CA Service Management

  • 1.  How to prevent reassigned Service Catalog user roles from defaulting when running LDAPImporter?

    Posted Jun 16, 2017 08:26 AM

    We are using LDAPImporter to pull users from AD into Service Catalog. Two users were reassigned with the role of 'Service Delivery Administrator' and were given this role by using add-spadmin-user. After the scheduled run of LDAPImporter, the roles for these two users are changed back to the default of 'Catalog User'. Based on the documentation below, I have even tried adding the role through the UI, but it still goes back to the default after the run. Is there a parameter I have overlooked?

     

    CatalogUser.DefaultRole=role
    Specifies the CA Service Catalog role that users are assigned when they are imported for the first time.
    Once the users are imported for the first time, their role assignment is the same. Only when you use the CA Service Catalog UI to change the role assignment, does this value also change. This restriction applies even if you change the value of this parameter and import the users again. This restriction helps maintain the ability of users to log in to CA Service Catalog.

     

     

    Thanks!



  • 2.  Re: How to prevent reassigned Service Catalog user roles from defaulting when running LDAPImporter?

    Broadcom Employee
    Posted Jun 19, 2017 02:48 AM

    Good Morning Michele.
     
    Initial research for this shows me the below.
    Please check on this and let me know your findings.
     
    Description of the problem situation:
    As seen in the SC Integration guide for the 'CatalogUser.DefaultRole=role':
    Specifies the CA Service Catalog role that users are assigned when they are imported for the first time.
    Once users are imported for the first time, their role assignment does not change, unless you use the CA Service Catalog UI to change it.
    This restriction applies even if you change the value of this parameter and re-import the users.
    This restriction helps maintain the ability of users to log in to CA Service Catalog.
     
    The resolution text:
    After consulting the Engineering Team, this appears not to be true.
    And the documentation should be changed accordingly.
     
    When you reset the value in the .properties file, ldapimporter will change the role for each user it finds in the AD.
    To (re)set the role for only some specific users, you can limit the number of users, depending on the line from the ldap.properties file (the *** between **):
    LDAP.ImportType=User
    and
    LDAP.User.Filter= (sAMAccountName=*****)
     
    Thanks and kind regards, Louis van Amelsfort.



  • 3.  Re: How to prevent reassigned Service Catalog user roles from defaulting when running LDAPImporter?

    Posted Jun 19, 2017 09:58 AM

    Thanks for your help!

     

    So if I understand this correctly, all users being imported (first time or not) will receive the default value specified in the properties file.  It also looks like you can include/exclude users by specifying some sort of pattern on the filter.

     

    If that is correct, then limiting is probably not going to work in our environment.  So, can I execute a script after the import completes that will run add-spadmin-user for the two users who need the admin authority?  If so, how do you code the command 'ant add-spadmin-user' to include the two input parameters (userid and confirmation)?

     

    Thanks!

    Michele



  • 4.  Re: How to prevent reassigned Service Catalog user roles from defaulting when running LDAPImporter?
    Best Answer

    Broadcom Employee
    Posted Jun 20, 2017 02:05 AM

    Good Morning Michele.
     
    You could decide to create two different ldapimporter.properties files.
    C:\Program Files\CA\Service Catalog\ldapimporter_<server>_ALL.properties
    C:\Program Files\CA\Service Catalog\ldapimporter_<server>_SPADMIN.properties
     
    With settings:
    LDAP.ImportType=User
    LDAP.User.Filter= (sAMAccountName=*)
    and
    LDAP.ImportType=User
    LDAP.User.Filter= (sAMAccountName=*userid1*)
    LDAP.User.Filter= (&(l=New York)(directReports=*))
       
    And then run the ldapimporter like this:
    LDAPImporter.bat ...\LDAPImporter_<server>_ALL.properties ...\LDAPImporter_<server>_SPADMIN.properties
     
    Another option could be to create a group (spadmingroup) in AD with the spadmin-users in there.
    And then set the ldapimporter_<server>_SPADMIN.properties file with:
    LDAP.ImportType=Group
    LDAP.Group.Name=spadmingroup
     
    Thanks and kind regards, Louis.
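
Added example (not part of the thread and not CA code): a small Python model of the two-file run described above, showing which accounts end up with 'Service Delivery Administrator' when the SPADMIN filter is a substring pattern such as `*userid1*` versus an exact name. It assumes each properties file carries its own CatalogUser.DefaultRole, that the files are applied in the order given on the command line, and that every matched user receives that file's role; the account names are constructed.

```python
import re

DEFAULT = "Catalog User"
ADMIN = "Service Delivery Administrator"

# Constructed sAMAccountName values, for illustration only.
DIRECTORY = ["userid1", "userid10", "svc_userid1", "jsmith"]

def ldap_substring_match(pattern, value):
    """Model an LDAP substring filter value: '*' is the only wildcard,
    and sAMAccountName comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def run_passes(directory, passes):
    """Apply (filter_value, default_role) passes in order.
    Assumption: a later pass overwrites the role set by an earlier one."""
    roles = {}
    for pattern, role in passes:
        for account in directory:
            if ldap_substring_match(pattern, account):
                roles[account] = role
    return roles

def unintended_admins(roles, approved):
    """Accounts holding the admin role that are not on the approved list."""
    return sorted(a for a, r in roles.items() if r == ADMIN and a not in approved)

ALL_PASS = ("*", DEFAULT)                # (sAMAccountName=*)
SPADMIN_WILDCARD = ("*userid1*", ADMIN)  # (sAMAccountName=*userid1*)
SPADMIN_EXACT = ("userid1", ADMIN)       # (sAMAccountName=userid1)

if __name__ == "__main__":
    approved = {"userid1"}
    for label, spadmin in (("wildcard", SPADMIN_WILDCARD), ("exact", SPADMIN_EXACT)):
        roles = run_passes(DIRECTORY, [ALL_PASS, spadmin])
        print(label, "filter, unintended admins:", unintended_admins(roles, approved))
    # Reversed order: the ALL pass runs last and resets the admin account.
    print("reversed order:", run_passes(DIRECTORY, [SPADMIN_EXACT, ALL_PASS])["userid1"])
```

Under these assumptions the substring filter also promotes any account whose name merely contains the string, so an exact name or the AD group option keeps the admin role limited to the intended users.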



  • 5.  Re: How to prevent reassigned Service Catalog user roles from defaulting when running LDAPImporter?

    Posted Jun 22, 2017 06:30 AM

    Louis,

            I went with the option to use multiple property files and that seems to be working just fine.

     

    Thanks for your help!

    Michele