
Add/Remove Roles and Groups using Bulk Loader


Article ID: 111765


Products

CA Identity Manager, CA Identity Suite

Issue/Introduction



We would like to know how to add/remove the admin roles of users using the Bulk Loader.
Example: Several users have 4 admin roles and we need to remove only 1 admin role, keeping the other 3 admin roles.

Can this be accomplished with the Bulk Loader?

Environment

All versions of Identity Suite (Identity Manager)

Resolution

The Bulk Loader requests only support modification of attributes on the IM admin task's Profile tab, meaning you can't add or remove Roles (or groups) in bulk directly using the Bulk Loader.
What you could do is use the Bulk Loader to modify a user attribute that then triggers a PX or Identity policy in IM to add or remove the role (or group) based on that attribute modification.

The Bulk Loader cannot remove an existing role or group directly. To remove a role or group, the bulk load has to modify an attribute that triggers a task within IDM, which in turn calls a task to remove the role from the users.

Additional Information

Here is an example of a basic CSV file and PX Policy showing Admin Role Add/Remove.

Create a CSV input file with records that use the screen logical attributes |role_action| and |role_name|, for example:

action,%USER_ID%,|role_action|,|role_name|
modify,testuser1,add,AdminRole1
modify,testuser2,remove,AdminRole2

Create a PX Policy of type=SubmittedTask that executes on Task Completion of, say, the Modify User task and uses the screen logical attributes |role_action| and |role_name|, for example:

Data Element Name: |role_action|
Category: Attributes
Type: User Attribute
Function: Get
Attribute Name: |role_action|

Data Element Name: |role_name|
Category: Attributes
Type: User Attribute
Function: Get
Attribute Name: |role_name|

Action Rule Name: Add Admin Role
Priority: 0
Condition: |role_action| Equals add
Add Action Name: add admin role
Category: Roles
Type: Set Admin Role
Function: Add
Admin Role Name: {'|role_name|'}

Action Rule Name: Remove Admin Role
Priority: 1
Condition: |role_action| Equals remove
Add Action Name: remove admin role
Category: Roles
Type: Set Admin Role
Function: Remove
Admin Role Name: {'|role_name|'}

You also have to edit the task used in the PX Policy (for example, the Modify User task) so that on the Profile tab the checkbox "Always generate event even when no attributes have changed" is enabled, since the submitted task has no changes until after the PX Policy executes.
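
The following is an added example, not part of the original article and not CA/Broadcom code: a Python pre-load check for the feeder CSV shown above. Because the PX Policy adds or removes whatever admin role |role_name| names, and a |role_action| value other than add or remove matches neither action rule, the check flags both cases before the file is loaded. The approved-role set, the function name and the extra sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Header exactly as in the article's sample feeder file.
EXPECTED_HEADER = ["action", "%USER_ID%", "|role_action|", "|role_name|"]
# Values the PX Policy's two action rules match on ("Equals add" / "Equals remove").
VALID_ROLE_ACTIONS = {"add", "remove"}

def validate_feeder(text, approved_roles):
    """Return a list of (line_number, message) problems found in the feeder CSV."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        return [(1, "header does not match the expected feeder layout")]
    seen = {}  # (user, role) -> first role_action requested in this file
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # ignore blank lines
        if len(row) != len(EXPECTED_HEADER):
            problems.append((lineno, "wrong number of columns"))
            continue
        action, user, role_action, role = (c.strip() for c in row)
        if action != "modify":
            problems.append((lineno, f"action {action!r} is not 'modify'"))
        if not user:
            problems.append((lineno, "empty user id"))
        if role_action not in VALID_ROLE_ACTIONS:
            # Neither PX action rule would match, so the row would change nothing.
            problems.append((lineno, f"role_action {role_action!r} matches no action rule"))
        if role not in approved_roles:
            problems.append((lineno, f"role {role!r} is not on the approved list"))
        previous = seen.setdefault((user, role), role_action)
        if previous != role_action:
            problems.append((lineno, f"conflicts with earlier {previous!r} for {user}/{role}"))
    return problems

# Constructed sample input: the article's two rows plus three deliberately bad ones.
SAMPLE = """action,%USER_ID%,|role_action|,|role_name|
modify,testuser1,add,AdminRole1
modify,testuser2,remove,AdminRole2
modify,testuser3,delete,AdminRole2
modify,testuser4,add,UnreviewedRole
modify,testuser1,remove,AdminRole1
"""

if __name__ == "__main__":
    for lineno, message in validate_feeder(SAMPLE, {"AdminRole1", "AdminRole2"}):
        print(f"line {lineno}: {message}")
```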