Layer 7 Identity Management

Expand all | Collapse all

Remove All AD roles from User

Jump to Best Answer
  • 1.  Remove All AD roles from User

    Posted 08-13-2018 07:53 AM

    Hello,

     

    We have implemented number of roles for different endpoints in our delivery. Now , we have script in place which is able to remove all the roles(all the endpoint roles) from the user.

     

    Is it possible to remove just all the AD roles and leave rest of the roles(for other endpoints) using etautility ?

     

    Any suggestions here would be highly appreciated.

     

    Thanks,

    Shashank



  • 2.  Re: Remove All AD roles from User

    Posted 08-14-2018 08:43 AM

    Hello Shashank, 

     

    Can you describe the way that your script functions or possibly post the code? That would help me determine if it could be adjusted to only remove AD roles instead of all roles. 

     

    Thank you, 

    Jennifer



  • 3.  Re: Remove All AD roles from User
    Best Answer

    Posted 08-14-2018 09:33 AM

    Provisioning Roles are just a grouping of Account Templates. You might have Provisioning Roles that contain only "AD" Account Templates, but there is no distinction as "AD" Provisioning Roles. If you have some naming convention for your Provisioning Roles so that you know which ones are the ones you consider to be "AD" Provisioning Roles then you can specify those explicit Provisioning Role names in your etautil command being used to remove the Provisioning Role.

     

    You can feed an input file of commands to etautil by doing:
    etautil -u USER -p PWD -f input.txt

     

    where input.txt contains one command per line and each line ends with a semi-colon.

     

    Here are some example commands (note that the eTRoleDN value is case-sensitive):

     

    To add a new Global User without any provisioning role:
    add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='newuser' eTUserID='newuser' eTPassword='newpassword';

     

    To add a new Global User with a single provisioning role but not sync user with roles:
    add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='newuser' eTUserID='newuser' eTPassword='newpassword' eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im';

     

    To add a new Global User with a single provisioning role and sync user with roles:
    add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='newuser' eTUserID='newuser' eTPassword='newpassword' eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncUsers='1';

     

    To add a new Global User with a two provisioning role but not sync user with roles:
    add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='newuser' eTUserID='newuser' eTPassword='newpassword' eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTRoleDN='eTRoleName=rolew,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im';

     

    To add a new Global User with a two provisioning role and sync user with roles:
    add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='newuser' eTUserID='newuser' eTPassword='newpassword' eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTRoleDN='eTRoleName=rolew,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncUsers='1';

     

    To update an existing Global User with an additional provisioning role but not sync user with roles:
    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='existinguser' to +eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im';

     

    To update an existing Global User with an additional provisioning role and sync user with roles:
    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='existinguser' to +eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncUser='1';

     

    To update an existing Global User and remove a provisioning role but not sync user with roles:
    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='existinguser' to -eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im';

     

    To update an existing Global User and remove a provisioning role and sync user with roles:
    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='existinguser' to -eTRoleDN='eTRoleName=role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncDelete='1';