Question: Is there an LDAP query that can be used to identify if a specific role exists in any role assignments?
Answer: Given a role, checking whether any role assignment exists for it is relatively simple:
1. First, the dn for the object must be found, and can be done using the following query:
"(&(objectClass=msds-aztask)(cn=<role name>))"
2. Next, use the following query to find the role assignments for the role:
"(&(objectClass=msds-azrole)(msds-tasksForAzRole=<role dn>))"
This should return all the role assignment(s) for the given role; a response of 0 entries means no role assignment has been given to this role.
Question: Is there a way to find out if any specified "command name" exists in a role?
Answer: Suppose that in the Access Manager console, under the Authorization node, Unix Rights Definition, Commands, there is a right named "abc". Here is the query (with the search base set to the zone's DN):
-b <zone dn> "(&(objectClass=msds-AzTask)(msds-operationsForAzTask=cn=pc-abc*))"
This returns a list (if any) of the roles that contain this DzCmd.
Note the CN prefix of "pc-" for unix command rights.
Note also the "*" at the end, a wildcard character matching the rest of the DzCmd DN.
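The following is an added example, not part of the original answers or of Access Manager, that builds the filters from both answers above and runs the two-step role-assignment check and the command-right lookup. The role name or command name is spliced into the filter, so it is escaped per RFC 4515 first; otherwise a name containing "*", "(" or ")" could widen or alter the query. The search callable and the sample directory entries are constructed for illustration (the zone DN, role names and assignment DN are invented), but the object classes and attribute names are the ones the answers use.

```python
import re
from typing import Callable, Dict, List, Tuple

# A directory entry is (dn, attributes); a search function maps (base, filter) -> entries.
Entry = Tuple[str, Dict[str, List[str]]]
Search = Callable[[str, str], List[Entry]]

# RFC 4515: these characters inside an assertion value must be hex-escaped,
# otherwise a caller-supplied name could change the filter's logic.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (used only by the in-memory stand-in below)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def role_filter(role_name: str) -> str:
    # Step 1 of the first answer: locate the msds-AzTask object for the role.
    return f"(&(objectClass=msds-aztask)(cn={escape_filter_value(role_name)}))"


def assignment_filter(role_dn: str) -> str:
    # Step 2: msds-azrole objects whose msds-tasksForAzRole references the role DN.
    return f"(&(objectClass=msds-azrole)(msds-tasksForAzRole={escape_filter_value(role_dn)}))"


def command_right_filter(command_name: str) -> str:
    # Second answer: roles containing the UNIX command right. Only the trailing "*"
    # is a wildcard; the "pc-" prefix and the command name itself are literal.
    return f"(&(objectClass=msds-AzTask)(msds-operationsForAzTask=cn=pc-{escape_filter_value(command_name)}*))"


def find_role_assignments(search: Search, zone_dn: str, role_name: str) -> List[str]:
    """Return DNs of the role assignments for role_name ([] means none exist).

    Raises LookupError unless the name resolves to exactly one task, so a missing
    or ambiguous role is not silently reported as "no assignments".
    """
    roles = search(zone_dn, role_filter(role_name))
    if len(roles) != 1:
        raise LookupError(f"expected exactly one role named {role_name!r}, found {len(roles)}")
    role_dn = roles[0][0]
    return [dn for dn, _ in search(zone_dn, assignment_filter(role_dn))]


def roles_with_command(search: Search, zone_dn: str, command_name: str) -> List[str]:
    """Return DNs of the roles (msds-AzTask objects) that contain the given command right."""
    return [dn for dn, _ in search(zone_dn, command_right_filter(command_name))]


# Constructed sample directory (hypothetical DNs): role "Webadmin" has one
# assignment and contains the command right "abc"; role "Unused" has neither.
ZONE_DN = "CN=Zone1,CN=Zones,DC=example,DC=test"
SAMPLE_ENTRIES: List[Entry] = [
    ("CN=Webadmin,CN=Roles," + ZONE_DN,
     {"objectClass": ["msDS-AzTask"], "cn": ["Webadmin"],
      "msDS-OperationsForAzTask": ["CN=pc-abc,CN=Rights," + ZONE_DN]}),
    ("CN=Unused,CN=Roles," + ZONE_DN,
     {"objectClass": ["msDS-AzTask"], "cn": ["Unused"], "msDS-OperationsForAzTask": []}),
    ("CN=RA-1,CN=RoleAssignments," + ZONE_DN,
     {"objectClass": ["msDS-AzRole"],
      "msDS-TasksForAzRole": ["CN=Webadmin,CN=Roles," + ZONE_DN]}),
]


def sample_search(base: str, ldap_filter: str) -> List[Entry]:
    """In-memory stand-in for a real LDAP search. It understands only the
    AND-of-equality filters built above; a trailing unescaped '*' is a prefix
    match. Names and values compare case-insensitively, as Active Directory does."""
    clauses = re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter)

    def matches(attrs: Dict[str, List[str]]) -> bool:
        lowered = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
        for attr, pattern in clauses:
            values = lowered.get(attr.lower(), [])
            if pattern.endswith("*"):
                ok = any(v.startswith(_unescape(pattern[:-1]).lower()) for v in values)
            else:
                ok = _unescape(pattern).lower() in values
            if not ok:
                return False
        return True

    return [(dn, attrs) for dn, attrs in SAMPLE_ENTRIES
            if dn.lower().endswith(base.lower()) and matches(attrs)]


if __name__ == "__main__":
    print(find_role_assignments(sample_search, ZONE_DN, "Webadmin"))
    print(find_role_assignments(sample_search, ZONE_DN, "Unused"))
    print(roles_with_command(sample_search, ZONE_DN, "abc"))
```

To run the same logic against a real directory, replace sample_search with a function that performs the search through your LDAP client of choice with the zone DN as the base; the filter strings are exactly the ones from the answers, with the escaping applied to the caller-supplied values.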