Symantec IGA

  • 1.  Delete Inclusion between Ad account and Global user

    Posted Sep 15, 2017 09:45 AM

    Hi All,

    I have to delete the inclusion between AD account and global user for around 2K users, and add the AD account inclusion to some other global user (again 2K).

    Is there a way to achieve the same?

    For a single user I can do this using Provisioning Manager, REMOVE ACCOUNT FROM USER.

    Does anyone have an ETAUTIL script for the same, or any other suggestion?

    Thanks in advance!!!

    Regards

    Amit Malik




  • 2.  Re: Delete Inclusion between Ad account and Global user
    Best Answer

    Broadcom Employee
    Posted Sep 20, 2017 04:46 AM

    Hi Amit Malik,

    Creating an Inclusion Object is documented in the Provisioning Manager help topics.
    The DELETE statement to remove an inclusion object follows the same syntax:

    etautil [-n] [-d domain]
    [-u user [-p password]]
    delete
    base dn class name=keyname
    in parent base dn
    parent class name=keyname
    [relationship=rel]

    Here is a sample script I successfully tested this morning in my lab:

    SET ETAHOME="C:\Program Files (x86)\CA\Identity Manager\Provisioning Server"
    %ETAHOME%\bin\etautil -u superadmin -p secret delete 'eTADSContainerName=Users,eTADSDirectoryName=imr126ads,eTNamespaceName=ActiveDirectory,dc=im' eTADSAccount eTADSAccountName='phil guihard04' in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im' eTGlobalUser eTGlobalUserName='guiph04' eTRelationship=USERACCOUNT

    Also, eTADSAccountName='phil guihard04' can be generic as eTADSAccountName='*'.

    Based on such a unit batch request, you can build a script to loop on your global users list and to remove each of those inclusions.

    Regards,

    Philippe.



  • 3.  Re: Delete Inclusion between Ad account and Global user

    Posted Sep 20, 2017 05:00 AM

    Thanks Philippe,

    I created a bat file for all employees containing etautil scripts and executed the same on the provisioning server.

    It worked fine.

    etautil -d idv -u  -p XXXX delete 'eTADSOrgUnitName=StoreUsers,eTADSDirectoryName=Store AD,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName=C1999915 in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=1999915 eTRelationship=USERACCOUNT

    etautil -d idv -u  -p XXXX add 'eTADSOrgUnitName=StoreUsers,eTADSDirectoryName=Store AD,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName=1999915 in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=1999915 eTRelationship=USERACCOUNT

    I will now try to achieve the same as you have mentioned. Will update you.

    Thanks for sharing.

    Regards,

    Amit
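
An added example, not part of the original thread: one way to generate the batch file of delete/add pairs from a CSV mapping, using the command form shown in the posts above. The CSV columns, the target user IDs and the `ETA_ADMIN`/`ETA_PASSWORD` environment variable names are assumptions; names containing the `*` wildcard, quotes or cmd.exe metacharacters are rejected instead of being written into a command.

```python
import csv
import io
import re

# Container DNs and domain copied from the thread; adjust for your directory.
ACCOUNT_BASE = "eTADSOrgUnitName=StoreUsers,eTADSDirectoryName=Store AD,eTNamespaceName=ActiveDirectory"
USER_BASE = "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects"
DOMAIN = "idv"

# Allowlist for names: rejects the '*' wildcard, quotes and cmd.exe
# metacharacters (& | < > ^ %), so one bad CSV cell cannot widen a delete.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]*")

# Constructed sample input: account, current global user, target global user.
SAMPLE_CSV = """account,old_user,new_user
C1999915,1999915,2999915
C1999916,1999916,2999916
*,1999917,2999917
C1999918,1999918,1999918
"""

def etautil_line(verb, account, user):
    # Credentials are %VAR% references (hypothetical variable names) expanded
    # by cmd.exe at run time, so the .bat file never stores the password.
    return (f"etautil -d {DOMAIN} -u %ETA_ADMIN% -p %ETA_PASSWORD% {verb} "
            f"'{ACCOUNT_BASE}' eTADSAccount eTADSAccountName='{account}' in "
            f"'{USER_BASE}' eTGlobalUser eTGlobalUserName='{user}' "
            "eTRelationship=USERACCOUNT")

def build_batch(csv_text):
    """Return (command lines, rejected rows) for a delete-then-add re-link."""
    lines, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct, old, new = (row[k].strip() for k in ("account", "old_user", "new_user"))
        if not all(SAFE_NAME.fullmatch(v) for v in (acct, old, new)):
            rejected.append((acct, "unsafe or wildcard name"))
        elif old == new:
            rejected.append((acct, "old and new user are identical"))
        elif acct in seen:
            rejected.append((acct, "duplicate account"))
        else:
            seen.add(acct)
            lines.append(etautil_line("delete", acct, old))
            lines.append(etautil_line("add", acct, new))
    return lines, rejected

if __name__ == "__main__":
    commands, skipped = build_batch(SAMPLE_CSV)
    print("\n".join(commands + [f"REM skipped {a}: {r}" for a, r in skipped]))
```

Review the rejected rows before running the generated file; a rejected row means that account keeps its current inclusion.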



  • 4.  Re: Delete Inclusion between Ad account and Global user

    Posted Dec 29, 2018 09:27 AM

    Hi Amit,

    I tried doing the same but my script is going into a hung state. I am trying to remove the relationship with SAP.

    There is also no error log coming in etatrans.

    Regards,

    Mainak



  • 5.  Re: Delete Inclusion between Ad account and Global user

    Posted Dec 29, 2018 09:37 AM

    I have used a similar command but the intended deletion of the user account association is not happening.

    etautil -d im -u etaadmin -p secret delete 'eTSAPAccountContainerName=Accounts,eTSAPDirectoryName=SAP BW Test,eTNamespaceName=SAP R3,dc=im' eTSAPAccount 'eTSAPAccountName=ASAPKARUP' in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im' eTGlobalUser eTGlobalUserName='a80111105666' eTRelationship=USERACCOUNT

    There is no error in the log and this command is not even exiting. It's in a hung state for quite a long time. None of the other etautil commands take this much time.

    The log is giving the output below:


    20181229:152935:TID=ffdb70:Search :E703:----:S: ============================================================
    20181229:152935:TID=ffdb70:Search :E703:----:S: External Search (eTDSAContainerName=DSAs) Requested by User etaanon - TenantNotSe
    20181229:152935:TID=ffdb70:Search :E703:----:S:+t
    20181229:152935:TID=ffdb70:Search :E703:----:P: base-dn: eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects
    20181229:152935:TID=ffdb70:Search :E703:----:P: scope : ONE-LEVEL
    20181229:152935:TID=ffdb70:Search :E703:----:P: filter : (objectClass=*)
    20181229:152935:TID=ffdb70:Search :E703:----:P: attrs : <ALL>
    20181229:152935:TID=ffdb70:Search :E703:----:I: AUTH CHECK: [Authenticated access to eTDSAContainer objects in scope eTDSAContain
    20181229:152935:TID=ffdb70:Search :E703:----:I:+erName=DSAs,eTNamespaceName=CommonObjects] => GRANTED
    20181229:152935:TID=ffdb70:Search :D704:E703:S: DB Search (eTDSAContainerName=DSAs) Requested by User etaanon - TenantNotSet
    20181229:152935:TID=ffdb70:Search :D704:E703:P: URL: ldaps://ca-prov-srv:20391
    20181229:152935:TID=ffdb70:Search :D704:E703:P: base-dn: eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im
    20181229:152935:TID=ffdb70:Search :D704:E703:P: scope : ONE-LEVEL
    20181229:152935:TID=ffdb70:Search :D704:E703:P: filter : (objectClass=*)
    20181229:152935:TID=ffdb70:Search :D704:E703:P: attrs : <ALL>
    20181229:152935:TID=ffdb70:Search :D704:E703:F: SUCCESS: DB Search (eTDSAContainerName=DSAs), entry-count: 1, attributes: objectC
    20181229:152935:TID=ffdb70:Search :D704:E703:F:+lass,eTDSAName,eTDSADbTlsPort,eTDSADbHost,eTDSADbSuffix,eTCreateUserid,eTDSAHost,
    20181229:152935:TID=ffdb70:Search :D704:E703:F:+eTCreateUserName,eTDSADbPort,eTDSATlsPort,eTDSASuffix,eTDSAPort
    20181229:152935:TID=ffdb70:Search :E703:----:I: FINAL SEARCH FILTER:
    20181229:152935:TID=ffdb70:Search :E703:----:I: (objectClass=*)
    20181229:152935:TID=ffdb70:Search :E703:----:F: SUCCESS: External Search (eTDSAContainerName=DSAs), entry-count: 1, attributes: o
    20181229:152935:TID=ffdb70:Search :E703:----:F:+bjectClass,eTDSAName,eTDSADbTlsPort,eTDSADbHost,eTDSADbSuffix,eTCreateUserid,eTDS
    20181229:152935:TID=ffdb70:Search :E703:----:F:+AHost,eTCreateUserName,eTDSADbPort,eTDSATlsPort,eTDSASuffix,eTDSAPort
    20181229:152935:TID=7fcb70:Unbind :E705:----:S: ============================================================
    20181229:152935:TID=7fcb70:Unbind :E705:----:S: External Unbind (eTGlobalUserName=etaadmin) Requested by User etaanon - TenantNot
    20181229:152935:TID=7fcb70:Unbind :E705:----:S:+Set
    20181229:152935:TID=7fcb70:Unbind :E705:----:P: dn: eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamesp
    20181229:152935:TID=7fcb70:Unbind :E705:----:P:+ aceName=CommonObjects,dc=im
    20181229:152935:TID=7fcb70:Unbind :E705:----:F: SUCCESS: External Unbind (eTGlobalUserName=etaadmin)
    20181229:152936:TID=cceb70:Bind :E706:----:S: ============================================================
    20181229:152936:TID=cceb70:Bind :E706:----:S: External Bind (eTGlobalUserName=etaadmin) Requested by User <anonymous> - TenantN
    20181229:152936:TID=cceb70:Bind :E706:----:S:+otSet
    20181229:152936:TID=cceb70:Bind :E706:----:P: dn: eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamesp
    20181229:152936:TID=cceb70:Bind :E706:----:P:+ aceName=CommonObjects,dc=im
    20181229:152936:TID=cceb70:Bind :E706:----:I: PWDPROF-CACHE: Password Profile found in Cache
    20181229:152936:TID=cceb70:Bind :E706:----:I: FOUND EXISTING CACHED ITEM
    20181229:152936:TID=cceb70:Bind :E706:----:I: eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=
    20181229:152936:TID=cceb70:Bind :E706:----:I:+CommonObjects,dc=im
    20181229:152936:TID=cceb70:Bind :E706:----:I: USER-PRIV-CACHE STATS { SIZE: 1 of 20, USED 1 for 1, CAN 0 UNINIT 0 }
    20181229:152936:TID=cceb70:Bind :E706:----:I: PWDPROF-CACHE: Password Profile found in Cache
    20181229:152936:TID=cceb70:Bind :E706:----:F: SUCCESS: External Bind (eTGlobalUserName=etaadmin)



  • 6.  Re: Delete Inclusion between Ad account and Global user

    Posted Jan 02, 2019 05:16 AM

    Hi Mainak,

    Try the command below:

    etautil -d im -u etaadmin -p secret delete 'eTSAPAccountContainerName=Accounts,eTSAPDirectoryName=SAP BW Test,eTNamespaceName=SAP R3' eTSAPAccount eTSAPAccountName='ASAPKARUP' in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='a80111105666' eTRelationship=USERACCOUNT

    Kindly share a cmd screenshot or the output for the above command.

    If the command does not work:

    1) Stop the im_ps service

    2) Rename the latest etatrans log file

    3) Delete the inclusion manually via Provisioning Manager

    4) Share the trans logs here


    Thanks,

    Amit