Administration Commands and External Users and Groups

You can perform administrative commands on users and groups defined either locally (in the EMS server’s local configuration files) or through JAAS. Furthermore, you can combine users and groups that are defined in different locations (for example, you can grant and revoke permissions for users and groups defined through JAAS, or add JAAS-defined users to locally-defined groups).

Note: Combining authentication sources requires that the configuration parameter user_auth includes both jaas and local.

When you attempt to view users and groups using the show user/s or show group/s commands, any users and groups that exist in external directories have an asterisk next to their names. Users and groups from external directories will only appear in the output of these commands in the following situations:

  • an externally-defined user successfully authenticates
  • a user belonging to an externally-defined group successfully authenticates
  • an externally-defined user has been added to a locally-defined group
  • permissions on a topic or queue have been granted to an externally-defined user or group

Therefore, not all users and groups defined in the external directory may appear when the show user/s or show group/s commands are executed. Only the users and groups that meet the above criteria at the time the command is issued will appear.

You can create users and groups with the same names as externally-defined users and groups. If a user or group exists in the server’s configuration and is also defined externally, the local definition takes precedence. Locally-defined users and groups will not have an asterisk by their names in the show user/s or show group/s commands.

You can also issue the delete user or delete group command to delete users and groups from the local server’s configuration. The permissions assigned to the user or group are also deleted when the user or group is deleted. If you delete a user or group that is defined externally, this deletes the user or group from the server’s memory and deletes any permissions assigned in the access control list, but it has no effect on the external directory. The externally-defined user can still log in afterward; when that happens, the user is created again in the server’s memory, along with any groups to which the user belongs. However, any permissions for the user or group have been deleted and therefore must be re-granted.
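
A pre-change audit for the two behaviours described above (a local definition takes precedence over an external one with the same name, and deleting an external user or group drops its grants), as an added example that is not part of the product documentation. The ACL line layout, the name sets and every function name are assumptions constructed for illustration.

```python
import re

# Constructed sample data, not taken from the page. The ACL line layout
# (TOPIC|QUEUE=... USER|GROUP=... PERM=...) is an assumption.
LOCAL_USERS = {"admin", "svc_orders"}
LOCAL_GROUPS = {"ops"}
DIRECTORY_USERS = {"alice", "svc_orders"}  # e.g. exported from the directory
ACL_TEXT = """\
TOPIC=orders.> USER=alice PERM=subscribe
QUEUE=billing GROUP=finance PERM=receive,browse
QUEUE=billing USER=svc_orders PERM=send
TOPIC=ops.alerts GROUP=ops PERM=publish
"""

ACL_RE = re.compile(r"^(TOPIC|QUEUE)=(\S+)\s+(USER|GROUP)=(\S+)\s+PERM=(\S+)$")

def parse_acl(text):
    """Return (dest_kind, dest, principal_kind, name, perms) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised ACL entry: {line!r}")
        kind, dest, ptype, name, perms = m.groups()
        entries.append((kind, dest, ptype, name, tuple(perms.split(","))))
    return entries

def external_grants(entries, local_users, local_groups):
    """Grants held by principals with no local definition (lost on delete)."""
    found = {}
    for kind, dest, ptype, name, perms in entries:
        local = local_users if ptype == "USER" else local_groups
        if name not in local:
            found.setdefault((ptype, name), []).append((kind, dest, perms))
    return found

def shadowing_names(local_names, directory_names):
    """Names defined in both places; the local definition takes precedence."""
    return sorted(local_names & directory_names)
```

Saving the output of external_grants before a delete gives the list of permissions that have to be re-granted once the external user logs in again.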