Symantec IGA

  • 1.  How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 08, 2015 04:03 PM

    Hi community, the "Delete Pending" status is one option in my environment to block deleting accounts on endpoints.

    I have global users correlated with endpoint accounts in that state. I need to delete those accounts from the global user.

    Manually I can list the users and identify the ones I need to remove, but I need a solution for a big scenario with 100 users that have accounts associated in that state.

    "Need to remove Accounts with state = Delete Pending from Provisioning Directory"


    Any Idea?



  • 2.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 18, 2015 01:51 PM

    Is anyone able to assist this question further?


    Thank you



  • 3.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 19, 2015 01:49 PM

    You could probably use an etautil command to do it, but I'd open an issue with Support to look into it further with you.



  • 4.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 24, 2015 09:29 AM

    Opened an issue with Support.

    The problem with using etautil is that it is not automatic (maybe with the Windows scheduler, but that is not a solution).

    The real problem is that accounts in Delete Pending state remain linked to the user, and in a suspend-resume scenario the Delete Pending accounts change to active. That is a security problem to solve ASAP.

     

    Sent from my iPhone




  • 5.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 25, 2015 08:11 AM

    Hi


    This is actually working as designed.

    When you put an account in Delete Pending mode, a suspend/resume action removes the Delete Pending flag and activates the account again.

    (I think this was something that was changed back in the eTrust Admin days.)

    I suggest that you also open an Idea asking for a change so that it is not possible to do this without removing some attribute data. I mean, the account is supposed to be deleted, and it should be a bit more difficult to "undelete" it.

     

    There may be ways around it.

    There are two places where you can do a suspend/resume: the Provisioning Manager and the IM GUI.

    Nowadays most people use the IM GUI, and there you could add validation code to the Modify User task so that a global user cannot be enabled if any of its accounts are in Delete Pending state.

    Or put in an event listener.

    I do assume there is a reason why you use Delete Pending and the actual deletion of accounts will not be done.

    So you could write an etautil script that removes the inclusion between the global user and the account and links the account to [Default User] instead.

     

    Cheers, Atle



  • 6.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 28, 2015 09:19 AM

    Hi Atle, I made some tests, and a suspend task on a global user with Delete Pending accounts assigned is not removing the Delete Pending status.

    But the resume is removing that status, and the account is active again.

    We cannot delete the account on the endpoint, and it must remain suspended. In Provisioning it can remain in the Provisioning Directory, but not linked to the user. I think a change in provisioning must be done.

    If the customer does not remove it manually or by etautil script, the Delete Pending account can be activated again without notice, and from my perspective that can be a security problem.

    A delete pending account must be an untouchable account "by default".

     

    Sent from my iPhone




  • 7.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 29, 2015 02:50 AM

    Hi mmarin

     

    The original design for the Delete Pending value was so that the account could be deleted by other means than the Provisioning Server.

    As far as I remember, the only way to get the account active again was to use etautil or similar and change this attribute.

    But somewhere along the way this was changed due to a client request.

     

    I agree that the current behavior is not according to the original design. I have asked internally to have this changed, but no luck.

    I also notice there is an Idea open (Automatic re-enabling an account in DELETE PENDING status) where the proposal is to make it even simpler to re-enable Delete Pending accounts.

    And it has already gotten a few votes.

     

    Cheers, Atle



  • 8.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Jun 29, 2015 11:38 AM

    Thank you for your answer, Atle. What can I do to obtain the original design behavior? An enhancement request or Idea will take time to reach a solution. Manual tasks (scripts) are a partial solution, but when there is a security risk involved, maybe a fast solution can be provided.

    I have an issue open with Support for this problem.

     

    Best regards,

     

    Mauricio

     

    Sent from my iPhone




  • 9.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Broadcom Employee
    Posted Jul 09, 2015 05:23 PM

    Hello Mauricio,

     

    The original design should be voted on so it is considered.

    I have been looking for more information regarding this topic.

    Below is an example of the delete-inclusion syntax with etautil.

    ** This will remove a Lotus account from a global user.

     

    Using the syntax format: delete childbasedn childclass childnamingattribute=value in parentbasedn parentclass parentnamingattribute=value [relationship=rel]

     

    etautil -d <DOMAIN> -u etaadmin -p yourpassword delete 'eTLNDOrganizationName=<NameOfOU>,eTLNDDirectoryName=<NameOfDiretorioNotesNoAdmin>,eTNamespaceName=Lotus Domino Server' eTLNDAccount eTLNDAccountName='The UserName' in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='TheGlobalUserNameConnectedToTheUserName' eTRelationship=USERACCOUNT

     

    NOTE: Keep in mind that running etautil commands to delete global users from the Provisioning Server will generate inbound notifications that are sent to the IM Server to trigger Provisioning Delete User tasks. If you don't want the Provisioning Delete User task to actually delete the IM corporate user (in a corp!=prov IME), make sure that the task is configured with Action=View (which is the default action value for that task).

     

    I am sending this and additional information on the CA Support case.

     

    best regards

    Gustavo Azolas



  • 10.  Re: How to Remove "Delete Pending Accounts" from Provisioning Directory

    Posted Dec 02, 2016 10:11 AM

    Hi All,

     

    etautil -d im -u XXXX -p *** delete 'eTADSOrgUnitName=Users,eTADSDirectoryName=ISSDigitateAD,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='521872' in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='521872' eTRelationship=USERACCOUNT

     

    To exclude the user from the GU, the script completes, but the account is still tagged with the GU.

    Below is the script for the Lotus endpoint:

    etautil -d im -u *** -p *** delete 'eTLNDOrganizationalUnitName=del,eTLNDOrganizationName=TCS,eTLNDDirectoryName=TCSDomino,eTNamespaceName=Lotus Domino Server' eTLNDAccount eTLNDAccountName='Malik Amit' in 'eTGlobalUserContainerName=GlobalUsers,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='521872' eTRelationship=USERACCOUNT
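The delete-inclusion form shown in posts 9 and 10 handles one account per command; the original question was about doing this for 100 users. The script below is an added example (not code from the thread, from CA, or from the etautil documentation) that turns a listing of Delete Pending accounts into one etautil command per account. It assumes the administrator has exported the accounts to a CSV with the columns used here (the column names, the DNs, the user names and the `status` values are all invented for the example; the real export format of the Provisioning Manager or an ldapsearch against the Provisioning Directory will differ) and that the commands are run from a POSIX shell. Only the `delete ... in ... eTRelationship=USERACCOUNT` syntax is taken from the thread. The password is read from the `ETA_PASSWORD` environment variable at run time instead of being written into the generated script, and account names are single-quoted with embedded apostrophes escaped so a name like O'Brien cannot break the argument. The script only unlinks the account from its global user, as Atle describes; it does not re-link it to [Default User], and, given the report in post 10 that an AD inclusion was still present after the command returned, the result should be checked in the Provisioning Manager before the global user is resumed.

```python
"""Generate etautil delete-inclusion commands for accounts stuck in Delete Pending.

Added example: reads a constructed CSV listing of accounts (one row per account
still linked to a global user) and emits one etautil command per account whose
status is DELETE_PENDING, using the delete-inclusion syntax from the thread.
The column names and status values are this script's own assumptions, not a
CA Identity Manager export format.
"""
import csv
import io

# Parent container of every global user in the Provisioning Directory (from the thread).
GLOBAL_USER_CONTAINER = "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects"

# Constructed sample listing; DNs, user names and the 'status' column are invented.
SAMPLE_LISTING = """\
global_user,endpoint_dn,account_class,account_naming_attr,account_name,status
u100021,"eTADSOrgUnitName=Users,eTADSDirectoryName=CORPAD,eTNamespaceName=ActiveDirectory",eTADSAccount,eTADSAccountName,u100021,DELETE_PENDING
u100021,"eTLNDOrganizationName=Corp,eTLNDDirectoryName=CorpDomino,eTNamespaceName=Lotus Domino Server",eTLNDAccount,eTLNDAccountName,Mary O'Brien,DELETE_PENDING
u100022,"eTADSOrgUnitName=Users,eTADSDirectoryName=CORPAD,eTNamespaceName=ActiveDirectory",eTADSAccount,eTADSAccountName,u100022,ACTIVE
"""


def sq(value: str) -> str:
    """Single-quote a value for a POSIX shell, escaping embedded apostrophes
    (O'Brien -> 'O'\\''Brien') so a name cannot break out of its argument."""
    return "'" + value.replace("'", "'\\''") + "'"


def parse_listing(text: str) -> list[dict]:
    """Parse the CSV export into one dict per account row."""
    return list(csv.DictReader(io.StringIO(text)))


def pending_accounts(rows: list[dict]) -> list[dict]:
    """Keep only accounts flagged Delete Pending; active accounts are never touched."""
    return [r for r in rows if r["status"] == "DELETE_PENDING"]


def delete_inclusion_cmd(row: dict, domain: str = "im", admin: str = "etaadmin") -> str:
    """Build 'etautil ... delete <account> in <global user> eTRelationship=USERACCOUNT',
    which unlinks the account from its global user while leaving the account
    object in the Provisioning Directory. The password is taken from the
    ETA_PASSWORD environment variable when the generated script runs (it is
    still visible in etautil's argv while that one command executes)."""
    return " ".join([
        "etautil", "-d", domain, "-u", admin, "-p", '"$ETA_PASSWORD"',
        "delete", sq(row["endpoint_dn"]), row["account_class"],
        f'{row["account_naming_attr"]}={sq(row["account_name"])}',
        "in", sq(GLOBAL_USER_CONTAINER), "eTGlobalUser",
        f'eTGlobalUserName={sq(row["global_user"])}',
        "eTRelationship=USERACCOUNT",
    ])


def build_commands(text: str, domain: str = "im", admin: str = "etaadmin") -> list[str]:
    """One command per Delete Pending account in the listing."""
    return [delete_inclusion_cmd(r, domain, admin) for r in pending_accounts(parse_listing(text))]


def build_script(commands: list[str]) -> str:
    """Wrap the commands in a shell script that refuses to start without the
    password variable and stops at the first etautil failure."""
    lines = [
        "#!/bin/sh",
        "set -eu",
        ': "${ETA_PASSWORD:?export ETA_PASSWORD before running}"',
    ]
    lines.extend(commands)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Review the generated script before running it against the Provisioning Server.
    print(build_script(build_commands(SAMPLE_LISTING)), end="")
```

Run the generator, read the resulting script, then execute it with `ETA_PASSWORD` exported in the shell rather than passed on a command line; the `set -eu` stop-on-error matters here because a half-applied batch leaves some accounts linked and therefore still subject to the resume-reactivates-them behaviour described in posts 5 and 6.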