Skip to main content

Find Roles

Find roles in the identity store. The command uses the PV_ROLES public view to find data. Any filters passed should apply to this public view.

GET https://instance.securid.com/aveksa/command.submit?cmd=findRoles

Request

Parameters

findRoles
formatproperties - (Default) Returns the response as key=value pairs. When multiple objects are returned, values are comma-delimited: key=value1,value2,value3.

json - Returns the response as JSON.

csv - Returns the response as comma-separated values.

tsv - Returns the response as tab-separated values.

xml - Returns the response as XML.
delimiterThe delimiter to use between values for csv and properties formats
returnColumns

The names of the columns to return. returnColumns may be a CSV list of multiple column names. The parameter may also be listed multiple times (ie returnColumns=col1,col2&returnColumns=col3,col4)

Refer to Columns table below.
returnMaxRowsThe maximum number of objects to return
distincttrue, false Returns only distinct values, equivalent to the distinct keyword in SQL.
sortByColumns

The results will be sorted based on the columns listed using comma as the delimiter if multiple columns are specified.

Refer to Columns table below.
sortDirectionDetermines sorting order. asc for ascending, desc for descending. If not specified, the natural order returned by the database is used.
includeHeaderRowtrue, false Include column headers when the return format is csv or tsv. (Default) true
ignoreCasetrue, false Returns case-insensitive search results for specified filter parameters. (Default) false

Filter Parameters

Any column listed in the Columns table can be passed as a filter parameter to narrow results. Filters are matched against the PV_ROLES public view.

Query logic

ScenarioBehavior
Two different parameters: type=BR&is_disabled=FalseAND. Returns business roles that are currently active.
Same parameter repeated: type=BR&type=GROR within that field. Returns business roles or global roles.
Mixed: is_disabled=False&type=BR&type=GR(is_disabled is False) AND (type is BR or GR)
OR logic across different parameters is not supported

A single API call cannot return roles where type=BR OR is_disabled=False. OR logic between different filter parameters is not supported.

Workaround: Make separate requests for each filter condition. Merge and deduplicate the results client-side.

Columns

id[Primary Key] Unique role identifier
nameRole name
alt_nameAlternate display name for the role
short_descShort description of the role
long_descLong description of the role
url_refURL reference for more information about the role
typeRole type. BR = Business Role, GR = Global Role, TR = Technical Role
is_disabledTrue, False Whether the role is currently disabled. Stored with a capital first letter.
rdc_id[Foreign Key referencing ROLE_DEFINITION_COLLECTOR.ID] Role collector that owns this role. -1 indicates a manually created role.
roleset_id[Foreign Key referencing ROLESET.ID] Role set this role belongs to
owner_id[Foreign Key referencing USERS.ID] User ID of the role owner
backup_owner_id[Foreign Key referencing USERS.ID] User ID of the backup owner
user_constraintConstraint expression that defines which users are eligible for this role
ent_constraintConstraint expression that defines which entitlements are in scope for this role
membership_typeHow membership is determined. 0 = rules-based
membership_countNumber of users currently holding this role
entitlement_countNumber of entitlements associated with this role
canrequest1, 0 Whether this role is available for access request
violation_countNumber of open SoD violations for this role
exception_countNumber of open exceptions for this role
is_valid_membershipY, N Whether the current membership is within policy constraints
add_statePending add workflow state. 0 = no pending add
remove_statePending remove workflow state. 0 = no pending remove
creation_dateDate and time the role was created
deletion_dateDate and time the role was deleted
last_reviewed_dateDate the role was last reviewed
in_const_rule_idRule ID for the in-constraint check
out_of_const_rule_idRule ID for the out-of-constraint check

Headers

Bearer token
Acceptapplication/json
Content-Typeapplication/json

Response

Parameters

The API returns the requested columns specified by returnColumns as output. If returnColumns is unspecified then all columns listed will be returned.

Examples

All columns

Omit returnColumns to return every field for each role.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"rdc_id": "-1",
"name": "Test Role 3",
"owner_id": "0",
"backup_owner_id": "",
"user_constraint": "",
"is_disabled": "False",
"creation_date": "2025-03-29 18:06:27.0",
"type": "BR",
"ent_constraint": "",
"roleset_id": "38",
"violation_count": "0",
"exception_count": "0",
"alt_name": "Test Role 3",
"short_desc": "",
"long_desc": "",
"url_ref": "",
"membership_count": "1",
"entitlement_count": "0",
"membership_type": "0",
"deletion_date": "",
"add_state": "0",
"remove_state": "0",
"canrequest": "1",
"in_const_rule_id": "",
"out_of_const_rule_id": "",
"is_valid_membership": "Y",
"last_reviewed_date": "2025-03-29 18:14:24.0"
}
]
}

Specific columns

Use returnColumns to limit the response to the fields you need.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5&returnColumns=id,name,type,is_disabled,membership_count,entitlement_count" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"name": "Test Role 3",
"type": "BR",
"is_disabled": "False",
"membership_count": "1",
"entitlement_count": "0"
}
]
}

Filter by a single value

Pass any column name as a query parameter to filter results. The example returns roles where type is BR (Business Role).

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5&returnColumns=id,name,type,is_disabled&type=BR" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"name": "Test Role 3",
"type": "BR",
"is_disabled": "False"
}
]
}

Filter with OR logic

Repeat the same parameter with different values to match any of them. The example returns roles where type is BR or GR.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5&returnColumns=id,name,type&type=BR&type=GR" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"name": "Test Role 3",
"type": "BR"
}
]
}

Case-insensitive filter

Filters are case-sensitive by default. Set ignoreCase=true to match regardless of case. The example passes is_disabled=false in lowercase and still returns roles where the stored value is False (capital F).

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5&returnColumns=id,name,type,is_disabled&is_disabled=false&ignoreCase=true" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"name": "Test Role 3",
"type": "BR",
"is_disabled": "False"
}
]
}

Sort ascending

Use sortByColumns with a column name and sortDirection=asc to sort results. The example sorts by name.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5&returnColumns=id,name,type&sortByColumns=name&sortDirection=asc" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"name": "Test Role 3",
"type": "BR"
}
]
}

Sort descending

Set sortDirection=desc to reverse the order.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=json&returnMaxRows=5&returnColumns=id,name,type&sortByColumns=name&sortDirection=desc" \
-H "Authorization: Bearer <token>"

Response

{
"findRoles": [
{
"id": "6764",
"name": "Test Role 3",
"type": "BR"
}
]
}

CSV with custom delimiter

Set format=csv for a comma-separated response. Use delimiter to change the separator character.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=csv&returnMaxRows=5&returnColumns=id,name,type,is_disabled&delimiter=~" \
-H "Authorization: Bearer <token>"

Response

id~name~type~is_disabled
6764~Test Role 3~BR~False

CSV without header row

Set includeHeaderRow=false when your downstream system expects raw data rows without a header.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findRoles&format=csv&returnMaxRows=5&returnColumns=id,name,type,is_disabled&includeHeaderRow=false" \
-H "Authorization: Bearer <token>"

Response

6764,Test Role 3,BR,False

Error responses

A 401 is returned when the token is missing, invalid, or expired. A 412 is returned when returnColumns includes a column name that does not exist in the PV_ROLES public view.

<html>
<head><title>Error</title></head>
<body>The token is not valid for the command 'findRoles'. Token is invalid or expired</body>
</html>

Verified with RSA Governance & Lifecycle version 8.0.0.188886 P10_HF01.