set_role_field

Use the set_role_field command to set the value for a specified field in the currently selected role stored in memory. The set_role_field command does not set a field value stored in Active Directory for this role.

If you change any fields, you must save the role using the save_role command for your changes to take effect in Active Directory. If you select another role or end the ADEdit session before saving the currently selected role, your changes will be lost.

You can only use the set_role_field command if the currently selected zone is a classic or hierarchical zone. The command does not work in other types of zones.

Zone type

Classic and hierarchical

Syntax

set_role_field field value

Abbreviation

srf

Options

This command takes no options.

Arguments

This command takes the following arguments:

Argument   Type                 Description
field      string               Required. Specifies the name of the field that you want to set.
value      (depends on field)   Required. Specifies the value to assign to the specified field.

In most cases, you can assign an empty string or null value (0) to unset a field value, depending on the data type of the field.

The data type required depends on the field you are setting. The possible values are:

  • allowLocalUser: Set the value to true to allow local users to be assigned to the role, or false if local users should not be assigned to the role. This field is not applicable in classic zones. The valid values are 1, y, yes, or true to enable or 0, n, no, or false to disable. All other values throw an exception.
  • AlwaysPermitLogin: Set the value to true to enable “rescue rights” for users assigned to the role, or false if “rescue rights” should not be applied to the role. This field is not applicable in classic zones. The valid values are 1, y, yes, or true to enable or 0, n, no, or false to disable. All other values throw an exception.
  • auditLevel: Set the value to one of the following to specify whether auditing is not requested, requested but not required, or required:
    • AuditIfPossible
    • AuditNotRequested
    • AuditRequired
    This field is not applicable in classic zones.

  • customAttr: Sets custom text strings for the role. This field is only applicable for hierarchical zones.
  • description: Set the value to a text string that describes the role.

  • sysrights: Set the value to specify the system rights granted to the role. This value is an integer that represents a combination of binary flags, one for each right. This field is not applicable in classic zones.

  • timebox: Set the value to indicate the hours in the week when the role is enabled. This value is a 42-digit hexadecimal number. When represented in binary, each bit represents an hour of the week, as described in the appendix Timebox value format.

  • visible: Returns true or false depending on whether the “User is visible” right is configured for the role. You cannot get this field value if the selected zone is a classic zone.

Setting the system rights field value for a role

You can specify the sysrights field to define the system rights that you want to grant to the currently selected role. This field value is an integer that represents a combination of binary flags, with one flag for each of the following system rights:

1—Password login and non password (SSO) login are allowed.

2—Non password (SSO) login is allowed.

4—Account disabled in Active Directory can be used by sudo, cron, etc.

8—Log in with non-restricted shell.

16—Audit not requested/required.

32—Audit required.

64—Always permit to login.

128—Remote login access is allowed for Windows computers.

256—Console login access is allowed for Windows computers.

512—Require multi-factor authentication through the Centrify connector to log on.

1024—PowerShell remote access is allowed.

These values are added together to define the sysrights field value. For example, a sysrights value of 6 indicates that the role is configured to allow single sign-on login and to ignore disabled accounts (2+4). A value of 11 indicates that most common UNIX system rights are enabled (1+2+8). A value of 384 indicates that most common Windows system rights are enabled (128+256).

Return value

This command returns nothing if it runs successfully.

Examples

The following example sets the system rights for the current role to allow SSO login (2) and to provide a full shell (8):

set_role_field sysrights 10

The following example sets the current role to require auditing:

set_role_field auditLevel AuditRequired

Note that the sysrights field is a bit field, so you can add and remove bits for the field instead of setting the integer value directly. For example, to add the system rights for single sign-on and full shell to existing system rights, you might use commands similar to this:

# read the current sysrights value, then OR in SSO login (2) and full shell (8)
set sr [get_role_field sysrights]
set_role_field sysrights [expr { $sr | 10 }]
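The following stand-alone Python helper is an added example, not part of the ADEdit documentation or product. It builds, decodes and adjusts the sysrights integer from the flag table above (the same add/remove-bits idea as the Tcl snippet), so an administrator can check what a value grants before handing it to set_role_field; the right names and the adedit_command helper are this example's own.

```python
# Added example (not from the ADEdit documentation): encode, decode and
# adjust the integer sysrights value that set_role_field expects.
# Flag values are the ones documented for the sysrights field; the short
# names used as keys are chosen here for readability.
SYSRIGHTS = {
    "password_login": 1,        # password and non-password (SSO) login allowed
    "sso_login": 2,             # non-password (SSO) login allowed
    "ignore_disabled": 4,       # disabled AD account usable by sudo, cron, etc.
    "full_shell": 8,            # log in with non-restricted shell
    "audit_not_required": 16,   # audit not requested/required
    "audit_required": 32,       # audit required
    "always_permit_login": 64,  # always permit to login (rescue rights)
    "win_remote_login": 128,    # remote login allowed on Windows computers
    "win_console_login": 256,   # console login allowed on Windows computers
    "mfa_required": 512,        # MFA through the Centrify connector required
    "powershell_remote": 1024,  # PowerShell remote access allowed
}
ALL_BITS = sum(SYSRIGHTS.values())

def encode(*names):
    """Combine named rights into the integer value for set_role_field."""
    value = 0
    for name in names:
        if name not in SYSRIGHTS:
            raise ValueError(f"unknown system right: {name}")
        value |= SYSRIGHTS[name]
    return value

def decode(value):
    """List the rights a sysrights integer grants; reject undocumented bits."""
    if value < 0 or value & ~ALL_BITS:
        raise ValueError(f"sysrights {value} contains undocumented bits")
    return [name for name, bit in SYSRIGHTS.items() if value & bit]

def grant(current, *names):
    """Add rights to an existing value (the Tcl '$sr | 10' idiom)."""
    return current | encode(*names)

def revoke(current, *names):
    """Clear rights from an existing value without touching the others."""
    return current & ~encode(*names)

def adedit_command(value):
    """Render the ADEdit command line that applies the value (assumed helper)."""
    return f"set_role_field sysrights {value}"

if __name__ == "__main__":
    unix = encode("password_login", "sso_login", "full_shell")  # 11, as in the text
    print(adedit_command(unix), decode(unix))
    print(adedit_command(revoke(grant(unix, "audit_required"), "password_login")))
```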

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select roles:

  • get_roles returns a Tcl list of roles in the current zone.
  • list_roles lists to stdout the roles in the current zone.
  • new_role creates a new role and stores it in memory.
  • select_role retrieves a role from Active Directory and stores it in memory.

After you have a role stored in memory, you can use the following commands to work with that role: