WIMManagementCommands command group for the AdminTask object

You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the WIMManagementCommands group can be used to create and manage groups, members, and users in the virtual member manager.

Note: If the Use global security settings option is selected for the user realm or the Global federated repositories option is selected as the realm type for the specified domain, the user and group management commands are executed on the federated repository of the admin domain. For example, if you run the createUser command for the specified domain, the user is created in the admin domain. However, configuration changes that are performed on the domain are applied to the security domain-specific configuration.
The WIMManagementCommands command group for the AdminTask object includes the following commands:

addMemberToGroup

The addMemberToGroup command adds a member to a group in the virtual member manager. If successful, the addMemberToGroup command returns the unique name of the added member.

Parameters and return values

-memberUniqueName
Specifies the unique name value for the user or group that you want to add to the specified group. This parameter maps to the uniqueName property in virtual member manager.
-groupUniqueName
Specifies the unique name value for the group to which you want to add the user or group that you specifed in the memberUniqueName parameter. This parameter maps to the uniqueName property in virtual member manager.
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

changeMyPassword

The changeMyPassword command allows you to change your password when you are logged into WebSphere® Application Server. It requires you to specify your old password and the new password, and then confirm your new password. If your old password is validated successfully, and the new password that you specify exactly matches your confirmation of the new password, then the password is changed.

Important: You can use the changeMyPassword command only for repositories that have a write adapter for federated repositories. It will not work for read-only adapters or the federated repositories user registry bridge that is configured with the local operating system user registry or a custom user registry.

Parameters and return values

-oldPassword
The old password of the user. The value of the oldPassword parameter is validated against the password of the user in the repository. (String, required)
-newPassword
The new password that must be set for the user. (String, required)
-confirmNewPassword
The new password that must be set for the user. The value of the newPassword and confirmNewPassword parameters must match. (String, required)
Note: After you change your password, your old password might continue to remain in effect, allowing you to login using your old password. This happens if both the authentication cache and basic authentication cache keys are enabled, causing the old password to remain valid according to the value specified for cache timeout or cache size.

You can clear the WebSphere Application Server security cache so that you do not have to wait for the cacheTimeout to expire. To clean entries from the AuthCache, you must use the SecurityAdmin MBeanclearAuthCache methods, clearAuthCache or purgeUserFromCache.

Call one of the following MBean methods on each WebSphere Application Server process that requires the subject of the user to be cleared from the cache. The AuthCache is a cache for each process, so every process (not just the dmgr) that has the user authenticated must have this method called:
  • /**
     * clearAuthCache
     */
    public void clearAuthCache()
  • /**
     * purgeUserFromCache
     */
    public void purgeUserFromAuthCache(String realm, String userid)
The following example shows how you can use wsadmin to call the clearAuthCache method on the dmgr process:
set sa [$AdminControl queryNames type=SecurityAdmin,process=dmgr,*]
$AdminControl invoke $sa clearAuthCache

For more information, read Authentication cache settings.

Examples

Batch mode example usage:

Interactive mode example usage:

clearIdMgrRepositoryCache

Use the clearIdMgrRepositoryCache command to clear all the entities from all of the caches of a specified repository adapter or all repository adapters.

Avoid trouble Avoid trouble: Frequent use of this command to clear the cache may result in performance degradation. When the entire cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data; so the subsequent operation takes longer to complete.gotcha

Parameters and return values

-id
Use this parameter to specify the repository ID of the repository adapter whose cache must be cleared. If you do not specify this parameter all the caches of all of the repository adapters are cleared. (String, optional)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

clearIdMgrUserFromCache

Use the clearIdMgrUserFromCache command to clear the specified user from the cache of the repository adapter, if the user exists in the cache.

Important: The clearIdMgrUserFromCache command does not clear the group membership details of the user. To clear group membership information for a user from the cache, use the getMembershipOfUser wsadmin command with the -clearCache parameter. For more information see the description of the getMembershipOfUser command.

Parameters and return values

-principalName
Use this parameter to specify the login ID of the user to be cleared from the cache. If the user is in an LDAP repository, then the principalName must be the distinguished name (DN) of the entry. The user is removed from the cache of the adapter of the repository where the user exists. If more than one user is found for the same principal name, then all of them are cleared from the cache. If the user is not found in the cache, then cache is not cleared and no error message appears. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

createGroup

The createGroup command creates a new group in the virtual member manager. After the command completes, the new group will appear in the repository. For LDAP, a group must contain a member. The memberUniqueName parameter is optional in this case. If you set the memberUniqueName parameter to the unique name of a group or a user, the group or user will be added as a member of the group.

Parameters and return values

-cn
Specifies the common name for the group that you want to create. This parameter maps to the cn property in virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)
-description
Specifies additional information about the group that you want to create. This parameter maps to the description property in a virtual member manager object. (String, optional)
-parent
Specifies the repository in which you want to create the group. This parameter maps to the parent property in the virtual member manager. (String, optional)
-memberUniqueName
Specifies the unique name value for the user or group that you want to add to the new group. This parameter maps to the uniqueName property in the virtual member manager. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

createUser

The createUser command creates a new user in the default repository or a repository that the parent command parameter specifies. This command creates a person entity and a login account entity in the virtual member manager.

Parameters and return values

-uid
Specifies the unique ID for the user that you want to create. Virtual member manager then creates a uniqueId value and a uniqueName value for the user. This parameter maps to the uid property in the virutal member manager. (String, required)
-password
Specifies the password for the user. This parameter maps to the password property in the virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)
-confirmPassword
Specifies the password again to validate how it was entered for the password parameter. This parameter maps to the password property in virtual member manager. (String, optional)
-cn
Specifes the first name or given name of the user. This parameter maps to the cn property in virutal member manager. (String, required)
-sn
Specifies the last name or family name of the user. This parameter maps to the sn property in virtual member manager. (String, required)
-mail
Specifies the email address of the user. This parameter maps to the ibm-PrimaryEmail property in the virtual member manager. (String, optional)
-parent
Specifies the repository in which you want to create the user. This parameter maps to the parent property in the virtual member manager. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

deleteGroup

The deleteGroup command deletes a group in the virtual member manager. You cannot use this command to delete descendants. When this command completes, the group will be deleted from the repository.

Parameters and return values

-uniqueName
Specifies the unique name value for the group that you want to delete. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

deleteUser

The deleteUser command deletes a user from the virtual member manager. This includes a person object and an account object in the non-merged repositories.

Parameters and return values

-uniqueName
Specifies the unique name value for the user that you want to delete. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

duplicateMembershipOfGroup

Use the duplicateMembershipOfGroup command to make a one group a member of all of the same groups as another group. For example, group A is in group B and group C. To add group D to the same groups as group A, use the duplicateMembershipOfGroup command.

Parameters and return values

-copyToUniqueName
Specifies the name of the group to which you want to add the memberships of the group specified in the copyFromUniqueName parameter. (String, required)
-copyFromUniqueName
Specifies the name of the group from which you want to copy the group memberships for another group to use. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

duplicateMembershipOfUser

Use the duplicateMembershipOfUser command to make a one user a member of all of the same groups as another user. For example, user 1 is in group B and group C. To add user 2 to the same groups as user 1, use the duplicateMembershipOfUser command.

Parameters and return values

-copyToUniqueName
Specifies the name of the user to which you want to add the memberships of the user specified in the copyFromUniqueName parameter. (String, required)
-copyFromUniqueName
Specifies the name of the user from which you want to copy the group memberships for another user to use. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

getGroup

The getGroup command retrieves the common name and description of a group.

Parameters and return values

-uniqueName
Specifies the unique name value for the group that you want to view. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-clearCache
Specifies whether the repository adapter cache should be cleared before retrieving the specified group information. (String, optional)
Valid values are:
  • clearEntity: Clears the cache for the specified group, if the group exists in the cache.
  • clearAll: Clears cached information for all of the entities in the adapter of the repository where the specified group exists.
The values are not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearEntity or clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data. The impact on performance is more pronounced if you use the clearAll mode, as this invalidates the entire cache, and the subsequent operation takes longer to complete.gotcha
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

getIdMgrSupportedDataTypes

The getIdMgrSupportedDataTypes command returns a list of all data types that are supported by a specified repository or all default data types that are supported by federated repositories. This command is available in both connected and local modes.

Parameters and return values

-id
Use this parameter to specify the ID of the repository. If you do not specify this parameter, the default data types that are supported by federated repositories are returned. (String, optional)
Specify LA as the value of the –id parameter to retrieve the data types supported by property extension repository.
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

The getIdMgrSupportedDataTypes command returns a list with the names of supported data types:

String
Int
Boolean
Long
Double
Base64binary
AnySimpleType
AnyURI
Byte
DateTime
Date
Short
Token
IdentifierType

Examples

Batch mode example usage:

Interactive mode example usage:

getMembershipOfGroup

The getMembershipOfGroup command retrieves the groups of which a group is a member.

Parameters and return values

-uniqueName
Specifies the unique name value for the group whose group memberships you want to view. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-clearCache
Specifies whether the repository adapter cache should be cleared before retrieving the specified group information. (String, optional)
Valid values are:
  • clearEntity: Clears the cache for the specified group, if the group exists in the cache.
  • clearAll: Clears cached information for all of the entities in the adapter of the repository where the specified group exists.
The values are not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearEntity or clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data. The impact on performance is more pronounced if you use the clearAll mode, as this invalidates the entire cache, and the subsequent operation takes longer to complete.gotcha
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

getMembershipOfUser

The getMembershipOfUser command retrieves the groups of which a user is a member.

Parameters and return values

-uniqueName
Specifies the unique name value for the user whose group memberships you want to view. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-clearCache
Specifies whether the repository adapter cache should be cleared before retrieving the specified user information. (String, optional)
Valid values are:
  • clearEntity: Clears the cache for the specified user, if the user exists in the cache.
  • clearAll: Clears cached information for all of the entities in the adapter of the repository where the specified user exists.
The values are not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearEntity or clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data. The impact on performance is more pronounced if you use the clearAll mode, as this invalidates the entire cache, and the subsequent operation takes longer to complete.gotcha
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

getMembersOfGroup

The getMembersOfGroup command retrieves the members of a group.

Parameters and return values

-uniqueName
Specifies the unique name value for the group whose members you want to view. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-clearCache
Specifies whether the repository adapter cache should be cleared before retrieving the specified group information. (String, optional)
Valid values are:
  • clearEntity: Clears the cache for the specified group, if the group exists in the cache.
  • clearAll: Clears cached information for all of the entities in the adapter of the repository where the specified group exists.
The values are not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearEntity or clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data. The impact on performance is more pronounced if you use the clearAll mode, as this invalidates the entire cache, and the subsequent operation takes longer to complete.gotcha
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

getUser

The getUser command retrieves information about a user in the virtual member manager.

Parameters and return values

-uniqueName
Specifies the unique name value for the user that you want to view. This parameter maps to the uniqueName property in the virtual member manager. (String, required)
-clearCache
Specifies whether the repository adapter cache should be cleared before retrieving the specified user information. (String, optional)
Valid values are:
  • clearEntity: Clears the cache for the specified user, if the user exists in the cache.
  • clearAll: Clears cached information for all of the entities in the adapter of the repository where the specified user exists.
The values are not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearEntity or clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data. The impact on performance is more pronounced if you use the clearAll mode, as this invalidates the entire cache, and the subsequent operation takes longer to complete.gotcha
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

removeMemberFromGroup

The removeMemberFromGroup command removes a user or a group from a group.

Parameters and return values

-memberUniqueName
Specifies the unique name value for the user or group that you want to remove from the specified group. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-groupUniqueName
Specifies the unique name value for the group from which you want to remove the user or group that you specified with the memberUniqueName paramter. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

searchGroups

Use the searchGroups command to find groups in the virtual member manager that match criteria that you provide. For example, you can use the searchGroups command to find all of the groups with a common name that begins with IBM®. You can search for any virtual member manager property because the command is generic.

Parameters and return values

-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)
-cn
The first name or given name of the user. This parameter maps to the cn property in the virtual member manager. You must set this parameter or the description parameter, but not both. (String, optional)
-description
Specifies information about the group. This parameter maps to the description entity in a virtual member manager object. You must set this parameter or the cn parameter, but not both. (String, optional)
-timeLimit
Specifies the maximum amount of time in milliseconds that the search can run. The default value is no time limit. (String, optional)
-countLimit
Specifies the maximum number of results that you want returned from the search. By default, all groups found in the search are returned. (String, optional)
-clearCache
Specifies whether the repository adapter cache should be cleared before performing the search operation for groups. (String, optional)
The valid value is clearAll, which clears all of the cached information in the repository adapter. The value is not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data; so the subsequent operation takes longer to complete.gotcha

Examples

Batch mode example usage:

Interactive mode example usage:

searchUsers

Use the searchUsers command to find users in the virtual member manager that match criteria that you provide. For example, you can use the searchUsers command to find all of the telephone numbers that contain 919. You can search for any virtual member manager property because the command is generic.

Parameters and return values

-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)
-principalName
Specifies the principal name oft he user that is used as the logon ID for the user in the system. This parameter maps to the principalName property in virtual member manager. You must specify only one of the following parameters: principalName, uid, cn, sn, or ibm-primaryEmail. (String, optional)
-uid
Specifies the unique ID value for the user for whom you want to search. This parameter maps to the uid property in virtual member manage. You must specify only one of the following parameters: principalName, uid, cn, sn, or ibm-primaryEmail. (String, optional)
-cn
Specifies the first name or given name of the user. This parameter maps to the cn property in virtual member manager. You must specify only one of the following parameters: principalName, uid, cn, sn, or ibm-primaryEmail. (String, optional)
-sn
Specifies the last name or family name of the user. This parameter maps to the sn property in virtual member manager. You must specify only one of the following parameters: principalName, uid, cn, sn, or ibm-primaryEmail. (String, optional)
-ibm-primaryEmail
Specifies the email address of the user. This parameter maps to the ibm-PrimaryEmail property in the virtual member manager. You must specify only one of the following parameters: principalName, uid, cn, sn, or ibm-primaryEmail. (String, optional)
-timeLimit
Specifies the maximum amount of time in milliseconds that the search can run. The default is not time limit. (String, optional)
-countLimit
Specifies the maximum number of results that you want returned from the search. By default, all users found int he search are returned. (String, optional)
-clearCache
Specifies whether the repository adapter cache should be cleared before performing the search operation for users. (String, optional)
The valid value is clearAll, which clears all of the cached information in the repository adapter. The value is not case-sensitive. There is no default value for this parameter. If you do not specify a value, or specify a value other than clearAll, an error message appears.
Avoid trouble Avoid trouble: Frequent use of this parameter to clear the cache may result in performance degradation. When the cache is cleared, the subsequent operation has to get the details from the repository and update the cache with this newly retrieved data; so the subsequent operation takes longer to complete.gotcha

Examples

Batch mode example usage:

Interactive mode example usage:

updateGroup

The updateGroup command updates the common name or the description of a group.

Parameters and return values

-uniqueName
Specifies the unique name value for the group for which you want to modify the properties. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)
-cn
Specifies the new common name used for the group. This parameter maps to the cn property in virtual member manager. (String, optional)
-description
Specifies the new information about the group. This parameter maps to the description entity in a virtual member manager object. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

updateUser

The updateUser command updates the following properties: uniqueName, uid, password, cn, sn, or ibm-primaryEmail.

Parameters and return values

-uniqueName
Specifies the unique name value for the user for which you want to modify the properties. This parameter maps to the uniqueName property in virtual member manager. (String, required)
-securityDomainName
Specifies the name that uniquely identifies the security domain. If you do not specify this parameter, the command uses the global federated repository. (String, optional)
-uid
Specifies the new unique ID value for the user. This parameter maps to the uid property in virtual member manager. (String, optional)
-password
Specifies the new password for the user. This parameter maps to the password property in virtual member manager. (String, optional)
-confirmPassword
Specifies the password again to validate how it was entered on the password parameter. This parameter maps to the password property in virtual member manager. (String, optional)
-cn
Specifies the new first name or given name of the user. This parameter maps to the cn property in virtual member manager. (String, optional)
-surname
Specifies the new last name or family name of the user. This parameter maps to the sn property in virtual member manager. (String, optional)
-ibm-primaryEmail
Specifies the new email address of the user. This parameter maps to the mail property in virtual member manager.  (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:




Related tasks
Using the wsadmin scripting AdminTask object for scripted administration
Related reference
Commands for the AdminTask object using wsadmin scripting
Authentication cache settings
Reference topic Reference topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Jan 30, 2014 9:17:32 AM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-iseries&topic=rxml_atwimmgt
File name: rxml_atwimmgt.html