RBACRole - syncUsers
Description :
This command synchronizes users belonging to an external directory group to the specified RBACRole role. The command also recursively searches for users of the subgroups that belong to the specified group and synchronizes them as well.
Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.
You can use this command as part of the setup for the Active Directory user synchronization feature. For information about this feature, see the RBAC section of the BMC BladeLogic User Guide (Managing Access).
The operation argument provides the following options for deleting/disabling/pruning users from RBAC and from the role.
- [pruneMissingUsers | -r] removes roles from users that are not found in the source
- [disableMissingUsers | -e] disables users in RBAC if they are not found in the source
- [disableAndPruneMissingUsers | -er | -re] performs both of the above operations
- [deleteMissingUsers | -u] deletes users from RBAC if they are not found in the source
The operation argument is optional -- you can leave it blank. If you leave it blank, the synchronization process adds new users to the role and does not affect existing users.
For ldapConnection, specify a named LDAP connection that you already created by using the Ldap : createConnection command.
For automationPrincipalName, specify the name of an automation principal that you already created by using the Impersonation : createAutomationPrincipal command.
Return type : DBKey
Command Input :
Variable Name | Variable Type | Description |
---|---|---|
roleName | String | Name of the role. |
operation | String | Operation to be performed. |
ldapConnection | String | Name of an existing LDAP connection. |
automationPrincipalName | String | Name of an existing automation principal. |
groupDN | String | Distinguished name of the directory group from which to synchronize users. |
userFilter | String | LDAP filter to query users with. |
userAttribute | String | Name of the LDAP attribute where the username is stored. |
groupFilter | String | LDAP filter to query subgroups with. |
memberAttribute | String | Name of the LDAP attribute where the group members are stored. |
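The following is an added illustration, not BMC's own code: an offline model of what the arguments above mean and of what each operation value does to existing role members. It walks a constructed sample directory from groupDN, applying userFilter/userAttribute to leaf entries and groupFilter/memberAttribute to subgroups (recursively, as the description states), and then applies the chosen operation to an in-memory RBAC user table in which only users with isSynchronizable set to true are affected. The directory entries, user names, the DemoUS role contents, the equality-only filter matcher and the function names `resolve_members`, `sync_users` and `preview` are all assumptions made for this example; the real product performs a genuine LDAP search and stores users in its database. Running `preview` with each operation before the real command is one way to reason about the blast radius of pruneMissingUsers, disableMissingUsers and deleteMissingUsers on the role you are about to sync.

```python
from dataclasses import dataclass

# Constructed sample directory (DN -> attributes), standing in for the
# LDAP/Active Directory server behind the named ldapConnection.
DIRECTORY = {
    "CN=Administrators,CN=Users,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=alice,CN=Users,DC=example,DC=com",
                   "CN=Ops,CN=Users,DC=example,DC=com"],   # nested subgroup
    },
    "CN=Ops,CN=Users,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=bob,CN=Users,DC=example,DC=com"],
    },
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": "user", "userPrincipalName": "alice@example.com"},
    "CN=bob,CN=Users,DC=example,DC=com": {
        "objectClass": "user", "userPrincipalName": "bob@example.com"},
}


def matches(entry, ldap_filter):
    """Simplified matcher for single equality filters such as '(objectClass=user)'."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return entry.get(attr) == value


def resolve_members(group_dn, user_filter, user_attr, group_filter, member_attr, seen=None):
    """Return usernames reachable from group_dn, descending into matching subgroups."""
    seen = seen if seen is not None else set()
    if group_dn in seen:          # guard against cyclic group nesting
        return set()
    seen.add(group_dn)
    users = set()
    for member_dn in DIRECTORY.get(group_dn, {}).get(member_attr, []):
        entry = DIRECTORY.get(member_dn, {})
        if matches(entry, user_filter):
            users.add(entry[user_attr])          # username taken from userAttribute
        elif matches(entry, group_filter):
            users |= resolve_members(member_dn, user_filter, user_attr,
                                     group_filter, member_attr, seen)
    return users


@dataclass
class RbacUser:
    name: str
    roles: set
    is_synchronizable: bool = True   # users created by a sync carry this flag
    enabled: bool = True


def sync_users(rbac, role, operation, source_users):
    """Model of syncUsers: add source users to the role, then handle missing ones.

    Existing users are touched only if they hold the role, are synchronizable
    and are absent from the source. An empty operation adds users only.
    """
    for name in source_users:
        rbac.setdefault(name, RbacUser(name, set())).roles.add(role)
    both = {"disableAndPruneMissingUsers", "-er", "-re"}
    prune = operation in {"pruneMissingUsers", "-r"} | both
    disable = operation in {"disableMissingUsers", "-e"} | both
    delete = operation in {"deleteMissingUsers", "-u"}
    for name, user in list(rbac.items()):
        if role not in user.roles or not user.is_synchronizable or name in source_users:
            continue
        if delete:
            del rbac[name]        # removed from RBAC entirely
            continue
        if prune:
            user.roles.discard(role)
        if disable:
            user.enabled = False
    return rbac


def sample_rbac():
    """Constructed RBAC state: carol is a stale synced user, dave was added by hand."""
    return {
        "carol@example.com": RbacUser("carol@example.com", {"DemoUS"}),
        "dave@example.com": RbacUser("dave@example.com", {"DemoUS"}, is_synchronizable=False),
    }


def preview(operation):
    """Dry run of the first page example's arguments against the sample data."""
    source = resolve_members("CN=Administrators,CN=Users,DC=example,DC=com",
                             "(objectClass=user)", "userPrincipalName",
                             "(objectClass=group)", "member")
    return sync_users(sample_rbac(), "DemoUS", operation, source)


if __name__ == "__main__":
    for op in ("", "pruneMissingUsers", "disableMissingUsers", "-er", "deleteMissingUsers"):
        state = preview(op)
        print(f"{op or '<none>':>22}:", {n: (sorted(u.roles), u.enabled) for n, u in state.items()})
```

Note that dave, who lacks the isSynchronizable flag, survives every operation untouched, which is the property the examples below rely on.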
Examples :
Example
The following example synchronizes users of the AD group CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com, configured on the Active Directory server engw2k8x64sso8.sso.bmc.com, with the RBAC role DemoUS. It also synchronizes users of any subgroups that belong to the specified AD group. These users have the isSynchronizable property set to true. The operation pruneMissingUsers specifies that users not found in the Active Directory source should be removed from the role. The query parameters specify how to find the users and groups belonging to that role.
Script
RBACRole syncUsers DemoUS pruneMissingUsers SSO DirAdmin CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com (objectClass=user) userPrincipalName (objectClass=group) member
Example
This example disables any existing users who belong to the role and who have the isSynchronizable property set to true.
Script
RBACRole syncUsers DemoUS disableMissingUsers SSO DirAdmin CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com (objectClass=user) userPrincipalName (objectClass=group) member
Example
This example deletes any existing users who belong to the role and who have the isSynchronizable property set to true.
Script
RBACRole syncUsers DemoUS deleteMissingUsers SSO DirAdmin CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com (objectClass=user) userPrincipalName (objectClass=group) member