This version of the documentation is no longer supported. However, the documentation is available for your convenience.

RBACRole - syncUsersWithNameSuffix

Description :

This command synchronizes users belonging to an external directory group to the specified role. The synchronization configuration is stored in the role; you can set this configuration by using the addLdapGroupMapping command. The users created will have the specified suffix added to their names.

Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have the User.Read, User.Modify, User.ModifyProperties and User.Delete permissions for any users already assigned to the role you specify using the roleName argument.

You can use this command as part of the setup for the Active Directory user synchronization feature. For information about this feature, see the RBAC section of the BMC BladeLogic User Guide (Managing Access chapter).

Return type : DBKey

Command Input :

| Variable Name | Variable Type | Description |
|---|---|---|
| roleName | String | Name of the role. |
| userNameSuffix | String | User name suffix |

Example

The following example synchronizes users of the AD group CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com, configured on the Active Directory server engw2k8x64sso8.sso.bmc.com, with the RBAC role DemoUS. The users are created with the suffix @myDomain added to their names. The command also synchronizes users of any subgroups that belong to the specified AD group. These users have the isSynchronizable property set to true. The setLdapSyncOptions arguments specify that users not found in the Active Directory source are removed from the role. The query parameters specify how to find the users and groups belonging to that role.

Script

```
Ldap createQuery Administrators CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com (objectClass=group) member "My group query"
Ldap createQuery Users "" (objectClass=person) userPrincipalName "My user query"
RBACRole addLdapGroupMapping DemoUS SSOUS USDirAdmin Administrators AllUsers
RBACRole setLdapSyncOptions DemoUS false false true
RBACRole syncUsersWithNameSuffix DemoUS @myDomain
```
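Because this sync can delete users from the role, it helps to preview the outcome first. The following dry-run model of the reconciliation is an added illustration, not BMC code and not part of the original page. The functions `expand_group` and `plan_sync`, the subgroup, the user names and the role contents are all constructed; the model assumes that only users flagged isSynchronizable are removal candidates and takes each user's base name as given input.

```python
# Added illustration (not BMC code): dry-run model of the sync described above.
# All directory and role data below is constructed sample input.
from typing import Dict, List, NamedTuple, Optional, Set


class SyncPlan(NamedTuple):
    add: List[str]      # users the sync would create in the role
    remove: List[str]   # synchronized users no longer found in the group
    keep: List[str]     # users left in the role


def expand_group(dn: str, members: Dict[str, List[str]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Return DNs of all non-group members of dn, following nested subgroups."""
    seen = set() if seen is None else seen
    if dn in seen:              # guard against circular group nesting
        return set()
    seen.add(dn)
    found: Set[str] = set()
    for member in members.get(dn, []):
        if member in members:   # member is itself a group: recurse into it
            found |= expand_group(member, members, seen)
        else:
            found.add(member)
    return found


def plan_sync(group_dn, members, name_by_dn, role_users, suffix, remove_missing):
    """role_users maps a role user name to its isSynchronizable flag."""
    wanted = {name_by_dn[dn] + suffix
              for dn in expand_group(group_dn, members) if dn in name_by_dn}
    add = sorted(wanted - set(role_users))
    # Assumption: only users flagged isSynchronizable are removal candidates.
    stale = {u for u, synced in role_users.items() if synced and u not in wanted}
    remove = sorted(stale) if remove_missing else []
    keep = sorted(set(role_users) - set(remove))
    return SyncPlan(add, remove, keep)


ADMINS = "CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com"
OPS = "CN=Ops,CN=Users,DC=us,DC=sso,DC=bmc,DC=com"              # constructed
MEMBERS = {ADMINS: ["CN=alice", OPS], OPS: ["CN=bob", ADMINS]}  # has a cycle
NAMES = {"CN=alice": "alice", "CN=bob": "bob"}                  # constructed
ROLE = {"alice@myDomain": True, "carol@myDomain": True, "localadmin": False}

if __name__ == "__main__":
    print(plan_sync(ADMINS, MEMBERS, NAMES, ROLE, "@myDomain", remove_missing=True))
```

Reviewing the `remove` list before running the real command shows which accounts would lose the role when removal of users not found in the directory is enabled.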


