Use the list_role_rights command to return a list of all UNIX commands and PAM application rights set within the currently selected role. If executed in a script, this command outputs its list to stdout so that the output appears in the shell where the script is executed. The command does not return a Tcl list back to the executing script.

The list_role_rights command does not query Active Directory for the role. If you change commands or PAM applications using ADEdit without saving the role to Active Directory, commands and PAM applications you retrieve using list_role_rights won’t match those stored in Active Directory.

You can only use list_role_rights to return role rights for classic4 and hierarchical zones.

Zone type

Classic and hierarchical






This command takes no options.


This command takes no arguments.

Return value

This command returns a list to stdout of the PAM application and UNIX command rights that are defined for the currently selected role.

Each entry lists the name of the application or command right, the attributes of the application or command, and any descriptive text.



This example returns the list of PAM application and UNIX command rights:

dzssh-all/northamerica : dzssh-exec : Command execution
login-all/seattle : * : Predefined global PAM permission. Do not delete.
cron-exec/seattle : cron form(0) dzdo_runas(admin) flags(16) ;
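
Because list_role_rights writes to stdout instead of returning a Tcl list, reviewing a role's rights from a script means parsing captured output. The following is an added example, not part of the original documentation, that does this in Python for the three sample lines above. It assumes fields are separated by " : ", that the text after "/" is the zone name, and that a trailing ";" can be ignored; parse_role_rights and review_flags are hypothetical helper names.

```python
import re
from typing import NamedTuple

# Constructed sample: the three output lines shown in the example above.
SAMPLE = """\
dzssh-all/northamerica : dzssh-exec : Command execution
login-all/seattle : * : Predefined global PAM permission. Do not delete.
cron-exec/seattle : cron form(0) dzdo_runas(admin) flags(16) ;
"""

class RoleRight(NamedTuple):
    name: str         # right name, e.g. "cron-exec"
    zone: str         # assumed: text after "/" is the zone, e.g. "seattle"
    target: str       # first attribute token: the application or command
    attrs: dict       # key(value) attributes such as dzdo_runas(admin)
    description: str  # descriptive text, may be empty

ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")

def parse_role_rights(text):
    """Parse captured list_role_rights output (assumed ' : ' separated)."""
    rights = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split at most twice so a ' : ' inside the description survives.
        fields = [f.strip() for f in line.split(" : ", 2)]
        if len(fields) < 2 or "/" not in fields[0]:
            raise ValueError(f"unrecognized entry: {line!r}")
        name, zone = fields[0].rsplit("/", 1)
        spec = fields[1].rstrip(" ;")  # drop the trailing ';' seen in the sample
        target = spec.split()[0] if spec else ""
        desc = fields[2] if len(fields) == 3 else ""
        rights.append(RoleRight(name, zone, target, dict(ATTR_RE.findall(spec)), desc))
    return rights

def review_flags(rights):
    """Return (right, reason) pairs an access reviewer should look at first."""
    flagged = []
    for r in rights:
        if r.target == "*":
            flagged.append((f"{r.name}/{r.zone}", "wildcard target"))
        if "dzdo_runas" in r.attrs:
            flagged.append((f"{r.name}/{r.zone}", f"runs as {r.attrs['dzdo_runas']}"))
    return flagged

if __name__ == "__main__":
    for right, reason in review_flags(parse_role_rights(SAMPLE)):
        print(f"{right}: {reason}")
```

The parsed result reflects the role as held in memory, so save or reselect the role first if the review must match what is stored in Active Directory.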

Related commands

Before you use this command, you must have a currently selected role stored in memory. The following commands enable you to view and select a role:

  • get_roles returns a Tcl list of roles in the current zone.
  • list_roles returns a list of all roles in the currently selected zone.
  • new_role creates a new role and stores it in memory.
  • select_role retrieves a role from Active Directory and stores it in memory.

After you have a role stored in memory, you can use the following commands to work with that role: