How to get list of provisioning users that have no provisioning role?

Article ID: 43722

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

Need a way to find all provisioning users that have no assigned provisioning role.

How can I get a list of provisioning users that have no provisioning role assigned?

Environment

All Identity Manager

Resolution

Below is an LDAP query that you can run against the Provisioning Server (IMPS) to get that information.

Replace IMPS_HOST with the hostname of the Provisioning Server and PWD with the password of the 'etaadmin' user. The filter "(!(eTRoleDN=*))" matches every global user whose eTRoleDN attribute is absent, i.e. users with no provisioning role at all.

ldapsearch.exe -LLL -h IMPS_HOST -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w PWD -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -s one "(!(eTRoleDN=*))" eTGlobalUserName

If instead you want to find which users have a specific role, the search would look like this (replace MY_PROV_ROLE with the name of the provisioning role):

ldapsearch.exe -LLL -h IMPS_HOST -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w PWD -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -s one "(eTRoleDN=eTRoleName=MY_PROV_ROLE,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im)" eTGlobalUserName

Additional Information

Once you have the list of users from the first ldapsearch above, you can build an input file to feed into an etautil command such as:

etautil.exe -u USER -p PWD -f input.txt

where input.txt contains one command per line, for example:

update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='user1' to +eTRoleDN='eTRoleName=myrole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncUsers='1';

update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='user2' to +eTRoleDN='eTRoleName=myrole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncUsers='1';

If you want to remove the role from the user instead, the commands would look like the following:

update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='user1' to -eTRoleDN='eTRoleName=myrole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncDelete='1';

update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='user2' to -eTRoleDN='eTRoleName=myrole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTSyncDelete='1';
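The two halves of this article (the ldapsearch in the Resolution and the etautil input file in the Additional Information) are normally joined by hand. The script below is an added example, not code from the article or from CA/Broadcom, that does the join: it reads the LDIF that ldapsearch -LLL prints, pulls out each eTGlobalUserName, and writes one etautil update line per user, with "+" to add the role (eTSyncUsers='1') or "-" to remove it (eTSyncDelete='1'), exactly in the form shown above. The sample LDIF is constructed, ROLE_DN is a placeholder for your own role, and the ldapsearch call itself is only shown in a comment because it needs a live Provisioning Server.

```shell
#!/bin/sh
# Added example (not from the KB article): turn ldapsearch LDIF output into
# the etautil input file described above. SAMPLE_LDIF is constructed and
# ROLE_DN is a placeholder; substitute your own role DN.

CONTAINER='eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects'
ROLE_DN='eTRoleName=myrole,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im'

# Print one eTGlobalUserName value per line from LDIF read on stdin.
# Only plain "attr: value" lines match; base64 values ("attr:: ...") would
# need decoding first and are deliberately not emitted raw.
ldif_usernames() {
  awk '/^eTGlobalUserName: /{ sub(/^eTGlobalUserName: /, ""); print }'
}

# Read usernames from stdin and emit one etautil "update" command per user.
# $1 is "+" to add ROLE_DN to each user or "-" to remove it.
build_input() {
  op="$1"
  case "$op" in
    +) sync="eTSyncUsers='1'" ;;
    -) sync="eTSyncDelete='1'" ;;
    *) echo "build_input: first argument must be + or -" >&2; return 1 ;;
  esac
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    # A single quote would break etautil's quoting; skip such names loudly
    # instead of producing a malformed command.
    case "$user" in
      *\'*) echo "skipping user with quote in name: $user" >&2; continue ;;
    esac
    printf "update '%s' eTGlobalUser eTGlobalUserName='%s' to %seTRoleDN='%s' %s;\n" \
      "$CONTAINER" "$user" "$op" "$ROLE_DN" "$sync"
  done
}

# Constructed sample of what ldapsearch -LLL prints for two users with no role.
SAMPLE_LDIF="dn: eTGlobalUserName=user1,$CONTAINER,dc=im,dc=eta
eTGlobalUserName: user1

dn: eTGlobalUserName=user2,$CONTAINER,dc=im,dc=eta
eTGlobalUserName: user2
"

# Against a live Provisioning Server the pipeline would be:
#   ldapsearch.exe ... -s one "(!(eTRoleDN=*))" eTGlobalUserName | ldif_usernames | build_input + > input.txt
# Here the constructed sample stands in for the ldapsearch output.
printf '%s' "$SAMPLE_LDIF" | ldif_usernames | build_input +
```

Review the generated input.txt before handing it to etautil.exe -f: the ldapsearch filter returns every user with no eTRoleDN at all, which may include service or break-glass accounts that are intentionally roleless, so prune those lines rather than assigning the role to the whole result set.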