list_role_assignments

Use the list_role_assignments command to check Active Directory and return a list of role assignments defined within the currently selected zone. If executed in a script, this command outputs its list to stdout so that the output appears in the shell where the script is executed. The command does not return a Tcl list back to the executing script. Use get_role_assignments to return a Tcl list.

If you do not specify an option, the command returns the current users and groups in the zone with a role assignment using the default sAMAccount@domain format.

You can only use the list_role_assignments command to return role assignments for classic4 and hierarchical zones.

Zone type

Classic and hierarchical

Syntax

list_role_assignments [-upn] [-visible] [-user] [-group] [-invalid]

Abbreviation

lsra

Options

This command takes the following options:

Option	Description
-upn	Optional. Returns user names in user principal name (UPN) format rather than the default `sAMAccount@domain` format.
-visible	Returns a list to `stdout` of the visible role assignments in the zone. Use this option if you only want to return role assignments for the roles that are identified as visible. This option is only applicable in hierarchical zones.
-user	Returns a list to `stdout` of the current users in the zone with a role assignment. Use this option if you only want to return valid users with a role assignment.
-group	Returns a list to `stdout` of the current groups in the zone with a role assignment. Use this option if you only want to return valid groups with a role assignment.
-invalid	Returns a list to `stdout` of any invalid role assignments in the zone. A role assignment is invalid if it specifies a group or user that no longer exists. Use this option if you only want to return invalid role assignments.

Arguments

This command takes no arguments.

Return value

This command returns a list to stdout of role assignments defined in the currently selected zone. Each entry in the list provides the following information:

The user or group to whom the role assignment applies by sAMAccount@domain name or user principal name.
The name of the role assigned followed by a slash (/) and the zone where the role is defined.

Examples

>bind pistolas.org

>select_zone “cn=northamerica,cn=zones,ou=acme,dc=pistolas,dc=org”

>list_role_assignments

This example returns the role assignments for the northamerica zone:

Domain Users@pistolas.org: Window Login/northamerica
adm-sf@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
maya@pistolas.org: SQLAdmin/northamerica

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a role assignment:

get_role_assignments returns a Tcl list of role assignments in the current zone.
new_role_assignment creates a new role assignment and stores it in memory.
select_role_assignment retrieves a role assignment from Active Directory and stores it in memory.

After you have a role assignment stored in memory, you can use the following commands to work with that role assignment:

delete_role_assignment deletes the selected role assignment from Active Directory and from memory.
get_role_assignment_field reads a field value from the currently selected role assignment.
save_role_assignment saves the selected role assignment with its current settings to Active Directory.
set_role_assignment_field sets a field value in the currently selected role assignment.
write_role_assignment saves the selected role assignment to a file.