    • Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
    --timeout
    • Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
  • --controller-id
    • Specifies the identification of the Controller.
  • --agent-id
    • The Agent ID specifies a unique identifier for a Standalone Agent or Agent Cluster that cannot be changed later on.
    • Agents are identified from their Agent ID.
    account
    • When used with commands on accounts, specifies the related account.
    • When used with the remove-account, reset-account-password, enable-account and disable-account commands, one or more accounts can be specified separated by commea, for example:: --account=user1,user2.
  • --new-account--service-type
    • When used with the restartrename-serviceaccount command, specifies the service that should be restarted.One of the following services can be specified: cluster, history, dailyplan, cleanup, monitornew name of the account.
  • --validityaccount-dayspassword
    • When used with the checck-license command, specifies the number of days before expiration of a JS7 license.
      • Exit code 2 signals an expired license or an inapplicable license check if the Open Source License is used.
      • Exit code 3 signals a valid license that is about to expire within the number of days specified.
  • --settings
    • When used with the store-settings command, specifies settings from their JSON format.
  • --key
    • When used with the decrypt command, specifies the path to a file that holds the Private Key in PEM format used for decryption.
  • --cert
    • When used with the encrypt command, specifies the path to a file that holds the CA-signed or self-signed X.509 Certificate. Alternatively, the path to a file holding the Public Key can be specified. The Certificate/Public Key is expected in PEM format.
    • For encryption the Certificate/Public Key must match the Private Key used for later decryption specified with the --key option.
  • --key-password
    • When used with the decrypt command, specifies the password for access to the key file using the --key option.
    • Password input from the command line is considered insecure.
      • Consider use of the -k switch or more elaborate mechanisms, for example by temporarily populating the system keystore form a security key such as a YubiKey® or similar.
      • Consider use of encrypted passwords as explained with the --password option.
  • --in
    • When used with the encrypt and decrypt commands, specifies the input value that should be encrypted or decrypted.,
    • One of the options --in or --infile can be specified.
  • --infile
    • When used with the encrypt and decrypt commands, specifies the path to the input file that should be encrypted/decrypted.
    • One of the options --in or --infile can be specified. This option requires use of the --outfile option.
  • --outfile
    • When used with the encrypt command, specifies the path to the output file that will be created holding the encrypted content of the input file.
    • When used with the decrypt command, specifies the path to the output file that will be created holding the decrypted content of the input file.
    • The option is required if the --infile option is specified
  • --java-home
    • When used with the encrypt and decrypt commands or with encrypted passwords, specifies the Java home directory. By default the JAVA_HOME environment variable is used to determine the location of Java.
    • The Java home directory is the top-level directory of a Java installation. The directory includes the bin sub-directory and java executable.
    • store-account and set-account-password commands, specifies the account's password.
    • Command line input for passwords is considered insecure. Consider use of the -a switch for secure interactive keyboard input for passwords.
  • --new-password
    • When used with the set-account-password commands, specifies the account's new password.
    • Command line input for passwords is considered insecure. Consider use of the -n switch for secure interactive keyboard input for passwords.
  • --service
    • Specifies the name of the Identity Service.
  • --service-type
    • The option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
  • --ordering
    • When used with the store-role command, specifies the role's position in the list of roles. If the option is not used, then a newly added role will be appended.
    • When used with the store-service command, specifies the Identity Service's position in the list of Identity Services. The ordering of Identity Services specifies the sequence by which Identity Services will be triggered if more than one Identity Service is used for authentication.
  • --new-service
    • When used with the rename-service command, specifies the new name of the Identity Service.
  • --authentication-scheme
    • When used with the store-service command, specifies single-factor or two-factor authentication using one of the values: SINGLE-FACTOR, TWO-FACTOR.
  • --role
    • For role-based or permission-based command specifies the name of a role.
    • If more than one role is specified, then they are separated by comma, for example: --role=administrator,business-user.
  • --new-role
    • When used with the rename-role command, specifies the new name of the role.
  • --permission
    • When used with the set-permission, rename-permission and remove-permission commands, specifies the permission identifiers to be used. For available permission identifiers see JS7 - Default Roles and Permissions.
    • If more than one permission is used, then permission identifiers are separated by comma, for example: --permission='sos:products:controller:view','sos:products:controller:agents:view'
  • --new-permission
    • When used with the rename-permission command, specifies the new permission identifier.
  • --folder
    • Specifies the folder to which permissions are applied and that limit user access to JOC Cockpit inventory folders.
    • If more than one folder is used, then they are separated by comma, for example --folder=/accounting,/reporting.
  • --new-folder
    • When used with the rename-folder command, specifies the new permission identifier
    --java-lib
    • When used with the encrypt and decrypt commands or with encrypted passwords, a number of Java libraries are required to perform encryption/decryption.
    • The Java libraries are expected in the lib sub-directory of the JS7 Unix Shell CLI. Default: ./lib.
  • --audit-message
    • Specifies a message that is made available to the Audit Log.
    • Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
  • --audit-time-spent
    • Specifies the time spent to perform an operation which is added to the Audit Log.
    • The option can be specified if the --audit-message option is used.
  • --audit-link
    • Specifies a link (URL) which is added to the Audit Log.
    • The option can be specified if the --audit-message option is used.
  • --log-dir
    • If a log directory is specified then the script will log information about processing steps to a log file in this directory.
    • File names are created according to the pattern: operate-joc.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
    • For example: operate-joc.2022-03-19T20-50-45.log

...