The LoginUser object

The Privileged Access Service creates a single LoginUser object for each user session for a user-password web application. The object is an instance of the LoginUser class, and is a read/write object.

The LoginUser object’s properties describe the user as he or she is presented to the web application. The following table describes those properties.

Property name

Description

LoginUser.Username

The username used to log the current user on to the web application. The Privileged Access Service determines the username for this user session depending on the “Map to User Accounts” setting in the Application Settings tab.

LoginUser.FirstName

The first name of the user presented in the SAML assertion to the web application. Note the following special cases for parsing this attribute for users in directory services that do not have the FirstName attribute, such as Centrify Directory:

The FirstName attribute is parsed from the first string of DisplayName.

If DisplayName is a single string, the same string is used for the FirstName and LastName attributes.

If DisplayName is null, FirstName and LastName return as null. SAML apps that require non-empty values will fail to launch in this case.

LoginUser.LastName

The last name of the user presented in the SAML assertion to the web application. Note the following special cases for parsing this attribute for users in directory services that do not have the LastName attribute, such as Centrify Directory:

The LastName attribute is parsed from the last string of DisplayName. Any additional strings between the first string and the last string are ignored.

If DisplayName is a single string, the same string is used for the FirstName and LastName attributes.

If DisplayName is null, FirstName and LastName return as null. SAML apps that require non-empty values will fail to launch in this case.

LoginUser.Password

The password used to log the current user on to the web application. The Privileged Access Service determines the password for this user session depending on the “Map to User Accounts” setting in the Application Settings tab. This property is synonymous with the global variable LoginPassword.

LoginUser.GroupNames

An array of group names for groups in which the user is an effective member (according to the user’s Active Directory account). A user is an effective member of a group if he or she is either a direct member of the group or a direct member of a group that is in turn a member of the group.

This property returns the same value as LoginUser.EffectiveGroupNames.

LoginUser.EffectiveGroupNames

An array of group names for groups in which the user is an effective member (according to the user’s Active Directory account). A user is an effective member of a group if he or she is either a direct member of the group or a direct member of a group that is in turn a member of the group.

This property returns the same value as LoginUser.GroupNames.

LoginUser.GroupDNs

An array of distinguished names of groups in which the user is an effective member.

This property returns the same value as LoginUser.EffectiveGroupDNs.

LoginUser.EffectiveGroupDNs

An array of distinguished names of groups in which the user is an effective member.

This property returns the same value as LoginUser.GroupDNs.
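The DisplayName fallback rules described above for LoginUser.FirstName and LoginUser.LastName, modeled as an added JavaScript example (not the Privileged Access Service's own code) that audits accounts before a SAML app is deployed. It assumes a "string" in DisplayName is a whitespace-separated token and that an empty DisplayName behaves like null; the function names, usernames and display names are constructed for illustration.

```javascript
// Added illustration of the documented fallback rules; not the service's code.
// Assumption: "strings" in DisplayName are whitespace-separated tokens.
function namesFromDisplayName(displayName) {
  const parts = displayName == null
    ? []
    : String(displayName).trim().split(/\s+/).filter(Boolean);
  if (parts.length === 0) {
    // Documented: null DisplayName -> FirstName and LastName are null.
    // Assumption: empty or whitespace-only DisplayName is treated the same.
    return { firstName: null, lastName: null, tokens: 0 };
  }
  // First string -> FirstName, last string -> LastName.
  // Strings in between are ignored; a single string fills both attributes.
  return {
    firstName: parts[0],
    lastName: parts[parts.length - 1],
    tokens: parts.length,
  };
}

// Report accounts whose derived names would break or surprise a SAML app.
function auditDisplayNames(users) {
  const findings = [];
  for (const u of users) {
    const n = namesFromDisplayName(u.displayName);
    if (n.tokens === 0) {
      // Apps that require non-empty name values fail to launch for this user.
      findings.push({ user: u.username, issue: "null-names" });
    } else if (n.tokens === 1) {
      findings.push({ user: u.username, issue: "first-equals-last" });
    } else if (n.tokens > 2) {
      findings.push({ user: u.username, issue: "middle-strings-ignored" });
    }
  }
  return findings;
}

// Constructed sample accounts (not real users).
const SAMPLE_USERS = [
  { username: "mcruz@example.com", displayName: "Maria de la Cruz" },
  { username: "svc-backup@example.com", displayName: "svc-backup" },
  { username: "jdoe@example.com", displayName: null },
  { username: "asmith@example.com", displayName: "Alice Smith" },
];

for (const f of auditDisplayNames(SAMPLE_USERS)) {
  console.log(`${f.user}: ${f.issue}`);
}
```

Accounts reported as null-names need a DisplayName set in the directory before a SAML app that requires non-empty name values is assigned to them.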

The LoginUser object has a single method that a script may call:

Method name

Description

LoginUser.Get(ADkey)

This method returns any one of the current user’s Active Directory attributes. It takes as its argument a string that specifies the key of the attribute to retrieve. For example, LoginUser.Get("mail") returns the user’s email address as stored in the user’s Active Directory account.