Accounts from previous LDAP still have access even after pointing EEM to a new LDAP

Article ID: 212114

Updated On:

Products

Autosys Workload Automation

Issue/Introduction

We made an LDAP change in the EEM configuration to reference a new AD host. After the change we have some accounts which initially existed in the previous AD but do not exist in the new AD (this was expected). We are not able to pull up these accounts in the EEM because they do not exist in the new AD. However, the users are still able to make job changes/modifications, etc. using these accounts. Please advise on this. Is this due to the account information/policy assignments being stored in the EEM database?

Environment

Release : 11.3.6

Component : WORKLOAD CONTROL CENTER

Component : EEM 

Resolution

When EEM is pointed to LDAP and you then update a user's details, for example by adjusting their application group membership, EEM creates an entry for that user in the EEM DB even though they are an LDAP user. If you later change the EEM LDAP settings to point to a different LDAP, those users' details remain in the DB, and any policies you defined for them or their group memberships remain active/available.

To remove or disable those users or memberships, the best method is to export the users to an XML file via the EEM UI, make the needed adjustments to the XML file, and then import it back in via safex.

Something like:

<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<Safex>
  <Attach label="WorkloadAutomationAE"/>
  <!-- Keep the user entry, but delete its membership in one application group -->
  <Modify>
    <User folder="/" name="mydomain\\user123">
      <GroupMembership mode='delete'>WorkloadAutomationAEWebService</GroupMembership>
    </User>
  </Modify>
</Safex>

or

<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<Safex>
  <Attach label="WorkloadAutomationAE"/>
  <!-- Remove the user entry from the EEM DB entirely -->
  <Remove>
    <User folder="/" name="mydomain\\user123">
    </User>
  </Remove>
</Safex>

For more safex details see:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/other/Embedded-Entitlements-Manager/12-6/programming/safex-command-line-reference.html
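
When many accounts are affected, the export-edit-import step can be scripted. The following Python is an added example, not part of the original article or of EEM: it assumes the export uses the same User and GroupMembership elements as the snippets above and that the caller supplies the new directory's account names in the form EEM stores them. The sample export, the names in it, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; assumes the EEM export uses the same <User> and
# <GroupMembership> elements as the import snippets in this article.
SAMPLE_EXPORT = r"""<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<Safex>
<Attach label="WorkloadAutomationAE"/>
<Add>
<User folder="/" name="mydomain\\user123">
<GroupMembership>WorkloadAutomationAEWebService</GroupMembership>
</User>
<User folder="/" name="newdomain\\alice">
<GroupMembership>WorkloadAutomationAEWebService</GroupMembership>
</User>
<User folder="/" name="mydomain\\svc_old"/>
</Add>
</Safex>"""


def stale_users(export_xml, current_names):
    """Return (folder, name, groups) for exported users missing from the new directory."""
    current = {n.casefold() for n in current_names}  # AD account names are case-insensitive
    found = []
    for user in ET.fromstring(export_xml).iter("User"):
        name = user.get("name", "")
        if name and name.casefold() not in current:
            groups = [g.text for g in user.findall("GroupMembership") if g.text]
            found.append((user.get("folder", "/"), name, groups))
    return found


def build_cleanup(label, stale, remove=False):
    """Build a safex document: delete memberships (default) or remove the users."""
    root = ET.Element("Safex")
    ET.SubElement(root, "Attach", label=label)
    action = ET.SubElement(root, "Remove" if remove else "Modify")
    for folder, name, groups in stale:
        if not remove and not groups:
            continue  # no stored membership to delete for this user
        user = ET.SubElement(action, "User", folder=folder, name=name)
        for group in ([] if remove else groups):
            ET.SubElement(user, "GroupMembership", mode="delete").text = group
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    stale = stale_users(SAMPLE_EXPORT, [r"NEWDOMAIN\\Alice"])
    print(build_cleanup("WorkloadAutomationAE", stale))
    print(build_cleanup("WorkloadAutomationAE", stale, remove=True))
```

Review the generated file against the export before importing it with safex, since a name-format mismatch between the two lists would mark valid users as stale.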