Idea ID: 1672189

SMAX - IDM, Deleting Federated users using Managed person API

Status : Delivered
over 2 years ago

Hi,

This is regarding an enhancement related to managing federated users in Suite back office.

As of now, using the ManagedPersons API we can create/update users of all types (DB/LDAP/FEDERATION). However, we have recently learnt that the "DELETE" operation is not possible if the user type is LDAP or FEDERATION.

MicroFocus official documentation says that it is possible; however, we found this info to be erroneous through a support ticket, after we found that DELETE is actually not working.

To have a completely automated use case for managing users from AD, this delete operation is very crucial and it is also a common use case.

So, the following is what is formally requested in this ER:

  1. Create users of all types using Managed Person API (already exists)
  2. Update users using Managed Person APIs (part of it exists now, however changing things like AUTH TYPE is not possible)
  3. DELETE/DISABLE users using Managed Person API (only DB users can be deleted as of now)

Thanks

Harsha

  • This idea has been implemented in product release SMAX 2019.02. Check out the release notes for details. Thanks to all of our contributors for helping us continue to improve our products!

  • Great news, this idea has been accepted on our product roadmap. Subscribe to receive updates. (This is not a formal commitment, and subject to change)

  • Hi Harsha

    Indeed you are correct, there are some governance or security questions they need to consider regarding this.

    Getting the ID of the user is very easy, we execute that step before we do the update.

    And on your third point, yes, this can be removed at any time.

    Best to consult with MicroFocus on what is the best approach.

  • I see 3 issues in using ChangeUserAPI from back office

    1. We are using managedPersonsAPI and hence using a dedicated Integration User. To use the ChangeUserAPI you have suggested to change auth type, they need to use the “suite-admin” user credentials, which is not preferred as they will then have the full suite access…!

    2. We noticed that the “key field” for the Change auth type API is “user id”, which is unique to suite administration only. What this means is that we need to first find out the user id of the user that we would want to delete and then change the auth type. Also, this user id is unique to Suite-administration only and not the same as the one inside SMAX’s person record.

    3. ChangeUserAPI is never used as a Public API in the documentation, so there is a risk of it being changed in the future and we are not aware of it...

  • As you mentioned, you have to change a Federated user to a DB User before you can delete it.

    The webservice for BO does allow you to change the Authentication Type, I have tested and done this

    You need to use the following WebService

    https://<FQDN>/bo/rest/entities/user/changeUsersOrg

    If this is supported, I don't know and I would check with MicroFocus if there is any effect by doing it this way