Remove role or user from position

Similar Messages

• Unlink and remove role = delete user???

  Hi All,
  We are using Sun IDM 7.1.1.21 and have run into this problem. I believe it's a product bug because it doesn't make any sense. We have users in an AD resource, and they are linked to that resource in IDM using a role. If, for some reason, the user is deleted from AD, and re-setup we have to "re-link" the user because the "accountGUID" attribute has the wrong GUID for the user and IDM doesn't like that. We are doing this using Recon. When recon runs, and catches this user, the situation comes back as "Confirmed", which is fine, we are using a per account workflow to handle the changes. We then compare the GUIDs of the objects in the workflow, if they are different, we would unlink the IDM account and relink it to the new GUID. We are setting the following options on the unlink.
  <set name='options.unlinkTargets'>
  <list>
  <s>AD</s>
  </list>
  </set>
  <set name='options.deleteAccounts'>
  <s>false</s>
  </set>
  and we remove the role, becuase if we do not, nothing happens. When the user object is checked in, it gets deleted from the resource. I'm sure this is happening becuase the accountID DOES exist (when the user is re-setup on the back-end the same DN is given to the user). Obviously this result is undesireable. So now I have 2 questions.
  1. Am I doing this wrong?
  2. Why would IDM delete an account when deleteAccounts and unlinkTargets are explicitly set on the checkin?

  OK. I figured out where the problem was. Renaming the accountGUID without removing the role only caused a "rename account to same name" error. I was not setting the correct options when removing the role. I needed to set:
  <set name='options.noDelete'>
  <s>true</s>
  </set>
  <set name='options.deleteUser'>
  <s>false</s>
  </set>
  This did the trick. The roles were removed and the user unlinked without any harm done to the resource account. I was then able to re-add the roles and relink to the existing resource account without a problem.
  Thanks.

• In 10.6, I could remove old YM users from my archive. In 10.7 and 10.8 I cannot find a YM user log. How do I remove yahoo messenger users from my archive?

  In OS 10.6, I could locate the log for my yahoo messenger in the Library under Application Support/Logs/_________________ and delete messages AND users from my archive. With OS 10.7 and OS 10.8, I am only able to delete conversations one at a time and unable to delete old users at all.  I am also unable to find out where new conversations are stored. Can anyone help?  Thanks.

  It is likely they're still stored in the same location.  However, in Lion and above, Apple has hidden the Library folder by default.
  To find it, hold down the option key and select the "Go" menu item, and Library will appear as an option in that list.  You can then select it and from there navigate to Application Support/Logs/XXX to delete stuff.

• Removing non-essential users from Oracle

  I'm trying to clean up my Oracle installation by removing tablespaces, users and roles that we don't need. The following users all have their accounts expired/locked. Are any of these essential and shouldn't be removed?
  ANONYMOUS
  CTXSYS
  HR
  MDSYS
  ODM
  ODM_MTR
  OE
  OLAPSYS
  ORDPLUGINS
  ORDSYS
  OUTLN
  PM
  QS
  QS_ADM
  QS_CB
  QS_CBADM
  QS_CS
  QS_ES
  QS_OS
  QS_WS
  SCOTT
  SH
  WKPROXY
  WKSYS
  WMSYS
  XDB
  Cheers,
  Warren

  This looks like an Oracle Applications (i.e., Financials and Manufacturing) database or one with only some modules installed. To be safe, you should repost this to a forum dedicated to Oracle Apps.
  If it really is an Oracle Applications database, then don't remove OE, HR, or any other schema that is an Oracle Applications schema. Never remove OUTLN even if you aren't using outlines. If stored outliens aren't used, then you aren't wasting space. So removing it is a waste of time plus it inhibits you from using stored outlines if you need them but forgot that you removed it.

• What's the best way to remove inactive iChat users from jabberd2.db?

  I'm about to run Autobuddy for users on my iChat server. However, there are several users that are no longer around and I don't want their records showing up in everyone's buddy list.
  What's the safest/best way to remove them?
  My plan is to use sqlite3 on the command line and use SQL to remove the entries from the "active" table, but I don't know what impact that may have on the rest of the database.
  Any thoughts or suggestions?

  Never mind...
  Thought I had looked through enough threads.  Found the following just after posting my question:
  /usr/bin/jabber_autobuddy -d [email protected]
  Works like a charm.

• Automating removal of Discovered Users from ACS

  I use ACS 4.1 on a Windows server that looks up unknown users in Active Directory. Users in AD are in various groups and ACS has these groups mapped to the ACS groups so that users are granted appropriate access to their needs. This has worked well.
  I am now seeing that users are are removed from one AD group and added to another group do not have this change reflected in the ACS system. This is because ACS only looks at the AD group for *unknown users*. The user who has moved AD groups was an unknown user, but, upon first logon, that user became a discovered user. From that point forward, only credentials are checked, not group membership.
  On the User Setup section in ACS, there is a button to *Remove Dynamic Users*.
  I would love to know the following:
  1. Is there a way to have ACS check the current group assignment in AD for *Discovered Users*?
  2. If not, is there a way to automate the *Remove Dyanmic Users* fucntion? I have used CSUtil in the past but it seems a little cumbersome for this feature in that I had to dump out the users, reformat the output, and then push the deletion back through. I don't recall it making distinctions of known versus discovered users. It just had users names in ACS groups.
  Any insights would be greatly appreciated!

  Right, I mention that in my original post. But it requires me to go in and do it. Not the automated process I am looking for.
  The other approach I mentioned is to script around the CSUTIL command. While it meets part of the automation requirement, it is not very robust and does not do exactly what I am looking for. It also becomes another complex script that I would have to support.
  Thank you.

• Add LDAP role to user from java

  This is what I have which get's called when the LDAP account is created, but for some reason this gives me the error:
  try {
  tcLookupOperationsIntf lookup = (tcLookupOperationsIntf) tcUtilityFactory.getUtility(provider, "Thor.API.Operations.tcLookupOperationsIntf");
  tcFormInstanceOperationsIntf f = (tcFormInstanceOperationsIntf) tcUtilityFactory.getUtility(provider, "Thor.API.Operations.tcFormInstanceOperationsIntf");
  tcResultSet result = lookup.getLookupValues("Lookup.iPlanet.TitleGroups");
  String groupDN = null;
  for (int i = 0; i < result.getRowCount(); i++) {
  result.goToRow(i);
  if (result.getStringValue("Lookup Definition.Lookup Code Information.Code Key").equalsIgnoreCase(title)) {
  groupDN = result.getStringValue("Lookup Definition.Lookup Code Information.Decode");
  break;
  if (groupDN != null) {
  Map attrChildData = new HashMap();
  attrChildData.put("UD_IPNT_GRP_GROUP_NAME", groupDN);
  f.addProcessFormChildData(Long.valueOf(childKey), Long.parseLong(pKey), attrChildData);
  } catch (Exception e) {
  e.printStackTrace();
  I think I have the child key messed up. What is the correct way to get the child key of the IPNT group form?

  You'll want to get it from the process instance key. Here is an old post of mine that should help you out: Re: Create Access Policy with OIM API: can't fill child form
  -Kevin

• Looking for Help with Active Directory Script to Remove a User from msExchDelegateListLink

  I'm struggling to put together an Active Directory Powershell script that will remove a specific user from the msExchDelegateListLink.
  It looks like Set-AdUser would do the trick. I would want to remove a user in the format of
  {CN=Wood\, Sandy,OU=Networking,OU=IT,DC=my,DC=domain,DC=com}
  Has anyone succeeded in doing this before?
  Orange County District Attorney

  I use this:
  $user = '<user name>'
  $userDN = Get-ADUser $user | select -ExpandProperty DistinguishedName
  $delegates = Get-ADUser $user -Properties msExchDelegateListBL |
  select -ExpandProperty msExchDelegateListBL
  foreach ($delegate in $delegates)
  Set-ADUser $delegate -Remove @{msExchDelegateListLink = "$UserDN"}
  Never quite got around to putting it into a function.
  [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

• Removing admin user from planning application

  Hi,
  i have a small question that possibly u can answer easily.
  in workflow process when users click "change status", at promote and approve "admin" user comes up with in combo-box.
  we are sharing shared services with another project team so i dont wanna show "admin" to my users in that list cos i have "plnadmin" as application owner.
  by the way "admin" was deprovisioned from planning applications on HSS such that he cannot log-in to planning application. (user doesnot exists for this application message.)
  but he still exists in workflow process combo-boxes and "Administration->Application Settings->Assign application Owner" combo-box.
  how can i remove him ?
  thx,
  Version: 11.1.1.2

  Hi,
  In theory it should remove the admin user if they have been deprovisioned and the application owner assigned to another user. I did a quick check on 11.1.1.3 and it removed the admin user from the workflow and tables.
  Maybe it has not removed the user because a workflow was already in progress even though it worked for me.
  There are probably a number of ways to try and removing the user e.g. try restart planning service and log into the application to see if it syncs up with shared services (it should do if the property SYNC_USER_ON_LOGON is set to true, which is default for planning)
  Try stopping the workflow process and run a refresh, or go to access permissions for a member and click migrate identities to see if it clears the table.
  Final stage would be to manually remove from the repository tables.
  (sorry if I have not covered all areas, I sure somebody will give you different ideas or repeat what I say)
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Removing the user from standard task group

  Experts,
  I need to remove the one user from the standard task "Display MC Document (outbound w/o IDoc)". Since it is a standard task I'm not able to make any changes.
  I hope I need to change in the agent which is assigned to this task. But donno how to find the agents assigned to this task.
  Please help me in resolving this.
  Thanks,
  Naveen

  Hi Naveen,
  If that user assigned as the 'Possible agent' of the task then you can remove the user easily.
  In the workflow template, go that activity. Under the Task ID there is a option called 'Agents' and click that icon to open. In the new screen, the possible agents of this task will be displayed.
  Select the desired user and delete it.
  Thanks,
  Viji.

• Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

  Hello.  Can anyone help please
  In our exchange 2010 environment we have users who are granted send on behalf to access.  Obviously some users leave and I m finding that there are ghosts left behind which are causing issues with our team who add users into the grantsendonbehalfto
  option using the EMC.  Using the log view we coy out the command and then remove the disabled user from the command and then paste this into an Exchange Powershell command line.  This wrks because it is doing what Exchange EMC does which is rewrites
  the -GrantSendOnBehalfTo option in it new entirety.  
  The problem occurs because I need to remove these en-mass from approx 700 plus accounts.  
  I have tried to modify one user in order to get the script to work but it doesn't.
  This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:-
  Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that i
   was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2
  13-08/Gaynor Collins-Punter isn't the expected type.
      + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : F6498844
      + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
  Am running the script from my local PC
  This is the script I have used.
  # Gather info use get-mailbox -resultsize unlimited$mailboxes = Get-Mailbox zplew1
  Foreach($mailbox in $mailboxes)
  for($i = ($mailbox.GrantSendOnBehalfTo.count)-1; $i -ge 0; $i--)
  $address=$mailbox.GrantSendOnBehalfTo[$i]
  $addressString=$address.addressString
  If($addressString -like "*disabled*")
  $mailbox.GrantSendOnBehalfTo.removeat($i)
  $info >> "C:\Scripts\grantsendonbehalfto.csv"
  $mailbox |set-mailbox -GrantSendOnBehalfTo $mailbox.grantsendonbehalfto
  }If you requiere any more info please let me know.

  #1 - I recommend posting in xchange forum fo rhow to do this
  #2 - Wen an account is disabled most on the information in the object is hidden.  YOu would need to undelete to use the object.
  #3 - Get list as text and validaye al values are not deleted accounts.  Remove deleted and save back.
  ¯\_(ツ)_/¯

• Problem deleting user from Unity Connection 8.5.1 - BulkUserDelete

  We are having issue deleting a user from Unity Connection 8.5.1
  We tried the command line to remove the user, no go. We also installed the CUC Clean Inconsistency 1.2 and that to did not remove it.
  We then tried BulkUserDelete tool and the initiial search in BulkUserDelete see's the problem user (alias) but on the next screen where you select the users, on that step the BulkUserDelete no longer see's the problem user.
  Anyone know of other way to remove a problem user from CUC?

  Thanks, Rob. I appreciate you taking the time to reply. I feel much more confident about the whole procedure now.
  I've read many of your replies to others on this same issue so I'm pretty certain you know what you're talking about. One of the documents I read that made me doubt what TAC said is the document by Saurabh - I've read it through several times already and found it very helpful. Thanks for linking to it.
  There's a scheduled back up of UC performed every night (all options are checked). Should I still do a COBRAS backup too or is that unnecessary?
  Once the upgrade file installation is complete, do I need to do anything else? From what I've read, this is similar to running a Windows (or Mac) operating system update/patch - start the upgrade file, wait for it to run and once it's complete, reboot the system and continue as usual (assuming everything went OK). Is that right?
  Thanks again!
  Lisa

• Remove role from user

  HI how do i remove a role from a user when he id terminated or disabled.
  I am assigning a role in the following way during creation with the help of a rule
  <setvar name='newuser.waveset.roles'>
  <filterdup>
  <appendAll>
  <ref>accounts[Lighthouse].roles</ref>
  <s>General-Provision-Role</s>
  <rule name='Get Location Role'>
  <argument name='LocationCode' value='$(newuser.global.LocationCode)'/>
  </rule>
  </appendAll>
  </filterdup>
  </setvar>
  How do I remove this role when termination of user.

  We looking for a way to automate the removing of a user (US) or role (AG) from a position (S).
  There is a report called RHGRENZ2 which can be used to delimit specific OM infotypes (like IT1001- Relationships) specifying the end-date and Position ID (Object Type S and Object ID= Position) manually. In your case, I believe IT1001's Relationship A008 and B007 have to be delimited in order to remove a user (US) or role (AG) from a position (S) but this report cannot be run for specific relationship types of IT1001 (atleast I did never find an option to filter based on relationship types).
  You can try using report RHRHDL00 to delete IT1001 relationships from PP Database but you should consider the consequences of such deletions and restrict the selection based in infotypes and relationship types carefully.
  Alternatively, you can also build a LSMW script to automate the process of mass delimit/deletion of IT1001's relationship types using transaction PP02 (PP01 is not compatible to BDC/background processing)
  Thanks
  Sandipan

• Deassignment of users from roles

  Hi,
  We have a couple of users in our system who are assigned to some standard SAP roles.
  These roles are themselves not composite roles , but form a part of some composite roles.
  Now when I try to deassign the "blue" users from these roles, it's not possible.
  How do I go about it?
  Please help.
  Thanks,
  Saba.

  Hi,
  Both ways its not possible.
  When I remove the user from the role, it comes back after user comparison:((
  & the role refuses to get deleted from the user.
  Also, both appear in blue.
  Plsss. help..
  Thanks,
  Saba.

• How we can remove  one authorization object from multiplt roles

  How we can remove one authorization object from multiplt roles

  > Correct me if I am wrong !!
  O.K., Here I go
  > But if the object is maintained in SU24 and if you use Expert mode for generation of the role then again those objects may be pulled.(make sure you never use expert mode once you delete the objects)
  Actually using expert mode and choosing 'edit old status' is the only way to avoid objects being 'pulled in' after menu changes.
  > As jurjen said, you may download the tables and instead of deleting the object from the excel sheet, change the value of the object in column "DELETED" = X, by doing this only the objects get inactivated(but remain in PFCG).
  I am not speaking of downloading tables but about downloading roles from PFCG. This will not get you a spreadsheet but a flat textfile. If you whish to set the object status to deleted you'll have to swap the space on position 207, right behind the 'U, S, G' flag,  with an 'X' for all corresponding lines.
  Jurjen