get_role_field
Use the get_role_field command to return the value for a specified field from the currently selected role stored in memory. The get_role_field command does not query Active Directory for the role. If you change field values using ADEdit without saving the role to Active Directory, the field value you retrieve using get_role_field won’t match the same field value for the role stored in Active Directory.
You can only use the get_role_field command if the currently selected zone is a classic4 or hierarchical zone. The command does not work in other types of zones.
Zone Type
Classic and hierarchical
Syntax
get_role_field field
Abbreviation
grf
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| field | string | Required. Specifies the case-sensitive name of the field whose value to retrieve. |
The possible field values are:
- allowLocalUser: Returns true or false depending on whether local users can be assigned to the role. You cannot get this field value if the selected zone is a classic4 zone.
- AlwaysPermitLogin: Returns true or false depending on whether “rescue rights” are configured for the role. You cannot get this field value if the selected zone is a classic zone.
- auditLevel: Returns the auditing level configured for the role. Roles can be configured without auditing (not requested), to audit if possible, or to have auditing required. You cannot get this field value if the selected zone is a classic4 zone.
- createTime: Returns the time and date this role was created in generalized time format.
- customAttr: Returns the custom text strings set for the role.
- description: Returns the text string that describes the role.
- dn: Returns the role’s distinguished name.
- modifyTime: Returns the time and date this role was last modified in generalized time format.
- sysrights: Returns the system rights granted to the role. This value is an integer that represents a combination of binary flags, one for each system right. You cannot get this field value if the selected zone is a classic zone. For more information about the value returned for system rights, see the section below, Getting the System Rights Field for a Role.
- timebox: Returns the hours and days in the week when the role is enabled. This value is a 42-digit hexadecimal number. When represented in binary, each bit represents an hour of the week as described in the Timebox Value Format.
- visible: Returns true or false depending on whether “User is visible” right is configured for the role. You cannot get this field value if the selected zone is a classic zone.
Getting the system rights field for a role
You can specify the sysrights field to return information about the system rights that have been granted to the currently selected role. This field value is an integer that represents a combination of binary flags, with one flag for each of the following system rights:
- 1: Password login and non password (SSO) login are allowed.
- 2: Non password (SSO) login is allowed.
- 4: Account disabled in Active Directory can be used by sudo, cron, etc.
- 8: Log in with non-restricted shell.
- 16: Audit not requested/required.
- 32: Audit required.
- 64: Always permit to login.
- 128: Remote login access is allowed for Windows computers.
- 256: Console login access is allowed for Windows computers.
- 512: Require multi-factor authentication through the Delinea Connector to log on.
- 1024: PowerShell remote access is allowed.
These values are added together to define the sysrights field value. For example, a sysrights value of 6 indicates that the role is configured to allow single sign-on login and to ignore disabled accounts (2+4). A value of 11 indicates that the most common UNIX system rights are enabled (1+2+8). A value of 384 indicates that most common Windows system rights are enabled (128+256).
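The flag arithmetic described above, as an added example in Tcl (the language ADEdit scripts are written in); it is not part of the original documentation. The names SYSRIGHT_FLAGS, REVIEW_BITS and decode_sysrights are hypothetical, and the choice of rights marked for review (4, 16, 64) is an assumption made for illustration, not vendor guidance.

```tcl
# Added example: decode a sysrights integer into the rights listed above.
# Bit values and descriptions are copied from this page.
set SYSRIGHT_FLAGS {
    1    "Password login and non password (SSO) login are allowed"
    2    "Non password (SSO) login is allowed"
    4    "Account disabled in Active Directory can be used by sudo, cron, etc."
    8    "Log in with non-restricted shell"
    16   "Audit not requested/required"
    32   "Audit required"
    64   "Always permit to login"
    128  "Remote login access is allowed for Windows computers"
    256  "Console login access is allowed for Windows computers"
    512  "Require multi-factor authentication through the Delinea Connector to log on"
    1024 "PowerShell remote access is allowed"
}
# Assumption: rights an access reviewer may want called out (not from the page).
set REVIEW_BITS {4 16 64}

# Hypothetical helper: returns a list of {bit description review?} triples,
# one per bit set in value; bits this page does not define are reported too.
proc decode_sysrights {value} {
    global SYSRIGHT_FLAGS REVIEW_BITS
    if {![string is integer -strict $value] || $value < 0} {
        error "sysrights must be a non-negative integer, got '$value'"
    }
    set rights {}
    set known 0
    foreach {bit text} $SYSRIGHT_FLAGS {
        set known [expr {$known | $bit}]
        if {$value & $bit} {
            set review [expr {[lsearch -exact $REVIEW_BITS $bit] >= 0}]
            lappend rights [list $bit $text $review]
        }
    }
    set unknown [expr {$value & ~$known}]
    if {$unknown != 0} {
        lappend rights [list $unknown "bits not defined on this page" 1]
    }
    return $rights
}

# Constructed input: the three values worked through above (6, 11, 384).
# In ADEdit, with a role selected, use [get_role_field sysrights] instead.
foreach value {6 11 384} {
    puts "sysrights $value:"
    foreach right [decode_sysrights $value] {
        foreach {bit text review} $right break
        puts [format "  %5d  %s%s" $bit $text [expr {$review ? "  <-- review" : ""}]]
    }
}
```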
Return Value
This command returns a field value, which varies in type depending on the data type stored by the field.
Examples
get_role_field timebox
This example returns the content of the timebox field:
00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0
This return value indicates that the role is enabled during all hours of the weekdays, but none of the weekends.
Related Commands
Before you use this command, you must have a currently selected role stored in memory. The following commands enable you to view and select the role to work with:
- get_roles returns a Tcl list of roles in the current zone.
- list_roles lists to stdout the roles in the currently selected zone.
- new_role creates a new role and stores it in memory.
- select_role retrieves a role from Active Directory and stores it in memory.
After you have a role stored in memory, you can use the following commands to work with that role’s attributes, delete the role, or save information for the role:
- add_command_to_role adds a UNIX command to the currently selected role.
- add_pamapp_to_role adds a PAM application to the currently selected role.
- delete_role deletes the selected role from Active Directory and from memory.
- get_role_apps returns a Tcl list of the PAM applications associated with the currently selected role.
- get_role_commands returns a Tcl list of the UNIX commands associated with the currently selected role.
- list_role_rights returns a list of all UNIX commands and PAM applications associated with the currently selected role.
- remove_command_from_role removes a UNIX command from the currently selected role.
- remove_pamapp_from_role removes a PAM application from the currently selected role.
- save_role saves the selected role with its current settings to Active Directory.
- set_role_field sets a field value in the currently selected role.