×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Server Automation Command Line Interface 8.7 RBACRole

RBACRole - syncUsersWithAd

RBACRole - syncUsersWithAd

Description :

This command synchronizes users of the specified role with an external Active Directory server.

Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.  The server used must be on the domain being contacted and is either a domain controller or a domain machine that is accessed via Automation Principals.

The userAttributeFlag argument provides the ability to customize which attribute is used for the user name. For the entire list of options, see the Microsoft Windows command 'dsget user'.  The userAttributeFlag '-upn' would be the most common for User Principal Name.

The operation argument provides the following options for deleting/disabling/pruning users from RBAC and from the role.

  • [pruneMissingUsers | -r] removes roles from users that are not found in the source
  • [disableMissingUsers | -e] disables users in RBAC if they are not found in the source
  • [disableAndPruneMissingUsers | -er | -re] performs both of the above operations
  • [deleteMissingUsers | -u] deletes users from RBAC if they are not found in the source

The operation argument is optional -- you can leave it blank ( as in ""). If you leave it blank, the synchronization process adds new users to the role and does not affect existing users.

Return type : DBKey

Command Input :

Variable Name

Variable Type

Description

roleName

String

Name of the role.

domainServerStringName of an existing domain server.
Name of an existing domain server.
Important: Ensure that the domain server has an RSCD agent installed and that it is added to the BMC Server Automation (BSA) environment (see Adding a server to the system). If the domain server is not managed by BSA, the syncUsersWithAd fails to execute.
groupDnStringDistinguished name of group to synchronize the role against.
userAttributeFlagStringUser attribute flag.
operationStringOperation to be performed.
suffixString

Suffix to be added to user names.

Example

The following example synchronizes users of role ADRole with the Domain server DOMAINMACHINE. These users have the isSynchronizable property set to true. The group "CN=UniversalGroup,OU=qa,DC=bmc,DC=com" is used to source the users for the role. The flag used for the internal dsget command to retrieve the username is -upn. The operation pruneMissingUsers specifies that users not found in the Active Directory source should get removed from the role. The suffix "@bmc.com" specifies that we will add that string to the end of each username.

Script

blcli RBACRole syncUsersWithAd ADRole DOMAINMACHINE "CN=UniversalGroup,OU=qa,DC=bmc,DC=com" -upn -r ""@bmc.com"
Was this page helpful? Yes No Submitting... Thank you
Last modified by Moiz Nalwalla on Nov 03, 2017

Comments

Log in or register to comment.

RBACRole - syncUsersWithNameSuffix
RBACUser
© Copyright 2008 - 2017 BMC Software, Inc. © Copyright 1996 - 2017 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.