Red Hat Training

A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification

11.9.6. Configure Group Role Assignment with jboss-cli.sh

Groups to be included or excluded from a role can be configured in the Management Console and the jboss-cli.sh tool. This topic only shows using the jboss-cli.sh tool.
The configuration of mapping users and groups to roles is located in the management API at: /core-service=management/access=authorization as role-mapping elements.
Only users in the SuperUser or Administrator roles can perform this configuration.

Procedure 11.16. Viewing Group Role Assignment Configuration

  1. Use the read-children-names operation to get a complete list of the configured roles: 
    /core-service=management/access=authorization:read-children-names(child-type=role-mapping)
    [standalone@localhost:9999 access=authorization] :read-children-names(child-type=role-mapping)
{
    "outcome" => "success",
    "result" => [
        "ADMINISTRATOR",
        "DEPLOYER",
        "MAINTAINER",
        "MONITOR",
        "OPERATOR",
        "SuperUser"
    ]
}
  2. Use the read-resource operation of a specified role-mapping to get the full details of a specific role: 
    /core-service=management/access=authorization/role-mapping=ROLENAME:read-resource(recursive=true)
    [standalone@localhost:9999 access=authorization] ./role-mapping=ADMINISTRATOR:read-resource(recursive=true)
{
    "outcome" => "success",
    "result" => {
        "include-all" => false,
        "exclude" => undefined,
        "include" => {
            "user-theboss" => {
                "name" => "theboss",
                "realm" => undefined,
                "type" => "USER"
            },
            "user-harold" => {
                "name" => "harold",
                "realm" => undefined,
                "type" => "USER"
            },
            "group-SysOps" => {
                "name" => "SysOps",
                "realm" => undefined,
                "type" => "GROUP"
            }
        }
    }
}
[standalone@localhost:9999 access=authorization]

Procedure 11.17. Add a new role

This procedure shows how to add a role-mapping entry for a role. This must be done before the role can be configured.
  • Use the add operation to add a new role configuration. 
    /core-service=management/access=authorization/role-mapping=ROLENAME:add
    [standalone@localhost:9999 access=authorization] ./role-mapping=AUDITOR:add             
{"outcome" => "success"}
[standalone@localhost:9999 access=authorization]

Procedure 11.18. Add a Group as included in a role

This procedure shows how to add a Group to the included list of a role.
If no configuration for a role has been done, then a role-mapping entry for it must be done first.
  • Use the add operation to add a Group entry to the includes list of the role. 
    /core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:add(name=GROUPNAME, type=GROUP)
    ROLENAME is the name of the role being configured.
    GROUPNAME is the name of the group being added to the include list.
    ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as group-GROUPNAME. 
    [standalone@localhost:9999 access=authorization] ./role-mapping=AUDITOR/include=group-investigators:add(name=investigators, type=GROUP)
{"outcome" => "success"}
[standalone@localhost:9999 access=authorization]

Procedure 11.19. Add a group as excluded in a role

This procedure shows how to add a group to the excluded list of a role.
If no configuration for a role has been done, then a role-mapping entry for it must be created first.
  • Use the add operation to add a group entry to the excludes list of the role. 
    /core-service=management/access=authorization/role-mapping=ROLENAME/exclude=ALIAS:add(name=GROUPNAME, type=GROUP)
    ROLENAME is the name of the role being configured
    GROUPNAME is the name of the group being added to the include list
    ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as group-GROUPNAME. 
    [standalone@localhost:9999 access=authorization] ./role-mapping=AUDITOR/exclude=group-supervisors:add(name=supervisors, type=USER)
{"outcome" => "success"}
[standalone@localhost:9999 access=authorization]

Procedure 11.20. Remove group role include configuration

This procedure shows how to remove a group include entry from a role mapping.
  • Use the remove operation to remove the entry. 
    /core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:remove
    ROLENAME is the name of the role being configured
    ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as group-GROUPNAME. 
    [standalone@localhost:9999 access=authorization] ./role-mapping=AUDITOR/include=group-investigators:remove
{"outcome" => "success"}
[standalone@localhost:9999 access=authorization]
    Removing the group from the list of includes does not remove the group from the system, nor does it guarantee that the role won't be assigned to users in this group. The role might still be assigned to users in the group individually.

Procedure 11.21. Remove a user group exclude entry

This procedure shows how to remove a group exclude entry from a role mapping.
  • Use the remove operation to remove the entry. 
    /core-service=management/access=authorization/role-mapping=ROLENAME/exclude=ALIAS:remove
    ROLENAME is the name of the role being configured.
    ALIAS is a unique name for this mapping. Red Hat recommends that you use a naming convention for your aliases such as group-GROUPNAME. 
    [standalone@localhost:9999 access=authorization] ./role-mapping=AUDITOR/exclude=group-supervisors:remove
{"outcome" => "success"}
[standalone@localhost:9999 access=authorization]
    Removing the group from the list of excludes does not remove the group from the system. It also does not guarantee the role will be assigned to members of the group. Roles might still be excluded based on group membership.
Report a bug