Administering User and Group Accounts from the Command Line

The following sections describe the common tasks that can be performed to administer user accounts using the ovirt-aaa-jdbc-tool command utility. This utility is used to manage user and group accounts on the internal domain. To view a list of all available options for managing user and group accounts, run the ovirt-aaa-jdbc-tool --help command.

Note:

Changes made using the ovirt-aaa-jdbc-tool command utility take effect immediately and do not require you to restart the Manager.

Creating a New User Account

The ovirt-aaa-jdbc-tool user add command is used to create user accounts.

To create a new user account:

  1. Log in to the host that is running the Manager.

  2. Create a new user account.

    ovirt-aaa-jdbc-tool user add username option

    To view a full list of options available for creating a user account, run the ovirt-aaa-jdbc-tool user add --help command.

    The following example shows how to create a new user account and add a first and last name to associate with the account.

    # ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
    adding user test1...
    user added successfully
    Note: by default created user cannot log in. see:
    /usr/bin/ovirt-aaa-jdbc-tool user password-reset --help.

    Note:

    After creating a new user account, you must set a password so that the user can log in. See Setting the Password for a User Account.

  3. Add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Assigning Permissions to Users and Groups.

Setting the Password for a User Account

The ovirt-aaa-jdbc-tool user password-reset command is used to set (or reset) the password for a user account.

To set (or reset) the password for a user account:

  1. Log in to the host that is running the Manager.

  2. Set (or reset) the password for a user account.

    ovirt-aaa-jdbc-tool user password-reset username --password-valid-to "yyyy-MM-dd HH:mm:ssZ"

    Note:

    You must set a value for the --password-valid-to option; otherwise the password expiry time defaults to the time of the last login.

    By default, the password policy for user accounts on the internal domain has the following restrictions:
    • A user password must be a minimum length of 6 characters.

    • When resetting a password, you cannot use the three previous passwords used for the user account.

    For more information on the password policy and other default settings, run the ovirt-aaa-jdbc-tool settings show command.

    The following example shows how to set a user password. In the example, -0800 stands for GMT minus 8 hours.

    # ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
    Password:
    Reenter password:
    updating user test1...
    user updated successfully

Editing User Information

The ovirt-aaa-jdbc-tool user edit command is used to edit user information associated with a user account.

To edit user information:

  1. Log in to the host that is running the Manager.

  2. Edit the user account.

    ovirt-aaa-jdbc-tool user edit username option

    To view a full list of options available for editing user information, run the ovirt-aaa-jdbc-tool user edit --help command.

    The following example shows how to edit a user account by adding an email address to associate with this user.

    # ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
    updating user test1...
    user updated successfully

Viewing User Information

The ovirt-aaa-jdbc-tool user show command is used to display user information.

To view detailed user information:

  1. Log in to the host that is running the Manager.

  2. Display information about a user.

    ovirt-aaa-jdbc-tool user show username

    The following example shows how to view details about a user account.

    # ovirt-aaa-jdbc-tool user show test1
    -- User test1(e9e4b7d0-8ffd-45a3-b6ea-1f519238e766) --
    Namespace: *
    Name: test1
    ID: e9e4b7d0-8ffd-45a3-b6ea-1f519238e766
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-26 18:59:16Z
    Account Valid To: 2219-08-26 18:59:16Z
    Account Without Password: false
    Last successful Login At: 2019-08-27 15:21:20Z
    Last unsuccessful Login At: 2019-08-27 15:20:59Z
    Password Valid To: 2025-08-01 20:00:00Z

Removing a User

The ovirt-aaa-jdbc-tool user delete command is used to remove a user.

To remove a user account:

  1. Log in to the host that is running the Manager.

  2. Remove a user.

    ovirt-aaa-jdbc-tool user delete username

    The following example shows how to remove a user account.

    # ovirt-aaa-jdbc-tool user delete test1
    deleting user test1...
    user deleted successfully

Disabling User Accounts

You can disable users on the local domains, including the internal admin user that is created when you run the engine-setup command.

Important:

Make sure you have at least one user in the environment with full administrative permissions before disabling the default internal administrative user account (admin user). The SuperUser role gives a user full administrative permissions.

To disable a user:

  1. Log in to the host that is running the Manager.

  2. Disable the user.

    ovirt-aaa-jdbc-tool user edit username --flag=+disabled

    The following example shows how to disable the admin user.

    # ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
    updating user admin...
    user updated successfully

    Note:

    If for some reason you need to re-enable the internal admin user after it has been disabled, you can do so by running the ovirt-aaa-jdbc-tool user edit admin --flag=-disabled command.

Creating Group Accounts

The ovirt-aaa-jdbc-tool command is used to create and manage group accounts on the internal domain. Managing group accounts is similar to managing user accounts. To view all available options for managing group accounts, run the ovirt-aaa-jdbc-tool group --help command. Common examples are provided in this section.

Creating a Group

To create a group account:

  1. Log in to the host that is running the Manager.

  2. Create a new group account.

    ovirt-aaa-jdbc-tool group add group-name

    Note:

    Users must be created before they can be added to groups.

    The following example shows how to add a new group account.

    # ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
  3. Add users to the group:

    ovirt-aaa-jdbc-tool group-manage useradd group-name --user=username

    To view a full list of the options for adding or removing members to and from groups, run the ovirt-aaa-jdbc-tool group-manage --help command.

    The following example shows how to add users to a group.
    # ovirt-aaa-jdbc-tool group-manage useradd group1 --user test1
    updating user group1...
    user updated successfully
  4. Display group account details.

    ovirt-aaa-jdbc-tool group show group-name                
    The following example shows how to display details about a group account.
    # ovirt-aaa-jdbc-tool group show group1
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description:
  5. Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.

    The users in the group inherit the roles and permissions of the group.

Creating Nested Groups

To create nested groups:

  1. Log in to the host that is running the Manager.

  2. Create the first group account.

    ovirt-aaa-jdbc-tool group add group1

    The following example shows how to add a new group account.

    # ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
  3. Create the second group account.

    ovirt-aaa-jdbc-tool group add group2

    The following example shows how to create the second group account.

    # ovirt-aaa-jdbc-tool group add group2
    adding group group2...
    group added successfully
  4. Add the second group to the first group.

    ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2

    The following example shows how to add the second group to the first group.

    # ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
    updating group group1...
    group updated successfully 
  5. Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.

Removing a Group Account

To remove a group account:

  1. Log in to the host that is running the Manager.

  2. Remove a group account.

    ovirt-aaa-jdbc-tool group delete group-name
    The following example shows how to remove a group account.
    # ovirt-aaa-jdbc-tool group delete group3
    deleting group group3...
    group deleted successfully

Querying Users and Groups

The ovirt-aaa-jdbc-tool query command is used to query user and group information. To view a full list of options available for querying users and groups, run the ovirt-aaa-jdbc-tool query --help command.

Listing All User or Group Account Details

To list all account information:

  1. Log in to the host that is running the Manager.

  2. Display account details.

    • List all user account details.
      ovirt-aaa-jdbc-tool query --what=user
      The following example shows sample output from the ovirt-aaa-jdbc-tool query --what=user command.
      # ovirt-aaa-jdbc-tool query --what=user
      -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
      Namespace: *
      Name: test2
      ID: 35e8b35e-2320-45da-b59e-1076b521d13f
      Display Name:
      Email:
      First Name: Jane
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-09-06 16:51:32Z
      Account Valid To: 2219-09-06 16:51:32Z
      Account Without Password: false
      Last successful Login At: 2019-09-06 17:12:08Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
      -- User admin(89559d7f-3b48-420b-bd4d-2790122c199b) --
      Namespace: *
      Name: admin
      ID: 89559d7f-3b48-420b-bd4d-2790122c199b
      Display Name:
      Email:
      First Name: admin
      Last Name:
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 2019-03-07 11:09:07Z
      Account Valid From: 2019-01-24 21:18:11Z
      Account Valid To: 2219-01-24 21:18:11Z
      Account Without Password: false
      Last successful Login At: 2019-09-06 18:10:11Z
      Last unsuccessful Login At: 2019-09-06 18:09:36Z
      Password Valid To: 2025-08-01 20:00:00Z
      -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
      Namespace: *
      Name: test1
      ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
      Display Name:
      Email: jdoe@example.com
      First Name: John
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-08-29 18:15:20Z
      Account Valid To: 2219-08-29 18:15:20Z
      Account Without Password: false
      Last successful Login At: 1970-01-01 00:00:00Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
    • List all group account details.
      ovirt-aaa-jdbc-tool query --what=group

      The following example shows sample output from the ovirt-aaa-jdbc-tool query --what=group command.
      # ovirt-aaa-jdbc-tool query --what=group
      -- Group group2(d6e0b913-d038-413a-b732-bc0c33ea1ed4) --
      Namespace: *
      Name: group2
      ID: d6e0b913-d038-413a-b732-bc0c33ea1ed4
      Display Name:
      Description:
      -- Group group1-1(e43ba527-6256-4c29-bd7a-0fb08b990b72) --
      Namespace: *
      Name: group1-1
      ID: e43ba527-6256-4c29-bd7a-0fb08b990b72
      Display Name:
      Description:
      -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
      Namespace: *
      Name: group1
      ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
      Display Name:
      Description:

Listing Filtered Account Details

To apply filters when listing account information:

  1. Log in to the host that is running the Manager.

  2. Filter account details using the --pattern keyword.

    • List user account based on a pattern.

      ovirt-aaa-jdbc-tool query --what=user --pattern=attribute=value

      The following example shows how to filter the output of the ovirt-aaa-jdbc-tool query command to display only the details of user accounts whose first name starts with the character J.

      # ovirt-aaa-jdbc-tool query --what=user --pattern="firstName=J*"
      -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
      Namespace: *
      Name: test1
      ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
      Display Name:
      Email: jdoe@example.com
      First Name: John
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-08-29 18:15:20Z
      Account Valid To: 2219-08-29 18:15:20Z
      Account Without Password: false
      Last successful Login At: 1970-01-01 00:00:00Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
      -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
      Namespace: *
      Name: test2
      ID: 35e8b35e-2320-45da-b59e-1076b521d13f
      Display Name:
      Email:
      First Name: Jane
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-09-06 16:51:32Z
      Account Valid To: 2219-09-06 16:51:32Z
      Account Without Password: false
      Last successful Login At: 2019-09-06 17:12:08Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
    • List groups based on a pattern.
      ovirt-aaa-jdbc-tool query --what=group --pattern=attribute=value

      The following example shows how to filter the output of the ovirt-aaa-jdbc-tool query command to display only group account details that match the description documentation-group.

      # ovirt-aaa-jdbc-tool query --what=group --pattern="description=documentation-group"
      -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
      Namespace: *
      Name: group1
      ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
      Display Name:
      Description: documentation-group
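
The following is an added example, not part of the original documentation: a shell function that reads the record format printed by ovirt-aaa-jdbc-tool query --what=user and reports accounts that are disabled, locked, without a password, never logged in, or past their Password Valid To time. The field names are those shown in the output above; the sample accounts, the finding labels and the function names are constructed for illustration.

```shell
# Constructed sample in the tool's record format (not from a real system).
sample_output() { cat <<'EOF'
-- User svc-backup(00000000-0000-0000-0000-000000000001) --
Name: svc-backup
Account Disabled: false
Account Locked: false
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Password Valid To: 2025-08-01 20:00:00Z
-- User olduser(00000000-0000-0000-0000-000000000002) --
Name: olduser
Account Disabled: true
Account Locked: true
Account Without Password: false
Last successful Login At: 2019-09-06 17:12:08Z
Password Valid To: 2019-12-01 00:00:00Z
-- User jdoe(00000000-0000-0000-0000-000000000003) --
Name: jdoe
Account Disabled: false
Account Locked: false
Account Without Password: false
Last successful Login At: 2019-09-06 18:10:11Z
Password Valid To: 2025-08-01 20:00:00Z
EOF
}
# audit_users NOW: read records on stdin, print "name: findings" per flagged
# account. NOW is "yyyy-MM-dd HH:mm:ssZ" in UTC; fixed-width, so string compare.
audit_users() {
  awk -v now="$1" '
    function flush(   out) {
      if (f["Account Disabled"] == "true") out = out " disabled"
      if (f["Account Locked"] == "true") out = out " locked"
      if (f["Account Without Password"] == "true") out = out " no-password"
      if (f["Last successful Login At"] ~ /^1970-01-01/) out = out " never-logged-in"
      if (f["Password Valid To"] != "" && f["Password Valid To"] < now) out = out " password-expired"
      if (name != "" && out != "") print name ":" out
      name = ""; split("", f)          # reset state for the next record
    }
    /^ *-- User / { flush(); next }    # record header starts a new account
    {
      sub(/^ +/, ""); i = index($0, ":")
      if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1); sub(/^ +/, "", val)
      if (key == "Name") name = val; else f[key] = val
    }
    END { flush() }
  '
}
sample_output | audit_users "$(date -u '+%Y-%m-%d %H:%M:%SZ')"
```

On the Manager host, replace sample_output with ovirt-aaa-jdbc-tool query --what=user to audit the internal domain.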

Managing Account Settings

The ovirt-aaa-jdbc-tool settings command is used to change the default account settings.

To change the default account settings:

  1. Log in to the host that is running the Manager.

  2. (Optional) Display all the settings that are available.

    ovirt-aaa-jdbc-tool settings show
  3. Change the desired settings.

    ovirt-aaa-jdbc-tool settings set --name=setting-name --value=value