15.7. Administering User Tasks From the Command Line
15.7.1. Managing Users
Use the ovirt-aaa-jdbc-tool tool to manage user accounts on the internal domain. Changes made using the tool take effect immediately and do not require you to restart the ovirt-engine service. For a full list of user options, run ovirt-aaa-jdbc-tool user --help. Common examples are provided in this section.
Procedure 15.12. Creating a User
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Create a new user account. Optionally use --attribute to specify account details. For a full list of options, run ovirt-aaa-jdbc-tool user add --help.
# ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
adding user test1...
user added successfully
- Set a password. You must set a value for --password-valid-to, otherwise the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX. In this example, -0800 stands for GMT minus 8 hours. For more options, run ovirt-aaa-jdbc-tool user password-reset --help.
# ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
Password:
updating user test1...
user updated successfully
Note
By default, the password policy for user accounts on the internal domain has the following restrictions:
  - A minimum of 6 characters.
  - Three previous passwords used cannot be set again during the password change.
For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show.
- Add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Section 15.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
Procedure 15.13. Viewing User Information
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Run the following command:
# ovirt-aaa-jdbc-tool user show test1
Procedure 15.14. Editing User Information
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Run the following command to edit user information. This example updates the email address.
# ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
Procedure 15.15. Removing a User
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Delete the user:
# ovirt-aaa-jdbc-tool user delete test1
- Remove the user from the Administration Portal. See Section 15.6.4, “Removing Users” for more information.
15.7.2. Changing the Password for the Internal Administrative User
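To change the password of the internal administrative user (admin@internal), use the ovirt-aaa-jdbc-tool tool. You do not need to restart the ovirt-engine service for the password change to take effect.
Note
By default, the password policy for user accounts on the internal domain has the following restrictions:
  - A minimum of 6 characters.
  - Three previous passwords used cannot be set again during the password change.
For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show.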
Procedure 15.16. Resetting the Password for the Internal Administrative User
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- To change the password in interactive mode, run the following command. You must set a value for --password-valid-to, otherwise the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX. In this example, Z stands for UTC time. For more options, run ovirt-aaa-jdbc-tool user password-reset --help.
# ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2025-08-01 12:00:00Z"
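The --password-valid-to rule in Procedures 15.12 and 15.16, as an added example that is not part of the product documentation: a POSIX shell check that a value has the documented shape and lies in the future before the password-reset command is printed. The function names and the restriction to the Z and +/-HHMM zone forms shown on this page are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Function names are
# hypothetical. Accepted shape: yyyy-MM-dd HH:mm:ss followed by Z or +/-HHMM,
# the two zone forms shown on this page (an assumption of this example).
RE='^[1-9][0-9]{3}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{4})$'

# to_epoch VALUE: print VALUE as UTC epoch seconds; return 2 if malformed.
to_epoch() {
    printf '%s\n' "$1" | grep -Eq "$RE" || return 2
    zone=$(printf '%s' "$1" | cut -c20-)
    old_ifs=$IFS; IFS='-: '
    set -- $(printf '%s' "$1" | cut -c1-19)    # split the 19-char timestamp
    IFS=$old_ifs
    y=$1; m=${2#0}; d=${3#0}; H=${4#0}; M=${5#0}; S=${6#0}
    # Field range check only; day-of-month is not checked against the month.
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] && [ "$d" -ge 1 ] && [ "$d" -le 31 ] &&
        [ "$H" -le 23 ] && [ "$M" -le 59 ] && [ "$S" -le 59 ] || return 2
    off=0
    if [ "$zone" != Z ]; then
        zh=$(printf '%s' "$zone" | cut -c2-3)
        zm=$(printf '%s' "$zone" | cut -c4-5)
        off=$(( ${zh#0} * 3600 + ${zm#0} * 60 ))
        case $zone in -*) off=$(( 0 - off )) ;; esac
    fi
    # Days since 1970-01-01, counting years from March (Gregorian calendar).
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    yoe=$((y % 400))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + (153 * mp + 2) / 5 + d - 1 ))
    days=$(( y / 400 * 146097 + doe - 719468 ))
    echo $(( days * 86400 + H * 3600 + M * 60 + S - off ))
}

# check_valid_to VALUE [NOW_EPOCH]: 0 usable, 1 not in the future, 2 malformed.
check_valid_to() {
    exp=$(to_epoch "$1") || return 2
    [ "$exp" -gt "${2:-$(date +%s)}" ] || return 1
}

# reset_cmd USER VALUE [NOW_EPOCH]: print the command only if VALUE is usable.
reset_cmd() {
    check_valid_to "$2" "$3" || return $?
    printf 'ovirt-aaa-jdbc-tool user password-reset %s --password-valid-to="%s"\n' \
        "$1" "$2"
}
```

A return status of 1 from reset_cmd means the value would leave the account with a password that has already expired, which is the same outcome as omitting --password-valid-to.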
15.7.3. Disabling the Internal Administrative User
You can disable the admin@internal user created during engine-setup. Make sure you have at least one user in the environment with full administrative permissions before disabling the default admin user.
Procedure 15.17. Disabling the Internal Administrative User
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Make sure another user with the SuperUser role has been added to the environment. See Section 15.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
- Disable the default admin user:
# ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
Note
To enable a disabled user, run ovirt-aaa-jdbc-tool user edit username --flag=-disabled
15.7.4. Managing Groups
Use the ovirt-aaa-jdbc-tool tool to manage group accounts on your internal domain. Managing group accounts is similar to managing user accounts. For a full list of group options, run ovirt-aaa-jdbc-tool group --help. Common examples are provided in this section.
Procedure 15.18. Creating a Group
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Create a new group:
# ovirt-aaa-jdbc-tool group add group1
- Add users to the group. The users must be created already.
# ovirt-aaa-jdbc-tool group-manage useradd group1 --user=test1
Note
For a full list of the group-manage options, run ovirt-aaa-jdbc-tool group-manage --help.
- View group account details:
# ovirt-aaa-jdbc-tool group show group1
- Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. The users in the group inherit the roles and permissions of the group. See Section 15.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
Procedure 15.19. Creating Nested Groups
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Create the first group:
# ovirt-aaa-jdbc-tool group add group1
- Create the second group:
# ovirt-aaa-jdbc-tool group add group1-1
- Add the second group to the first group:
# ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group1-1
- Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Section 15.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
15.7.5. Querying Users and Groups
The query module allows you to query user and group information. For a full list of options, run ovirt-aaa-jdbc-tool query --help.
Procedure 15.20. Listing All User or Group Account Details
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- List all user account details:
# ovirt-aaa-jdbc-tool query --what=user
- List all group account details:
# ovirt-aaa-jdbc-tool query --what=group
Procedure 15.21. Listing Filtered Account Details
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- List user account details with names that start with the character j.
# ovirt-aaa-jdbc-tool query --what=user --pattern="name=j*"
- List groups that have the department attribute set to marketing:
# ovirt-aaa-jdbc-tool query --what=group --pattern="department=marketing"
15.7.6. Managing Account Settings
To manage account settings, use the ovirt-aaa-jdbc-tool settings module.
Procedure 15.22. Updating Account Settings
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Run the following command to show all the settings available:
# ovirt-aaa-jdbc-tool settings show
- Change the desired settings:
  - This example updates the default login session time to 60 minutes for all user accounts. The default value is 10080 minutes.
  # ovirt-aaa-jdbc-tool settings set --name=MAX_LOGIN_MINUTES --value=60
  - This example updates the number of failed login attempts a user can perform before the user account is locked. The default value is 5.
  # ovirt-aaa-jdbc-tool settings set --name=MAX_FAILURES_SINCE_SUCCESS --value=3
  Note
  To unlock a locked user account, run ovirt-aaa-jdbc-tool user unlock test1.