Question: Is there an LDAP query that can be used to identify if a specific role exists in any role assignments?

Answer: Suppose that given a role, and if there is any role assignment for it, it can be done relatively simple:


1. First, the dn for the object must be found, and can be done using the following query:
 

"(&(objectClass=msds-aztask)(cn=<role name>))"

2. Next, use the following query to find the role assignments for the role:
 

"(&(objectClass=msds-azrole)(msds-tasksForAzRole=<role dn>))" 

This should return all the role assignment(s) for the given role. - i.e., response of 0 entries means there is no role assignment given to this role.




Question: Is there a way to find out if any specified "command name" exists in a role ?

Answer: Suppose that when looking at the Access Manager console, in the Authorization node, Unix Rights Definition, Commands, there is a right name "abc". Here is the query:
 

-b <zone dn> "(&(objectClass=msds-AzTask)(msds-operationsForAzTask=cn=pc-abc*))"

 

This returns a list (if present) roles that contains this DzCmd.

Note the CN prefix of "pc-" for unix command rights.

Note also the "* at the end as wild card characters matching the rest of the DzCmd DN.