Page History

...

Command	Category	Documentation
get-account / store-account	Accounts	JS7 - Management of User Accounts, Roles and Permissions JS7 - Manage User Accounts
rename-account / remove-account
get-account-permission
set-account-password / reset-account-password
enable-account / disable-account
block-account / unblock-account
get-role / store-role	Roles	JS7 - Management of User Accounts, Roles and Permissions JS7 - Manage Roles and Permissions JS7 - Default Roles and Permissions
rename-role / remove-role	Roles
get-permission / set-permission	Permissions
rename-permission / remove-permission	Permissions
get-folder / set-folder	Folder Permissions
rename-folder / remove-folder	Folder Permissions
get-service / store-service	Identity Services	JS7 - Identity Services
rename-service / remove-service
get-service-settings / store-service-settings

...

Code Block

title	Usage

Usage: deploy-identity-service.sh [Command] [Options] [Switches]

  Commands:
    get-account             --service [--account] [--enabled] [--disabled] [--blocked]
    store-account           --service  --account  [--role] [--disabled] [--account-password] [--force-password-change]
    rename-account          --service  --account   --new-account
    remove-account          --service  --account  [--enabled] [--disabled]
    get-account-permission  --service  --account
    set-account-password    --service  --account   --account-password --new-account-password
    reset-account-password  --service  --account
    enable-account          --service  --account
    disable-account         --service  --account
    block-account           --service  --account [--comment]
    unblock-account         --service  --account

    get-role                --service [--role]
    store-role              --service  --role [--ordering]
    rename-role             --service  --role  --new-role
    remove-role             --service  --role

    get-permission          --service  --role [--controller-id]
    set-permission          --service  --role  --permission [--excluded] [--controller-id]
    rename-permission       --service  --role  --permission  --new-permission [--excluded] [--controller-id]
    remove-permission       --service  --role  --permission [--controller-id]

    get-folder              --service  --role [--folder] [--controller-id]
    set-folder              --service  --role  --folder  [--recursive] [--controller-id]
    rename-folder           --service  --role  --folder   --new-folder [--recursive] [--controller-id]
    remove-folder           --service  --role  --folder  [--controller-id]

    get-service            [--service]
    store-service           --service --service-type [--ordering] [--required] [--disabled]
                           [--authentication-scheme] [--singlesecond-factor-certificate] [--single-factor-password]service]
    rename-service          --service --new-service
    remove-service          --service
    get-service-settings    --service --service-type
    store-service-settings  --service --service-type --settings

  Options:
    --url=<url>                        | required: JOC Cockpit URL
    --user=<account>                   | required: JOC Cockpit user account
    --password=<password>              | optional: JOC Cockpit password
    --ca-cert=<path>                   | optional: path to CA Certificate used for JOC Cockpit login
    --client-cert=<path>               | optional: path to Client Certificate used for login
    --client-key=<path>                | optional: path to Client Key used for login
    --timeout=<seconds>                | optional: timeout for request, default: 60
    --controller-id=<id>               | optional: Controller ID
    --account=<name[,name]>            | optional: list of accounts
    --new-account=<name[,name]>        | optional: new account names
    --account-password=<password>      | optional: password for account
    --new-password=<password>          | optional: new password for account
    --service=<name>                   | required: Identity Service name
    --service-type=<id>                | optional: Identity Service type such as JOC, LDAP, LDAP-JOC, OIDC, OIDC-JOC
    --ordering=<number>                | optional: ordering of Identity Service or role by ascending number
    --new-service=<name>               | optional: new Identity Service name
    --authenticationsecond-scheme=<factor>service=<name>            | optional: second Identity Service for MFA
  authentication scheme: SINGLE---authentication-scheme=<factor>   | optional: Identity Service authentication scheme: SINGLE-FACTOR, TWO-FACTOR
    --settings=<json>                  | optional: Identity Service settings in JSON format
    --role=<name[,name]>               | optional: list of roles
    --new-role=<name>                  | optional: new role name
    --permission=<id[,id]>             | optional: list of permission identifiers assigned a role
    --new-permission=<id>              | optional: new permission identifier assigned a role
    --folder=<name[,name]>             | optional: list of folders assigned a role
    --new-folder=<name>                | optional: new folder assigned a role
    --audit-message=<string>           | optional: audit log message
    --audit-time-spent=<number>        | optional: audit log time spent in minutes
    --audit-link=<url>                 | optional: audit log link
    --log-dir=<directory>              | optional: path to directory holding the script's log files

  Switches:
    -h | --help                        | displays usage
    -v | --verbose                     | displays verbose output, repeat to increase verbosity
    -p | --password                    | asks for password
    -a | --account-password            | asks for account password
    -n | --new-password                | asks for new account password
    -f | --force-password-change       | enforces password change on next login
    -e | --enabled                     | filters for enabled accounts
    -d | --disabled                    | filters for disabled accounts or disables Identity Services
    -xb | --excludedblocked                     | filters setsfor excludedblocked permissionsaccounts
    -qx | --requiredexcluded                    | enforcessets use of Identity Serviceexcluded permissions
    -rq | --recursiverequired                    | appliesenforces folderuse operationof toIdentity sub-foldersService
    --single-factor-certificate       r | certificate--recursive allowed as single factor
    --single-factor-password           | passwordapplies allowedfolder asoperation singleto factorsub-folders
    --show-logs                        | shows log output if --log-dir is used
    --make-dirs                        | creates directories if they do not exist

see https://kb.sos-berlin.com/x/lwTWCQ

...

--url
- Specifies the URL by which JOC Cockpit is accessible using <http|https>://<host>:<port>.
- Example: http://centostest-primary.sos:4446
- Example: https://centostest-primary.sos:4443
--user
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
- If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
--password
- Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
- Password input from the command line is considered insecure. Consider use of the -p switch offering a secure option for interactive keyboard input.
--ca-cert
- Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
--client-cert
- Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
--client-key
- Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
--timeout
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
--controller-id
- Specifies the identification of the Controller.
--account
- When used with commands on accounts, specifies the related account.
- When used with the remove-account, reset-account-password, enable-account and disable-account commands, one or more accounts can be specified separated by comma, for example:: --account=user1,user2.
--new-account
- When used with the rename-account command, specifies the new name of the account.
--account-password
- When used with the store-account and set-account-password commands, specifies the account's password.
- Command line input for passwords is considered insecure. Consider use of the -a switch for secure interactive keyboard input for passwords.
--new-password
- When used with the set-account-password command, specifies the account's new password.
- Command line input for passwords is considered insecure. Consider use of the -n switch for secure interactive keyboard input for passwords.
--service
- Specifies the name of the Identity Service.
--service-type
- The option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
--ordering
- When used with the store-role command, specifies the role's position in the list of roles. If the option is not used, then a newly added role will be appended.
- When used with the store-service command, specifies the Identity Service's position in the list of Identity Services. The ordering of Identity Services specifies the sequence by which Identity Services will be triggered if more than one Identity Service is used for authentication.
--new-service
- When used with the rename-service command, specifies the new name of the Identity Service.
--authenticationsecond-schemeservice
- When used with the store-service command, specifies the identifier of a second Identity Service that is used for multi-factor authentication (MFA).
- Use of the option requires to specify the --authentication-scheme option with the value TWO-FACTOR.
--authentication-scheme
- When used with the store-service command, specifies single-factor or two-factor authentication using one of the values: SINGLE-FACTOR, TWO-FACTOR.
- Use of the option value TWO-FACTOR requires to specify the --second-service option.
--role
- Specifies the name of a role. for role-based or permission-based commands.
- If more than one role is specified, then they are separated by comma, for example: --role=administrator,business-user.
--new-role
- When used with the rename-role command, specifies the new name of the role.
--permission
- When used with the set-permission, rename-permission and remove-permission commands, specifies the permission identifiers to be used. For available permission identifiers see JS7 - Default Roles and Permissions.
- If more than one permission is used, then permission identifiers are separated by comma, for example: --permission='sos:products:controller:view','sos:products:controller:agents:view'.
--new-permission
- When used with the rename-permission command, specifies the new permission identifier.
--folder
- Specifies the folder to which permissions are applied and that limit user access to JOC Cockpit inventory folders.
- If more than one folder is used, then they are separated by comma, for example --folder=/accounting,/reporting.
--new-folder
- When used with the rename-folder command, specifies the new permission identifier.
--audit-message
- Specifies a message that is made available to the Audit Log.
- Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
--audit-time-spent
- Specifies the time spent to perform an operation which is added to the Audit Log.
- The option can be specified if the --audit-message option is used.
--audit-link
- Specifies a link (URL) which is added to the Audit Log.
- The option can be specified if the --audit-message option is used.
--log-dir
- If a log directory is specified then the script will log information about processing steps to a log file in this directory.
- File names are created according to the pattern: deploy-identity-service.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example: deploy-identity-service.2024-10-19T20-50-45.log

...

-h | --help
- Displays usage.
-v | --verbose
- Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
- When used twice as with -v -v then curl verbose output will be displayed.
-p | --password
- Asks the user for interactive keyboard input of the password used for the account specified with the --user option..
- The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
-a | --account-password
- When used with the store-account and set-account-password commands, asks the user for interactive keyboard input of the existing password used for the account.
- The switch is used for secure interactive input as an alternative to use of the --account-password=<password> option.
-n | --new-password
- When used with the set-account-password command, asks the user for interactive keyboard input of the new password used for the account.
- The switch is used for secure interactive input as an alternative to use of the --new-account-password=<password> option.
-f | --force-password-change
- When used with the store-account command, specifies that the user will be challenged to type a new password on next login.
- The switch is used for existing accounts. Use of the switch is not required in the following situations that will automatically challenge the user to specify a new password on next login:
  - For new accounts using the initial password and for accounts assigned a password using the --account-password option or switch.
  - If the account is assigned a password using the set-account-password command.
  - If the account's password is reset to the initial password using the reset-account-password command
-e | --enabled
- When used with the get-account command, filters results to enabled accounts.
- When used with the remove-account command, limits the operation to enabled accounts.
-d | --disabled
- When used with the get-account command, filters results to disabled accounts.
- When used with the store-account command, specifies that the indicated account will be deactivated.
- When used with the remove-account command, limits the operation to disabled accounts.
- When used with the store-service command, specifies that the Identity Service will be deactivated.
-b | --blocked
- When used with the get-service command, returns the list of blocked accounts.
- The result list will be filtered if the --acount option is specified for an account.
-x | --excluded
- When used with the set-permission command, specifies that the permission will be denied. This applies to JOC Cockpit permissions and to permissions for all Controllers.
-q | --required
- When used with the store-service command, specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
-r | --recursive
- When used with the set-folder and rename-folder commands, specifies that folder permissions are applied to sub-folders.
--single-factor-certificate
- When used with the store-service command, specifies that a certificate acts as a single factor for authentication.
--single-factor-password
- When used with the store-service command, specifies that a password acts as a single factor for authentication.
--show-logs
- Displays the log output created by the script if the --log-dir option is used.
--make-dirs
- If directories are missing that are indicated with the --log-dir option then they will be created.

...

Space shortcuts

Page tree

Versions Compared

Old Version 23

New Version 24

Key