
KB-11255: LDAP Queries to Find Active Role Assignments

Authentication Service, Mac & PC Management Service

27 December,18 at 01:07 AM

Question: Is there an LDAP query that can be used to identify if a specific role exists in any role assignments?

Answer: Given a role, checking whether any role assignment exists for it can be done relatively simply:

1. First, find the DN of the role object using the following query:
"(&(objectClass=msds-aztask)(cn=<role name>))"

2. Next, use the following query to find the role assignments for the role:
"(&(objectClass=msds-azrole)(msds-tasksForAzRole=<role dn>))" 

This returns all the role assignment(s) for the given role; a response of 0 entries means no role assignment has been given to this role.

Question: Is there a way to find out if a specified "command name" exists in a role?

Answer: Suppose that in the Access Manager console, under the Authorization node, Unix Rights Definition, Commands, there is a right named "abc". Here is the query:
-b <zone dn> "(&(objectClass=msds-AzTask)(msds-operationsForAzTask=cn=pc-abc*))"

This returns a list (if any are present) of the roles that contain this DzCmd.

Note the CN prefix of "pc-" for unix command rights.

Note also the "*" at the end, a wildcard character matching the rest of the DzCmd DN.
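The following Python is an added example, not part of KB-11255 or of any Centrify tooling. It builds the two filters from the first answer (role name to role DN, then role DN to its msds-azrole assignments) and the command-right filter from the second answer, escaping any role or command name per RFC 4515 so that a name taken from user input cannot alter the filter, while leaving the intentional trailing "*" wildcard in place. It then runs the filters against a small constructed in-memory directory so the two-step procedure can be exercised offline; the entries, DNs and role names (UnixAdmin, Auditor, Orphaned, Zone1, example.com) are made up for the example, and the mini evaluator handles only the AND-of-equality/prefix shape these filters have, not general LDAP filters.

```python
import re

# RFC 4515: characters that would change a filter's structure are encoded as \XX.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def role_dn_filter(role_name: str) -> str:
    """Step 1 from the article: locate the msds-aztask object for a role name."""
    return f"(&(objectClass=msds-aztask)(cn={escape_filter_value(role_name)}))"


def role_assignment_filter(role_dn: str) -> str:
    """Step 2: msds-azrole objects (role assignments) that reference the role DN."""
    return f"(&(objectClass=msds-azrole)(msds-tasksForAzRole={escape_filter_value(role_dn)}))"


def command_right_filter(command_name: str) -> str:
    """Second answer: roles whose operations include the 'pc-<name>' command right.
    Only the name is escaped; the trailing '*' is the article's intentional wildcard."""
    return f"(&(objectClass=msds-AzTask)(msds-operationsForAzTask=cn=pc-{escape_filter_value(command_name)}*))"


# --- minimal offline evaluator for filters of the shape built above ---------------
_PAIR = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def entry_matches(filter_str: str, entry: dict) -> bool:
    """True if every (attr=value) assertion in an '(&...)' filter matches the entry.
    Attribute names and values compare case-insensitively; an unescaped trailing
    '*' is treated as a prefix wildcard, as in the article's command-right query."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only AND filters are supported by this evaluator")
    attrs = {k.lower(): v for k, v in entry.items()}
    for attr, pattern in _PAIR.findall(filter_str[2:-1]):
        values = attrs.get(attr.lower(), [])
        if isinstance(values, str):
            values = [values]
        if pattern.endswith("*"):  # an escaped star would be '\2a', never a bare '*'
            prefix = _unescape(pattern[:-1]).lower()
            ok = any(v.lower().startswith(prefix) for v in values)
        else:
            wanted = _unescape(pattern).lower()
            ok = any(v.lower() == wanted for v in values)
        if not ok:
            return False
    return True


def search(entries: list, filter_str: str) -> list:
    return [e for e in entries if entry_matches(filter_str, e)]


# Constructed sample directory (hypothetical zone, roles and assignments; not real data).
ZONE = "CN=Zone1,DC=example,DC=com"
ENTRIES = [
    {"dn": f"CN=UnixAdmin,CN=Roles,{ZONE}", "objectClass": ["top", "msDS-AzTask"],
     "cn": "UnixAdmin",
     "msDS-OperationsForAzTask": [f"CN=pc-abc,CN=Commands,{ZONE}"]},
    {"dn": f"CN=Auditor,CN=Roles,{ZONE}", "objectClass": ["top", "msDS-AzTask"],
     "cn": "Auditor",
     "msDS-OperationsForAzTask": [f"CN=pc-abcdef,CN=Commands,{ZONE}"]},
    {"dn": f"CN=Orphaned,CN=Roles,{ZONE}", "objectClass": ["top", "msDS-AzTask"],
     "cn": "Orphaned", "msDS-OperationsForAzTask": []},
    {"dn": f"CN=assign-1,CN=RoleAssignments,{ZONE}", "objectClass": ["top", "msDS-AzRole"],
     "msDS-TasksForAzRole": [f"CN=UnixAdmin,CN=Roles,{ZONE}"]},
]


def find_role_assignments(entries: list, role_name: str):
    """The article's two-step lookup. Returns None if the role itself does not exist,
    otherwise the (possibly empty) list of assignment entries referencing it."""
    roles = search(entries, role_dn_filter(role_name))
    if not roles:
        return None
    return search(entries, role_assignment_filter(roles[0]["dn"]))


def roles_with_command(entries: list, command_name: str) -> list:
    """Names of roles whose operations include the pc-<command_name> right."""
    return [e["cn"] for e in search(entries, command_right_filter(command_name))]


if __name__ == "__main__":
    print(role_dn_filter("UnixAdmin"))
    print(find_role_assignments(ENTRIES, "UnixAdmin"))
    print(roles_with_command(ENTRIES, "abc"))
```

Two things the run makes visible: a role name such as `x)(objectClass=*` is escaped into `x\29\28objectClass=\2a` and matches nothing rather than widening the query, and the trailing wildcard on `cn=pc-abc*` also matches a right named `pc-abcdef`, so the DNs in the result should be checked rather than assumed to be exact hits.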