Mass Deleting Users in LSF 9

Ellen Melton
Advanced Member
Posts: 28
    Has anyone found a way to mass delete users in LSF 9 - kinda the reverse of loadusers?

    Our migration of users from 8.0 to LSF9 was a total mess. I'd like to basically start over for about 90% of our users. I've got the loaduser xml ready but I know it will fail because the existing users are tied to the SSOP identities that I'll be trying to load - hence I need to delete all the existing RMIDs.

    Any methods other than manually doing all 5500 one-by-one??
    John Henley
    Posts: 3353
      Ellen, do you want to keep the RMIDs the same, and just override the SSOP / OSID?
      Thanks for using the LawsonGuru.com forums!
      John
      Ellen Melton
      Advanced Member
      Posts: 28
        No, I don't want to keep the same RMID. Background: Our old network ID standard was firstname-lastname. Our new one is employee number. In LSF 9, my plan was to create RMIDs based on the employee number with the SSOP ID tied to the old standard (for those that had not yet been converted). This will keep me from creating new RMIDs as each user gets their network ID renamed to the new standard. All I would need to do is to change the SSOP ID.

        However, all the user migration took place before I got a chance to lay out my plans. And the person who did the migration really messed up the user records. Almost all of them were set up incorrectly.

        So I'd basically like to start over with the majority of the users.
        John Henley
        Posts: 3353
          Are you live? In other words, do these users have jobs, etc. that need to be retained?
          John
          Ellen Melton
          Advanced Member
          Posts: 28
            Not yet live which is why I want to do this now before we begin having history tied to the RMIDs
            John Henley
            Posts: 3353
              I can think of a few different ways (in increasing order of difficulty):
              1. ProcessFlow Integrator includes the capability to delete users. If your organization doesn't own it, they should.
              2. Code up a script that loops thru a file and executes ssoconfig commands for each user.
              3. Create an ldif export from the LDAP repository, edit out the users you want to remove (making sure you leave the lawson, pfuser, etc.), delete the LDAP repository and then recreate it. If you're not very familiar with LDAP and Lawson's implementation, this will be a painful and time-consuming approach.

              At a minimum, MAKE SURE YOU BACK UP THE LDAP REPOSITORY FIRST!
              John
              Ellen Melton
              Advanced Member
              Posts: 28
                We don't have Integrator and none of us are very familiar with LDAP yet - even our LDAP administrator!! I'll see if my developers can consider a script - guess in the meantime, I'll start manually deleting them. I just wanted to make sure that I hadn't missed a Lawson delivered command that would do it. Guess this will be my next Enhancement Request.

                May God bless you this Christmas season for your willingness and generosity to share your skills and knowledge. Merry Christmas.
                cdodrzywolski
                Basic Member
                Posts: 21
                  Hello,

                  I am looking to do the same thing, as far as deleting users go. We also have a bunch of employees that need access to ESS and we add or delete them as they are hired or terminated.

                  Did you arrive at a good solution?

                  Thanks :-)
                  beverly godwin
                  Veteran Member
                  Posts: 143
                    There are a few utility commands in the Lawson Administration: Resources and Security (Deleting Security Data from the LDAP Repository Using the lsdelete Utility). I'm not sure if this is one of the 'tools' that the manual specifically states not to use:

                    "Do not use LDAP data tools to make changes to your Lawson data."

                    This command removes profiles, security classes, element groups, roles.
                    Alex Tsekhansky
                    Veteran Member
                    Posts: 92
                      I wrote a script that emulates deletion of the users via LSA. It's only 3 Portal web calls per user to be deleted, and they're easy to capture with fiddler.

                      Note that Lawson has a limit of 1000 users deleted per Lawson instance before restarting the instance. It's a strange limit, and it's hardcoded in some of the Java code. Still - if you divide a user list into 900 users per file, and restart the environment after each one, you will be OK.

                      I suggest using that mechanism instead of direct LDAP modifications as it goes through Lawson routines.

                      Thanks.

                      Alex.
                      John Henley
                      Posts: 3353
                        I, there is a new -u flag in loadusers in 9.0.1.4 to delete users.
                        John
                        beverly godwin
                        Veteran Member
                        Posts: 143
                          I was just told by GSC that as of 9.0.0.7 there is a -u flag on loadusers to remove users from LDAP/ADAM only. This is JUST what I was looking for.
                          beverly godwin
                          Veteran Member
                          Posts: 143
                            How would I create the xml file to use to mass delete these? Is there a way to dump out all users from ldap in proper xml format, remove those not to be deleted and then run the loadusers with the -u option?

                            It would be nice if the xml file could just contain the rmid of the users to be deleted and not have to include all items that are generally on the upload file for each user..
                            John Henley
                            Posts: 3353
                              It only needs to include the IDs, not the details.
                              John
                              ChrisO
                              Basic Member
                              Posts: 21
                                Cool, thanks all, I am going to try this when we get time. I'll let you know how it comes out.
                                beverly godwin
                                Veteran Member
                                Posts: 143
                                  This assistance is greatly appreciated, I'm struggling to find good documentation on this new feature.

                                  This will remove all items from ldap/adam for the users right?

                                  Is this what I'm looking at for the xml file for the delete loaduser option??









                                  John Henley
                                  Posts: 3353
                                    Get the LATEST version of the Lawson LSF9 "Resources & Security" documentation (the 9.0.1.4 version of the documentation has some examples of using loadusers to delete users). You will have to dig for the documentation. The one under the "Document Library" in the Lawson KB is out-dated--you have to go through the Product Downloads to LSF9 to the Documentation link to get to the latest one.
                                    John
                                    beverly godwin
                                    Veteran Member
                                    Posts: 143
                                      So I got the loadusers command to work with the -u option to remove the users and their identities from ldap (1700 users removed). See solution below for those on lsf 9.0.0.7 and greater.

                                      I am having trouble getting my business users out, due to default domain, so I'm fighting with that issue now. We've not yet done the ldap bind. I'll just manually delete my 74 business users for now...

                                      my command: loadusers -f delusers5.xml -p LAWAPP8 -d UMC -u

                                      book example: loadusers -f filename -p defaultProdLine -d defaultDomain -u -g username

                                      my file: (the empty tags for roles/identities/groups may not be needed)













                                      beverly godwin
                                      Veteran Member
                                      Posts: 143
                                        wow..so my xml file is not showing in the post..here is another attempt..I took out the <> tag identifiers to see if this will show in the post.

                                        ?xml version="1.0" encoding="ISO-8859-1" ?
                                        XML
                                        ROLEDATA
                                        /ROLEDATA
                                        GROUPDATA
                                        /GROUPDATA
                                        USERDATA
                                        USER ID = "AlishaB"/
                                        USER ID = "MohammedB"/
                                        /USERDATA
                                        IDENTITIES
                                        /IDENTITIES
                                        /XML
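
The delete file described in the post above can be generated from a plain list of IDs. This is an added example, not part of the original thread and not Lawson code: the element layout is reconstructed from the tag names in the post and should be checked against the Resources & Security guide, the protected set holds only the two accounts named earlier in the thread, and the batch size of 900 is borrowed from the LSA-route advice above (the thread does not say whether `loadusers -u` has the same limit). The function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Accounts the thread says to leave in place; extend for your site (assumption).
PROTECTED = {"lawson", "pfuser"}

# Constructed sample input: the two IDs from the post plus lines that must be dropped.
SAMPLE_IDS = ["AlishaB", "MohammedB", "lawson", "PFUSER", "AlishaB", "", "# note"]

def build_delete_files(ids, protected=PROTECTED, batch_size=900):
    """Return (xml_documents, skipped_ids) for use with loadusers -u."""
    seen, keep, skipped = set(), [], []
    for raw in ids:
        uid = raw.strip()
        if not uid or uid.startswith("#"):
            continue                      # blank line or comment in the ID list
        if uid.lower() in protected:
            skipped.append(uid)           # never emit a service account
        elif uid not in seen:
            seen.add(uid)                 # drop exact duplicates
            keep.append(uid)
    docs = []
    for i in range(0, len(keep), batch_size):
        users = "\n".join(
            f"    <USER ID={quoteattr(u)}/>" for u in keep[i:i + batch_size])
        docs.append(
            '<?xml version="1.0" encoding="ISO-8859-1" ?>\n'
            "<XML>\n  <ROLEDATA>\n  </ROLEDATA>\n  <GROUPDATA>\n  </GROUPDATA>\n"
            f"  <USERDATA>\n{users}\n  </USERDATA>\n"
            "  <IDENTITIES>\n  </IDENTITIES>\n</XML>\n")
    return docs, skipped

def ids_in(doc):
    """Parse a generated file as the declared encoding and list its USER IDs."""
    root = ET.fromstring(doc.encode("iso-8859-1"))
    return [u.get("ID") for u in root.iter("USER")]

if __name__ == "__main__":
    docs, skipped = build_delete_files(SAMPLE_IDS)
    for n, doc in enumerate(docs, 1):
        with open(f"delusers{n}.xml", "w", encoding="iso-8859-1") as fh:
            fh.write(doc)
        print(f"delusers{n}.xml: {len(ids_in(doc))} users")
    print("skipped (protected):", skipped)
```

Review the skipped list and each generated file before passing it to `loadusers` with `-f` and `-u` as in the command quoted above, and back up the LDAP repository first.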
                                        TBonney
                                        Veteran Member
                                        Posts: 281
                                          Beverly,

                                          Please clarify if using the -u switch in loaduser utility gets rid of the user profile in LSA too, or just in LDAP/ADAM.

                                          Also, were you ever able to find documentation on use of the utility in the 9.0.1.4 guide or the 9.0.0.7 guide? Thank you!!
                                          CindyW
                                          Veteran Member
                                          Posts: 169
                                            The Lawson Administration: Resources and Security document covers the Loadusers -u functionality. It's on page 164.

                                            I don't think it removes the user from Lawson Security though, so it seems there would be a proper sequence to follow. Can anyone confirm this?
                                            TBonney
                                            Veteran Member
                                            Posts: 281
                                              Cindy,

                                              Thank you for your post. Sorry for the confusion on my last post. I know that the -f switch simply refers the job to look to the designated file for input. I am familiar with using this switch with the loadusers utility to load users. That is how we add most of our new users. I had thought that one of the previous posts stated there was simply a different switch to be used to delete users as opposed to loading them.

                                              However, based on your post, in order to use the same utility to delete users, is it as simple as updating the xml file with blank elements, except for the user id element as you've shown?

                                              Thank you for any additional guidance you might provide.
                                              beverly godwin
                                              Veteran Member
                                              Posts: 143
                                                It is the -u at the end that you have to use when you are 'deleting' vs adding users. You have to have the rmid filled in also..but know that the 'rmid'..is the sso identity id and not the id that is showing for the person on the rm record between the first & last name...in my case they usually will match, but not always
                                                Dean Rochester
                                                Advanced Member
                                                Posts: 32
                                                  If you are not using lsf9 security but still using laua security, does this take care of that clean up too and also the /etc/passwd entry too?
                                                  beverly godwin
                                                  Veteran Member
                                                  Posts: 143
                                                    I do not fully understand the question here. (/etc/passwd entry??). We are on laua and not lsf9 security. I've not deleted users in a while, but for emss users, they are simple and done as mentioned with the load users. If you have a business user that has a laua security class other than the mass emss class...then I think it would be best to go in and take out their security class..even though they should not be able to log onto portal once the rm record is removed...but they could still get into LID technically. Also when removing someone's laua security class...know that it is tricky when you want to remove laua security class..because if someone is w/o a class..they automatically get the security of Mr. Default...so I usually create a security class called DISABLE that has pretty much no access and give that to people I want disabled...sounds crazy I know..but felt the need to share.