Last Post 8/2/2019 4:36 PM by  Karen Sheridan
Loadusers - Role and Group data
 5 Replies
Karen Sheridan
8/2/2019 2:55 PM

    We've been on the same LSF/Security version since May 2018.  And, I tested and verified that the loaduser utility would overwrite the role and group data 6 months ago.  Recently, I noticed that the utility is adding to existing data.  As part of our user disable process, I want to blank out the role and group data.  I set up an empty role called disabled because the role wouldn't just blank, but the group would.  Now neither is working.

    Is anyone else doing this?  Tips or tricks?

    TIA,

    Karen

    JimY
    8/2/2019 3:05 PM
    We don't use loadusers utility. We have an IPA flow that disables users using a Resource Update Node. It sets the isDisabled attribute to YES and the Role attribute to blank which removes all of the roles for a user. On the Landmark site it also removes the roles and disables the Actor. We then do a list base sync so that it shows up in ISS.
    Karen Sheridan
    8/2/2019 3:18 PM

    Jim Y - I would love to do what you are doing.  We've used the loaduser utility since v9 and I just haven't had the time to create the flow/test/etc.  So, I keep limping along with a mostly manual process.  Would you mind sharing your flow?

     

    Thanks,

    Karen

    JimY
    8/2/2019 3:56 PM

    I have attached the flow.  I had to change the extension to a ".txt" to attach it, so you will need to change it back to ".lpd".  I run it on the LTM side.  I have removed any email addresses and also login information.  The List Based Sync is a scheduled task, because at the time I created this our version of IPA could not run it.  Let me know if you have any questions.

    Powershell script to kick off sync

    # Run the sync only when the flow has produced a sync file
    if (test-path D:\Data\SyncFile\Sync_File.xml)
    {
      D:\lawprod\gen\bin\ssoconfig_sync.bat
      # Archive the processed file under a timestamped name
      move-item "D:\Data\SyncFile\Sync_File.xml" ("D:\Data\SyncFile\Sync_File_{0:yyyyMMdd_hhmmss}.xml" -f (get-date))
    }
    else {echo "File does not exist"}

    Bat file executed by the powershell script.

    REM Set Environment Variables Here
    D:\lawprod\gen\bin\ssoconfig -S D:\Data\SyncFile\Sync_File.xml

     

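A more defensive version of the sync kickoff script posted above, as an added example that is not part of JimY's post or flow: it archives the sync file only when the batch file reports success, so a failed sync is not silently discarded, and it uses a 24-hour timestamp so archive names cannot collide. It assumes that ssoconfig_sync.bat returns a non-zero exit code on failure and that the sync file is well-formed XML; the log file path is hypothetical.

```powershell
# Added example, not JimY's script. The sync file and batch file paths are the
# ones shown in the post; the exit-code behaviour of ssoconfig_sync.bat and the
# log file location are assumptions.
$ErrorActionPreference = 'Stop'

$syncDir  = 'D:\Data\SyncFile'
$syncFile = Join-Path $syncDir 'Sync_File.xml'
$syncBat  = 'D:\lawprod\gen\bin\ssoconfig_sync.bat'
$logFile  = Join-Path $syncDir 'sync_history.log'   # hypothetical log location

function Write-SyncLog([string]$Message) {
    # One timestamped line per event, so a missed night is visible afterwards.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Output $line
}

if (-not (Test-Path -Path $syncFile -PathType Leaf)) {
    Write-SyncLog 'No sync file present; nothing to do.'
    exit 0
}

# Refuse to hand a truncated or malformed file to the sync.
try {
    [xml](Get-Content -Path $syncFile -Raw) | Out-Null
} catch {
    Write-SyncLog "Sync file is not well-formed XML: $($_.Exception.Message)"
    exit 2
}

& $syncBat
$rc = $LASTEXITCODE

if ($rc -ne 0) {
    # Leave the file in place so the disabled users it lists are retried
    # instead of being archived as if they had been synced.
    Write-SyncLog "ssoconfig_sync.bat exited with code $rc; sync file left in place."
    exit 1
}

# HH is the 24-hour clock; hh would repeat the same name twelve hours later.
$stamp = '{0:yyyyMMdd_HHmmss}' -f (Get-Date)
Move-Item -Path $syncFile -Destination (Join-Path $syncDir "Sync_File_$stamp.xml")
Write-SyncLog "Sync completed; file archived as Sync_File_$stamp.xml."
```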
    JimY
    8/2/2019 4:06 PM
    I should add that this runs nightly and goes back 100 days. The SQL query reads the EMPLOYEE table in our LTM Database and looks at the termination date. I do this because they don't always terminate someone until long after they have left, but they set the termination date based on when they last worked. It's not perfect, but works for the most part. It performs an RM Query to see if they are already disabled and doesn't disable them again. On the SQL query you may not have to do the override for the SQL login info if you can use the configurations.
    Karen Sheridan
    8/2/2019 4:36 PM

    Jim,

    Thanks so much.  We have the same issue with terms being backdated months later.

    I appreciate you sharing the flow.

    Karen

     
