set_role_field
Use the set_role_field command to set the value for a specified field in the currently selected role stored in memory. The set_role_field command does not change the value stored in Active Directory for this role.
If you change any fields, you must save the role using the save_role command for your changes to take effect in Active Directory. If you select another role or end the ADEdit session before saving the currently selected role, your changes are lost.
You can only use the set_role_field command if the currently selected zone is a classic or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
set_role_field field value
Abbreviation
srf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument | Type | Description
field | string | Required. Specifies the name of the field that you want to set.
value | depends on the field | Required. Specifies the value to assign to the specified field. In most cases, you can assign an empty string or a null value (0) to unset a field value, depending on the data type of the field.
The data type required depends on the field you are setting. The possible fields and their values are:
- allowLocalUser: Set the value to true to allow local users to be assigned to the role, or false if local users should not be assigned to the role. This field is not applicable in classic zones. The valid values are 1, y, yes, or true to enable, or 0, n, no, or false to disable. All other values throw an exception.
- AlwaysPermitLogin: Set the value to true to enable “rescue rights” for users assigned to the role, or false if “rescue rights” should not be applied to the role. This field is not applicable in classic zones. The valid values are the same as for allowLocalUser: 1, y, yes, or true to enable, or 0, n, no, or false to disable. All other values throw an exception.
- auditLevel: Set the value to one of the following to specify whether auditing is not requested (AuditNotRequested), requested but not required (AuditIfPossible), or required (AuditRequired). This field is not applicable in classic zones.
- customAttr: Sets custom text strings for the role. This field is only applicable in hierarchical zones.
- description: Set the value to a text string that describes the role.
- sysrights: Set the value to specify the system rights granted to the role. This value is an integer that represents a combination of binary flags, one for each right; the flag values are listed under Setting the system rights field value for a role below. This field is not applicable in classic zones.
- timebox: Set the value to indicate the hours in the week when the role is enabled. This value is a 42-digit hexadecimal number (168 bits, one for each of the 7 x 24 hours in a week). When represented in binary, each bit represents an hour of the week as described in the appendix Timebox value format.
- visible: Set the value to true or false to specify whether the “User is visible” right is configured for the role. This field is not available if the selected zone is a classic zone.
Setting the system rights field value for a role
You can specify the sysrights field to define the system rights that you want to grant to the currently selected role. This field value is an integer that represents a combination of binary flags, with one flag for each of the following system rights:
1—Password login and non password (SSO) login are allowed.
2—Non password (SSO) login is allowed.
4—Account disabled in Active Directory can be used by sudo, cron, etc.
8—Log in with non-restricted shell.
16—Audit not requested/required.
32—Audit required.
64—Always permit to login.
128—Remote login access is allowed for Windows computers.
256—Console login access is allowed for Windows computers.
512—Require multi-factor authentication through the Centrify connector to log on.
1024—PowerShell remote access is allowed
These values are added together (a bitwise OR of the flags) to define the sysrights field value. For example, a sysrights value of 6 indicates that the role is configured to allow single sign-on login and to ignore disabled accounts (2+4). A value of 11 indicates that the most common UNIX system rights are enabled (1+2+8). A value of 384 indicates that the most common Windows system rights are enabled (128+256).
The audit flags (16 and 32) and the always-permit-login flag (64) cover the same settings as the auditLevel and AlwaysPermitLogin fields. After changing either the flags or those fields, read the role back with get_role_field to confirm the combined result before you save it.
Return value
This command returns nothing if it runs successfully.
Examples
The following example sets the system rights for the current role to allow SSO login (2) and to provide a full shell (8):
set_role_field sysrights 10
The following example sets the current role to require auditing:
set_role_field auditLevel AuditRequired
Note that the sysrights field is a bit field, so you can add and remove individual bits instead of setting the whole integer value directly, which avoids discarding rights the role already has. For example, to add the single sign-on (2) and full shell (8) rights to the existing system rights, you might use commands similar to this:
set sr [get_role_field sysrights]             ;# read the current bit field
set_role_field sysrights [expr { $sr | 10 }]  ;# OR in bits 2 and 8, keeping the rest
Remember to run save_role afterwards; until then the change exists only in memory.
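Because sysrights is a raw integer, it is easy to set a value that silently grants or drops a right. The following Tcl procs are an added example (not part of the ADEdit documentation or product) that serve both the flag table above and the bit-manipulation note: they translate between the documented flag values and readable names, flag any undocumented bits, and add or remove rights on the currently selected role without touching the other bits. The flag values are the ones listed on this page; the right names, the proc names and the role name used in the usage comment are our own. The decode and encode procs run in any tclsh; role_sysrights_modify calls get_role_field and set_role_field, so it only works inside an ADEdit session after select_zone and select_role, and only in a hierarchical zone, since sysrights is not applicable in classic zones.

```tcl
# Added example, not ADEdit's own code. Bit values are the documented
# sysrights flags; the names are ours. Ordered bit/name pairs.
set SYSRIGHTS {
    1    pw_and_sso_login
    2    sso_login
    4    disabled_acct_usable
    8    full_shell
    16   audit_not_requested
    32   audit_required
    64   always_permit_login
    128  win_remote_login
    256  win_console_login
    512  require_mfa
    1024 ps_remote_access
}

# Return the names of the rights present in an integer sysrights value.
# Bits outside the documented set are reported, not silently dropped.
proc sysrights_decode {value} {
    global SYSRIGHTS
    set names {}
    set known 0
    foreach {bit name} $SYSRIGHTS {
        set known [expr {$known | $bit}]
        if {$value & $bit} { lappend names $name }
    }
    set unknown [expr {$value & ~$known}]
    if {$unknown != 0} { lappend names [format "unknown(0x%x)" $unknown] }
    return $names
}

# Build an integer sysrights value from a list of right names.
# An unknown name is an error rather than a silently ignored request.
proc sysrights_encode {names} {
    global SYSRIGHTS
    set value 0
    foreach want $names {
        set found 0
        foreach {bit name} $SYSRIGHTS {
            if {$name eq $want} {
                set value [expr {$value | $bit}]
                set found 1
                break
            }
        }
        if {!$found} { error "unknown system right: $want" }
    }
    return $value
}

# Add and remove rights on the currently selected role, preserving every
# other bit. Only calls set_role_field when something actually changes.
# Returns the new value so the caller can check it before save_role.
proc role_sysrights_modify {addNames {removeNames {}}} {
    set cur [get_role_field sysrights]
    if {$cur eq ""} { set cur 0 }   ;# unset field: treat as no rights
    set new [expr {($cur | [sysrights_encode $addNames]) & ~[sysrights_encode $removeNames]}]
    if {$new != $cur} {
        set_role_field sysrights $new
    }
    return $new
}

# Usage inside an ADEdit session (hypothetical role name):
#   select_role unix_admins
#   role_sysrights_modify {require_mfa} {disabled_acct_usable}
#   puts [sysrights_decode [get_role_field sysrights]]
#   save_role
# Outside ADEdit, only the pure helpers are available, e.g.
#   sysrights_decode 11   -> pw_and_sso_login sso_login full_shell
#   sysrights_encode {win_remote_login win_console_login}   -> 384
```

Printing the decoded names before save_role is the check worth keeping: a stray value such as 0x800 shows up as unknown(0x800) instead of being committed to Active Directory as an unrecognised right.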
Related commands
Before you use this command, you must have a currently selected role stored in memory. The following commands enable you to view and select roles:
- get_roles returns a Tcl list of roles in the current zone.
- list_roles lists to stdout the roles in the current zone.
- new_role creates a new role and stores it in memory.
- select_role retrieves a role from Active Directory and stores it in memory.
After you have a role stored in memory, you can use the following commands to work with that role:
- add_command_to_role adds a UNIX command to the current role.
- add_pamapp_to_role adds a PAM application right to the current role.
- delete_role deletes the selected role from Active Directory and from memory.
- get_role_apps returns a Tcl list of the PAM applications associated with the currently selected role.
- get_role_commands returns a Tcl list of the UNIX commands associated with the current role.
- get_role_field reads a field value from the currently selected role.
- list_role_rights returns a list of all UNIX commands and PAM application rights associated with the current role.
- remove_command_from_role removes a UNIX command from the current role.
- remove_pamapp_from_role removes a PAM application from the current role.
- save_role saves the selected role with its current settings to Active Directory.