Last updated: 2018-12-12
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:new_window: target="_blank"}
{: #bluemixadmincli}
You can manage your {{site.data.keyword.Bluemix_notm}} Local or {{site.data.keyword.Bluemix_notm}} Dedicated environment by using the Cloud Foundry command line interface with the {{site.data.keyword.Bluemix_notm}} Admin CLI plug-in. For example, you can add users from an LDAP registry. For information about managing your {{site.data.keyword.Bluemix_notm}} Public account, see administering.
Before you begin, install the Cloud Foundry command line interface. The {{site.data.keyword.Bluemix_notm}} Admin CLI plug-in requires cf version 6.11.2 or later. Download Cloud Foundry command line interface {: new_window}
Restriction: The Cloud Foundry command line interface is not supported by Cygwin. Use the Cloud Foundry command line interface in a command line window other than the Cygwin command line window.
Note: The {{site.data.keyword.Bluemix_notm}} admin CLI is used only for {{site.data.keyword.Bluemix_notm}} Local and {{site.data.keyword.Bluemix_notm}} Dedicated environments. It is not supported by {{site.data.keyword.Bluemix_notm}} Public.
After the Cloud Foundry command line interface is installed, you can add the {{site.data.keyword.Bluemix_notm}} admin CLI plug-in.
Note: If you have previously installed the {{site.data.keyword.Bluemix_notm}} Admin plug-in, you might need to uninstall the plug-in, delete the repository, and then reinstall to get the latest updates.
Complete the following steps to add the repository and install the plug-in:
- To add the {{site.data.keyword.Bluemix_notm}} admin plug-in repository, run the following command:
cf add-plugin-repo IBMCloudAdmin https://tools.ng.bluemix.net/
- To install the {{site.data.keyword.Bluemix_notm}} Admin CLI plug-in, run the following command:
cf install-plugin IBMCloudAdminCLI -r IBMCloudAdmin
If you need to uninstall the plug-in, you can use the following commands. You can then add the updated repository and install the latest plug-in:
- Uninstall the plug-in:
cf uninstall-plugin IBMCloudAdminCLI
- Remove the plug-in repository:
cf remove-plugin-repo IBMCloudAdmin
You can use the {{site.data.keyword.Bluemix_notm}} Admin CLI plug-in to add or remove users, assign or unassign users from orgs, and to perform other management tasks.
To see a list of commands, run the following command:
cf plugins
{: codeblock}
For more help for a command, use the -help option.
Before you can use the Admin CLI plug-in, you must connect and log in, if you are not already.
- To connect to the {{site.data.keyword.Bluemix_notm}} API endpoint, run the following command:
cf ba api https://console.<subdomain>.bluemix.net
- <subdomain>
- Subdomain of the URL for your {{site.data.keyword.Bluemix_notm}} instance.
You can check the Admin Console Resources and information page for the correct URL. The URL is shown in the API information section in the **API URL** field.
- Log in to {{site.data.keyword.Bluemix_notm}} with the following command:
cf login
{: #admin_users}
{: #admin_add_user}
To add a user to your {{site.data.keyword.Bluemix_notm}} environment from the user registry for your environment, use the following command:
cf ba add-user <user_name> <organization> <first_name> <last_name>
{: codeblock}
Note: To add a user to a specific organization, you must be an Admin with the users.write (or Superuser) permission. If you are an organization manager, you can also be provided with the capability to add users to your organization by a Superuser who runs the enable-managers-add-users command. For more information, see Enabling managers to add users.
- <user_name>
- The name of the user in the LDAP registry.
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to add the user to.
- <first_name>
- The first name of the user to be added to the organization.
- <last_name>
- The last name of the user to be added to the organization.
Tip: You can also use ba au as an alias for the longer ba add-user command name.
{: #admin_dedicated_invite_public}
Each {{site.data.keyword.Bluemix_dedicated_notm}} environment has a public, client-owned, corporate account in {{site.data.keyword.Bluemix_notm}}. In order for users in the Dedicated environment to create clusters with the {{site.data.keyword.containershort}}, the administrator must add the users to this public corporate account. Once the users are added to the public corporate account, their Dedicated and public accounts are linked together. Users can then use their IBMid to log in to both Dedicated and public simultaneously, and can create resources in the public account from the Dedicated interface. For more information, see Setting up IBM Cloud Container Service on Dedicated. To invite Dedicated users to the public account:
cf ba invite-users-to-public -userid=<user_email> -organization=<dedicated_org_id> -apikey=<public_api_key> -public_org_id=<public_org_id>
{: pre}
Note: To add Dedicated environment users to your {{site.data.keyword.Bluemix_notm}} public account, you must be an Admin of the Dedicated account.
- <user_email>
- If you are inviting a single user, the email of the user.
- <dedicated_org_id>
- If you are inviting all users currently in a Dedicated account organization, the Dedicated account organization ID.
- <public_api_key>
- An API key for inviting users to the public account. This must be generated by the Admin of the public account.
- <public_org_id>
- The ID of the public account organization you are inviting users to.
{: #admin_dedicated_list}
If you have invited Dedicated environment users to your {{site.data.keyword.Bluemix_notm}} account with the invite-users-to-public command, you can list the users in your account to see their invite status. Invited users that have an existing IBMid have a status of ACTIVE. Invited users that did not have an existing IBMid have a status of either PENDING or ACTIVE, depending on whether they have accepted the invitation to the account yet. To list the users in your {{site.data.keyword.Bluemix_notm}} account:
cf ba invite-users-status -apikey=<public_api_key>
{: pre}
Note: To add Dedicated environment users to your {{site.data.keyword.Bluemix_notm}} public account, you must be an Admin of the Dedicated account.
- <public_api_key>
- The API key that was used to invite the users to the account. This must be generated by the Admin of the public account.
{: #admin_search_user}
To search for a user, use the following command with the optional search filter parameters (name, permission, organization, and role):
cf ba search-users -name=<user_name_value> -permission=<permission_value> -organization=<organization_value> -role=<role_value>
{: codeblock}
- <user_name_value>
- The name of the user in {{site.data.keyword.Bluemix_notm}}.
- <permission_value>
- The permission assigned to the user. The available permissions are: admin (or superuser), login (or basic), catalog.read, catalog.write, reports.read, reports.write, users.read, or users.write. For more information about assigned user permissions, see [Permissions](/docs/admin/index.html#permissions). You cannot use this parameter with the organization parameter in the same query.
- <organization_value>
- The organization name that the user belongs to. You cannot use this parameter with the permission parameter in the same query.
- <role_value>
- The organization role assigned to the user. The available roles are: 'auditors', 'managers', and 'billing_managers'. You must specify the organization with this parameter.
Tip: You can also use ba su as an alias for the longer ba search-users command name.
{: #admin_setperm_user}
To set permissions for a specified user, use the following command:
cf ba set-permissions <user_name> <permission> <access>
{: codeblock}
Note: You can set one permission at a time.
- <user_name>
- The name of the user in {{site.data.keyword.Bluemix_notm}}.
- <permission>
- Set the permissions for the user: Admin (available alternative is Superuser), Login (available alternative is Basic), Catalog (read or write access), Reports (read or write access), or Users (read or write access).
- <access>
- For Catalog, Reports, or Users permissions, you must also set the level of access as read or write.
Tip: You can also use ba sp as an alias for the longer ba set-permissions command name.
{: #admin_remov_user}
To remove a user from your {{site.data.keyword.Bluemix_notm}} environment, use the following command:
cf ba remove-user <user_name>
{: codeblock}
- <user_name>
- The name of the user in {{site.data.keyword.Bluemix_notm}}.
Tip: You can also use ba ru as an alias for the longer ba remove-user command name.
{: #clius_emau}
If you have the Superuser permission in your {{site.data.keyword.Bluemix_notm}} environment, you can enable organization managers to add users to the organizations they manage. To enable managers to add users, use the following command:
cf ba enable-managers-add-users
{: codeblock}
Tip: You can also use ba emau as an alias for the longer ba enable-managers-add-users command name.
{: #clius_dmau}
If organization managers have been enabled to add users to the organizations they manage in your {{site.data.keyword.Bluemix_notm}} environment with the enable-managers-add-users command, and if you have the Superuser permission, you can remove this setting. To disable managers from adding users, use the following command:
cf ba disable-managers-add-users
{: codeblock}
Tip: You can also use ba dmau as an alias for the longer ba disable-managers-add-users command name.
{: #admin_orgs}
{: #admin_add_org}
To add an organization, use the following command:
cf ba create-org <organization> <manager>
{: codeblock}
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to add.
- <manager>
- The user name of the manager for the org.
Tip: You can also use ba co as an alias for the longer ba create-org command name.
{: #admin_delete_org}
To delete an organization, use the following command:
cf ba delete-org <organization>
{: codeblock}
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to delete.
Tip: You can also use ba do as an alias for the longer ba delete-org command name.
{: #admin_ass_user_org}
To assign a user in your {{site.data.keyword.Bluemix_notm}} environment to a particular organization, use the following command:
cf ba set-org <user_name> <organization> [<role>]
{: codeblock}
- <user_name>
- The name of the user in {{site.data.keyword.Bluemix_notm}}.
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to assign the user to.
- <role>
- See [Roles](/docs/admin/users_roles.html) for {{site.data.keyword.Bluemix_notm}} user roles and descriptions.
Tip: You can also use ba so as an alias for the longer ba set-org command name.
{: #admin_unass_user_org}
To unassign a user in your {{site.data.keyword.Bluemix_notm}} environment from a particular organization, use the following command:
cf ba unset-org <user_name> <organization> [<role>]
{: codeblock}
- <user_name>
- The name of the user in {{site.data.keyword.Bluemix_notm}}.
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to assign the user to.
- <role>
- See [Assigning roles](/docs/admin/users_roles.html) for {{site.data.keyword.Bluemix_notm}} user roles and descriptions.
Tip: You can also use ba uo as an alias for the longer ba unset-org command name.
- OrgManager
- Organization manager. An org manager has authority to do the following actions:
- Create or delete spaces within the organization.
- Invite users to the organization and manage users.
- Manage domains of the organization.
- BillingManager
- Billing manager. A billing manager can view runtime and service usage information for the organization.
- OrgAuditor
- Organization auditor. An organization auditor can view application and service content in the space.
{: #admin_set_org_quota}
To set the usage quota for a particular organization, use the following command:
cf ba set-quota <organization> <plan>
{: codeblock}
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to set the quota for.
- <plan>
- The quota plan for an organization.
Tip: You can also use ba sq as an alias for the longer ba set-quota command name.
{: #admin_find_containquotas}
To find the quota for containers for an organization, use the following command:
cf ibmcloud-admin containers-quota <organization>
{: codeblock}
- <organization>
- The name or ID of the organization in IBM Cloud. This parameter is required.
Tip: You can also use ba cq as an alias for the longer ibmcloud-admin containers-quota command name.
{: #admin_set_containquotas}
To set the quota for containers in an organization, use the following command with at least one of the options included:
cf ibmcloud-admin set-containers-quota <organization> <options>
{: codeblock}
Note: You can include multiple options, but you must include at least one.
- <organization>
- The name or ID of the organization in IBM Cloud. This parameter is required.
- <options>
- Include one or more of the following options in which the value must be an integer:
- floating-ips-max <value>
- floating-ips-space-default <value>
- memory-max <value>
- memory-space-default <value>
- image-limit <value>
Tip: You can also use the following short names as aliases for the longer option names:
- floating-ips-max <value>
- fim
- floating-ips-space-default <value>
- fisd
- memory-max <value>
- mm
- memory-space-default <value>
- msd
- image-limit <value>
- il
Optionally, you can provide a file that contains specific configuration parameters in a valid JSON object. If you use the -file option, it takes precedence and the other options are ignored. To provide a file instead of setting the options, use the following command:
cf ibmcloud-admin set-containers-quota <organization> <-file path_to_JSON_file>
{: codeblock}
The JSON file should have the format that is shown in the following example:
{
"floating_ips_max": 10,
"floating_ips_space_default": 0,
"ram_max": 4096,
"ram_space_default": 0,
"image_limit": 10
}
{: codeblock}
Tip: You can also use ba scq as an alias for the longer ibmcloud-admin set-containers-quota command name.
{: #admin_spaces}
To add a space in the organization, use the following command:
cf ibmcloud-admin create-space <organization> <space_name>
{: codeblock}
- <organization>
- The name or GUID of the organization that the space is to be added to.
- <space_name>
- The name of the space that is to be created in the organization.
Tip: You can also use ba cs as an alias for the longer ba create-space command name.
To remove a space from the organization, use the following command:
cf ibmcloud-admin delete-space <organization> <space_name>
{: codeblock}
- <organization>
- The name or GUID of the organization that the space is to be removed from.
- <space_name>
- The name of the space that is to be removed from the organization.
Tip: You can also use ba cs as an alias for the longer ba delete-space command name.
To create a user in a space with a specified role, use the following command:
cf ibmcloud-admin set-space <organization> <space_name> <user_name> <role>
{: codeblock}
- <organization>
- The name or GUID of the organization that the user is to be added to.
- <space_name>
- The name of the space that the user is to be added to.
- <user_name>
- The name of the user that is to be added.
- <role>
- The role of the user that is to be assigned. The value can be Manager, Developer, or Auditor. See [Assigning roles](/docs/admin/users_roles.html) for {{site.data.keyword.Bluemix_notm}} user roles and descriptions in a space.
Tip: You can also use ba ss as an alias for the longer ba set-space command name.
To remove the role of a user in a space, use the following command:
cf ibmcloud-admin unset-space <organization> <space_name> <user_name> <role>
{: codeblock}
- <organization>
- The name or GUID of the organization that the user is to be added to.
- <space_name>
- The name of the space that the user is to be added to.
- <user_name>
- The name of the user that is to be added.
- <role>
- The role of the user that is to be assigned. The value can be Manager, Developer, or Auditor. See [Assigning roles](/docs/admin/users_roles.html) for {{site.data.keyword.Bluemix_notm}} user roles and descriptions in a space.
Tip: You can also use ba us as an alias for the longer ba unset-space command name.
{: #admin_catalog}
{: #admin_ena_service_org}
To enable a service to be displayed in the {{site.data.keyword.Bluemix_notm}} catalog for all organizations, use the following command:
cf ba enable-service-plan <plan_identifier>
{: codeblock}
- <plan_identifier>
- The name or GUID of the service plan that you want to enable. If you enter a non-unique service plan name, for example "Standard" or "Basic," you are prompted with service plans to choose from. To identify a service plan name, select the service category from the home page, then select **Add** to view the services for that category. Click the service name to open the details view, then you can view the names of the service plans that are available for that service.
Tip: You can also use ba esp as an alias for the longer ba enable-service-plan command name.
{: #admin_dis_service_org}
To disable a service from being visible in the {{site.data.keyword.Bluemix_notm}} catalog for all organizations, use the following command:
cf ba disable-service-plan <plan_identifier>
{: codeblock}
- <plan_identifier>
- The name or GUID of the service plan that you want to enable. If you enter a non-unique service plan name, for example "Standard" or "Basic," you are prompted with service plans to choose from. To identify a service plan name, select the service category from the home page, then select **Add** to view the services for that category. Click the service name to open the details view, then you can view the names of the service plans that are available for that service.
Tip: You can also use ba dsp as an alias for the longer ba disable-service-plan command name.
{: #admin_addvis_service_org}
You can add an organization to the list of organizations that can see a specific service in the {{site.data.keyword.Bluemix_notm}} catalog. To allow an organization to view a specific service in the {{site.data.keyword.Bluemix_notm}} catalog, use the following command:
cf ba add-service-plan-visibility <plan_identifier> <organization>
{: codeblock}
- <plan_identifier>
- The name or GUID of the service plan that you want to enable. If you enter a non-unique service plan name, for example "Standard" or "Basic," you are prompted with service plans to choose from. To identify a service plan name, select the service category from the home page, then select **Add** to view the services for that category. Click the service name to open the details view, then you can view the names of the service plans that are available for that service.
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to add to the service's visibility list.
Tip: You can also use ba aspv as an alias for the longer ba add-service-plan-visibility command name.
{: #admin_remvis_service_org}
You can remove an organization from the list of organizations that can see a specific service in the {{site.data.keyword.Bluemix_notm}} catalog. To remove the visibility of a service in the {{site.data.keyword.Bluemix_notm}} catalog for an organization, use the following command:
cf ba remove-service-plan-visibility <plan_identifier> <organization>
{: codeblock}
- <plan_identifier>
- The name or GUID of the service plan that you want to enable. If you enter a non-unique service plan name, for example "Standard" or "Basic," you are prompted with service plans to choose from. To identify a service plan name, select the service category from the home page, then select **Add** to view the services for that category. Click the service name to open the details view, then you can view the names of the service plans that are available for that service.
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to remove from the service's visibility list.
Tip: You can also use ba rspv as an alias for the longer ba remove-service-plan-visibility command name.
{: #admin_editvis_service_org}
You can edit and replace the list of services that specific organizations can see in the {{site.data.keyword.Bluemix_notm}} catalog. To replace all existing visible services for an organization or multiple organizations, use the following command:
cf ba edit-service-plan-visibilities <plan_identifier> <organization_1> <optional_organization_2>
{: codeblock}
Note: This command replaces existing visible services for the specified organizations with the service that you specify in the command.
- <plan_identifier>
- The name or GUID of the service plan that you want to enable. If you enter a non-unique service plan name, for example "Standard" or "Basic," you are prompted with service plans to choose from. To identify a service plan name, select the service category from the home page, then select **Add** to view the services for that category. Click the service name to open the details view, then you can view the names of the service plans that are available for that service.
- <organization>
- The name or GUID of the {{site.data.keyword.Bluemix_notm}} org to add visibility for. You can enable visibility of the service for more than one organization by entering more organization names or GUIDs in the command.
Tip: You can also use ba espv as an alias for the longer ba edit-service-plan-visibility command name.
{: #admin_add_report}
{: #admin_adding_report}
To add a security report, use the following command:
cf ba add-report <category> <date> <PDF|TXT|LOG> <RTF>
{: codeblock}
Note: If you have write access for the reports permission, you can create a new category and add a report in any of the accepted formats for your users. Enter the new category name for the category parameter, or add your new report to an existing category.
- <category>
- The category for the report. If there is a space in the name, use quotation marks around the name.
- <date>
- The report date in the format YYYYMMDD.
- <PDF|TXT|LOG>
- The path for the report PDF, text file, or log file to upload.
- <RTF>
- An option to include a Rich Text Format (RTF) version of the PDF. This option applies only if you included a path to the report PDF. The RTF version is used for indexing and searching.
Tip: You can also use ba ar as an alias for the longer ba add-report command name.
{: #admin_del_report}
To delete a security report, use the following command:
cf ba delete-report <category> <date> <name>
{: codeblock}
- <category>
- The category for the report. If there is a space in the name, use quotation marks around the name.
- <date>
- The report date in the format YYYYMMDD.
- <name>
- The name of the report.
Tip: You can also use ba dr as an alias for the longer ba delete-report command name.
{: #admin_retr_report}
To retrieve a security report, use the following command:
cf ba retrieve-report <search>
{: codeblock}
- <search>
- The filename of the report. If there is a space in the name, use quotation marks around the name.
Tip: You can also use ba rr as an alias for the longer ba retrieve-report command name.
{: #cliresourceusage}
You can view resource metric information, including memory, disk, and CPU usage. You can see a summary of the available physical and reserved resources as well as the usage of physical and reserved resources. You can also see droplet execution agents (DEAs) and cells (Diego architecture) usage data. To view the resource metric information, use the following command:
cf ba resource-metrics
Tip: You can also use ba rsm as an alias for the longer ba resource-metrics command name.
{: #cliresourceusagehistory}
You can retrieve resource metric history for memory and disk usage. The metrics returned include the amount of resources that are used out of the total available, for both physical and reserved resources. Historical data for memory and disk usage can be displayed hourly, daily, or monthly. You can specify start and end dates to retrieve data within a specific date range. The default historical data, when no dates are specified, are hourly memory data for the latest 48 hours. Data is displayed in descending order, with more recent dates shown first. To view the resource metric history information, use the following command:
cf ba resource-metrics-history <hourly|daily|monthly> <memory|disk> <start|end>
{: codeblock}
- <--hourly>
- View the historical data for the last 48 hours. This is the default value.
- <--daily>
- View the historical data daily average for the last 30 days.
- <--monthly>
- View the historical data monthly average for the last 6 months.
- <--memory>
- View the used and total Reserved and Physical memory.
- <--disk>
- View the used and total Reserved and Physical disk.
- <--start>
- Specify a start date for daily or monthly (format must be mm-dd-yyyy), or start date and time for hourly (format must be mm-dd-yyyy hh:mm:ss time zone)
- <--end>
- Specify an end date for daily or monthly (format must be mm-dd-yyyy), or end date and time for hourly (format must be mm-dd-yyyy hh:mm:ss time zone)
{: codeblock}
- <Examples>
- cf ibmcloud-admin resource-metrics-history
- cf ibmcloud-admin resource-metrics-history --daily --disk --start=07-04-2017
- cf ibmcloud-admin resource-metrics-history --monthly --memory
- cf ibmcloud-admin resource-metrics-history --hourly --start="06-01-2017 00:00:00 EDT" --end="06-30-2017 23:59:00 EDT"
You can view the previous list of command parameters and examples by using the following command:
cf ba resource-metrics-history -help
Tip: You can also use ba rsmh as an alias for the longer ba resource-metrics-history command name.
{: #admin_servbro}
{: #clilistservbro}
To list all service brokers, use the following command:
cf ba service-brokers <broker_name>
{: codeblock}
Note: To list all service brokers, enter the command without the broker_name parameter.
- <broker_name>
- Optional: The name of the custom service broker. Use this parameter if you want to get information for a specific service broker.
Tip: You can also use ba sb as an alias for the longer ba service-brokers command name.
{: #cliaddservbro}
To add a service broker, so that you can add a custom service to your {{site.data.keyword.Bluemix_notm}} catalog, use the following command:
cf ba add-service-broker <broker_name> <user_name> <password> <broker_url>
{: codeblock}
- <broker_name>
- The name of the custom service broker.
- <user_name>
- The user name for the account that has access to the service broker.
- <password>
- The password for the account that has access to the service broker.
- <broker_url>
- The URL for the service broker.
Tip: You can also use ba asb as an alias for the longer ba add-service-broker command name.
{: #clidelservbro}
To delete a service broker, which removes the custom service from your {{site.data.keyword.Bluemix_notm}} catalog, use the following command:
cf ba delete-service-broker <service_broker>
{: codeblock}
- <service_broker>
- The name or GUID of the custom service broker.
Tip: You can also use ba dsb as an alias for the longer ba delete-service-broker command name.
{: #cliupdservbro}
To update a service broker, use the following command:
cf ba update-service-broker <broker_name> <user_name> <password> <broker_url>
{: codeblock}
- <broker_name>
- The name of the custom service broker.
- <user_name>
- The user name for the account that has access to the service broker.
- <password>
- The password for the account that has access to the service broker.
- <broker_url>
- The URL for the service broker.
Tip: You can also use ba usb as an alias for the longer ba update-service-broker command name.
{: #admin_secgro}
To work with application security groups (ASGs), you must be a full access administrator for the local or dedicated environment. All users of the environment can list the available ASGs for the organization that is being targeted with the command. However, to create, update, or bind ASGs, you must be an administrator for the {{site.data.keyword.Bluemix_notm}} environment.
ASGs function as virtual firewalls that control outbound traffic from the applications in your {{site.data.keyword.Bluemix_notm}} environment. Each ASG consists of a list of rules that allow specific traffic and communication to and from the outside network. You can bind one or more ASGs to a specific security group set, for example a group set that is used for applying global access, or you can bind to spaces within an organization in your {{site.data.keyword.Bluemix_notm}} environment.
{{site.data.keyword.Bluemix_notm}} is initially set up with all access to the outside network restricted. Two IBM-created security groups, public_networks and dns, enable global access to the outside network when you bind these groups to default Cloud Foundry security group sets. The two security group sets in Cloud Foundry that are used to apply global access are the Default Staging and Default Running group sets. These group sets apply the rules for allowing traffic to all running apps or all staging apps. If you do not want to bind to these two security group sets, you can unbind from the Cloud Foundry group sets, and then bind the security group to a specific space. For more information, see Binding Application Security Groups {: new_window}.
WARNING: Unbinding the Default Staging or Default Running group sets from the two IBM-created security groups, public_networks and dns, disables global access to the outside network. Use unbinding with caution and awareness of its potential impact on the running and staging applications in your environment.
Note: The following commands that enable you to work with security groups are based on the Cloud Foundry 1.6 version. For more information, including required and optional fields, see the Cloud Foundry information about Creating Application Security Groups {: new_window}.
{: #clilissecgro}
- To list all security groups, use the following command:
cf ba security-groups
{: codeblock}
Tip: You can also use ba sgs as an alias for the longer ba security-groups command name.
- To display details for a specific security group, use the following command:
cf ba security-groups <security-group>
{: codeblock}
- <Security group>
- Name of the security group
Tip: You can also use ba sg as an alias for the longer ba security-groups command name with the security-group parameter.
{: #clicreasecgro}
For more information about creating security groups and the rules that define outgoing traffic, see Creating Application Security Groups {: new_window}.
To create a security group, use the following command:
cf ba create-security-group <security-group> <path-to-rules-file>
{: codeblock}
Each security group that you create has the prefix adminconsole_ added to the name to distinguish it from the IBM-created security groups.
- <Security group>
- Name of your security group
- <Path to rules file>
- Absolute or relative path to a rules file
Tip: You can also use ba csg as an alias for the longer ba create-security-group command name.
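A pre-flight check for the rules file that is passed to create-security-group or update-security-group, added here as an example; it is not part of the IBM plug-in or of Cloud Foundry. It assumes the rules file uses the Cloud Foundry ASG JSON rule format (`protocol`, `destination`, `ports`, `type`, `code`); the function names, the review thresholds, and the sample rules are constructed for illustration.

```python
import ipaddress
import json
import sys

VALID_PROTOCOLS = {"tcp", "udp", "icmp", "all"}
MAX_ADDRESSES = 65536  # assumption: review any destination wider than a /16
MAX_PORTS = 1024       # assumption: review any rule that opens more ports than this
INTERNAL_NETS = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample rules (documentation address ranges), not from the original page.
SAMPLE_RULES = json.loads("""
[
  {"protocol": "tcp", "destination": "10.0.11.0/24", "ports": "443"},
  {"protocol": "all", "destination": "0.0.0.0/0"},
  {"protocol": "udp", "destination": "192.0.2.10", "ports": "53"},
  {"protocol": "tcp", "destination": "198.51.100.0-198.51.100.255", "ports": "1-65535"},
  {"protocol": "icmp", "destination": "203.0.113.0/24"},
  {"protocol": "tcp", "destination": "203.0.113.7"}
]
""")


def parse_destination(dest):
    """Return the IPv4 networks covered by a single IP, a CIDR block, or an 'a-b' range."""
    if "-" in dest:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in dest.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(dest.strip(), strict=False)]


def parse_ports(ports):
    """Return how many ports a 'p', 'p1,p2' or 'low-high' string covers."""
    if "-" in ports:
        low, high = (int(p) for p in ports.split("-", 1))
        if not 0 <= low <= high <= 65535:
            raise ValueError("bad port range")
        return high - low + 1
    values = {int(p) for p in ports.split(",")}
    if any(not 0 <= v <= 65535 for v in values):
        raise ValueError("port out of range")
    return len(values)


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def lint_rules(rules):
    """Return (rule_index, level, message) findings for a parsed ASG rules file."""
    if not isinstance(rules, list):
        return [(-1, "ERROR", "rules file must be a JSON array of rule objects")]
    findings = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            findings.append((i, "ERROR", "rule is not a JSON object"))
            continue
        proto = rule.get("protocol")
        if not isinstance(proto, str) or proto not in VALID_PROTOCOLS:
            findings.append((i, "ERROR", f"unknown protocol {proto!r}"))
            continue
        try:
            nets = parse_destination(str(rule.get("destination", "")))
        except ValueError:
            findings.append((i, "ERROR", "destination is not an IP, CIDR block or range"))
            continue
        if proto in ("tcp", "udp"):
            try:
                port_count = parse_ports(str(rule.get("ports", "")))
            except ValueError:
                findings.append((i, "ERROR", f"{proto} rule needs a valid 'ports' value"))
                continue
            if port_count > MAX_PORTS:
                findings.append((i, "WARN", f"opens {port_count} ports"))
        if proto == "icmp" and not (_is_int(rule.get("type")) and _is_int(rule.get("code"))):
            findings.append((i, "ERROR", "icmp rule needs integer 'type' and 'code'"))
            continue
        if proto == "all":
            findings.append((i, "WARN", "allows every protocol and port to the destination"))
        size = sum(n.num_addresses for n in nets)
        if size > MAX_ADDRESSES:
            findings.append((i, "WARN", f"destination covers {size} addresses"))
        # A rule that reaches internal ranges without being scoped to one of them
        # usually means public egress was widened to include private networks.
        if any(n.overlaps(p) and not n.subnet_of(p) for n in nets for p in INTERNAL_NETS):
            findings.append((i, "WARN", "destination mixes public and internal address space"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_asg_rules.py <path-to-rules-file>; with no path, the sample is linted.
    rules = SAMPLE_RULES
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            rules = json.load(handle)
    results = lint_rules(rules)
    for index, level, message in results:
        print(f"rule {index}: {level}: {message}")
    sys.exit(1 if any(level == "ERROR" for _, level, _ in results) else 0)
```

Warnings mark rules to review before binding the group to the Default Staging or Default Running group sets, where they apply to every staging or running app.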
{: #cliupdsecgro}
To update a security group, use the following command:
cf ba update-security-group <security-group> <path-to-rules-file>
{: codeblock}
- <Security group>
- Name of your security group
- <Path to rules file>
- Absolute or relative path to a rules file
Tip: You can also use ba usg as an alias for the longer ba update-security-group command name.
{: #clidelsecgro}
To delete a security group, use the following command:
cf ba delete-security-group <security-group>
{: codeblock}
- <Security group>
- Name of your security group
Tip: You can also use ba dsg as an alias for the longer ba delete-security-group command name.
{: #clibindsecgro}
For more information about binding security groups, see Binding Application Security Groups {: new_window}.
- To bind to the Default Staging security group set, use the following command:
cf ba bind-staging-security-group <security-group>
{: codeblock}
- <Security group>
- Name of your security group
Tip: You can also use ba bssg as an alias for the longer ba bind-staging-security-group command name.
- To bind to the Default Running security group set, use the following command:
cf ba bind-running-security-group <security-group>
{: codeblock}
- <Security group>
- Name of your security group
Tip: You can also use ba brsg as an alias for the longer ba bind-running-security-group command name.
- To bind a security group to a space, use the following command:
cf ba bind-security-group <security-group> <org> <space>
{: codeblock}
- <Security group>
- Name of your security group
- <Org>
- Name of the organization to bind the security group to
- <Space>
- Name of the space within the organization to bind the security group to
Tip: You can also use ba bsg as an alias for the longer ba bind-security-group command name.
{: #cliunbindsecgro}
For more information about unbinding security groups, see Unbinding Application Security Groups {: new_window}.
- To unbind from a Default Staging security group set, use the following command:
cf ba unbind-staging-security-group <security-group>
{: codeblock}
- <Security group>
- Name of your security group
Warning: Unbinding the Default Staging group set from the two IBM-created security groups, public_networks and dns, disables global access to the outside network. Use this command with caution and with an understanding of its ramifications for all staging applications in your environment.
Tip: You can also use ba ussg as an alias for the longer ba unbind-staging-security-group command name.
- To unbind from a Default Running security group set, use the following command:
cf ba unbind-running-security-group <security-group>
{: codeblock}
- <Security group>
- Name of your security group
Warning: Unbinding the Default Running group set from the two IBM-created security groups, public_networks and dns, disables global access to the outside network. Use this command with caution and with an understanding of its ramifications for all running applications in your environment.
Tip: You can also use ba brsg as an alias for the longer ba unbind-running-security-group command name.
- To unbind a security group from a space, use the following command:
cf ba unbind-security-group <security-group> <org> <space>
{: codeblock}
- <Security group>
- Name of your security group
- <Org>
- Name of the organization to unbind the security group from
- <Space>
- Name of the space within the organization to unbind the security group from
Tip: You can also use ba usg as an alias for the longer ba unbind-staging-security-group command name.
{: #admin_buildpack}
{: #clilistbuildpack}
If you have the apps catalog write permissions, you can list buildpacks. To list all buildpacks or view a specific buildpack, use the following command:
cf ba buildpacks <buildpack_name>
{: codeblock}
- <buildpack_name>
- An optional parameter to specify a particular buildpack to view.
Tip: You can also use ba lb as an alias for the longer ba buildpacks command name.
{: #clicreupbuildpack}
If you have the apps catalog write permissions, you can create and upload a buildpack. You can upload any compressed file that has a .zip file type. To upload a buildpack, use the following command:
cf ba create-buildpack <buildpack_name> <file_path> <position>
{: codeblock}
- <buildpack_name>
- The name of the buildpack to upload.
- <file_path>
- The path to the buildpack compressed file.
- <position>
- The order in which the buildpacks are checked during buildpack auto-detection.
Tip: You can also use ba cb as an alias for the longer ba create-buildpack command name.
{: #cliupdabuildpack}
If you have the apps catalog write permissions, you can update an existing buildpack. To update a buildpack, use the following command:
cf ba update-buildpack <buildpack_name> <position> <enabled> <locked>
{: codeblock}
- <buildpack_name>
- The name of the buildpack to update.
- <position>
- The order in which the buildpacks are checked during buildpack auto-detection.
- <enabled>
- Indicates whether the buildpack is used for staging.
- <locked>
- Indicates whether the buildpack is locked to prevent updates.
Tip: You can also use ba ub as an alias for the longer ba update-buildpack command name.
{: #clidelbuildpack}
If you have the apps catalog write permissions, you can delete an existing buildpack. To delete a buildpack, use the following command:
cf ba delete-buildpack <buildpack_name>
{: codeblock}
- <buildpack_name>
- The name of the buildpack to delete.
Tip: You can also use ba db as an alias for the longer ba delete-buildpack command name.