Layer 7 Identity Management

Expand all | Collapse all

Delete a particular provisioning role by etautil

Jump to Best Answer
  • 1.  Delete a particular provisioning role by etautil

    Posted 06-12-2017 02:40 PM

    Hello All,

     

    Users in provisioning store are assigned roles associated with multiple endpoints. Is it possible by etautil to achieve following scenarios: -

     

    1. Remove all the AD roles and delete AD account and leave all other roles untouched.

    2. Remove all the roles assigned to user which start with some particular syntax say "F_App"

     

    Is is possible to achieve the above scenarios? Any help here would be highly appreciated.

     

    Thanks,
    Shashank



  • 2.  Re: Delete a particular provisioning role by etautil

     
    Posted 06-13-2017 03:00 AM

    Hi Shashank,

     

    To remove a particular Provisioning Role from Global User, use following control statement. Hope this will delete the AD account as well:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to -eTRoleDN='<rolename>,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=IDENTITY_MANAGER'

     

    To remove certain provisioning roles with pattern, may be following should work:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to -eTRoleDN='F_App*,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=IDENTITY_MANAGER'

     

     

    Regards,

    Sumeet

     



  • 3.  Re: Delete a particular provisioning role by etautil

    Posted 06-14-2017 09:21 AM

    The second command listed with trying to use a wildcard in the Role name is not valid.

     

    Be careful when using etautil command as you need to be case-sensitive and not include extra white-spaces in the Role DN value. Also "IDENTITY_MANAGER" may not be the proper value in the Role DN to use.

     

    If you want accounts to be deleted you need to also include eTSyncDelete='1' in the command.



  • 4.  Re: Delete a particular provisioning role by etautil

     
    Posted 06-14-2017 09:53 AM

    You are correct. I think "IDENTITY_MANAGER" should be replaced with "im" or whatever is the domain name at provisioning side.

     

    I think following should work for deleting the accounts after removal of Provisioning Role:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to eTSyncDelete=1;

     

    Regards,

    Sumeet

     



  • 5.  Re: Delete a particular provisioning role by etautil
    Best Answer

    Posted 06-14-2017 10:01 AM

    You would want to include the eTSyncDelete='1' in the original command as that would be the equivalent of choosing to Sync during the role modification had it been done via the Provisioning Manager such as:

     

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<globalusername> to -eTRoleDN='<rolename>,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncDelete='1';

     

    Running a separate secondary command would be the equivalent of of right-clicking on a global user in the Provisioning Manager and doing a Sync User With Roles to Delete Extra Accounts and would cause any accounts not prescribed by a role/template to be deleted.



  • 6.  Re: Delete a particular provisioning role by etautil

     
    Posted 06-14-2017 10:17 AM

    All right, that make sense. Thanks Kenny.



  • 7.  Re: Delete a particular provisioning role by etautil

    Posted 08-07-2017 12:30 PM

    Hi KennyV

     

      Can we remove the account from user but not from endpoint through "etautil".

      Please help me on these

     



  • 8.  Re: Delete a particular provisioning role by etautil

    Posted 08-07-2017 12:41 PM

    The etautil command to add an inclusion would have the format of:

     

    etautil -u USER -p PWD -DYN add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='MY_GU_1' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_1' relationship=USERACCOUNT;

     

    The etautil command to remove an inclusion would have the format of:

     

    etautil -u USER -p PWD -DYN delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='MY_GU_1' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_1' relationship=USERACCOUNT;

     

    Things to note:

    1) Running the add inclusion command against an account that is already associated would associate the account to the new user which would automatically remove the old association so no need to do a delete and an add in this case

    2) You can feed etautil with an input file so that there is a single bind to the Provisioning Server followed by the commands

     

    So you would run the command:

     

    etautil.exe -u USER -p PWD -f input.txt

     

    where input.txt could have one command per line such as:

     

    delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default User]' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_1' relationship=USERACCOUNT;

    delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default User]' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_2' relationship=USERACCOUNT;

    delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default User]' in 'eTADSOrgUnitName=MY_AD_OU,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='MY_AD_ACCOUNT_3' relationship=USERACCOUNT;



  • 9.  Re: Delete a particular provisioning role by etautil

    Posted 08-07-2017 04:54 PM

    Thank You KennyV