Use the get_user_role_assignments command to retrieve all of the role assignments in the current zone for a specified user. This command returns all of the role assignments from the groups to which the user belongs and the role assignments assigned directly to the user account.

The command checks Active Directory for the user you specify, identifies the groups that the user is a member of, then returns all the role assignments made to those groups and all the role assignments made directly to the user account, including any user role assignments made in computer roles for the currently selected zone.


get_user_role_assignments [-visible] [-hostname hostname] user_DN




This command takes the following options:

Option Description

-visible

Specifies that you want to return only visible role assignments in the zone. Use this option to return role assignments for the roles that are identified as visible. This option is only applicable in hierarchical zones.

-hostname hostname

Specifies the computer name to search for role assignments to the user in computer roles. If you set this option, the command checks for computer role assignments in the currently selected zone.


This command takes the following argument:

Argument Type Description

user_DN

Required. Specifies the user whose role assignments you want to return. You can use this argument to specify the distinguished name (DN) for a user or a group.

Return value

This command returns a list of all role assignments for the specified Active Directory user in the currently selected zone.

Note that the command does not return role assignments for all zones where the user might be assigned a role.


select_zone "cn=northamerica,cn=zones,ou=centrify,dc=pistolas,dc=org"
get_user_role_assignments "cn=amy.adams,cn=users,dc=pistolas,dc=org"

This example returns a list of groups:

{ Login/northamerica} {adm‑} {}
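
Because the command reports only on the currently selected zone, an access review of one user has to repeat it zone by zone. The following script is an added example, not part of the original documentation: it assumes the adedit session is already bound to the domain, and the proc name roles_across_zones, its variables and the second zone DN are hypothetical.

```tcl
# Added example. Collects a user's role assignments from several zones,
# since get_user_role_assignments only reads the currently selected zone.
# Returns a list of {zone status data} triples; status is "ok" or "error".
proc roles_across_zones {user_dn zone_dns {hostname ""}} {
    set report {}
    foreach zone $zone_dns {
        # select_zone changes which zone the next command reads from.
        if {[catch {select_zone $zone} err]} {
            lappend report [list $zone error $err]
            continue
        }
        # With -hostname, user assignments in computer roles for that
        # computer are checked in the selected zone as well.
        if {$hostname eq ""} {
            set cmd [list get_user_role_assignments $user_dn]
        } else {
            set cmd [list get_user_role_assignments -hostname $hostname $user_dn]
        }
        if {[catch {eval $cmd} result]} {
            lappend report [list $zone error $result]
        } else {
            lappend report [list $zone ok $result]
        }
    }
    return $report
}

# Constructed input: the first zone DN is the one used on this page,
# the second is a made-up sibling zone for illustration.
set zones [list \
    "cn=northamerica,cn=zones,ou=centrify,dc=pistolas,dc=org" \
    "cn=europe,cn=zones,ou=centrify,dc=pistolas,dc=org"]
set user "cn=amy.adams,cn=users,dc=pistolas,dc=org"

foreach entry [roles_across_zones $user $zones] {
    foreach {zone status data} $entry break
    if {$status eq "ok"} {
        puts "$zone: [llength $data] role assignment(s)"
        foreach assignment $data { puts "    $assignment" }
    } else {
        # A zone that could not be read is reported, not treated as
        # "no assignments", so a review does not miss it silently.
        puts "$zone: NOT CHECKED ($data)"
    }
}
```

When the loop finishes, the last zone in the list remains the selected zone, so select the zone you need again before running further zone-scoped commands.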

Related Tcl library commands

The following commands perform actions related to this command: