The user may grant permissions to a user group on an object or object group to perform a service action or service action group (that is, to perform any action that is a member of the service action group to which permission is granted), provided the user has both:

cas/grant permission on the object or object group, and
permission to perform the service action or service action group on the object or object group.

casAdmin$ cas-rights-admin [common options] grant userGroupName objectSpecDesc objectSpec actionSpecDesc actionSpec

where:

userGroupName

Indicates the user group to be granted permission.

objectSpec

Indicates the identifier for the object or object group.

objectSpecDesc

Indicates the type:

object
objectGroup

actionSpec

Indicates the identifier for action or action group.

actionSpecDesc

Indicates the type:

serviceAction
serviceActionGp

Revoking A Policy In The CAS Database

The user may revoke a policy in the CAS database if the user has cas/revoke permission on the object or object group on which the policy is defined.

casAdmin$ cas-rights-admin [common options] revoke userGroupName  objectSpecDesc objectSpec  actionSpecDesc actionSpec

where:

userGroupName

Indicates the user group for which you want to grant permission.

objectSpecDesc

Indicates the type of CasObject. Can be one of the following:

trustAnchor
user
userGroup
object
namespace
serviceType
userGroup

objectSpec

Indicates the identifier for the object or object group.

actionSpec

Indicates the identifier for the action or action group.

actionSpecDesc

Indicates the type (serviceAction or serviceActionGp).

Options

-a, --anonymous

Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.

-c, --serverCertificate <file>

Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.

-debug

Runs the client with debug message traces and error stack traces.

-f, --descriptor <file>

Specifies a client security descriptor. Overrides all other security settings.

-help

Prints the usage message for the client.

-l, --contextLifetime <value>

Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism [FIXME glossterm?].

-m, --securityMech <type>

Specifies the authentication mechanism. The value type can be:

msg for GSI Secure Message, or
conv for GSI Secure Conversation.

-p, --protection <type>

Specifies the protection level. type can be:

sig for signature, or
enc for encryption.

-x, --proxyFilename <value>

Sets the proxy file to use as client credential.

-s cas-url

Sets the CAS Service instance, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.

The instance URL typically looks like http://Host:Port/wsrf/services/CASService, where Host and Port are the host and port where the container with the CAS service is running.

-z authorization

Specifies the type of authorization used, such as self or host.

If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.

Alternatively, an environment variable can be set as shown here.

If none of the above are set, host authorization is done by default and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.

	Note
	If the service being contacted is using GSI Secure Transport [FIXME glossterm], then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.

-v

Prints the version number.

	Important
	If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).

Usage

Example of granting permissions to a user group on an object/object group:

FIXME

Example of revoking a policy in the CAS database:

FIXME

Prev	Up	Next
cas-group-remove-entry	Home	GT 4.1.2 CAS Query Command Reference