bt-cli 0.4.36__tar.gz → 0.4.38__tar.gz

{bt_cli-0.4.36/src/bt_cli/data → bt_cli-0.4.38/.claude}/skills/epml/SKILL.md

@@ -132,13 +132,22 @@ bt epml rbp tmdategrps tmdates replace <tmdategrp_id> --file tmdates.json
 
 # Roles + assignments
 bt epml rbp roles list
-bt epml rbp roles create --name "Helpdesk Role"
+bt epml rbp roles create --name "Helpdesk Role" --action A \
+  --description "..." --comment "..." --tag "AdminAccess" \
+  --risk 6 --rpt 1 \
+  --iolog '/iologs/%date%/%uniqueid%.iolog' \
+  --banner-text "Helpdesk Role"             # builds standard ###-framed banner
+# or --message "raw multi-line message"
+# or --banner                               # banner with %rbprole% template
+bt epml rbp roles update <id> --tag NewTag --risk 9 --rpt 1     # in-place edit
 bt epml rbp roles duplicate <role_id>
-bt epml rbp roles cmdgrps   add    <role_id> --ids 1,2
+bt epml rbp roles cmdgrps   add <role_id> --ids 1,2          # cmdgrps & tmdategrps: just IDs
+bt epml rbp roles tmdategrps add <role_id> --ids 1
+bt epml rbp roles hostgrps  add <role_id> --ids 1 --kind B   # B = both Submit and Run-as
+bt epml rbp roles usergrps  add <role_id> --ids 4 --kind S   # S = Submit (who requests)
+bt epml rbp roles usergrps  add <role_id> --ids 3 --kind R   # R = Run-as (whose identity)
 bt epml rbp roles cmdgrps   remove <role_id> <cmdgrp_id>
 bt epml rbp roles hostgrps  list   <role_id>
-bt epml rbp roles usergrps  add    <role_id> --ids 5
-bt epml rbp roles tmdategrps add   <role_id> --ids 1
 
 # Entitlement report ('who can do what')
 bt epml rbp entitlement run
@@ -200,6 +209,9 @@ bt epml quick tests-then-deploy --suite <suite_id>      # commits if pass; rollb
 - **`POST /usergrps/multiple`** (bulk create): body is `{"usergroups": [...]}` — undocumented wrapper key.
 - **POST on child collections is additive**, not replacing. Calling `commands add` twice with the same command will get you a duplicate.
 - **Children share the parent's `id`** in GET responses — the listed `id` field is the cmdgrp/hostgrp/usergrp ID, not unique per child. The actual identifier is the `cmd`/`host`/`user` text.
+- **Role assignments take a single object per request, not an array**. The CLI loops under the hood; the wire body is e.g. `{"cmds": 35}`, `{"hosts": 1, "type": "S"}`, `{"users": 4, "type": "R"}`, `{"tmdates": 1}`.
+- **Hostgrp / usergrp assignments require a `type` field** (`S` = Submit / who requests, `R` = Run-as / whose identity the command runs under). Without `type` the request 400s with "RBP role type not in: [S,R]". CLI: `--kind S|R|B` on `roles hostgrps add` and `roles usergrps add`. `B` (default) creates both an S row and an R row for the same id — appropriate when the same group plays both roles. For "Admin requests, runs as root", do `--ids 4 --kind S` and `--ids 3 --kind R` separately.
+- **Roles need `rpt: 1`** to appear in `bt epml rbp entitlement run`. The role still functions for policy evaluation either way, but only `rpt=1` roles are surfaced in the report. Not yet exposed by the CLI — file-level edit via export/import is the workaround.
 
 ## Known gaps (TODO)
 

{bt_cli-0.4.36 → bt_cli-0.4.38}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.36**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.38**
 
 ## Setup
 

{bt_cli-0.4.36 → bt_cli-0.4.38}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.36
+Version: 0.4.38
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.36 → bt_cli-0.4.38}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.36"
+version = "0.4.38"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.36 → bt_cli-0.4.38}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.36"
+__version__ = "0.4.38"

{bt_cli-0.4.36 → bt_cli-0.4.38}/src/bt_cli/data/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.36**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.38**
 
 ## Setup
 

{bt_cli-0.4.36/.claude → bt_cli-0.4.38/src/bt_cli/data}/skills/epml/SKILL.md

@@ -132,13 +132,22 @@ bt epml rbp tmdategrps tmdates replace <tmdategrp_id> --file tmdates.json
 
 # Roles + assignments
 bt epml rbp roles list
-bt epml rbp roles create --name "Helpdesk Role"
+bt epml rbp roles create --name "Helpdesk Role" --action A \
+  --description "..." --comment "..." --tag "AdminAccess" \
+  --risk 6 --rpt 1 \
+  --iolog '/iologs/%date%/%uniqueid%.iolog' \
+  --banner-text "Helpdesk Role"             # builds standard ###-framed banner
+# or --message "raw multi-line message"
+# or --banner                               # banner with %rbprole% template
+bt epml rbp roles update <id> --tag NewTag --risk 9 --rpt 1     # in-place edit
 bt epml rbp roles duplicate <role_id>
-bt epml rbp roles cmdgrps   add    <role_id> --ids 1,2
+bt epml rbp roles cmdgrps   add <role_id> --ids 1,2          # cmdgrps & tmdategrps: just IDs
+bt epml rbp roles tmdategrps add <role_id> --ids 1
+bt epml rbp roles hostgrps  add <role_id> --ids 1 --kind B   # B = both Submit and Run-as
+bt epml rbp roles usergrps  add <role_id> --ids 4 --kind S   # S = Submit (who requests)
+bt epml rbp roles usergrps  add <role_id> --ids 3 --kind R   # R = Run-as (whose identity)
 bt epml rbp roles cmdgrps   remove <role_id> <cmdgrp_id>
 bt epml rbp roles hostgrps  list   <role_id>
-bt epml rbp roles usergrps  add    <role_id> --ids 5
-bt epml rbp roles tmdategrps add   <role_id> --ids 1
 
 # Entitlement report ('who can do what')
 bt epml rbp entitlement run
@@ -200,6 +209,9 @@ bt epml quick tests-then-deploy --suite <suite_id>      # commits if pass; rollb
 - **`POST /usergrps/multiple`** (bulk create): body is `{"usergroups": [...]}` — undocumented wrapper key.
 - **POST on child collections is additive**, not replacing. Calling `commands add` twice with the same command will get you a duplicate.
 - **Children share the parent's `id`** in GET responses — the listed `id` field is the cmdgrp/hostgrp/usergrp ID, not unique per child. The actual identifier is the `cmd`/`host`/`user` text.
+- **Role assignments take a single object per request, not an array**. The CLI loops under the hood; the wire body is e.g. `{"cmds": 35}`, `{"hosts": 1, "type": "S"}`, `{"users": 4, "type": "R"}`, `{"tmdates": 1}`.
+- **Hostgrp / usergrp assignments require a `type` field** (`S` = Submit / who requests, `R` = Run-as / whose identity the command runs under). Without `type` the request 400s with "RBP role type not in: [S,R]". CLI: `--kind S|R|B` on `roles hostgrps add` and `roles usergrps add`. `B` (default) creates both an S row and an R row for the same id — appropriate when the same group plays both roles. For "Admin requests, runs as root", do `--ids 4 --kind S` and `--ids 3 --kind R` separately.
+- **Roles need `rpt: 1`** to appear in `bt epml rbp entitlement run`. The role still functions for policy evaluation either way, but only `rpt=1` roles are surfaced in the report. Not yet exposed by the CLI — file-level edit via export/import is the workaround.
 
 ## Known gaps (TODO)
 

{bt_cli-0.4.36 → bt_cli-0.4.38}/src/bt_cli/epml/client/base.py

@@ -476,6 +476,29 @@ class EPMLClient:
         body.setdefault("action", "A")
         return self.post(f"/api/pbul/{h}/rbp/roles", json=body)
 
+    def update_role(self, role_id: int, partial: Dict[str, Any], host_id: Optional[int] = None) -> Any:
+        """Update an existing role (read-modify-write).
+
+        The API's create/update endpoint OVERWRITES on `id` match — fields not
+        in the body get zeroed/cleared. To make an update feel like a partial
+        modification, this helper fetches the current role, merges in your
+        changes, and posts the merged record. Avoids accidentally clobbering
+        `action`, `name`, `iolog`, etc. when you only meant to change `tag`.
+
+        Caveat: the v1 API has no GET-single-role, so we list and filter.
+        """
+        h = self.host(host_id)
+        roles = self.list_roles(host_id=host_id) or []
+        current = next((r for r in roles if r.get("id") == role_id), None)
+        if current is None:
+            raise ValueError(f"role id {role_id} not found")
+        # role child relations (rolecmds/roleusers/etc.) get filtered out so we
+        # don't accidentally rewrite assignments — those have their own endpoints.
+        merged = {k: v for k, v in current.items() if not k.startswith("role")}
+        merged.update(partial)
+        merged["id"] = role_id
+        return self.post(f"/api/pbul/{h}/rbp/roles", json=merged)
+
     def delete_roles(self, ids: List[int], host_id: Optional[int] = None) -> None:
         h = self.host(host_id)
         for rid in ids:
@@ -489,9 +512,13 @@ class EPMLClient:
         h = self.host(host_id)
         return self.get(f"/api/pbul/{h}/rbp/roles/{role_id}/cmdgrps")
 
-    def add_role_cmdgrps(self, role_id: int, cmdgrp_ids: List[int], host_id: Optional[int] = None) -> Any:
+    def add_role_cmdgrps(self, role_id: int, cmdgrp_ids: List[int], host_id: Optional[int] = None) -> List[Any]:
+        """Add cmdgrps to a role. The API accepts ONE assignment per request
+        as a bare object (`{cmds: <id>}`) — not an array. Loop here.
+        """
         h = self.host(host_id)
-        return self.post(f"/api/pbul/{h}/rbp/roles/{role_id}/cmdgrps", json=cmdgrp_ids)
+        path = f"/api/pbul/{h}/rbp/roles/{role_id}/cmdgrps"
+        return [self.post(path, json={"cmds": cid}) for cid in cmdgrp_ids]
 
     def remove_role_cmdgrp(self, role_id: int, cmdgrp_id: int, host_id: Optional[int] = None) -> None:
         h = self.host(host_id)
@@ -501,9 +528,31 @@ class EPMLClient:
         h = self.host(host_id)
         return self.get(f"/api/pbul/{h}/rbp/roles/{role_id}/hostgrps")
 
-    def add_role_hostgrps(self, role_id: int, hostgrp_ids: List[int], host_id: Optional[int] = None) -> Any:
+    def add_role_hostgrps(
+        self,
+        role_id: int,
+        hostgrp_ids: List[int],
+        kind: str = "B",
+        host_id: Optional[int] = None,
+    ) -> List[Any]:
+        """Add hostgrps to a role. Each assignment carries a `type`:
+          S = Submit (where the request comes from)
+          R = Run-as (where the command actually runs)
+
+        For a typical "users on these hosts can run on these same hosts" rule,
+        you usually want BOTH — pass `kind="B"` (default) and the client posts
+        twice, once with type S and once with type R.
+        """
         h = self.host(host_id)
-        return self.post(f"/api/pbul/{h}/rbp/roles/{role_id}/hostgrps", json=hostgrp_ids)
+        path = f"/api/pbul/{h}/rbp/roles/{role_id}/hostgrps"
+        types = ("S", "R") if kind.upper() == "B" else (kind.upper(),)
+        if not all(t in ("S", "R") for t in types):
+            raise ValueError(f"hostgrp kind must be S, R, or B (both); got {kind!r}")
+        results = []
+        for hid in hostgrp_ids:
+            for t in types:
+                results.append(self.post(path, json={"hosts": hid, "type": t}))
+        return results
 
     def remove_role_hostgrp(self, role_id: int, hostgrp_id: int, host_id: Optional[int] = None) -> None:
         h = self.host(host_id)
@@ -513,9 +562,27 @@ class EPMLClient:
         h = self.host(host_id)
         return self.get(f"/api/pbul/{h}/rbp/roles/{role_id}/usergrps")
 
-    def add_role_usergrps(self, role_id: int, usergrp_ids: List[int], host_id: Optional[int] = None) -> Any:
+    def add_role_usergrps(
+        self,
+        role_id: int,
+        usergrp_ids: List[int],
+        kind: str = "B",
+        host_id: Optional[int] = None,
+    ) -> List[Any]:
+        """Add usergrps to a role. Same S/R/B `type` semantics as hostgrps.
+          S = Submit user (who requests)
+          R = Run-as user (whose identity the command runs under)
+        """
         h = self.host(host_id)
-        return self.post(f"/api/pbul/{h}/rbp/roles/{role_id}/usergrps", json=usergrp_ids)
+        path = f"/api/pbul/{h}/rbp/roles/{role_id}/usergrps"
+        types = ("S", "R") if kind.upper() == "B" else (kind.upper(),)
+        if not all(t in ("S", "R") for t in types):
+            raise ValueError(f"usergrp kind must be S, R, or B (both); got {kind!r}")
+        results = []
+        for uid in usergrp_ids:
+            for t in types:
+                results.append(self.post(path, json={"users": uid, "type": t}))
+        return results
 
     def remove_role_usergrp(self, role_id: int, usergrp_id: int, host_id: Optional[int] = None) -> None:
         h = self.host(host_id)
@@ -525,9 +592,11 @@ class EPMLClient:
         h = self.host(host_id)
         return self.get(f"/api/pbul/{h}/rbp/roles/{role_id}/tmdategrps")
 
-    def add_role_tmdategrps(self, role_id: int, tmdategrp_ids: List[int], host_id: Optional[int] = None) -> Any:
+    def add_role_tmdategrps(self, role_id: int, tmdategrp_ids: List[int], host_id: Optional[int] = None) -> List[Any]:
+        """Add tmdategrps to a role. Single object per request, key is `tmdates`."""
         h = self.host(host_id)
-        return self.post(f"/api/pbul/{h}/rbp/roles/{role_id}/tmdategrps", json=tmdategrp_ids)
+        path = f"/api/pbul/{h}/rbp/roles/{role_id}/tmdategrps"
+        return [self.post(path, json={"tmdates": tid}) for tid in tmdategrp_ids]
 
     def remove_role_tmdategrp(self, role_id: int, tmdategrp_id: int, host_id: Optional[int] = None) -> None:
         h = self.host(host_id)

bt_cli-0.4.38/src/bt_cli/epml/commands/rbp_roles.py

@@ -0,0 +1,342 @@
+"""RBP roles + role/group assignments (`/api/pbul/{hostid}/rbp/roles`)."""
+
+from typing import Optional
+
+import httpx
+import typer
+
+from bt_cli.core.output import OutputFormat, print_api_error, print_json, print_table
+
+app = typer.Typer(no_args_is_help=True, help="RBP roles")
+
+
+def _host_opt():
+    return typer.Option(None, "--host", "-H", help="PMUL host id (default: BT_EPML_DEFAULT_HOST)")
+
+
+_BAR = "#" * 60
+
+
+def _build_banner(title: Optional[str] = None) -> str:
+    """Build a banner-style policy message.
+
+    Server substitutes `%rbprole%` and `%event%` at session time. Pass a
+    title string to replace the role-name line with literal text.
+    """
+    title_line = f" Policy:           {title}\r\n" if title else " Policy:           %rbprole%\r\n"
+    return (
+        "\r\n"
+        + _BAR + "\r\n"
+        + title_line
+        + " Status:           %event%\r\n"
+        + " Session Recorded: Yes\r\n"
+        + _BAR + "\r\n"
+    )
+
+
+def _resolve_message(message: Optional[str], banner: bool, banner_text: Optional[str]) -> Optional[str]:
+    """Pick the final message: explicit --message wins; else build a banner if asked."""
+    if message is not None:
+        return message
+    if banner_text is not None:
+        return _build_banner(banner_text)
+    if banner:
+        return _build_banner()
+    return None  # leave message unset
+
+
+@app.command("list")
+def list_roles(
+    host: Optional[int] = _host_opt(),
+    output: OutputFormat = typer.Option(OutputFormat.TABLE, "--output", "-o"),
+):
+    """List roles."""
+    from bt_cli.epml.client import get_client
+    try:
+        with get_client() as c:
+            data = c.list_roles(host_id=host)
+        if output == OutputFormat.JSON:
+            print_json(data)
+        else:
+            rows = data if isinstance(data, list) else (data.get("data", []) if isinstance(data, dict) else [])
+            print_table(rows, [
+                ("ID", "id"),
+                ("Name", "name"),
+                ("Description", "description"),
+                ("Disabled", "disabled"),
+                ("Type", "type"),
+            ], title="Roles")
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "list roles"); raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "list roles"); raise typer.Exit(1)
+
+
+@app.command("create")
+def create_role(
+    name: str = typer.Option(..., "--name", "-n"),
+    description: str = typer.Option("", "--description", "-d"),
+    comment: Optional[str] = typer.Option(None, "--comment", "-c", help="Internal comment (defaults to description if omitted)"),
+    tag: Optional[str] = typer.Option(None, "--tag", help="Free-form tag for filtering/reporting"),
+    risk: Optional[int] = typer.Option(None, "--risk", "-r", help="Risk score 0-9 (Postgres-style example uses 6)"),
+    rpt: Optional[int] = typer.Option(None, "--rpt", help="Entitlement reporting: 1 to surface in `entitlement run`, 0 to hide"),
+    action: str = typer.Option("A", "--action", "-a", help="Role verdict: A=Allow, R=Reject"),
+    iolog: Optional[str] = typer.Option(
+        None, "--iolog",
+        help="I/O log path template (e.g. /iologs/%date%/%uniqueid%.iolog). Omit to disable.",
+    ),
+    message: Optional[str] = typer.Option(None, "--message", "-m", help="Raw message shown to the requesting user (multi-line OK; verbatim)"),
+    banner: bool = typer.Option(False, "--banner", help="Use a standard ###-framed banner with %rbprole% and %event% template variables"),
+    banner_text: Optional[str] = typer.Option(None, "--banner-text", help="Like --banner but use the given title text instead of %rbprole% substitution"),
+    disabled: bool = typer.Option(False, "--disabled", help="Create the role disabled"),
+    host: Optional[int] = _host_opt(),
+):
+    """Create a role.
+
+    The API requires `action` to be exactly `A` (Allow) or `R` (Reject) —
+    not 'Allow'/'Reject'. Defaults to A.
+
+    `iolog` accepts the appliance's path template syntax — typical value is
+    `/iologs/%date%/%uniqueid%.iolog`. Omit to disable I/O logging on this role.
+
+    Three ways to set the user-visible message (in priority order):
+      --message "raw text"            verbatim
+      --banner-text "Custom Title"    builds the standard banner with this title
+      --banner                        builds the standard banner using %rbprole%
+
+    The standard banner format mirrors the appliance's existing roles:
+      ##############################
+       Policy:           <title or %rbprole%>
+       Status:           %event%
+       Session Recorded: Yes
+      ##############################
+    """
+    from bt_cli.epml.client import get_client
+    if action not in ("A", "R"):
+        typer.echo(f"--action must be 'A' or 'R', got {action!r}", err=True)
+        raise typer.Exit(2)
+
+    body = {"name": name, "description": description, "action": action, "disabled": disabled}
+    if comment is not None:
+        body["comment"] = comment
+    elif description:
+        body["comment"] = description  # mirror description into comment (matches existing roles)
+    if tag is not None:
+        body["tag"] = tag
+    if risk is not None:
+        body["risk"] = risk
+    if rpt is not None:
+        body["rpt"] = rpt
+    if iolog is not None:
+        body["iolog"] = iolog
+
+    final_message = _resolve_message(message, banner, banner_text)
+    if final_message is not None:
+        body["message"] = final_message
+
+    try:
+        with get_client() as c:
+            result = c.create_role(body, host_id=host)
+        print_json(result)
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "create role"); raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "create role"); raise typer.Exit(1)
+
+
+@app.command("update")
+def update_role(
+    role_id: int = typer.Argument(..., help="Role ID to update"),
+    name: Optional[str] = typer.Option(None, "--name", "-n", help="Rename the role"),
+    description: Optional[str] = typer.Option(None, "--description", "-d"),
+    comment: Optional[str] = typer.Option(None, "--comment", "-c"),
+    tag: Optional[str] = typer.Option(None, "--tag"),
+    risk: Optional[int] = typer.Option(None, "--risk", "-r"),
+    rpt: Optional[int] = typer.Option(None, "--rpt"),
+    action: Optional[str] = typer.Option(None, "--action", "-a", help="A=Allow / R=Reject"),
+    iolog: Optional[str] = typer.Option(None, "--iolog", help="I/O log template; pass '' to disable"),
+    message: Optional[str] = typer.Option(None, "--message", "-m"),
+    banner: bool = typer.Option(False, "--banner"),
+    banner_text: Optional[str] = typer.Option(None, "--banner-text"),
+    disabled: Optional[bool] = typer.Option(None, "--disabled/--enabled"),
+    host: Optional[int] = _host_opt(),
+):
+    """Update a role's metadata in place. Only fields you pass are modified.
+
+    Examples:
+      bt epml rbp roles update 126 --tag "RootAccess" --risk 9 --rpt 1
+      bt epml rbp roles update 126 --banner-text "Root Shell Access"
+      bt epml rbp roles update 126 --message "Custom session header..."
+    """
+    from bt_cli.epml.client import get_client
+    if action is not None and action not in ("A", "R"):
+        typer.echo(f"--action must be 'A' or 'R', got {action!r}", err=True)
+        raise typer.Exit(2)
+
+    body: dict = {}
+    for key, val in (
+        ("name", name), ("description", description), ("comment", comment),
+        ("tag", tag), ("risk", risk), ("rpt", rpt), ("action", action),
+        ("iolog", iolog), ("disabled", disabled),
+    ):
+        if val is not None:
+            body[key] = val
+
+    final_message = _resolve_message(message, banner, banner_text)
+    if final_message is not None:
+        body["message"] = final_message
+
+    if not body:
+        typer.echo("Nothing to update — pass at least one field flag.", err=True)
+        raise typer.Exit(2)
+
+    try:
+        with get_client() as c:
+            result = c.update_role(role_id, body, host_id=host)
+        print_json(result)
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "update role"); raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "update role"); raise typer.Exit(1)
+
+
+@app.command("delete")
+def delete_role(
+    ids: str = typer.Argument(..., help="Comma-separated role IDs"),
+    host: Optional[int] = _host_opt(),
+):
+    """Delete one or more roles by ID."""
+    from bt_cli.epml.client import get_client
+    try:
+        id_list = [int(x.strip()) for x in ids.split(",") if x.strip()]
+        with get_client() as c:
+            c.delete_roles(id_list, host_id=host)
+        typer.echo(f"Deleted {len(id_list)} role(s)")
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "delete role"); raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "delete role"); raise typer.Exit(1)
+
+
+@app.command("duplicate")
+def duplicate_role(
+    role_id: int = typer.Argument(..., help="Role ID to duplicate"),
+    host: Optional[int] = _host_opt(),
+):
+    """Duplicate a role."""
+    from bt_cli.epml.client import get_client
+    try:
+        with get_client() as c:
+            result = c.duplicate_role(role_id, host_id=host)
+        print_json(result)
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "duplicate role"); raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "duplicate role"); raise typer.Exit(1)
+
+
+# ---- assignments: cmdgrps / hostgrps / usergrps / tmdategrps ----
+
+def _make_assignment_app(label: str, list_fn: str, add_fn: str, remove_fn: str, has_kind: bool = False):
+    """Build a sub-typer for managing one role-child resource type.
+
+    has_kind: if True, expose --kind S|R|B (Submit / Run-as / Both). Used for
+    hostgrps and usergrps where each assignment carries a type. Cmdgrps and
+    tmdategrps don't take a kind.
+    """
+    sub = typer.Typer(no_args_is_help=True, help=f"Manage {label} on a role")
+
+    @sub.command("list")
+    def _list(
+        role_id: int = typer.Argument(..., help="Role ID"),
+        host: Optional[int] = _host_opt(),
+        output: OutputFormat = typer.Option(OutputFormat.JSON, "--output", "-o"),
+    ):
+        f"""List {label} assigned to a role."""
+        from bt_cli.epml.client import get_client
+        try:
+            with get_client() as c:
+                data = getattr(c, list_fn)(role_id, host_id=host)
+            if output == OutputFormat.JSON:
+                print_json(data)
+            else:
+                rows = data if isinstance(data, list) else (data.get("data", []) if isinstance(data, dict) else [])
+                # Best-effort table: include `type` column when present
+                if rows and isinstance(rows[0], dict) and "type" in rows[0]:
+                    cols = [(k.upper(), k) for k in rows[0].keys()]
+                else:
+                    cols = [("ID", "id"), ("Name", "name")]
+                print_table(rows, cols, title=f"{label} on role {role_id}")
+        except httpx.HTTPStatusError as e:
+            print_api_error(e, f"list role {label}"); raise typer.Exit(1)
+        except Exception as e:
+            print_api_error(e, f"list role {label}"); raise typer.Exit(1)
+
+    if has_kind:
+        @sub.command("add")
+        def _add(
+            role_id: int = typer.Argument(..., help="Role ID"),
+            ids: str = typer.Option(..., "--ids", help=f"Comma-separated {label} IDs to add"),
+            kind: str = typer.Option(
+                "B", "--kind", "-k",
+                help="Assignment type: S=Submit, R=Run-as, B=Both (creates two assignments per id)",
+            ),
+            host: Optional[int] = _host_opt(),
+        ):
+            f"""Add {label} to a role."""
+            from bt_cli.epml.client import get_client
+            if kind.upper() not in ("S", "R", "B"):
+                typer.echo(f"--kind must be S, R, or B; got {kind!r}", err=True)
+                raise typer.Exit(2)
+            try:
+                id_list = [int(x.strip()) for x in ids.split(",") if x.strip()]
+                with get_client() as c:
+                    result = getattr(c, add_fn)(role_id, id_list, kind=kind.upper(), host_id=host)
+                print_json(result)
+            except httpx.HTTPStatusError as e:
+                print_api_error(e, f"add role {label}"); raise typer.Exit(1)
+            except Exception as e:
+                print_api_error(e, f"add role {label}"); raise typer.Exit(1)
+    else:
+        @sub.command("add")
+        def _add(
+            role_id: int = typer.Argument(..., help="Role ID"),
+            ids: str = typer.Option(..., "--ids", help=f"Comma-separated {label} IDs to add"),
+            host: Optional[int] = _host_opt(),
+        ):
+            f"""Add {label} to a role."""
+            from bt_cli.epml.client import get_client
+            try:
+                id_list = [int(x.strip()) for x in ids.split(",") if x.strip()]
+                with get_client() as c:
+                    result = getattr(c, add_fn)(role_id, id_list, host_id=host)
+                print_json(result)
+            except httpx.HTTPStatusError as e:
+                print_api_error(e, f"add role {label}"); raise typer.Exit(1)
+            except Exception as e:
+                print_api_error(e, f"add role {label}"); raise typer.Exit(1)
+
+    @sub.command("remove")
+    def _remove(
+        role_id: int = typer.Argument(..., help="Role ID"),
+        item_id: int = typer.Argument(..., help=f"{label} ID to remove"),
+        host: Optional[int] = _host_opt(),
+    ):
+        f"""Remove a {label} from a role."""
+        from bt_cli.epml.client import get_client
+        try:
+            with get_client() as c:
+                getattr(c, remove_fn)(role_id, item_id, host_id=host)
+            typer.echo(f"Removed {label} {item_id} from role {role_id}")
+        except httpx.HTTPStatusError as e:
+            print_api_error(e, f"remove role {label}"); raise typer.Exit(1)
+        except Exception as e:
+            print_api_error(e, f"remove role {label}"); raise typer.Exit(1)
+
+    return sub
+
+
+app.add_typer(_make_assignment_app("cmdgrps", "list_role_cmdgrps", "add_role_cmdgrps", "remove_role_cmdgrp"), name="cmdgrps")
+app.add_typer(_make_assignment_app("hostgrps", "list_role_hostgrps", "add_role_hostgrps", "remove_role_hostgrp", has_kind=True), name="hostgrps")
+app.add_typer(_make_assignment_app("usergrps", "list_role_usergrps", "add_role_usergrps", "remove_role_usergrp", has_kind=True), name="usergrps")
+app.add_typer(_make_assignment_app("tmdategrps", "list_role_tmdategrps", "add_role_tmdategrps", "remove_role_tmdategrp"), name="tmdategrps")