RBACRole - syncUsers_3
This command synchronizes users of the specified role with an external directory server.
Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.
Restriction: Use this command only if you are syncronizing under 1000 users at a time. If you are synchronizing more than 1000 users, use one of the syncUsers commands listed below. These syncUsers signatures do not have 1000 user maximum restriction:
You can use this command as part of the setup for the Active Directory user synchronization feature. For information about this feature, see the RBAC section of the BMC BladeLogic User Guide (Managing Access).
The operation argument provides the following options for deleting/disabling/pruning users from RBAC and from the role.
- [pruneMissingUsers | -r] removes roles from users that are not found in the source
- [disableMissingUsers | -e] disables users in RBAC if they are not found in the source
- [disableAndPruneMissingUsers | -er | -re] performs both of the above operations
- [deleteMissingUsers | -u] deletes users from RBAC if they are not found in the source
The operation argument is optional -- you can leave it blank. If you leave it blank, the synchronization process adds new users to the role and does not affect existing users.
For ldapConnection, specify a named LDAP connection that you already created by using the Ldap : createConnection command.
For automationPrincipalName, specify the name of an automation principal that you already created by using the Impersonation : createAutomationPrincipal command.
Return type : DBKey
Command Input :
Name of the role.
Operation to be performed.
Name of an existing LDAP connection.
Name of an existing automation principal.
Base distinguished name from which to start searching for users.
Filter to be used as the search criteria.
Attribute containing the user name.
The following example synchronizes users of role LDAPRole with an LDAP connection named SSO. These users have the isSynchronizable property set to true. The operation pruneMissingUsers specifies that users not found in the ActiveDirectory source should get removed from the role. The query parameters specify how to find the users belonging to that role.
blcli RBACRole syncUsers LDAPRole pruneMissingUsers SSO ldapAdmin CN=Users,DC=sso,DC=bmc,DC=com (objectClass=user) userPrincipalName
This example disables any existing users who belong to the role and who have the isSynchronizable property set to true.
RBACRole syncUsers LDAPRole disableMissingUsers SSO DirAdmin CN=Users,DC=sso,DC=bmc,DC=com "(&(objectClass=user)(logonCount=3))" userPrincipalName
This deletes any existing users who belong to the role and who have the isSynchronizable property set to true.
RBACRole syncUsers LDAPRole deleteMissingUsers SSO DirAdmin CN=Users,DC=sso,DC=bmc,DC=com "(&(objectClass=user)(logonCount=10))" userPrincipalName