14.8. Administering User Tasks From the Command Line

14.8.1. Managing Users

You can use the ovirt-aaa-jdbc-tool tool to manage user accounts on the internal domain. Changes made using the tool take effect immediately and do not require you to restart the ovirt-engine service. For a full list of user options, run ovirt-aaa-jdbc-tool user --help. Common examples are provided in this section.

Procedure 14.12. Creating a User

This procedure shows you how to create a user, set the user password, and add it to your Red Hat Enterprise Virtualization environment.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Create a new user account. Optionally use --attribute to specify account details. For a full list of options, run ovirt-aaa-jdbc-tool user add --help.
    # ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe 
    adding user test1...
    user added successfully
  3. Set a password. You must set a value for --password-valid-to, otherwise the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX. In this example, -0800 stands for GMT minus 8 hours. For more options, run ovirt-aaa-jdbc-tool user password-reset --help.
    # ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
    Password:
    updating user test1...
    user updated successfully
    

    Note

    By default, the password policy for user accounts on the internal domain has the following restrictions:
    • A minimum of 6 characters.
    • Three previous passwords used cannot be set again during the password change.
    For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show.
  4. Add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Section 14.7.1, “Adding Users and Assigning User Portal Permissions” for more information.

Procedure 14.13. Viewing User Information

This procedure shows you how to view user account information. More information is displayed than in the Administration Portal, Users tab.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Run the following command:
    # ovirt-aaa-jdbc-tool user show test1

Procedure 14.14. Editing User Information

This procedure shows you how to update user account information.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Run the following command to edit user information. This example updates the email address.
    # ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com

Procedure 14.15. Removing a User

This procedure shows you how to delete a user account
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Delete the user:
    # ovirt-aaa-jdbc-tool user delete test1
  3. Remove the user from the Administration Portal. See Section 14.7.4, “Removing Users” for more information.

14.8.2. Changing the Password for the Internal Administrative User

To reset the password of the internal administrative user (admin@internal), use the ovirt-aaa-jdbc-tool tool. You do not need to restart the ovirt-engine service for the password change to take effect.
By default, the password policy for user accounts on the internal domain has the following restrictions:
  • A minimum of 6 characters.
  • Three previous passwords used cannot be set again during the password change.
For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show.

Procedure 14.16. Resetting the Password for the Internal Administrative User

  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. To change the password in interactive mode, run the following command. You must set a value for --password-valid-to, otherwise the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX. In this example, Z stands for UTC time. For more options, run ovirt-aaa-jdbc-tool user password-reset --help.
    # ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2025-08-01 12:00:00Z"

14.8.3. Disabling the Internal Administrative User

You can disable users on the local domains including the admin@internal user created during engine-setup. Make sure you have at least one user in the envrionment with full administrative permissions before disabling the default admin user.

Procedure 14.17. Disabling the Internal Administrative User

  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Make sure another user with the SuperUser role has been added to the environment. See Section 14.7.1, “Adding Users and Assigning User Portal Permissions” for more information.
  3. Disable the default admin user:
    # ovirt-aaa-jdbc-tool user edit admin --flag=+disabled

    Note

    To enable a disabled user, run ovirt-aaa-jdbc-tool user edit username --flag=-disabled

14.8.4. Managing Groups

You can use the ovirt-aaa-jdbc-tool tool to manage group accounts on your internal domain. Managing group accounts is similar to managing user accounts. For a full list of group options, run ovirt-aaa-jdbc-tool group --help. Common examples are provided in this section.

Procedure 14.18. Creating a Group

This procedure shows you how to create a group account, add users to the group, and view the details of the group.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Create a new group:
    # ovirt-aaa-jdbc-tool group add group1
  3. Add users to the group. The users must be created already.
    # ovirt-aaa-jdbc-tool group-manage useradd group1 --user=test1

    Note

    For a full list of the group-manage options, run ovirt-aaa-jdbc-tool group-manage --help.
  4. View group account details:
    # ovirt-aaa-jdbc-tool group show group1
  5. Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. The users in the group inherit the roles and permissions of the group. See Section 14.7.1, “Adding Users and Assigning User Portal Permissions” for more information.

Procedure 14.19. Creating Nested Groups

This procedure shows you how to create groups within groups.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Create the first group:
    # ovirt-aaa-jdbc-tool group add group1
  3. Create the second group:
    # ovirt-aaa-jdbc-tool group add group1-1
  4. Add the second group to the first group:
    # ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group1-1
  5. Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Section 14.7.1, “Adding Users and Assigning User Portal Permissions” for more information.

14.8.5. Querying Users and Groups

The query module allows you to query user and group information. For a full list of options, run ovirt-aaa-jdbc-tool query --help.

Procedure 14.20. Listing All User or Group Account Details

This procedure shows you how to list all account information.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
    • List all user account details:
      # ovirt-aaa-jdbc-tool query --what=user
    • List all group account details:
      # ovirt-aaa-jdbc-tool query --what=group

Procedure 14.21. Listing Filtered Account Details

This procedure shows you how to apply filters when listing account information.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
    • List user account details with names that start with the character j.
      # ovirt-aaa-jdbc-tool query --what=user --pattern="name=j*"
    • List groups that have the department attribute set to marketing:
      # ovirt-aaa-jdbc-tool query --what=group --pattern="department=marketing"

14.8.6. Managing Account Settings

To change the default account settings, use the ovirt-aaa-jdbc-tool settings module.

Procedure 14.22. Updating Account Settings

This procedure shows you how to update the default account settings.
  1. Log in to the machine on which the Red Hat Enterprise Virtualization Manager is installed.
  2. Run the following command to show all the settings available:
    # ovirt-aaa-jdbc-tool setting show
  3. Change the desired settings:
    • This example updates the default log in session time to 60 minutes for all user accounts. The default value is 10080 minutes.
      # ovirt-aaa-jdbc-tool setting set --name=MAX_LOGIN_MINUTES --value=60
    • This example updates the number of failed login attempts a user can perform before the user account is locked. The default value is 5.
      # ovirt-aaa-jdbc-tool setting set --name=MAX_FAILURES_SINCE_SUCCESS --value=3

      Note

      To unlock a locked user account, run ovirt-aaa-jdbc-tool user unlock test1.