Symantec IGA

  • 1.  Modifying Action Rules of Policy Express

    Posted Nov 21, 2017 05:22 AM

    Hello Folks,

    I am trying to create a Policy Xpress where users having "Address = London" will be deleted.

    I am not able to invoke the "Delete User" task from the "Action Rules" associated with the Policy Xpress.

    Can you please let me know how I can achieve the same?

    Thanks & BR
    Sandipan



  • 2.  Re: Modifying Action Rules of Policy Express
    Best Answer

    Posted Nov 21, 2017 09:10 AM

    Hello Sandipan,

    Honestly, I think the best route to go would be using an etautil command:

    etautil -d domain -u admin -p c*** masschange 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser Address=London to DeleteUserAndAccounts=1

    This etautil command would delete the user and the accounts associated with it.

    If you want to use a Policy Xpress, it would need to trigger on an event, and I don't see any categories that would match this.

    Or you can use a CSV file and do a bulk delete of all known accounts and users. These can first be found by getting all users with attribute address=london and then putting them in a CSV file.

    Regards,

    Andrew Nguyen



  • 3.  Re: Modifying Action Rules of Policy Express

    Broadcom Employee
    Posted Nov 21, 2017 09:17 AM

    Hi Sandipan, in addition to what Andrew has already indicated, do you know that you can also use Bulk Tasks (under the System menu) in CA Identity Manager to delete users that match specific criteria? Below is a sample bulk task configuration:

    If, for whatever reason, you still need to trigger this through Policy Xpress, I would perform the following steps:

    1. Get the IM users that meet your conditions by using an LDAP source in the Policy Xpress Data Sources. See below the screenshot of my LDAP query configuration for my IM user store instance. (As you can see from the test that I ran on this LDAP query, I am getting back the following result: "banry01^fozen01^krahe01^talel01^thaed01".)

    2. Iterate each entry (Policy Xpress, Data tab, System, List Iterator). This will split the multiple UIDs returned by the LDAP query into individual user uid entries.

    3. Execute TEWS (web services) for Delete User as I have explained to you in another post: Delete User Admin Task using Policy Express. Make sure you have web services enabled for your Delete User task. Your filter becomes something like this (where {'IterateUsers'} is the name of the variable where you are putting the List Iterator results from step 2 above):

    <ns1:Filter index="0">
        <ns1:Field>%USER_ID%</ns1:Field>
        <ns1:Op>EQUALS</ns1:Op>
        <ns1:Value>{'IterateUsers'}</ns1:Value>
    </ns1:Filter>

    I hope this helps

    KR
    Russi
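As an added example (not code from the thread or from CA/Broadcom), the following Python mimics steps 2 and 3 of Russi's procedure offline: it splits the "^"-joined LDAP result into individual uids the way the List Iterator does and renders one TEWS ns1:Filter block per uid. The "^" separator, the %USER_ID% field and the ns1:Filter shape come from the post; the blank/duplicate handling and the review printout are this example's own additions, so a deletion run can be inspected before any admin task fires.

```python
"""Split a Policy Xpress List Iterator result and build TEWS filters.

Constructed example, not CA/Broadcom code. The '^' separator and the
%USER_ID% / ns1:Filter layout are taken from the forum post; the
blank/duplicate checks are this example's own safeguards.
"""
from xml.sax.saxutils import escape

# Constructed sample: the string the post's LDAP data source returned.
LDAP_RESULT = "banry01^fozen01^krahe01^talel01^thaed01"


def split_iterator(result: str, sep: str = "^") -> list[str]:
    """Mimic the List Iterator: one uid per entry, blanks and duplicates dropped.

    A stray separator ("a^^b", trailing "^") would otherwise yield an empty
    uid, and an empty EQUALS filter is exactly the input a Delete User task
    must never be handed.
    """
    seen: set[str] = set()
    uids: list[str] = []
    for raw in result.split(sep):
        uid = raw.strip()
        if uid and uid not in seen:
            seen.add(uid)
            uids.append(uid)
    return uids


def tews_filter(uid: str, index: int = 0) -> str:
    """Render the ns1:Filter block from step 3 for a single uid (XML-escaped)."""
    return (
        f'<ns1:Filter index="{index}">'
        f"<ns1:Field>%USER_ID%</ns1:Field>"
        f"<ns1:Op>EQUALS</ns1:Op>"
        f"<ns1:Value>{escape(uid)}</ns1:Value>"
        f"</ns1:Filter>"
    )


def build_filters(result: str) -> list[str]:
    """One filter per iterated uid, in the order the LDAP query returned them."""
    return [tews_filter(uid) for uid in split_iterator(result)]


if __name__ == "__main__":
    uids = split_iterator(LDAP_RESULT)
    print(f"{len(uids)} users would be passed to Delete User; review before running:")
    for block in build_filters(LDAP_RESULT):
        print(block)
```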