RBACRole - syncUsers_3


RBACRole - syncUsers

Description :

This command synchronizes users of the specified role with an external directory server.

Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.

Restriction: Use this command only if you are synchronizing under 1000 users at a time. If you are synchronizing more than 1000 users, use one of the syncUsers commands listed below. These syncUsers signatures do not have the 1000-user maximum restriction:

syncUsers, syncUsers, syncUsers

You can use this command as part of the setup for the Active Directory user synchronization feature. For information about this feature, see the RBAC section of the BMC BladeLogic User Guide (Managing Access).

The operation argument provides the following options for deleting, disabling, or pruning users from RBAC and from the role:

  • [pruneMissingUsers | -r] removes the role from users that are not found in the source
  • [disableMissingUsers | -e] disables users in RBAC if they are not found in the source
  • [disableAndPruneMissingUsers | -er | -re] performs both of the above operations
  • [deleteMissingUsers | -u] deletes users from RBAC if they are not found in the source

The operation argument is optional; you can leave it blank. If you leave it blank, the synchronization process adds new users to the role and does not affect existing users.

For ldapConnection, specify a named LDAP connection that you already created by using the Ldap : createConnection command.

For automationPrincipalName, specify the name of an automation principal that you already created by using the Impersonation : createAutomationPrincipal command.

Return type : DBKey

Command Input :

Variable Name            Variable Type   Description
roleName                 String          Name of the role.
operation                String          Operation to be performed.
ldapConnection           String          Name of an existing LDAP connection.
automationPrincipalName  String          Name of an existing automation principal.
baseDN                   String          Base distinguished name from which to start searching for users.
ldapFilter               String          Filter to be used as the search criteria.
ldapAttribute            String          Attribute containing the user name.

Examples :

Example

The following example synchronizes users of role LDAPRole with an LDAP connection named SSO. These users have the isSynchronizable property set to true. The operation pruneMissingUsers specifies that users not found in the Active Directory source are removed from the role. The query parameters specify how to find the users belonging to that role.

Script

blcli RBACRole syncUsers LDAPRole pruneMissingUsers SSO ldapAdmin CN=Users,DC=sso,DC=bmc,DC=com (objectClass=user) userPrincipalName

Example

This example disables any existing users who belong to the role, who have the isSynchronizable property set to true, and who are not found in the source.

Script

RBACRole syncUsers LDAPRole disableMissingUsers SSO DirAdmin CN=Users,DC=sso,DC=bmc,DC=com "(&(objectClass=user)(logonCount=3))" userPrincipalName

Example

This example deletes any existing users who belong to the role, who have the isSynchronizable property set to true, and who are not found in the source.

Script

RBACRole syncUsers LDAPRole deleteMissingUsers SSO DirAdmin CN=Users,DC=sso,DC=bmc,DC=com "(&(objectClass=user)(logonCount=10))" userPrincipalName
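Because disableMissingUsers and deleteMissingUsers act on existing accounts, it is worth computing which users a given operation value would touch before running the command. The following Python model is an added example, not BLCLI code: RbacUser, plan_sync and the action names are assumptions, and it applies the operation semantics listed above, the isSynchronizable property, and this signature's 1000-user restriction to constructed sample data.

```python
from dataclasses import dataclass, field

# Flag table mirroring the page's operation argument: (prune, disable, delete).
# Constructed for this model; not BLCLI's own implementation.
OPERATIONS = {
    None: (False, False, False),                       # blank: add new users only
    "pruneMissingUsers": (True, False, False), "-r": (True, False, False),
    "disableMissingUsers": (False, True, False), "-e": (False, True, False),
    "disableAndPruneMissingUsers": (True, True, False),
    "-er": (True, True, False), "-re": (True, True, False),
    "deleteMissingUsers": (False, False, True), "-u": (False, False, True),
}
MAX_USERS = 1000  # this syncUsers signature is limited to under 1000 users

@dataclass
class RbacUser:               # hypothetical stand-in for an RBAC user record
    name: str
    synchronizable: bool = True          # the isSynchronizable property
    enabled: bool = True
    roles: set = field(default_factory=set)

def plan_sync(role, users, source_names, operation=None):
    """Return the (action, user) list the sync would apply, without applying it."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if len(source_names) >= MAX_USERS:
        raise ValueError("use a syncUsers signature without the 1000-user limit")
    prune, disable, delete = OPERATIONS[operation]
    by_name = {u.name: u for u in users}
    actions = []
    # Users returned by the LDAP search are added to the role if not already in it.
    for name in sorted(source_names):
        if name not in by_name or role not in by_name[name].roles:
            actions.append(("add_role", name))
    # Only synchronizable role members missing from the source are affected,
    # and only when the operation asks for it.
    for u in users:
        if role not in u.roles or not u.synchronizable or u.name in source_names:
            continue
        if delete:
            actions.append(("delete", u.name))
        else:
            if disable and u.enabled:
                actions.append(("disable", u.name))
            if prune:
                actions.append(("remove_role", u.name))
    return actions
```

Feed it the role's current members and the set of names the ldapFilter/ldapAttribute query returns, and compare the plans for the blank operation, pruneMissingUsers and deleteMissingUsers before choosing one.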
