6.9.3. Configure User Role Assignment using the Management CLI

Procedure 6.7. Viewing Role Assignment Configuration

1. Use the :read-children-names operation to get a complete list of the configured roles:

   /core-service=management/access=authorization:read-children-names(child-type=role-mapping)

   Copy to Clipboard Toggle word wrap

   [standalone@localhost:9999 access=authorization] :read-children-names(child-type=role-mapping)
   {
       "outcome" => "success",
       "result" => [
           "Administrator",
           "Deployer",
           "Maintainer",
           "Monitor",
           "Operator",
           "SuperUser"
       ]
   }
   

   Copy to Clipboard Toggle word wrap
2. Use the read-resource operation of a specified role-mapping to get the full details of a specific role:

   /core-service=management/access=authorization/role-mapping=ROLENAME:read-resource(recursive=true)

   Copy to Clipboard Toggle word wrap

   [standalone@localhost:9999 access=authorization] ./role-mapping=Administrator:read-resource(recursive=true)
   {
       "outcome" => "success",
       "result" => {
           "include-all" => false,
           "exclude" => undefined,
           "include" => {
               "user-theboss" => {
                   "name" => "theboss",
                   "realm" => undefined,
                   "type" => "USER"
               },
               "user-harold" => {
                   "name" => "harold",
                   "realm" => undefined,
                   "type" => "USER"
               },
               "group-SysOps" => {
                   "name" => "SysOps",
                   "realm" => undefined,
                   "type" => "GROUP"
               }
           }
       }
   }
   [standalone@localhost:9999 access=authorization]
   

   Copy to Clipboard Toggle word wrap

Procedure 6.8. Add a new role

• Use the add operation to add a new role configuration.

  /core-service=management/access=authorization/role-mapping=ROLENAME:add

  Copy to Clipboard Toggle word wrap
  ROLENAME is the name of the role that the new mapping is for.

  [standalone@localhost:9999 access=authorization] ./role-mapping=Auditor:add             
  {"outcome" => "success"}
  [standalone@localhost:9999 access=authorization]
  

  Copy to Clipboard Toggle word wrap

Procedure 6.9. Add a user as included in a role

• Use the add operation to add a user entry to the includes list of the role.

  /core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:add(name=USERNAME, type=USER)

  Copy to Clipboard Toggle word wrap
  ROLENAME is the name of the role being configured.
  ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as user-USERNAME.
  USERNAME is the name of the user being added to the include list.

   [standalone@localhost:9999 access=authorization] ./role-mapping=Auditor/include=user-max:add(name=max, type=USER)
  {"outcome" => "success"}
  [standalone@localhost:9999 access=authorization]
  

  Copy to Clipboard Toggle word wrap

Procedure 6.10. Add a user as excluded in a role

• Use the add operation to add a user entry to the excludes list of the role.

  /core-service=management/access=authorization/role-mapping=ROLENAME/exclude=ALIAS:add(name=USERNAME, type=USER)

  Copy to Clipboard Toggle word wrap
  ROLENAME is the name of the role being configured.
  USERNAME is the name of the user being added to the exclude list.
  ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as user-USERNAME.

  [standalone@localhost:9999 access=authorization] ./role-mapping=Auditor/exclude=user-max:add(name=max, type=USER)
  {"outcome" => "success"}
  [standalone@localhost:9999 access=authorization]
  

  Copy to Clipboard Toggle word wrap

Procedure 6.11. Remove user role include configuration

• Use the remove operation to remove the entry.

  /core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:remove

  Copy to Clipboard Toggle word wrap
  ROLENAME is the name of the role being configured
  ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as user-USERNAME.

  [standalone@localhost:9999 access=authorization] ./role-mapping=Auditor/include=user-max:remove
  {"outcome" => "success"}
  [standalone@localhost:9999 access=authorization]
  

  Copy to Clipboard Toggle word wrap
  Removing the user from the list of includes does not remove the user from the system, nor does it guarantee that the role won't be assigned to the user. The role might still be assigned based on group membership.

Procedure 6.12. Remove user role exclude configuration

• Use the remove operation to remove the entry.

  /core-service=management/access=authorization/role-mapping=ROLENAME/exclude=ALIAS:remove

  Copy to Clipboard Toggle word wrap
  ROLENAME is the name of the role being configured.
  ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as user-USERNAME.

  [standalone@localhost:9999 access=authorization] ./role-mapping=Auditor/exclude=user-max:remove
  {"outcome" => "success"}
  [standalone@localhost:9999 access=authorization]
  

  Copy to Clipboard Toggle word wrap
  Removing the user from the list of excludes does not remove the user from the system, nor does it guarantee the role will be assigned to the user. Roles might still be excluded based on group membership.