Mass Deleting Users in LSF 9

Ellen, do you want to keep the RMIDs the same, and just override the SSOP / OSID?

No, I don't want to keep the same RMID. Background: Our old network ID standard was firstname-lastname. Our new one is employee number. In LSF 9, my plan was to create RMIDs based on the employee number with the SSOP ID tied to the old standard (for those that had not yet been converted). This will keep me from creating new RMIDs as each user gets their network ID renamed to the new standard. All I would need to do is to change the SSOP ID.

However, all the user migration took place before I got a chance to layout my plans. And the person who did the migration really messed up the user records. Almost all of them were setup incorrectly.

So I'd basically like to start over with the majority of the users.

Are you live? In other words, do these users have jobs, etc. that need to be retained?

Not yet live which is why I want to do this now before we begin having history tied to the RMIDs

I can think of a few different ways (in increasing order of difficulty):
1. ProcessFlow Integrator includes the capability to delete users. If your organization doesn't own it, they should.
2. Code up a script that loops thru a file and executes ssoconfig commands for each user.
3. Create an ldif export from the LDAP repository, edit out the users you want to remove (making sure you leave the lawson, pfuser, etc.), delete the LDAP repository and then recreate it. If you're not very familiar with LDAP and Lawson's implementation, this will be a painful and time-consuming approach.

At a minimum, MAKE SURE YOU BACK UP THE LDAP REPOSITORY FIRST!

We don't have Integrator and none of us are very familiar with LDAP yet - even our LDAP administrator!! I'll see if my developers can consider a script - guess in the meantime, I'll start manually deleting them. I just wanted to make sure that I hadn't missed a Lawson delivered command that would do it. Guess this will be my next Enhancement Request.

May God bless you this Christmas season for your willingness and generosity to share your skills and knowledge. Merry Christmas.

Hello,

I am looking to do the same thing, as far as deleting users go. We also have a bunch of employees that need access to ESS and we add or delte them as they are hired or terminated.

Did you arrive at a good solution?

Thanks :-)

There is a few utility commands in the Lawson Administration: Resources and Security (Deleting Security Data from the LDAP Repository Using the lsdelete Utility). I'm not sure if this is one of the 'tools' that the manual specifically states not to use:

"Do not use LDAP data tools to make changes to your Lawson data."

This command removes profiles, security classes, element groups, roles.

I wrote a script that emulates deletion of the users via LSA. It's only 3 Portal web calls per user to be deleted, and they're easy to capture with fiddler.

Note that Lawson has a limit of 1000 users deleted per Lawson instance before restarting the instance. It's a strange limit, and it's hardcoded in some of the Java code. Still - if you divide a user list into 900 users per file, and restart environment after each one, you will be Ok.

I suggest using that mechanism instead of direct LDAP modifications as it goes through Lawson routines.

Thanks.

Alex.

I, there is a new -u flag in loadusers in 9.0.1.4 to delete users.

I was just told by GSC that as of 9.0.0.7 there is a -u flag on laodusers to remove users from LDAP/ADAM only. This is JUST what I was looking for.

How would I create the xml file to use to mass delete these? Is there a way to dump out all users from ldap in proper xml format, remove those not to be deleted and then run the loadusers with the -u option?

It would be nice if the xml file could just contain the rmid of the users to be deleted and not have to include all items that are generally on the upload file for each user..

It only needs to include the IDs, not the details.

Cool thanks all, i am going to try this when we get time. I'll let you know how it comes out.

This assistance is greatly appreciated, I'm struggling to find good documentation on this new feature.

This will remove all items from ldap/adam for the users right?

Is this what I'm looking at for the xml file for the delete loaduser option??

Get the LATEST version of the Lawson LSF9 "Resources & Security" documentation (the 9.0.1.4 version of the documentation has some examples of using loadusers to delete users). You will have to dig for the documentation. The one under the "Document Library" in the Lawson KB is out-dated--you have to go through the Product Downloads to LSF9 to the Documentation link to get to the latest one.

So I got the loadusers command to work with the -u option to remove the users and their identities from ldap (1700 users removed). See solution below for those on lsf 9.0.0.7 and greater.

I am having trouble getting my business users out, due to default domain, so I'm fighting with that issue now. We've not yet done the ldap bind. I'll just manually delete my 74 business users for now...

my command: loadusers -f delusers5.xml -p LAWAPP8 -d UMC -u

book example: loadusers -f filename -p defaultProdLine -d defaultDomain -u -g username

my file: (the empty tags for roles/identities/groups may not be needed)

wow..so my xml file is not showing in the post..here is another attempt..I took out the <> tag identifiers to see if this will show in the post.

?xml version="1.0" encoding="ISO-8859-1" ?
XML
ROLEDATA
/ROLEDATA
GROUPDATA
/GROUPDATA
USERDATA
USER ID = "AlishaB"/
USER ID = "MohammedB"/
/USERDATA
IDENTITIES
/IDENTITIES
/XML

Beverly,

Please clarify if using the -u switch in loaduser utility gets rid of the user profile in LSA too, or just in LDAP/ADAM.

Also, were you ever able to find documentation on use of the utility in the 9.0.1.4 guide or the 9.0.0.7 guide? Thank you!!

The Lawson Administration: Resources and Security document covers the Loadusers -u functionality. It's on page 164.

I don't think it removes the user from Lawson Security though, so it seems there would be a proper sequence to follow. Can anyone confirm this?

Cindy,

Thank you for your post. Sorry for the confusion on my last post. I know that the -f switch simply referes the job to look to the designated file for input. I am familiar with using this switch with the loadusers utility to load users. That is how we add most of our new users. I had thought that one of the previous posts stated there was simply a different switch to be used to delete users as opossed to loading them.

However, based on your post, in order to use the same utility to delete users, is it as simple as updating the xml file with blank elements, except for the user id element as you've shown?

Thank you for any additional guidance you might provide.

it is the -u at the end that you have to use when you are 'deleting' vs adding users. you have to have the rmid filled in also..but know that the 'rmid'..is the sso identity id and not the id that is showing for the person on the rm record between the first & last name...in my case they usually will match, but not always

if you are not using lsf9 security but still using laua security, does this take care of that clean up too and also the /etc/passwd entry too?

I do not fully understand the question here. (/etc/passwd entry??). We are on laua and not lsf9 security. I've not deleted users in a while, but for emss users, they are simple and done as mentioned with the load users. If you have a business user that has a laua security class other than the mass emss class...then I think it would be best to go in and take out their security class..even though they should not be able to log onto portal once the rm record is removed...but they could still get into LID technically. Also when removing someone's laua security class...know that it is tricky when you want to remove laua security class..because if someone is w/o a class..they automatically get the security of Mr. Default...so I usually create a security class called DISABLE that has pretty much no access and give that to people I want disabled...sounds crazy I know..but felt the need to share.