Loadusers - Role and Group data

Karen Sheridan
Veteran Member
Posts: 141

    We've been on the same LSF/Security version since May 2018.  And I tested and verified that the loaduser utility would overwrite the role and group data 6 months ago.  Recently, I noticed that the utility is adding to existing data.  As part of our user disable process, I want to blank out the role and group data.  I set up an empty role called disabled because the role wouldn't just blank, but the group would.  Now neither is working.

    Is anyone else doing this?  Tips or tricks?

    TIA,

    Karen

    JimY
    Veteran Member
    Posts: 510
      We don't use loadusers utility. We have an IPA flow that disables users using a Resource Update Node. It sets the isDisabled attribute to YES and the Role attribute to blank which removes all of the roles for a user. On the Landmark site it also removes the roles and disables the Actor. We then do a list base sync so that it shows up in ISS.
      Karen Sheridan
      Veteran Member
      Posts: 141

        Jim Y - I would love to do what you are doing.  We've used the loaduser utility since v9 and I just haven't had the time to create the flow/test/etc.  So, I keep limping along with a mostly manual process.  Would you mind sharing your flow?

         

        Thanks,

        Karen

        JimY
        Veteran Member
        Posts: 510

          I have attached the flow.  I had to change the extension to ".txt" to attach it, so you will need to change it back to ".lpd".  I run it on the LTM side.  I have removed any email addresses and also login information.  The List Based Sync is a scheduled task, because at the time I created this our version of IPA could not run it.  Let me know if you have any questions.

          PowerShell script to kick off sync

          if (test-path D:\Data\SyncFile\Sync_File.xml)
          {
            # Run the sync, then archive the processed file under a timestamped name
            D:\lawprod\gen\bin\ssoconfig_sync.bat
            move-item "D:\Data\SyncFile\Sync_File.xml" ("D:\Data\SyncFile\Sync_File_{0:yyyyMMdd_hhmmss}.xml" -f (get-date))
          }
          else {echo "File does not exist"}

          Bat file executed by the PowerShell script.

          REM Set Environment Variables Here
          D:\lawprod\gen\bin\ssoconfig -S D:\Data\SyncFile\Sync_File.xml

           

          JimY
          Veteran Member
          Posts: 510
            I should add that this runs nightly and goes back 100 days. The SQL query reads the EMPLOYEE table in our LTM Database and looks at the termination date. I do this because they don't always terminate someone until long after they have left, but they set the termination date based on when they last worked. It's not perfect, but works for the most part. It performs an RM Query to see if they are already disabled and doesn't disable them again. On the SQL query you may not have to do the override for the SQL login info if you can use the configurations.
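
The selection logic described in the post above (100-day lookback on termination date, skip users who are already disabled), sketched as an added PowerShell example that is not JimY's flow; the field names `Id`, `TermDate` and `IsDisabled` and the sample records are constructed. It goes one step beyond the post and also lists terminated users who are still enabled but fall outside the lookback window, which is what a termination backdated by more than 100 days produces.

```powershell
# Added example. Field names (Id, TermDate, IsDisabled) and all records are
# constructed for illustration; they are not taken from the attached flow.
function Get-TerminationAction {
    param(
        [Parameter(Mandatory)] [object[]] $Employees,
        [datetime] $AsOf = (Get-Date),
        [int] $LookbackDays = 100          # lookback stated in the post
    )
    $cutoff = $AsOf.Date.AddDays(-$LookbackDays)
    foreach ($e in $Employees) {
        if ($null -eq $e.TermDate) { continue }      # no termination date: active
        $term = [datetime]$e.TermDate
        if ($term -gt $AsOf) { continue }            # assumption: future-dated terms wait

        if ($e.IsDisabled) {
            $action = 'Skip'               # already disabled, do not disable again
        } elseif ($term -ge $cutoff) {
            $action = 'Disable'            # inside the nightly lookback window
        } else {
            $action = 'OutsideWindow'      # terminated, still enabled, never selected
        }
        [pscustomobject]@{
            Id       = $e.Id
            TermDate = $term.ToString('yyyy-MM-dd')
            Action   = $action
        }
    }
}

# Constructed sample, evaluated as of a fixed date so the result is repeatable.
$asOf = [datetime]'2024-06-30'
$sample = @(
    [pscustomobject]@{ Id = 'E1001'; TermDate = '2024-06-15'; IsDisabled = $false }
    [pscustomobject]@{ Id = 'E1002'; TermDate = '2024-05-01'; IsDisabled = $true  }
    [pscustomobject]@{ Id = 'E1003'; TermDate = '2024-01-10'; IsDisabled = $false } # term entered late
    [pscustomobject]@{ Id = 'E1004'; TermDate = $null;        IsDisabled = $false }
)

$result = Get-TerminationAction -Employees $sample -AsOf $asOf
$result | Format-Table -AutoSize

# Anything in this list needs a manual disable or a one-off wider lookback.
$result | Where-Object Action -eq 'OutsideWindow' | Select-Object -ExpandProperty Id
```
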
            Karen Sheridan
            Veteran Member
            Posts: 141

              Jim,

              Thanks so much.  We have the same issue with terms being backdated months later.

              I appreciate you sharing the flow.

              Karen

               
