RBACRole - syncUsers

Description :

This command synchronizes users belonging to an external directory group to the specified role. The synchronization configuration is found in the role -- you can set this configuration by using the addLdapGroupMapping command.

Prerequisite: To run this command, the role you used to initiate this BLCLI session must have read and write access to the users in the role you want to sync. Specifically, the BLCLI role must have User.Read, User.Modify, User.ModifyProperties and User.Delete permission for any users already assigned to the role you specify using the roleName argument.

You can use this command as part of the setup for the Active Directory user synchronization feature. For information about this feature, see the RBAC section of the BMC BladeLogic User Guide (Managing-access).

Return type : DBKey

Command Input :

Variable Name    Variable Type    Description
roleName         String           Name of the role.

Example

The following example synchronizes users of the AD group CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com, configured on the Active Directory server engw2k8x64sso8.sso.bmc.com, with the RBAC role DemoUS. It also synchronizes users of any subgroups that belong to the specified AD group. These users have the isSynchronizable property set to true. The setLdapSyncOptions arguments specify that users not found in the Active Directory source are removed from the role. The query parameters specify how to find the users and groups belonging to that role.

Script

Ldap createQuery Administrators CN=Administrators,CN=Users,DC=us,DC=sso,DC=bmc,DC=com (objectClass=group) member "My group query"
Ldap createQuery Users "" (objectClass=person) userPrincipalName "My user query"
RBACRole addLdapGroupMapping DemoUS SSOUS USDirAdmin Administrators AllUsers
RBACRole setLdapSyncOptions DemoUS false false true
RBACRole syncUsers DemoUS
