Find User Role Membership
Find users associated with roles. The command uses the PV_USER_ROLE_MEMBERSHIP public view to find data. Any filters passed should apply to this public view.
GET https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership
Request
Parameters
| findUserRoleMembership | |
| format | properties - (Default) Returns the response as key=value pairs. When multiple objects are returned, values are comma-delimited: key=value1,value2,value3.json - Returns the response as JSON.csv - Returns the response as comma-separated values.tsv - Returns the response as tab-separated values.xml - Returns the response as XML. |
| delimiter | The delimiter to use between values for csv and properties formats |
| returnColumns | The names of the columns to return. |
| returnMaxRows | The maximum number of objects to return |
| distinct | true, false Returns only distinct values, equivalent to the distinct keyword in SQL. |
| sortByColumns | The results will be sorted based on the columns listed using comma as the delimiter if multiple columns are specified. Refer to Columns table below. |
| sortDirection | Determines sorting order. asc for ascending, desc for descending. If not specified, the natural order returned by the database is used. |
| includeHeaderRow | true, false Include column headers when the return format is csv or tsv. (Default) true |
| ignoreCase | true, false Returns case-insensitive search results for specified filter parameters. (Default) false |
Filter Parameters
Any column listed in the Columns table can be passed as a filter parameter to narrow results. Filters are matched against the PV_USER_ROLE_MEMBERSHIP public view.
Query logic
| Scenario | Behavior |
|---|---|
Two different parameters: is_direct=False&role_id=6764 | AND. Returns memberships that are indirect and belong to role 6764. |
Same parameter repeated: role_id=6764&role_id=9999 | OR within that field. Returns memberships for role 6764 or role 9999. |
Mixed: is_direct=False&role_id=6764&role_id=9999 | (is_direct is False) AND (role_id is 6764 or 9999) |
A single API call cannot return memberships where is_direct=False OR entitled_derived_from_type=explicit. OR logic between different filter parameters is not supported.
Workaround: Make separate requests for each filter condition. Merge and deduplicate the results client-side.
Columns
| user_id | [Primary Key] [Foreign Key referencing USERS.ID] Entitled user ID |
| role_id | [Primary Key] [Foreign Key referencing ROLE.ID] Referenced role ID |
| is_direct | True, False Whether this entitlement was directly granted. Stored with a capital first letter. |
| entitled_derived_from_type | The object type of the immediate parent in the hierarchy through which this member got the role |
| entitlement_derived_from_type | The object type of the immediate parent in the hierarchy through which this role got the entitlement |
| entitled_path | The account hierarchical path through which this member got the role |
| entitlement_path | The entitlement hierarchical path through which this role got the entitlement |
Headers
Bearer token | |
| Accept | application/json |
| Content-Type | application/json |
Response
Parameters
The API returns the requested columns specified by returnColumns as output. If returnColumns is unspecified then all columns listed will be returned.
Examples
All columns
Omit returnColumns to return every field for each membership record.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "json",
"returnMaxRows": "5"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "json",
returnMaxRows: "5"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False",
"entitled_derived_from_type": "explicit",
"entitlement_derived_from_type": "explicit",
"entitled_path": "",
"entitlement_path": ""
}
]
}
Specific columns
Use returnColumns to limit the response to the fields you need. This keeps the payload small and the mapping work simple. The example returns four columns covering the most common reporting needs.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5&returnColumns=user_id,role_id,is_direct,entitled_derived_from_type" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "json",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct,entitled_derived_from_type"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "json",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct,entitled_derived_from_type"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
- 412 Invalid column
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False",
"entitled_derived_from_type": "explicit"
}
]
}
<html>
<head><title>Error</title></head>
<body>The parameter returncolumns contains an invalid column - `invalid_col`.
Query String=cmd=findUserRoleMembership&format=json&returnMaxRows=2&returnColumns=user_id,invalid_col</body>
</html>
Filter by a single value
Pass any column name as a query parameter to filter results. Only memberships that match the value are returned. The is_direct field stores values with a capital first letter (True or False), so the filter value must match that casing when ignoreCase is not set. The example returns memberships where is_direct is False.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&is_direct=False" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "json",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct",
"is_direct": "False"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "json",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct",
is_direct: "False"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False"
}
]
}
Filter with OR logic
Repeat the same parameter with different values to match any of them. The example returns memberships for role_id 6764 or 9999. Records matching either value are returned in the response.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&role_id=6764&role_id=9999" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = [
("cmd", "findUserRoleMembership"),
("format", "json"),
("returnMaxRows", "5"),
("returnColumns", "user_id,role_id,is_direct"),
("role_id", "6764"),
("role_id", "9999")
]
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
const params = new URLSearchParams();
params.append('cmd', 'findUserRoleMembership');
params.append('format', 'json');
params.append('returnMaxRows', '5');
params.append('returnColumns', 'user_id,role_id,is_direct');
params.append('role_id', '6764');
params.append('role_id', '9999');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params,
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False"
}
]
}
Case-insensitive filter
Filters are case-sensitive by default. Set ignoreCase=true to match regardless of case. The example passes is_direct=false in lowercase and still returns records where the stored value is False.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&is_direct=false&ignoreCase=true" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "json",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct",
"is_direct": "false",
"ignoreCase": "true"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "json",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct",
is_direct: "false",
ignoreCase: "true"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False"
}
]
}
Sort ascending
Use sortByColumns with a column name and sortDirection=asc to sort results from lowest to highest. The example sorts by role_id.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&sortByColumns=role_id&sortDirection=asc" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "json",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct",
"sortByColumns": "role_id",
"sortDirection": "asc"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "json",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct",
sortByColumns: "role_id",
sortDirection: "asc"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False"
}
]
}
Sort descending
Set sortDirection=desc to reverse the order.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=json&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&sortByColumns=role_id&sortDirection=desc" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "json",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct",
"sortByColumns": "role_id",
"sortDirection": "desc"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.json())
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "json",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct",
sortByColumns: "role_id",
sortDirection: "desc"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
{
"findUserRoleMembership": [
{
"user_id": "-3",
"role_id": "6764",
"is_direct": "False"
}
]
}
CSV with custom delimiter
Set format=csv for a comma-separated response. Use delimiter to change the separator character.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=csv&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&delimiter=~" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "csv",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct",
"delimiter": "~"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.text)
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "csv",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct",
delimiter: "~"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
user_id~role_id~is_direct
-3~6764~False
CSV without header row
Set includeHeaderRow=false when your downstream system expects raw data rows without a header.
Request
- Curl
- Python
- Node.js
curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserRoleMembership&format=csv&returnMaxRows=5&returnColumns=user_id,role_id,is_direct&includeHeaderRow=false" \
-H "Authorization: Bearer <token>"
import requests
url = "https://instance.securid.com/aveksa/command.submit"
params = {
"cmd": "findUserRoleMembership",
"format": "csv",
"returnMaxRows": "5",
"returnColumns": "user_id,role_id,is_direct",
"includeHeaderRow": "false"
}
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, params=params, headers=headers)
print(response.text)
const axios = require('axios');
axios.get("https://instance.securid.com/aveksa/command.submit", {
params: {
cmd: "findUserRoleMembership",
format: "csv",
returnMaxRows: "5",
returnColumns: "user_id,role_id,is_direct",
includeHeaderRow: "false"
},
headers: { Authorization: "Bearer <token>" }
}).then(r => console.log(r.data));
Response
- 200
-3,6764,False
Error responses
A 401 is returned when the token is missing, invalid, or expired. A 412 is returned when returnColumns includes a column name that does not exist in the PV_USER_ROLE_MEMBERSHIP public view.
- 401 Invalid token
- 412 Invalid column
<html>
<head><title>Error</title></head>
<body>The token is not valid for the command 'findUserRoleMembership'. Token is invalid or expired</body>
</html>
<html>
<head><title>Error</title></head>
<body>The parameter returncolumns contains an invalid column - `invalid_col`.
Query String=cmd=findUserRoleMembership&format=json&returnMaxRows=2&returnColumns=user_id,invalid_col</body>
</html>
Verified with RSA Governance & Lifecycle version 8.0.0.188886 P10_HF01.