Is there any way in CA IDM 12.6sp5 to automatically dissociate users from a provisioning role so you can delete the role?
I have automated deleting Oracle/SQL endpoints and account templates using SOAP messages, but if the provisioning role was ever assigned to a user, you will not be able to delete it until you dissociate all the users.
You can do it very easily using CA Directory tools like dxmodify and dxsearch. You can look into the CA Directory documentation for more information. It is like standard LDAP operations.
First, search for all the users that have eTRoleDN=your provisioning role, using dxsearch on the provisioning directory on port 20394, and return their DNs.
Write the output to an LDIF file.
Manipulate the LDIF file to have a format like this:
Dn: eTGlobaluser format dn of the user
eTRoleDN: your provisioning role in eT format
Once your LDIF file is prepared, you can run dxmodify on the provisioning directory on port 20394 to remove provisioning from all the users.
Once this is done, you can easily delete the provisioning role from provisioning role.
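The search-output-to-modify-file step described in the answer above, as an added example that is not part of the original post or of CA's tooling. It assumes dxmodify accepts standard RFC 2849 change records; the sample DNs (including the `dc=im` suffix) are constructed, and the code also handles folded and base64-encoded `dn` lines, which LDIF search output can contain.

```python
import base64

def unfold(text):
    """Join RFC 2849 folded lines (a continuation starts with one space)."""
    return text.replace("\r\n", "\n").replace("\n ", "").splitlines()

def user_dns(search_ldif):
    """Return the DN of every entry in LDIF search output."""
    dns = []
    for line in unfold(search_ldif):
        if line.lower().startswith("dn::"):  # base64-encoded DN
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def attr_line(name, value):
    """Emit 'name: value', base64-encoding values that are not LDIF-safe."""
    if (value.isascii() and value == value.strip()
            and not value.startswith((":", "<"))
            and not any(c in value for c in "\0\r\n")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_modify_ldif(search_ldif, role_dn):
    """One modify record per user, deleting only the given eTRoleDN value."""
    records = ["\n".join([attr_line("dn", dn), "changetype: modify",
                          "delete: eTRoleDN",
                          # The value line limits the delete to this one role;
                          # without it, every eTRoleDN value would be removed.
                          attr_line("eTRoleDN", role_dn), "-"])
               for dn in user_dns(search_ldif)]
    return "\n\n".join(records) + "\n" if records else ""

# Constructed sample input: one folded DN line and one base64 ("dn::") DN.
SUFFIX = "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im"
ROLE = "eTRoleName=MyADRole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im"
ZOE = "eTGlobalUserName=zo\u00eb," + SUFFIX
SAMPLE = ("dn: eTGlobalUserName=jdoe,eTGlobalUserContainerName=Global Users,eTNames\n"
          " paceName=CommonObjects,dc=im\n"
          f"eTRoleDN: {ROLE}\n\n"
          f"dn:: {base64.b64encode(ZOE.encode('utf-8')).decode('ascii')}\n"
          f"eTRoleDN: {ROLE}\n")

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE, ROLE), end="")
```

Review the generated file and compare its entry count with the search result before feeding it to dxmodify, since the change is applied to every DN listed.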
Or a simple etautil "masschange" against the GUs to remove your role as follows:
etautil -u <yourAdminID> -p <yourAdminIDPass> masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<yourFilter> to -eTRoleDN='eTRoleName=<yourRoleName>,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=<yourDomain>'
Note: There will not be any sync process involved, since you do not specify eTSyncDelete=1.
e.g.: (Windows scripting)
SET ETAHOME="C:\Program Files (x86)\CA\Identity Manager\Provisioning Server"
%ETAHOME%\bin\etautil -u superadmin -p secret masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=* to -eTRoleDN='eTRoleName=MyADRole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im'