list_role_assignments
Use the list_role_assignments command to check Active Directory and return a list of role assignments defined within the currently selected zone. If executed in a script, this command outputs its list to stdout so that the output appears in the shell where the script is executed. The command does not return a Tcl list back to the executing script. Use get_role_assignments to return a Tcl list.
If you do not specify an option, the command returns the current users and groups in the zone with a role assignment using the default sAMAccount@domain format.
You can only use the list_role_assignments command to return role assignments for classic4 and hierarchical zones.
Zone Type
Classic and hierarchical
Syntax
list_role_assignments [-upn] [-visible] [-user] [-group] [-invalid]
Abbreviation
lsra
Options
This command takes the following options:
Option | Description |
---|---|
-upn | Optional. Returns user names in user principal name (UPN) format rather than the default sAMAccount@domain format. |
-visible | Returns a list to stdout of the visible role assignments in the zone. Use this option if you only want to return role assignments for the roles that are identified as visible. This option is only applicable in hierarchical zones. |
-user | Returns a list to stdout of the current users in the zone with a role assignment. Use this option if you only want to return valid users with a role assignment. |
-group | Returns a list to stdout of the current groups in the zone with a role assignment. Use this option if you only want to return valid groups with a role assignment. |
-invalid | Returns a list to stdout of any invalid role assignments in the zone. A role assignment is invalid if it specifies a group or user that no longer exists. Use this option if you only want to return invalid role assignments. |
Arguments
This command takes no arguments.
Return Value
This command returns a list to stdout of role assignments defined in the currently selected zone. Each entry in the list provides the following information:
- The user or group to whom the role assignment applies by sAMAccount@domain name or user principal name.
- The name of the role assigned followed by a slash (/) and the zone where the role is defined.
Examples
>bind pistolas.org
>select_zone "cn=northamerica,cn=zones,ou=acme,dc=pistolas,dc=org"
>list_role_assignments
This example returns the role assignments for the northamerica zone:
Domain Users@pistolas.org: Window Login/northamerica
adm-sf@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
maya@pistolas.org: SQLAdmin/northamerica
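Because list_role_assignments writes to stdout rather than returning a Tcl list, its output can be saved to a file and compared between access reviews. The following Python script is an added example, not part of the product documentation: it parses the "principal: role/zone" entries described under Return Value and reports assignments added or removed between two snapshots. The function names and the CURRENT snapshot are constructed for illustration, and the parser assumes one entry per line, no ": " inside principal names, and no "/" inside zone names.

```python
from typing import NamedTuple

class RoleAssignment(NamedTuple):
    principal: str  # sAMAccount@domain or UPN, exactly as printed
    role: str
    zone: str

def parse_role_assignments(text):
    """Parse 'principal: role/zone' lines; blank lines are skipped."""
    assignments = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Principals and roles may contain spaces ("Domain Users",
        # "UNIX Login"), so split on the first ": " and the last "/".
        principal, colon, rest = line.partition(": ")
        role, slash, zone = rest.rpartition("/")
        if not (colon and slash and principal and role and zone):
            raise ValueError(f"line {lineno}: unexpected format: {line!r}")
        assignments.append(RoleAssignment(principal, role, zone))
    return assignments

def diff_assignments(baseline, current):
    """Return (added, removed) between two snapshots, each sorted."""
    old, new = set(baseline), set(current)
    return sorted(new - old), sorted(old - new)

# BASELINE is the example output from this page; CURRENT is a constructed
# later snapshot with one assignment added and one removed.
BASELINE = """\
Domain Users@pistolas.org: Window Login/northamerica
adm-sf@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
maya@pistolas.org: SQLAdmin/northamerica
"""
CURRENT = """\
Domain Users@pistolas.org: Window Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: SQLAdmin/northamerica
maya@pistolas.org: SQLAdmin/northamerica
"""

if __name__ == "__main__":
    added, removed = diff_assignments(
        parse_role_assignments(BASELINE), parse_role_assignments(CURRENT))
    for tag, items in (("ADDED", added), ("REMOVED", removed)):
        for a in items:
            print(f"{tag:8}{a.principal} -> {a.role} in {a.zone}")
```

Run it once per zone against saved output; an unexpected ADDED line for a privileged role is the item to follow up in the review.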
Related Commands
Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a role assignment:
- get_role_assignments returns a Tcl list of role assignments in the current zone.
- new_role_assignment creates a new role assignment and stores it in memory.
- select_role_assignment retrieves a role assignment from Active Directory and stores it in memory.
After you have a role assignment stored in memory, you can use the following commands to work with that role assignment:
- delete_role_assignment deletes the selected role assignment from Active Directory and from memory.
- get_role_assignment_field reads a field value from the currently selected role assignment.
- save_role_assignment saves the selected role assignment with its current settings to Active Directory.
- set_role_assignment_field sets a field value in the currently selected role assignment.
- write_role_assignment saves the selected role assignment to a file.