Administration Commands and External Users and Groups
You can perform administrative commands on users and groups defined either locally (in the EMS server’s local configuration files), or externally (in an external directory accessed through JAAS, or in an OAuth 2.0 provider). Furthermore, you can combine users and groups that are defined in different locations (for example, you can grant and revoke permissions for users and groups defined externally, or add externally-defined users to locally-defined groups).
The user_auth configuration parameter must have at least two authentication methods specified. See Authentication Methods for details.
When you attempt to view users and groups using the show user/s or show group/s commands, any externally-defined users and groups have an asterisk next to their names. Externally-defined users and groups will only appear in the output of these commands in the following situations:
- an externally-defined user successfully authenticates
- a user belonging to an externally-defined group successfully authenticates
- an externally-defined user has been added to a locally-defined group
- permissions on a topic or queue have been granted to an externally-defined user or group
Therefore, not all externally-defined users and groups may appear when the show user/s or show group/s commands are executed. Only the users and groups that meet the above criteria at the time the command is issued will appear.
You can create users and groups with the same names as externally-defined users and groups. If a user or group exists in the server’s configuration and is also defined externally, the local definition of the user takes precedence. Locally-defined users and groups will not have an asterisk by their names in the show user/s or show group/s commands.
You can also issue the delete user or delete group command to delete users and groups from the local server’s configuration. The permissions assigned to the user or group are also deleted when the user or group is deleted. If you delete a user or group that is defined externally, this deletes the user or group from the server’s memory and deletes any permissions assigned in the access control list, but it has no effect on the external definition of that user or group (for example, it will not be deleted from the external directory or OAuth 2.0 provider). The externally-defined user can once again log in, and the user is created in the server’s memory and any groups to which the user belongs are also created. However, any permissions for the user or group have been deleted and therefore must be re-granted.
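The visibility, precedence and delete behaviour described above can be traced with a small model. This is an added example, not TIBCO EMS code: the class, method names, user, group and queue are hypothetical, and credentials are not modelled (authentication succeeds for any user the external source knows).

```python
# Simplified model of the behaviour described above; not TIBCO EMS code.
# All names here are hypothetical and the directory contents are constructed.
class ServerModel:
    def __init__(self, external_directory):
        self.external = external_directory  # user -> groups, owned by the external source
        self.local_users = set()            # defined in the server's local configuration
        self.known_external = set()         # external users currently in server memory
        self.known_groups = set()           # external groups currently in server memory
        self.acl = {}                       # user -> set of (destination, permission)

    def authenticate(self, user):
        """A successful external login creates the user and their groups in memory."""
        if user in self.local_users:
            return True                     # local definition takes precedence
        if user not in self.external:
            return False
        self.known_external.add(user)
        self.known_groups |= self.external[user]
        return True

    def grant(self, destination, user, permission):
        """Granting a permission to an external user also makes that user visible."""
        if user not in self.local_users and user in self.external:
            self.known_external.add(user)
        self.acl.setdefault(user, set()).add((destination, permission))

    def show_users(self):
        """Local names are listed plain; external names carry an asterisk."""
        external = {u + "*" for u in self.known_external - self.local_users}
        return sorted(self.local_users | external)

    def delete_user(self, user):
        """Drops the in-memory entry and its ACL; the external source is untouched."""
        self.local_users.discard(user)
        self.known_external.discard(user)
        self.acl.pop(user, None)

def lifecycle():
    server = ServerModel({"alice": {"traders"}})
    server.authenticate("alice")
    server.grant("orders.queue", "alice", "receive")
    before = (server.show_users(), set(server.acl.get("alice", ())))
    server.delete_user("alice")
    deleted = server.show_users()
    relogin = server.authenticate("alice")  # the external definition still exists
    after = (server.show_users(), set(server.acl.get("alice", ())))
    return before, deleted, relogin, after
```

In the model, as in the text, deleting the externally-defined user removes the permissions but does not stop the next login; access is only removed for good at the external directory or OAuth 2.0 provider.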