Qorus Integration Engine
3.0.4.p7
Edit the System Options File and ensure a line appears as follows:
qorus.rbac-security: true
Then restart the server. To disable RBAC security, change "true" in the above line to "false", or comment out the line and restart the Qorus server.
"LOGIN" and "SHUTDOWN" roles
Edit the System Options File and ensure a line appears for each host or IP range as follows:
qorus.rbac-force-user: <host|ip-range>=<user>
Then restart the server.
The user parameter must be set to a valid user; every unauthenticated connection from the given host or IP range will be made with the user given on the line. The rbac-force-user option may be given any number of times in the System Options File.
IP ranges must be specified using ‘*’ as a wildcard as in the following examples:
qorus.rbac-force-user: 192.168.*=user
qorus.rbac-force-user: 10.135.11.*=remote-user
Hostnames are given literally:
qorus.rbac-force-user: localhost=admin
Changes to the System Options File only take effect when the Qorus server is restarted.
To list all users in Qorus, we use the user-tool program to do an offline listing (user-tool accesses the Qorus database directly and therefore can be used when the database is online but the Qorus server is offline).
unixprompt% user-tool -ll
All user information is displayed except password information. The output should look as follows (use only one "l" above to display the users without role lists; note that the output has been truncated for formatting purposes):
+ USER: "admin" (Qorus Administrator) created=2007-05-20 14:11:15.625 modified=2007-05-20 14:11:15.625
  * SYSTEM: CALL-SYSTEM-SERVICES-RW
  * SYSTEM: CALL-USER-SERVICES-RW
  * SYSTEM: EDIT-WORKFLOW-DATA
  * SYSTEM: EXEC-SYNC-WORKFLOW
  * SYSTEM: LOGIN
  * SYSTEM: OPTION-CONTROL
  * SYSTEM: ROTATE-LOG-FILES
  * SYSTEM: SERVICE-CONTROL
  * SYSTEM: SHUTDOWN
  * SYSTEM: SUBMIT-ORDER
  * SYSTEM: USER-CONTROL
  * SYSTEM: WORKFLOW-CONTROL
+ USER: "user1" (operator) created=2007-05-23 21:47:38.199 modified=2007-05-23 21:47:38.199
  * SYSTEM: CALL-SYSTEM-SERVICES-RW
  * SYSTEM: CALL-USER-SERVICES-RW
...
If an error message appears, see the following section for causes.
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any network client, including Qorus command-line tools.
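The following shell function is an added example, not part of the Qorus documentation or distribution. It cross-checks the qorus.rbac-force-user entries of the System Options File against a saved "user-tool -ll" listing and reports which watched roles an unauthenticated connection from each host or IP range inherits. Assumptions: "#" comments out an options line, the listing has one "+ USER:" header line per user followed by one role per line, and the function names, file names and default watch list (USER-CONTROL, SHUTDOWN) are chosen for illustration.

```shell
#!/bin/sh
# Added example, not Qorus code: report which watched roles an
# unauthenticated connection inherits through each rbac-force-user entry.
# Assumed: "#" comments out an options line; the saved listing has one
# "+ USER:" header per user followed by one "* SYSTEM:"/"* USER:" role line
# per role; the default watch list below is an illustrative choice.

unauth_exposure() {  # $1 options file, $2 saved "user-tool -ll" output, $3 watch list
    awk -v watch="${3:-USER-CONTROL,SHUTDOWN}" '
    function value(line) {            # text after the first colon, trimmed
        sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line); return line
    }
    BEGIN { n = split(watch, w, ","); for (i = 1; i <= n; i++) sens[w[i]] = 1 }
    /^[ \t]*#/ { next }               # commented-out option lines
    /^[ \t]*\+ USER: "/ {             # listing: start of a user block
        cur = $0; sub(/^[^"]*"/, "", cur); sub(/".*$/, "", cur)
        known[cur] = 1; next
    }
    /^[ \t]*\+ / { cur = ""; next }   # any other header ends the user block
    /^[ \t]*\* (SYSTEM|USER): / {     # listing: one role of the current user
        role = value($0)
        if (cur != "" && (role in sens))
            held[cur] = held[cur] (held[cur] == "" ? "" : ",") role
        next
    }
    /^[ \t]*qorus\.rbac-security[ \t]*:/ { rbac = value($0); next }
    /^[ \t]*qorus\.rbac-force-user[ \t]*:/ {
        spec = value($0); eq = index(spec, "=")
        if (eq < 2 || eq == length(spec)) { print "MALFORMED " spec; next }
        pat[++m] = substr(spec, 1, eq - 1); usr[m] = substr(spec, eq + 1)
        next
    }
    END {
        # A missing or commented-out rbac-security line means RBAC is off.
        if (rbac == "true") print "RBAC enabled"; else print "RBAC DISABLED"
        for (i = 1; i <= m; i++) {
            u = usr[i]
            if (!(u in known)) verdict = "UNKNOWN-USER"   # must be a valid user
            else if (held[u] != "") verdict = "SENSITIVE " held[u]
            else verdict = "ok"
            print pat[i] " -> " u ": " verdict
        }
    }' "$2" "$1"
}

# Constructed sample inputs in the formats shown on this page (not real data).
sample_options() { cat <<'EOF'
qorus.rbac-security: true
qorus.rbac-force-user: 192.168.*=user1
qorus.rbac-force-user: 10.135.11.*=remote-user
qorus.rbac-force-user: localhost=admin
# qorus.rbac-force-user: 10.*=admin
EOF
}
sample_listing() { cat <<'EOF'
+ USER: "admin" (Qorus Administrator) created=2007-05-20 14:11:15.625
  * SYSTEM: LOGIN
  * SYSTEM: SHUTDOWN
  * SYSTEM: USER-CONTROL
+ USER: "user1" (operator) created=2007-05-23 21:47:38.199
  * SYSTEM: CALL-SYSTEM-SERVICES-RW
  * SYSTEM: LOGIN
EOF
}

demo() {  # $1 optional watch list
    d=$(mktemp -d) || return 1
    sample_options > "$d/options"; sample_listing > "$d/users"
    unauth_exposure "$d/options" "$d/users" "$1"
    rm -rf "$d"
}
demo
```

Any SENSITIVE or UNKNOWN-USER line marks a force-user entry to review, since every unauthenticated connection from that host or range acts as the named user.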
This action requires the "USER-CONTROL" role.
To create a new user online (while the system is running, in a way that the new user is immediately available to make a connection) from an existing profile, call the omq.system.add-user-from-profile() API method as follows:
unixprompt% ocmd add-user-from-profile <name> <pw> "<desc>" <profile_name>
For example:
unixprompt% ocmd add-user-from-profile fred mypass123 "Fred Smith" operator
Or, to create a new user giving an explicit list of roles:
unixprompt% ocmd add-user <name> <password> "<desc>" <role>[,<role>,...]
For example:
unixprompt% ocmd add-user fred mypass123 "Fred Smith" LOGIN,CALL-SYSTEM-SERVICES-RW,CALL-USER-SERVICES-RW,WORKFLOW-CONTROL,OPTION-CONTROL,SHUTDOWN
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Invalid Role
ERROR: RBAC-ADD-USER-ERROR: cannot add user "fred"; role "LOGIN1" is not currently cached
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Invalid Profile
ERROR: RBAC-ADD-USER-ERROR: profile "operator2" is not currently cached
Possible Cause | Action to Take |
The profile does not exist | Check the profile name and try the command again. |
The profile has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: User Already Exists
ERROR: RBAC-ADD-USER-ERROR: user "fred" already exists
Possible Cause | Action to Take |
The user already exists | Check the user name and try again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any network client, including Qorus command-line tools.
To create a new user while Qorus is offline, we use the user-tool program as follows:
unixprompt% user-tool -A<name>,<pass>,<profile>,"<description>"
For example:
unixprompt% user-tool -Afred,mypass123,operator,"Fred Smith"
All user information is displayed except password information. The output should look as follows (the output has been truncated for formatting purposes):
+ creating operator USER "fred" (Fred Smith):
  * adding role CALL-SYSTEM-SERVICES-RW
  * adding role CALL-USER-SERVICES-RW
  * adding role EDIT-WORKFLOW-DATA
  * adding role LOGIN
  * adding role OPTION-CONTROL
...
If an error message appears, see the following section for causes.
Error: Invalid Role
INVALID-ROLE: ROLE "LOGIN1" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
Error: Invalid Profile
INVALID-PROFILE: profile "operator2" does not exist
Possible Cause | Action to Take |
The profile does not exist | Check the profile name and try the command again. |
Error: User Already Exists
USER-ERROR: user "fred" already exists
Possible Cause | Action to Take |
The user already exists | Check the user name and try again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role (unless the current user’s password is being updated, in which case "LOGIN" is sufficient).
To update an existing user online (while the system is running, in a way that the changes take effect immediately) call the omq.system.update-user() API method as follows (at least one of the hash options must be given):
unixprompt% ocmd update-user <name> [pass=<pass>,name=<name>,roles=<roles>]
For example:
unixprompt% ocmd update-user fred name="Fred Smyth",pass=new_password
The output should look as follows:
OK
The "user-tool -R" program option can be used to add individual roles to an existing user; "user-tool -O" deletes individual roles from users. Don’t forget to call "user-tool -s" after making changes with user-tool to synchronize the RBAC cache with the database.
If an error message appears, see the following section for causes.
Error: Invalid Role
ERROR: RBAC-ADD-USER-ERROR: cannot add user "fred"; role "LOGIN1" is not currently cached
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Invalid User
ERROR: RBAC-ADD-USER-ERROR: user "fred" does not exist
Possible Cause | Action to Take |
The user does not exist | Check the username and try the command again. |
The user has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To update an existing user while Qorus is offline, we use the user-tool program as follows (at least the name or pass options have to be used):
unixprompt% user-tool -d<name>:[pass=<pass>,name=<name>]
For example:
unixprompt% user-tool -dfred:pass=new_password,name="Fred Smythe"
The output should look as follows:
+ USER "fred" updated
"user-tool -R" (to add roles), or "user-tool -O" (to delete roles).
If an error message appears, see the following section for causes.
Error: Invalid User
INVALID-USER: user "fred" does not exist
Possible Cause | Action to Take |
The user does not exist | Check the username and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To change your own user’s password online (while the system is running, in a way that the change takes effect immediately) call the omq.system.update-current-user() API method as follows:
unixprompt% ocmd update-current-user pass=<new_pass>
For example:
unixprompt% ocmd update-current-user fred pass=new_password
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role.
To delete an existing user online (while the system is running, in a way that the changes take effect immediately) call the omq.system.delete-user() API method as follows:
unixprompt% ocmd delete-user <name>
For example:
unixprompt% ocmd delete-user fred
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Invalid User
ERROR: RBAC-DELETE-USER-ERROR: user "fred" does not exist
Possible Cause | Action to Take |
The user does not exist | Check the username and try the command again. |
The user has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To delete an existing user while Qorus is offline, we use the user-tool program as follows:
unixprompt% user-tool -Xuser:<name>
For example:
unixprompt% user-tool -Xuser:fred
The output should look as follows:
+ USER "fred" deleted (11 roles cleared)
If an error message appears, see the following section for causes.
Error: Invalid User
INVALID-USER: user "fred" does not exist
Possible Cause | Action to Take |
The user does not exist | Check the username and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To list all profiles in Qorus, we use the user-tool program to do an offline listing (user-tool accesses the Qorus database directly and therefore can be used when the database is online but the Qorus server is offline).
unixprompt% user-tool -pp
All profile information is displayed. The output should look as follows (use only one "p" above to display the profiles without role lists; note that the output has been truncated for formatting purposes):
+ PROFILE: "superuser" (superuser with all system roles) created=2007-05-20 14:11:13.160 modified=2007-05-20 14:11:13.160
  * SYSTEM: CALL-SYSTEM-SERVICES-RW
  * SYSTEM: CALL-USER-SERVICES-RW
  * SYSTEM: EDIT-WORKFLOW-DATA
  * SYSTEM: EXEC-SYNC-WORKFLOW
  * SYSTEM: LOGIN
  * SYSTEM: OPTION-CONTROL
  * SYSTEM: ROTATE-LOG-FILES
  * SYSTEM: SERVICE-CONTROL
  * SYSTEM: SHUTDOWN
  * SYSTEM: SUBMIT-ORDER
  * SYSTEM: USER-CONTROL
  * SYSTEM: WORKFLOW-CONTROL
+ PROFILE: "operator" (operator profile) created=2007-05-20 14:11:13.162 modified=2007-05-20 14:11:13.162
  * SYSTEM: CALL-SYSTEM-SERVICES-RW
  * SYSTEM: CALL-USER-SERVICES-RW
...
If an error message appears, see the following section for causes.
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role.
To create a new profile online (while the system is running, in a way that the changes take effect immediately) call the omq.system.add-profile() API method as follows:
unixprompt% ocmd add-profile <name> "<desc>" <roles>
For example:
unixprompt% ocmd add-profile operator2 "Limited Operator" LOGIN,CALL-SYSTEM-SERVICES-RO,CALL-USER-SERVICES-RO,OPTION-CONTROL
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Profile Already Exists
ERROR: RBAC-ADD-PROFILE-ERROR: profile "operator2" already exists
Possible Cause | Action to Take |
The profile already exists | Check the profile name and try again, or modify the profile if needed. |
Error: Invalid Role
ERROR: RBAC-ADD-PROFILE-ERROR: cannot add profile "operator2"; role "LOGIN1" is not currently cached
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To create a new profile while Qorus is offline, we use the user-tool program as follows:
unixprompt% user-tool -P<name>:"<description>":<role>[,<role>...]
For example:
unixprompt% user-tool -Poperator2:"Limited Operator":LOGIN,CALL-SYSTEM-SERVICES-RO,CALL-USER-SERVICES-RO,OPTION-CONTROL
The output should look as follows:
+ PROFILE "operator2" (Limited Operator) created with 4 roles
If an error message appears, see the following section for causes.
Error: Profile Already Exists
PROFILE-ERROR: PROFILE "operator2" already exists
Possible Cause | Action to Take |
The profile already exists | Check the profile name and try again, or modify the profile if needed. |
Error: Invalid Role
INVALID-ROLE: ROLE "LOGIN1" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role.
To update an existing profile online (while the system is running, in a way that the changes take effect immediately) call the omq.system.update-profile() API method as follows:
unixprompt% ocmd update-profile <name> <desc> <roles>
For example:
unixprompt% ocmd update-profile operator2 "New Operator Profile" LOGIN,SHUTDOWN,OPTION-CONTROL,WORKFLOW-CONTROL
The output should look as follows:
OK
The "user-tool -F" program option can be used to add individual roles to an existing profile; "user-tool -I" deletes individual roles from profiles. Don’t forget to call "user-tool -s" after making changes with user-tool to synchronize the RBAC cache with the database.
If an error message appears, see the following section for causes.
Error: Invalid Profile
ERROR: RBAC-UPDATE-PROFILE-ERROR: profile "operator2" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Invalid Role
ERROR: RBAC-UPDATE-PROFILE-ERROR: cannot update profile "operator2"; role "LOGIN1" is not currently cached
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To update an existing profile while Qorus is offline, we use the user-tool program as follows (at least one of the desc, roles, or groups options has to be used):
unixprompt% user-tool -Udesc="<description>"
For example:
unixprompt% user-tool -Uoperator2:desc="New Operator Profile"
The output should look as follows:
+ PROFILE "operator2" updated
"user-tool -F" (to add roles), or "user-tool -I" (to delete roles).
If an error message appears, see the following section for causes.
Error: Invalid Profile
INVALID-PROFILE: PROFILE "operator2" does not exist
Possible Cause | Action to Take |
The profile does not exist | Check the profile name and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role.
To delete an existing profile online (while the system is running, in a way that the changes take effect immediately) call the omq.system.delete-profile() API method as follows:
unixprompt% ocmd delete-profile <name>
For example:
unixprompt% ocmd delete-profile operator2
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Invalid Profile
ERROR: RBAC-DELETE-PROFILE-ERROR: profile "operator2" does not exist
Possible Cause | Action to Take |
The profile does not exist | Check the profile name and try the command again. |
The profile has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To delete an existing profile while Qorus is offline, we use the user-tool program as follows:
unixprompt% user-tool -Xprofile:<name>
For example:
unixprompt% user-tool -Xprofile:operator2
The output should look as follows:
+ PROFILE "operator2" deleted (4 roles cleared)
If an error message appears, see the following section for causes.
Error: Invalid User
PROFILE-ERROR: profile "operator2" does not exist
Possible Cause | Action to Take |
The profile does not exist | Check the profile name and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To list all roles in Qorus, we use the user-tool program to do an offline listing (user-tool accesses the Qorus database directly and therefore can be used when the database is online but the Qorus server is offline).
unixprompt% user-tool -L
All "SYSTEM" and "USER" roles are displayed. The output should look as follows (note that the output has been truncated for formatting purposes):
+ ROLE SYSTEM: "LOGIN": Allows logging in to the system
+ ROLE SYSTEM: "SHUTDOWN": Allows shutting down the system
+ ROLE SYSTEM: "WORKFLOW-CONTROL": Allows starting, stopping, ...
+ ROLE SYSTEM: "SERVICE-CONTROL": Allows services to be stopped / deleted
+ ROLE SYSTEM: "EDIT-WORKFLOW-DATA": Allows workflow data to be edited
+ ROLE SYSTEM: "CALL-USER-SERVICES-RO": Allows read-only user services ...
+ ROLE SYSTEM: "CALL-USER-SERVICES-RW": Allows all user services to be ...
+ ROLE SYSTEM: "CALL-SYSTEM-SERVICES-RO": Allows read-only system ...
+ ROLE SYSTEM: "CALL-SYSTEM-SERVICES-RW": Allows all system services ...
+ ROLE SYSTEM: "USER-CONTROL": Allows creating, deleting, changing ...
+ ROLE SYSTEM: "OPTION-CONTROL": Allows changing system options
+ ROLE SYSTEM: "SUBMIT-ORDER": Allows submitting order data for a workflow
+ ROLE SYSTEM: "ROTATE-LOG-FILES": Allows rotating log files
+ ROLE SYSTEM: "EXEC-SYNC-WORKFLOW": Allows executing workflows ...
If an error message appears, see the following section for causes.
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role.
To create a new user role online (while the system is running, in a way that the changes take effect immediately) call the omq.system.add-role() API method as follows:
unixprompt% ocmd add-role <name> "<description>"
For example:
unixprompt% ocmd add-role USER-ROLE-1 "User Role 1"
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Role Already Exists
ERROR: RBAC-ADD-ROLE-ERROR: role "USER-ROLE-1" already exists
Possible Cause | Action to Take |
The role already exists | Check the role name and try again, or modify the role if needed |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To create a new user role while Qorus is offline, we use the user-tool program as follows:
unixprompt% user-tool -N<name>:"<description>"
For example:
unixprompt% user-tool -NUSER-ROLE-1:"User Role 1"
The output should look as follows:
+ ROLE USER "USER-ROLE-1" (User Role 1) created
If an error message appears, see the following section for causes.
Error: Role Already Exists
ADD-ROLE-ERROR: ROLE "USER-ROLE-1" already exists
Possible Cause | Action to Take |
The role already exists | Check the role name and try again, or modify the role if needed |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
This action requires the "USER-CONTROL" role.
To update the description for an existing user role online (while the system is running, in a way that the changes take effect immediately) call the omq.system.update-role() API method as follows:
unixprompt% ocmd update-role <name> <description>
For example:
unixprompt% ocmd update-role USER-ROLE-1 "New Operator Role"
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Invalid Role
ERROR: RBAC-UPDATE-ROLE-ERROR: role "USER-ROLE-1" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.
To update an existing user role while Qorus is offline, we use the user-tool program as follows (at least the name or pass options have to be used):
unixprompt% user-tool -E<name>:"<description>"
For example:
unixprompt% user-tool -EUSER-ROLE-1:"New Operator Role"
The output should look as follows:
+ ROLE "USER-ROLE-1" updated
If an error message appears, see the following section for causes.
Error: Invalid Role
INVALID-ROLE: ROLE "USER-ROLE-1" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
This action requires the "USER-CONTROL" role.
To delete an existing user role online (while the system is running, in a way that the changes take effect immediately) call the omq.system.delete-role() API method as follows:
unixprompt% ocmd delete-role <name>
For example:
unixprompt% ocmd delete-role USER-ROLE-1
The output should look as follows:
OK
If an error message appears, see the following section for causes.
Error: Invalid Role
ERROR: RBAC-DELETE-ROLE-ERROR: role "USER-ROLE-1" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
The role has been created in the database but has not been cached | Call "user-tool -s" to synchronize the RBAC cache with the database and try the command again. |
Error: Role Is Associated with One Or More Users or Profiles
ERROR: RBAC-DELETE-ROLE-ERROR: role "USER-ROLE-1" is referenced by one of more users; remove the role from all users and profiles before deleting or use user-tool to perform an offline cascading delete of the role
Possible Cause | Action to Take |
The role is associated with one or more users or profiles | Remove the roles from the users and profiles ("user-tool -w[role] -r[role]" will list all users and profiles using the role) and try again, or execute "user-tool -c -Xrole:[role]" to perform a cascading delete of the role. |
Error: Role Is System Role
ERROR: RBAC-DELETE-ROLE-ERROR: role "LOGIN" is a SYSTEM role and cannot be deleted
Possible Cause | Action to Take |
Role name was misspelled | Check the role name and try again |
To delete an existing user role while Qorus is offline, we use the user-tool program as follows:
unixprompt% user-tool -Xrole:<name>
For example:
unixprompt% user-tool -Xrole:USER-ROLE-1
If the role is not associated with any users or profiles, the output should look as follows:
+ ROLE "USER-ROLE-1" deleted (0 profile, 0 user references deleted)
If an error message appears, see the following section for causes.
Error: Invalid Role
DELETE-ROLE-ERROR: role "USER-ROLE-1" does not exist
Possible Cause | Action to Take |
The role does not exist | Check the role name and try the command again. |
Error: Role Is Associated with One Or More Users or Profiles
DELETE-ROLE-ERROR: The following users reference role "USER-ROLE-1": list: ("username"), to delete all references, specify –cascade or –c on the command-line
Possible Cause | Action to Take |
The role is associated with one or more users or profiles | Remove the roles from the users and profiles ("user-tool -w[role] -r[role]" will list all users and profiles using the role) and try again, or execute "user-tool -c -Xrole:[role]" to perform a cascading delete of the role. |
Error: Role Is System Role
DELETE-ROLE-ERROR: role "LOGIN" is a SYSTEM role and cannot be deleted
Possible Cause | Action to Take |
Role name was misspelled | Check the role name and try again. |
Error: Communication, Authentication, and Environment Error
See Common Client Errors for more information. These errors could affect any client, including Qorus command-line tools.