Loadusers - Role and Group data

Karen Sheridan

We've been on the same LSF/Security version since May 2018. And, I tested and verified that the loaduser utility would overwrite the role and group data 6 months ago. Recently, I noticed that the utility is adding to existing data. As part of our user disable process, I want to blank out the role and group data. I set up an empty role called disabled because the role wouldn't just blank, but the group would. Now neither is working.

Is anyone else doing this?  Tips or tricks?

TIA,

Karen

JimY
We don't use loadusers utility. We have an IPA flow that disables users using a Resource Update Node. It sets the isDisabled attribute to YES and the Role attribute to blank which removes all of the roles for a user. On the Landmark site it also removes the roles and disables the Actor. We then do a list base sync so that it shows up in ISS.
Karen Sheridan

Jim Y - I would love to do what you are doing.  We've used the loaduser utility since v9 and I just haven't had the time to create the flow/test/etc.  So, I keep limping along with a mostly manual process.  Would you mind sharing your flow?

 

Thanks,

Karen

JimY

I have attached the flow. I had to change the extension to a ".txt" to attach it, so you will need to change it back to ".lpd". I run it on the LTM side. I have removed any email addresses and also login information. The List Based Sync is a scheduled task, because at the time I created this our version of IPA could not run it. Let me know if you have any questions.

PowerShell script to kick off sync

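[code]
# Run the sync only when a sync file has been produced
if (Test-Path D:\Data\SyncFile\Sync_File.xml) {
    D:\lawprod\gen\bin\ssoconfig_sync.bat
    # Archive the processed file under a timestamped name (HH = 24-hour clock)
    Move-Item "D:\Data\SyncFile\Sync_File.xml" ("D:\Data\SyncFile\Sync_File_{0:yyyyMMdd_HHmmss}.xml" -f (Get-Date))
}
else {
    echo "File does not exist"
}
[/code]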

Bat file executed by the powershell script.

[code]
REM Set Environment Variables Here
D:\lawprod\gen\bin\ssoconfig -S D:\Data\SyncFile\Sync_File.xml
[/code]

 

JimY
I should add that this runs nightly and goes back 100 days. The SQL query reads the EMPLOYEE table in our LTM Database and looks at the termination date. I do this because they don't always terminate someone until long after they have left, but they set the termination date based on when they last worked. It's not perfect, but works for the most part. It performs an RM Query to see if they are already disabled and doesn't disable them again. On the SQL query you may not have to do the override for the SQL login info if you can use the configurations.
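
The selection logic described in the post above (100-day lookback on termination date, skip accounts that are already disabled), combined with a check for the problem that opened this thread, disabled accounts that still carry role or group data. This is an added PowerShell example, not part of the thread or the attached flow. The sample records, the Id/TermDate/Group field names, the comma-separated Role/Group format and the Get-DisablePlan and Get-Entitlements functions are assumptions; the real flow reads EMPLOYEE through SQL and the user record through an RM query.

```powershell
# Constructed sample data. Only isDisabled and Role are names taken from the thread.
$now = [datetime]'2024-03-01'
$employees = @(
    [pscustomobject]@{ Id = 'jdoe';   TermDate = [datetime]'2024-02-10' }  # recent, still enabled
    [pscustomobject]@{ Id = 'asmith'; TermDate = [datetime]'2024-01-05' }  # disabled, role left behind
    [pscustomobject]@{ Id = 'bjones'; TermDate = [datetime]'2024-01-20' }  # disabled and clean
    [pscustomobject]@{ Id = 'cwu';    TermDate = [datetime]'2023-06-30' }  # outside the 100-day window
    [pscustomobject]@{ Id = 'dlee';   TermDate = $null }                   # active employee
)
$rmState = @{   # stand-in for the RM query result, keyed by user id
    jdoe   = @{ isDisabled = 'NO';  Role = 'APClerk,Inquiry'; Group = 'Finance' }
    asmith = @{ isDisabled = 'YES'; Role = 'Disabled,HRUser'; Group = '' }
    bjones = @{ isDisabled = 'YES'; Role = 'Disabled';        Group = '' }
    cwu    = @{ isDisabled = 'NO';  Role = 'Inquiry';         Group = '' }
}

# Split a comma-separated attribute value (assumed format) into non-empty entries.
function Get-Entitlements([string]$Value) {
    @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-DisablePlan {
    param(
        [object[]]$Employees,
        [hashtable]$RmState,
        [datetime]$Now = (Get-Date),
        [int]$LookbackDays = 100,
        [string]$PlaceholderRole = 'Disabled'   # hypothetical name of the empty role
    )
    $cutoff = $Now.AddDays(-$LookbackDays)
    foreach ($e in $Employees) {
        # Only terminations whose date falls inside the lookback window are considered
        if ($null -eq $e.TermDate -or $e.TermDate -gt $Now -or $e.TermDate -lt $cutoff) { continue }
        $rm = $RmState[$e.Id]
        if ($null -eq $rm) {
            [pscustomobject]@{ Id = $e.Id; Action = 'Review'; Detail = 'no RM record' }
            continue
        }
        # Access still attached to the account, ignoring the empty placeholder role
        $left = @(Get-Entitlements $rm.Role | Where-Object { $_ -ne $PlaceholderRole }) +
                @(Get-Entitlements $rm.Group)
        if ($rm.isDisabled -ne 'YES') {
            [pscustomobject]@{ Id = $e.Id; Action = 'Disable'; Detail = 'set isDisabled=YES, blank Role' }
        }
        elseif ($left.Count -gt 0) {
            [pscustomobject]@{ Id = $e.Id; Action = 'ClearAccess'; Detail = $left -join ',' }
        }
    }
}

Get-DisablePlan -Employees $employees -RmState $rmState -Now $now | Format-Table -AutoSize
```

With the sample data the plan lists jdoe for Disable and asmith for ClearAccess (HRUser); cwu is never selected because the termination date is older than the lookback window even though the account is still enabled.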
Karen Sheridan

Jim,

Thanks so much. We have the same issue with terms being backdated months later.

I appreciate you sharing the flow.

Karen