User/group management

The omero user and omero group commands provide functionalities to add and manage users and groups on your database.

User creation

New users can be added to the database using the omero user add command:

$ bin/omero user add -h

During the addition of the new user, you will need to specify the first and last name of the new user and their username as well as the groups the user belongs to. To add John Smith identified as jsmith as a member of the group named test-group, enter:

$ bin/omero user add jsmith John Smith --group-name test-group

Additional parameters such as the email address, institution, middle name etc. can be passed as optional arguments to the omero user add command.

For managing the permissions of restricted administrators, OMERO.cli does provide means but that functionality is not yet offered in a friendly manner by the omero user command. The OMERO.web Admin interface is recommended for this task instead.

If you are using ldap as an authentication backend, you can create an OMERO user account for jsmith using the omero ldap create command, which allows the administrator to add jsmith to an OMERO group, before they have ever logged in to OMERO:

$ bin/omero ldap create jsmith

Converting non-LDAP users to LDAP authentication

If you want to take an existing (non-LDAP) user and ‘upgrade’ them to using LDAP you can do so using the omero ldap setdn command:

$ bin/omero ldap setdn -h

The process is also reversible so that the OMERO password for a user rather than the LDAP password will be used. See the caveat in the setdn help output below:

usage: bin/omero ldap setdn [-h] [--user-id USER_ID] [--user-name USER_NAME]
                            [--group-id GROUP_ID] [--group-name GROUP_NAME]
                            [-C] [-s SERVER] [-p PORT] [-g GROUP] [-u USER]
                            [-w PASSWORD] [-k KEY] [--sudo ADMINUSER] [-q]

Enable LDAP login for user (admins only)

Once LDAP login is enabled for a user, the password set via OMERO is
ignored, and any attempt to change it will result in an error. When
you disable LDAP login, the previous password will be in effect, but if the
user never had a password, one will need to be set!

Positional Arguments:
  choice                            Enable/disable LDAP login (true/false)

Optional Arguments:
  In addition to any higher level options

  -h, --help                        show this help message and exit
  --user-id USER_ID                 ID of the user.
  --user-name USER_NAME             Name of the user.
  --group-id GROUP_ID               ID of the group.
  --group-name GROUP_NAME           Name of the group.

Login arguments:
  Environment variables:
    OMERO_USERDIR     Set the base directory containing the user's files.
                      Default: $HOME/omero
    OMERO_SESSIONDIR  Set the base directory containing local sessions.
                      Default: $OMERO_USERDIR/sessions
    OMERO_TMPDIR      Set the base directory containing temporary files.
                      Default: $OMERO_USERDIR/tmp
    OMERO_PASSWORD    Set the user's password for creating new sessions.
                      Ignored if -w or --password is used.
  Optional session arguments:

  -C, --create                      Create a new session regardless of existing ones
  -s SERVER, --server SERVER        OMERO server hostname
  -p PORT, --port PORT              OMERO server port
  -g GROUP, --group GROUP           OMERO server default group
  -u USER, --user USER              OMERO username
  -w PASSWORD, --password PASSWORD  OMERO password
  -k KEY, --key KEY                 OMERO session key (UUID of an active session)
  --sudo ADMINUSER                  Create session as this admin. Changes meaning of password!
  -q, --quiet                       Quiet mode. Causes most warning and diagnostic messages to be suppressed.

User deactivation

To deactivate a user, remove him/her from the system group user. Use the command omero user leavegroup and specify the user group as the target:

# Remove jsmith from group user
$ bin/omero user leavegroup user --name=jsmith

To reactivate the user, add him/her back to the system group user i.e.:

$ bin/omero user joingroup user --name=jsmith

User editing

Updating the details of a user e.g. the email address can be achieved using the omero obj update command:

# Determine the ID of jsmith
$ bin/omero user info --user-name jsmith
# Change the email address of jsmith. Replace 123 by the ID of jsmith
$ bin/omero obj update Experimenter:123

Group creation

New groups can be added to the database using the omero group add command:

$ bin/omero group add -h

During the addition of the new group, you need to specify the name of the new group:

$ bin/omero group add newgroup

The permissions of the group are set to private by default. Alternatively you can specify the permissions using --perms or --type optional arguments:

$ bin/omero group add read-only-1 --perms='rwr---'
$ bin/omero group add read-annotate-1 --type=read-annotate

See also

Groups and permissions system
Description of the group permissions levels.

Lists of users/groups on the OMERO server can be queried using the omero user list and omero group list commands:

$ bin/omero user list
$ bin/omero group list

Group membership

Users can be added to existing groups using the omero user joingroup or omero group adduser commands. Similarly, users can be removed from existing groups using the omero user leavegroup or omero group removeuser commands:

# Add jsmith to group read-annotate-1
$ bin/omero group adduser jsmith --name=read-annotate-1
# Remove jsmith from group read-annotate-1
$ bin/omero group removeuser jsmith --name=read-annotate-1
# Add jsmith to group read-only-1
$ bin/omero user joingroup read-only-1 --name=jsmith
# Remove jsmith from group read-only-1
$ bin/omero user leavegroup read-only-1 --name=jsmith

By passing the --as-owner option, these commands can also be used to manage group owners

# Add jsmith to the owner list of group read-annotate-1
$ bin/omero group adduser jsmith --name=read-annotate-1 --as-owner
# Remove jsmith from the owner list of group read-annotate-1
$ bin/omero user leavegroup read-annotate-1 --name=jsmith --as-owner

Group copy

To create a copy of a group, you must first create a new group using the omero group add command:

$ bin/omero group add read-only-2 --perms='rwr---'

Then you can use the omero group copyusers command to copy all group members from one group to another:

$ bin/omero group copyusers read-only-1 read-only-2

To copy the group owners, use the same command with the --as-owner optional argument:

$ bin/omero group copyusers read-only-1 read-only-2 --as-owner

Group modification

To change the permissions of a group, for example to make the group read-annotate-1 a read-write group, run:

$ bin/omero group perms --perms='rwrw--' --name='read-annotate-1'

If you want to change its name to read-write-1 afterwards, run:

$ bin/omero obj update ExperimenterGroup:123 name='read-write-1'