RBACRole - syncUsers_2

RBACRole - syncUsers

Description :

This command synchronizes users of a specified role with an external directory server.

Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.

Restriction: Use this command only if you are syncronizing under 1000 users at a time. If you are synchronizing more than 1000 users, use one of the syncUsers commands listed below. These syncUsers signatures do not have 1000 user maximum restriction:

syncUsers , syncUsers , syncUsers

You can use this command as part of the setup for the Active Directory user synchronization feature. For information about this feature, see the RBAC section of the BMC BladeLogic User Guide (Managing Access).

For ldapConnection, specify a named LDAP connection that you already created by using the Ldap : createConnection command.

For automationPrincipalName, specify the name of an automation principal that you already created by using the Impersonation : createAutomationPrincipal command.

Return type : DBKey

Command Input :

Variable Name

Variable Type




Name of the role on which you want to perform the synchronization operation.



Name of an existing LDAP connection.



Name of an existing automation principal.



Base distinguished name from which to start searching for users.



LDAP filter to query users with.



Name of the LDAP attribute where the username is stored.


The following example synchronizes users of role DemoUS with ActiveDirectory server engw2k8x64sso8.sso.bmc.com. This is simply an additive operation; existing users of the role are kept intact. The query parameters specify how to find the users belonging to the RBAC role DemoUS in the ActiveDirectory server. The synchronization operation never affects reserved users (BLAdmin and RBACAdmin) or any users for whom the isSynchronizable property is set to false.

This example assumes that you have already created an LDAP connection and an automation principal.


RBACRole syncUsers DemoUS SSO DirAdmin CN=Users,DC=sso,DC=bmc,DC=com "(&(objectClass=user)(logonCount=1))" userPrincipalName
Was this page helpful? Yes No Submitting... Thank you