B.18 user-rights-map

Use this utility to map the rights of the mapped eDirectory and Active Directory users, groups, and containers. The mapped rights information is stored in a file and assigned an ID. Using this id, you can synchronize the rights of the users.

B.18.1 Syntax

user-rights-map -l

user-rights-map -L

user-rights-map -v <volume name> [[-u <User Map name 1 or the User Map 1 XML file path>,<User Map name 2 or the User Map 2 XML file path>,...,<User Map name n or the User Map n XML file path> |-i <-U username -P password>]][-a -m -r]

user-rights-map -S -M <map rights id> [-O <ad | edir>]

B.18.2 Options

-l, --list-map-rights

Lists the id, name of the user map, and the volume for which the rights are mapped.

-L, --list-usermaps

Lists the name of the user map, object mapping type (user to user, group to group, or container to group), eDirectory tree context, and Active Directory server context.

-v, --volume <volume name>

Specify the NSS volume on which rights will be provisioned for the mapped users. The volume name should always be specified in upper case.

-u, --usermap <user map name or path of the user map xml file>

Specify the name of the user map or the path of the user map (.xml) file that contains the mapping details of the eDirectory and Active Directory users, groups, or containers. If any of the user map names contain special characters, enclose all the user map names within double quotes.

NOTE: If you need to perform a sync, you must pass the name of the user map as an input parameter. If the sync operation is performed using the user map (.xml) file, it cannot be synced later.

-i, --use-IDM <-U username -P password>

Specify the eDirectory admin credentials (in LDAP format) to authenticate to eDirectory. The user map created using IDM is used for mapping the rights.

-a, --apply-to-salvage

Performs rights mapping on files and folders in the salvage system.

-m, --migrate-ids

Migrates the IDs [owner, archiver, metadata modifier, deletor] of files and folders to the mapped Active Directory users. This operation might take a while to complete.

-r, --remove-old-trustee

Removes the eDirectory user as a trustee on the files and folders after successfully mapping the user rights. Removes the Active Directory or eDirectory user as a trustee on the files and folders when used with -S and -O options. This operation is irreversible.

-S, --sync

Synchronizes the rights for both the eDirectory and Active Directory trustees. By default, it merges the rights of both the eDirectory and Active Directory trustees. To overwrite trustee rights, use the -O option. It is mandatory to use the sync option with the -M option.

NOTE: The sync operation only synchronizes rights (applicable to salvage option). When creating the user map, if the options migrate-ids or remove-old-trustee are passed, they are ignored.

-M, --map-rights-id <arg>

Specify the id of the map rights operation. This option is used only with the sync option.

-O, --overwrite-with <ad | edir>

You must pass either ad or edir as an input parameter. When the ad parameter is passed, the rights of the eDirectory trustees are overwritten with the rights of the Active Directory trustees. When the edir parameter is passed, the rights of the Active Directory trustees are overwritten with the rights of the eDirectory trustees. This option is used only with the sync option.

-h, --help

Displays the usage information of the command.
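The option rules above (upper-case volume name, -M and -O valid only with -S, -O limited to ad or edir, -r irreversible) can be checked before a change is run. The following is an added example, not part of the utility or its documentation: check_urm_args is a hypothetical helper that inspects an argument list written with separate flags, as in this section, and never invokes user-rights-map.

```shell
#!/bin/sh
# Added example: pre-flight check of a user-rights-map argument list.
# check_urm_args is a hypothetical helper; it only inspects its arguments.
# Prints one finding per line; returns 1 if any documented rule is violated.
check_urm_args() {
    sync=0 remove=0 has_m=0 has_o=0 mapid= over= vol= rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -S|--sync)               sync=1 ;;
            -r|--remove-old-trustee) remove=1 ;;
            -M|--map-rights-id)      has_m=1; mapid=${2-} ;;
            -O|--overwrite-with)     has_o=1; over=${2-} ;;
            -v|--volume)             vol=${2-} ;;
        esac
        # Options that take a value: skip the value so it is not read as a flag.
        case "$1" in
            -M|-O|-v|-u|-U|-P|--map-rights-id|--overwrite-with|--volume|--usermap)
                if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ "$sync" -eq 1 ] && [ -z "$mapid" ]; then
        echo "ERROR: -S requires -M <map rights id>"; rc=1
    fi
    if [ "$sync" -eq 0 ] && [ "$has_m" -eq 1 ]; then
        echo "ERROR: -M is used only with -S"; rc=1
    fi
    if [ "$has_o" -eq 1 ]; then
        if [ "$sync" -eq 0 ]; then echo "ERROR: -O is used only with -S"; rc=1; fi
        case "$over" in
            ad|edir) ;;
            *) echo "ERROR: -O takes ad or edir"; rc=1 ;;
        esac
    fi
    case "$vol" in
        *[[:lower:]]*) echo "ERROR: volume name must be upper case: $vol"; rc=1 ;;
    esac
    if [ "$remove" -eq 1 ]; then
        echo "WARN: -r removes trustees and is irreversible"
    fi
    return "$rc"
}

# Constructed sample: a sync without a map rights id is rejected.
check_urm_args -S -O ad || echo "argument list rejected"
```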

B.18.3 Examples

  1. Provision the rights on all files and folders of the volume MKTVOL, including the ones in the salvage system.

    user-rights-map -v MKTVOL -u /root/temp/UserMap.xml,usermap2 -a -m -r

    After successful execution of the user-rights-map operation, all the files and folders are provisioned with rights, all the ids are migrated, and the eDirectory user is removed as a trustee.

    NOTE: If any of the user map names contain special characters, enclose all the user map names within double quotes. For example, user-rights-map -v MKTVOL -u "/root/temp/UserMap.xml,usermap#2" -a -m -r.

  2. To list the user maps:

    user-rights-map -L

    or

    user-rights-map --list-usermaps

  3. To list the user rights map ids:

    user-rights-map -l

    or

    user-rights-map --list-map-rights

  4. To sync rights between Active Directory and eDirectory trustees. The rights of the eDirectory user1 are RWF and the rights of Active Directory user1 are FMA on file1:

    user-rights-map -S -M 2

    After successful execution of the command, the rights of eDirectory and Active Directory trustees are merged. The rights of eDirectory user1 are RWFMA and the rights of Active Directory user1 are RWFMA on file1.

  5. To sync rights and overwrite the rights of the eDirectory trustees with the rights of the Active Directory trustees. The rights of the eDirectory user2 are RWF and the rights of Active Directory user2 are FMA on file2:

    user-rights-map -S -M 1 -O ad

    After successful execution of the command, the rights of eDirectory user2 are FMA and the rights of Active Directory user2 are FMA on file2.

  6. To synchronize rights between eDirectory and AD trustees (two way sync):

    user-rights-map -S -M 2 -O edir -m -r

    Synchronizes the rights of eDirectory trustees with AD trustees using the map rights job id “2”. During the sync process, it overwrites the Active Directory trustees with eDirectory trustees, migrates all the IDs, and the eDirectory trustee information is removed from the source after the sync process.

    user-rights-map -S -M 2 -O ad -m

    Synchronizes the rights of AD trustees with eDirectory trustees using the map rights job id “2”. During the sync process, it overwrites the eDirectory trustees with AD trustees, migrates all the IDs, and the AD trustee information is removed from the source after the sync process.
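Examples 4 and 5 show that a default sync widens both trustees to the union of their rights, while -O copies one side over the other. The following added example (not part of the utility) previews which rights each trustee would gain before a sync is run. sync_preview and rights_minus are hypothetical helpers, rights are treated as opaque letters, and the merge is modelled as a set union as an assumption based on example 4.

```shell
#!/bin/sh
# Added example: preview the effect of a sync on one trustee pair.
# Nothing here calls user-rights-map; the inputs are rights strings only.

# Letters of $1 that do not appear in $2, in the order they occur in $1.
rights_minus() {
    res=""
    for c in $(printf '%s' "$1" | fold -w1); do
        case "$2$res" in
            *"$c"*) ;;
            *) res="$res$c" ;;
        esac
    done
    printf '%s' "$res"
}

# sync_preview <edir rights> <ad rights> <merge|ad|edir>
# merge = default -S behaviour; ad / edir = -S with -O ad / -O edir.
sync_preview() {
    case "$3" in
        merge) new_e="$1$(rights_minus "$2" "$1")"; new_a="$new_e" ;;
        ad)    new_e="$2"; new_a="$2" ;;
        edir)  new_e="$1"; new_a="$1" ;;
        *)     echo "mode must be merge, ad or edir" >&2; return 2 ;;
    esac
    printf 'edir=%s ad=%s edir_gains=%s ad_gains=%s\n' \
        "$new_e" "$new_a" \
        "$(rights_minus "$new_e" "$1")" "$(rights_minus "$new_a" "$2")"
}

# Values taken from examples 4 and 5 on this page.
sync_preview RWF FMA merge
sync_preview RWF FMA ad
```

A non-empty edir_gains or ad_gains field marks a trustee whose access would be widened by the sync, which is worth reviewing before the job is run.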