Permalink
Fetching contributors…
Cannot retrieve contributors at this time
128 lines (106 sloc) 4.84 KB
---
title: Creating and Managing Users with the cf CLI
owner: CLI
---
Using the Cloud Foundry Command Line Interface (cf CLI), administrators, Org Managers, and Space Managers can manage users.
Cloud Foundry uses role-based access control, with each role granting
permissions in either an organization or an application space.
For more information, see [Organizations, Spaces, Roles, and Permissions](../concepts/roles.html).
## <a id='understand-roles'></a>Understanding Roles ##
To manage all users, organizations, and roles with the cf CLI, log in with your admin credentials. <%=vars.info_loc%>, <%=vars.uaa_cred%> for the admin name and password.
If the feature flag `set_roles_by_username` is enabled, Org Managers can [assign org roles](#org-roles) to existing users in their org and Space Managers can [assign space roles](#space-roles) to existing users in their space. For more information about using feature flags, see the [Feature Flags](listing-feature-flags.html) topic.
## <a id='create-user'></a>Creating and Deleting Users ##
<table border="1" class="nice" >
<tr>
<th><strong>FUNCTION</strong></th>
<th><strong>COMMAND</strong></th>
<th><strong>EXAMPLE</strong></th>
</tr>
<tr>
<td width='25%'>Create a new user</td>
<td>cf create-user USERNAME PASSWORD</td>
<td><code>cf create-user Alice pa55w0rd</code></td>
</tr>
<tr>
<td>Create a new user, specifying LDAP as an external identity provider</td>
<td>cf create-user USERNAME --origin ORIGIN</td>
<td><code>cf create-user Aayah ldap</code></td>
</tr>
<td>Create a new user, specifying SAML or OpenID Connect as an external identity provider</td>
<td>cf create-user USERNAME --origin ORIGIN</td>
<td><code>cf create-user Aiko provider-alias</code></td>
</tr>
<tr>
<td>Delete a user</td>
<td>cf delete-user USERNAME</td>
<td><code>cf delete-user Alice</code></td>
</tr>
</table>
### <a id='create-admin'></a>Creating Administrator Accounts ###
To create a new administrator account, use the [UAA CLI](../uaa/uaa-user-management.html#creating-admin-users).
<p class="note"><strong>Note</strong>: The cf CLI cannot create new administrator accounts.</p>
## <a id='orgs-spaces'></a>Org and App Space Roles ##
A user can have one or more roles.
The combination of these roles defines the user's overall permissions in the org
and within specific app spaces in that org.
### <a id='org-roles'></a>Org Roles ###
Valid [org roles](../concepts/roles.html#roles) are OrgManager, BillingManager, and OrgAuditor.
<table border="1" class="nice" >
<tr>
<th><strong>FUNCTION</strong></th>
<th><strong>COMMAND</strong></th>
<th><strong>EXAMPLE</strong></th>
</tr>
<tr>
<td>View the organizations belonging to an account</td>
<td>cf orgs</td>
<td><code>cf orgs</code></td>
</tr>
<tr>
<td>View all users in an organization by role</td>
<td>cf org-users ORGANIZATION-NAME</td>
<td><code>cf org-users my-example-org</code></td>
</tr>
<tr>
<td>Assign an org role to a user</td>
<td>cf set-org-role USERNAME ORGANIZATION-NAME ROLE</td>
<td><code>cf set-org-role Alice my-example-org OrgManager</code></td>
</tr>
<tr>
<td>Remove an org role from a user</td>
<td>cf unset-org-role USERNAME ORGANIZATION-NAME ROLE</td>
<td><code>cf unset-org-role Alice my-example-org OrgManager</code></td>
</tr>
</table>
If multiple accounts share a username, `set-org-role` and `unset-org-role` return an error. See [Identical Usernames in Multiple Origins](../cf-cli/getting-started.html#multi-origin) for details.
### <a id='space-roles'></a>App Space Roles ###
Each app space role applies to a specific app space.
Valid [app space roles](../concepts/roles.html#roles) are SpaceManager, SpaceDeveloper, and SpaceAuditor.
<table border="1" class="nice" >
<tr>
<th><strong>FUNCTION</strong></th>
<th><strong>COMMAND</strong></th>
<th><strong>EXAMPLE</strong></th>
</tr>
<tr>
<td>View the spaces in an org</td>
<td>cf spaces</td>
<td><code>cf spaces</code></td>
</tr>
<tr>
<td>View all users in a space by role</td>
<td>cf space-users ORGANIZATION-NAME SPACE-NAME</td>
<td><code>cf space-users my-example-org development</code></td>
</tr>
<tr>
<td>Assign a space role to a user</td>
<td>cf set-space-role USERNAME ORGANIZATION-NAME SPACE-NAME ROLE</td>
<td><code>cf set-space-role Alice my-example-org development SpaceAuditor</code></td>
</tr>
<tr>
<td>Remove a space role from a user</td>
<td>cf unset-space-role USERNAME ORGANIZATION-NAME SPACE-NAME ROLE</td>
<td><code>cf unset-space-role Alice my-example-org development SpaceAuditor</code></td>
</tr>
</table>
If multiple accounts share a username, `set-space-role` and `unset-space-role` return an error. See [Identical Usernames in Multiple Origins](../cf-cli/getting-started.html#multi-origin) for details.