list_role_assignments

Use the list_role_assignments command to check Active Directory and return a list of role assignments defined within the currently selected zone. If executed in a script, this command outputs its list to stdout so that the output appears in the shell where the script is executed. The command does not return a Tcl list back to the executing script. Use get_role_assignments to return a Tcl list.

If you do not specify an option, the command returns the current users and groups in the zone with a role assignment using the default sAMAccount@domain format.

You can only use the list_role_assignments command to return role assignments for classic4 and hierarchical zones.

Zone type

Classic and hierarchical

Syntax

list_role_assignments [-upn] [-visible] [-user] [-group] [-invalid]

Abbreviation

lsra

Options

This command takes the following options:

Option Description

-upn

Optional. Returns user names in user principal name (UPN) format rather than the default sAMAccount@domain format.

-visible

Returns a list to stdout of the visible role assignments in the zone. Use this option if you only want to return role assignments for the roles that are identified as visible. This option is only applicable in hierarchical zones.

-user

Returns a list to stdout of the current users in the zone with a role assignment. Use this option if you only want to return valid users with a role assignment.

-group

Returns a list to stdout of the current groups in the zone with a role assignment. Use this option if you only want to return valid groups with a role assignment.

-invalid

Returns a list to stdout of any invalid role assignments in the zone. A role assignment is invalid if it specifies a group or user that no longer exists. Use this option if you only want to return invalid role assignments.

Arguments

This command takes no arguments.

Return value

This command returns a list to stdout of role assignments defined in the currently selected zone. Each entry in the list provides the following information:

  • The user or group to whom the role assignment applies by sAMAccount@domain name or user principal name.
  • The name of the role assigned followed by a slash (/) and the zone where the role is defined.

Examples

>bind pistolas.org
>select_zone "cn=northamerica,cn=zones,ou=centrify,dc=pistolas,dc=org"
>list_role_assignments

This example returns the role assignments for the northamerica zone:

Domain Users@pistolas.org: Window Login/northamerica
adm-sf@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
maya@pistolas.org: SQLAdmin/northamerica
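
The following is an added example, not part of the original documentation: a Python sketch for access reviews that parses captured list_role_assignments output and reports assignments added or removed since an approved baseline. The names parse_assignments and diff_assignments and the CURRENT capture are hypothetical, and the parser assumes zone names contain no slash.

```python
"""Parse list_role_assignments output and diff it against an approved baseline."""
from typing import NamedTuple


class Assignment(NamedTuple):
    principal: str  # sAMAccount@domain or UPN, depending on -upn
    role: str
    zone: str


def parse_assignments(text: str) -> set:
    """Parse 'principal: role/zone' lines in the format shown on this page."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Principals and role names may contain spaces, so split on the
        # first ': ' and the last '/' (assumes no '/' in zone names).
        principal, sep, rest = line.partition(": ")
        role, slash, zone = rest.rpartition("/")
        if not (sep and slash and principal and role and zone):
            raise ValueError(f"unrecognised line: {line!r}")
        found.add(Assignment(principal, role, zone))
    return found


def diff_assignments(baseline: str, current: str) -> dict:
    """Return assignments added or removed relative to the baseline."""
    old, new = parse_assignments(baseline), parse_assignments(current)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample data: BASELINE repeats the example output on this page;
# CURRENT is invented for illustration (rey moved to SQLAdmin).
BASELINE = """\
Domain Users@pistolas.org: Window Login/northamerica
adm-sf@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
maya@pistolas.org: SQLAdmin/northamerica
"""
CURRENT = BASELINE.replace("rey@pistolas.org: UNIX Login",
                           "rey@pistolas.org: SQLAdmin")

if __name__ == "__main__":
    for kind, items in diff_assignments(BASELINE, CURRENT).items():
        for a in items:
            print(f"{kind}: {a.principal} -> {a.role} ({a.zone})")
```

Because list_role_assignments writes to stdout, the captures can come from redirecting the script's output to a file; capturing the -invalid output the same way gives a separate list of assignments for users or groups that no longer exist.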

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a role assignment:

After you have a role assignment stored in memory, you can use the following commands to work with that role assignment: