The LoginUser object

The Privileged Access Service creates a single LoginUser object for each user session for a user-password web application. The object is an instance of the LoginUser class, and is a read/write object.

The LoginUser object’s properties describe the user as he or she is presented to the web application. The following table describes those properties.

| Property name | Description |
| --- | --- |
| LoginUser.Username | The username used to log the current user on to the web application. The Privileged Access Service determines the username for this user session depending on the “Map to User Accounts” setting in the Application Settings tab. |
| LoginUser.FirstName | The first name of the user presented in the SAML assertion to the web application. Note the following special cases for parsing this attribute for users in directory services that do not have the FirstName attribute, such as Delinea Directory: The FirstName attribute is parsed from the first string of DisplayName. If DisplayName is a single string, the same string is used for the FirstName and LastName attributes. If DisplayName is null, FirstName and LastName return as null. SAML apps that require non-empty values will fail to launch in this case. |
| LoginUser.LastName | The last name of the user presented in the SAML assertion to the web application. Note the following special cases for parsing this attribute for users in directory services that do not have the LastName attribute, such as Delinea Directory: The LastName attribute is parsed from the last string of DisplayName. Any additional strings between the first string and the last string are ignored. If DisplayName is a single string, the same string is used for the FirstName and LastName attributes. If DisplayName is null, FirstName and LastName return as null. SAML apps that require non-empty values will fail to launch in this case. |
| LoginUser.Password | The password used to log the current user on to the web application. The Privileged Access Service determines the password for this user session depending on the “Map to User Accounts” setting in the Application Settings tab. This property is synonymous with the global variable LoginPassword. |
| LoginUser.GroupNames | An array of group names for groups in which the user is an effective member (according to the user’s Active Directory account). A user is an effective member of a group if he is either a direct member of the group or is a direct member of a group that is in turn a member of the group. This property returns the same value as LoginUser.EffectiveGroupNames. |
| LoginUser.EffectiveGroupNames | An array of group names for groups in which the user is an effective member (according to the user’s Active Directory account). A user is an effective member of a group if he is either a direct member of the group or is a direct member of a group that is in turn a member of the group. This property returns the same value as LoginUser.GroupNames. |
| LoginUser.GroupDNs | An array of distinguished names of groups in which the user is an effective member. This property returns the same value as LoginUser.EffectiveGroupDNs. |
| LoginUser.EffectiveGroupDNs | An array of distinguished names of groups in which the user is an effective member. This property returns the same value as LoginUser.GroupDNs. |

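The DisplayName fallback rules from the FirstName and LastName rows, modeled as an added JavaScript example (not Delinea's code; the service's own parser is not shown on this page). It assumes the "strings" in DisplayName are whitespace-separated; `deriveNames`, `usersFailingLaunch` and the sample records are hypothetical names constructed here to flag accounts whose SAML launch would fail.

```javascript
// Added example: models the documented DisplayName fallback rules.
// Assumption: "strings" in DisplayName are whitespace-separated tokens.
function deriveNames(displayName) {
  // Null DisplayName: both attributes come back null.
  if (displayName === null || displayName === undefined) {
    return { FirstName: null, LastName: null };
  }
  const tokens = String(displayName).trim().split(/\s+/).filter(Boolean);
  // Assumption: an empty or whitespace-only DisplayName is treated like null.
  if (tokens.length === 0) {
    return { FirstName: null, LastName: null };
  }
  // A single token is reused for both names; middle tokens are ignored.
  return { FirstName: tokens[0], LastName: tokens[tokens.length - 1] };
}

// Returns the usernames whose derived names would be empty, i.e. users for
// whom a SAML app that requires non-empty values would fail to launch.
function usersFailingLaunch(records) {
  return records
    .filter((r) => {
      const n = deriveNames(r.DisplayName);
      return !n.FirstName || !n.LastName;
    })
    .map((r) => r.Username);
}

// Constructed sample directory records (not real accounts).
const sampleRecords = [
  { Username: "asmith", DisplayName: "Alice Smith" },
  { Username: "jvd", DisplayName: "Jan van der Berg" },
  { Username: "svc-backup", DisplayName: "Backup" },
  { Username: "kiosk01", DisplayName: null },
];

for (const r of sampleRecords) {
  console.log(r.Username, JSON.stringify(deriveNames(r.DisplayName)));
}
console.log("would fail to launch:", usersFailingLaunch(sampleRecords));
```
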
The LoginUser object has a single method that a script may call:

| Method name | Description |
| --- | --- |
| LoginUser.Get(*ADkey*) | This method returns any one of the current user’s Active Directory attributes. It takes as its argument a string that specifies the key of the attribute to retrieve. An example: `LoginUser.Get("mail")` returns the user’s email address as stored in the user’s Active Directory account. |