Symantec IGA

Expand all | Collapse all

Deleting provisioning roles

Jump to Best Answer
  • 1.  Deleting provisioning roles

    Posted 05-31-2016 01:53 PM

    Is there anyway in CA IDM 12.6sp5 - to automatically dissociate users from a provisioning role so you can delete the role?


    I have automated deleting Oracle/SQL endpoints & account templates using SOAP messages.. but if the provisioning role was ever assigned to a user - you will not be able to delete it until you dissociate all the users.

  • 2.  Re: Deleting provisioning roles

    Broadcom Employee
    Posted 06-01-2016 09:00 PM

    You can do it very easily using CA directory tools like dxmodify and dxsearch. You can look into CA directory documentation for more information. It is like standard ldap operations.

    First search all the users using dxsearch on provisioning directory on port 20394 that has eTRoleDN=your provisioning role and return their dn.

    Write the output to a ldif file.

    Manipulate the ldif file to have format like this:

    Dn: eTGlobaluser format dn of the user

    Changetype: modify

    Delete: eTRoleDN

    eTRoleDN: your provisioning role in eT format 

    Once your ldif file is prepared then you can run dxmodify on provisioning directory on port 20394 to remove provisioning from all the users.

    Once this is done you can easily delete the provisioning role from provisioning role.

  • 3.  Re: Deleting provisioning roles
    Best Answer

    Broadcom Employee
    Posted 06-02-2016 03:23 AM


    Or a simple etautil "masschange" against the GUs to remove your role as following:

    etautil -u <yourAdminID> -p <yourAdminIDPass> masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<yourFilter> to -eTRoleDN='eTRoleName=<yourRoleName>,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=<yourDomain>'


    Note: There will not be any sync process involved since you do not specify eTSyncDelete=1

    e.g.: (Windows scripting)

    SET ETAHOME="C:\Program Files (x86)\CA\Identity Manager\Provisioning Server"

    %ETAHOME%\bin\etautil -u superadmin -p secret masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=* to -eTRoleDN='eTRoleName=MyADRole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im'