TECH TIP: Remove Roles from Users (harScrubUserRoles)

    Posted Dec 02, 2015 12:17 PM

    In regards to managing users, the husrmgr command-line utility does not have a feature to remove (delete) groups (roles) from a user. I have created a couple of Perl scripts that are designed to accomplish this.


    For example, I have had a customer with a few thousand users who wished to clean up specific groups (roles) from those users. The customer did not want to delete the groups, only to clean up his users' roles by removing some specific groups from the users.


    The first script, 'harListUserRoles.pl', creates a .dat list of the users and all the roles assigned to them, ordered by role name. After the list is created, the Harvest admin edits the list and removes any lines for roles that he/she wishes to remain in effect.


    The second Perl script, 'harScrubUserRoles.pl', is then run; it uses the previously edited .dat list to scrub those roles from the users. This script has two modes of operation, selected by the 'TEST' and 'SCRUB' flags, which are provided as an input parameter. The test mode will not actually scrub any roles; it produces a log file to show what it performed on a per-list-line basis (something like a dry run). The scrub mode actually performs the role removal and produces a log file that you can verify against the edited list.


    Caution: Do not take the scrub script lightly because it WILL update the database. Normally the groups (roles) are manually removed via the administrator GUI in order to create an audit log entry. If the audit log entry is not required or not a concern and the number of users to be worked on is quite large, then these scripts should work for you.


    They have been tested in r12.5 and r12.6 database schema levels.


    If these scripts fit your role scrubbing requirements and the lack of audit records is not a concern, then to obtain these scripts for free you simply need to open an issue with Harvest L1 support requesting access to these scripts.



    Using these scripts requires the Perl runtime and SQLPLUS. You must have the capability to use sqlplus to connect to the Harvest Oracle database using the Harvest schema owner credentials. These scripts can be run on a client Windows machine as long as the above requirements are met.


    Disclaimer: These Perl scripts are defined as 'field developed utilities'; therefore they are provided as is with no approved support. The user should use these scripts with caution.