
Cleaning up old RBE Entitlements

I recently started working on an IdM system that had apparently used RBE-based entitlements at one point in its history. They've been using RBPM for many, many years, but the old RBE entitlements were never revoked from the older users. There are quite a few of them (a couple thousand). I was going to just build an LDIF to remove them, but before I do, does anyone see any danger in doing that? I can't think of any, since nothing reacts to RBE-based entitlements in this system now, but I thought I'd check. Thoughts?

TIA

Matt

5 Replies
Admiral

The way some people do it, which is also the most work, is to build a Role/Resource model which does exactly the same as what is in place (maybe even using the same entitlements), and then, when you're sure everything works, you assign all users to the new roles. If nothing changes, then you're in luck and can clean up the old stuff.

This is no easy undertaking. 

Admiral

I think that is basically what was done here. Someone built all the roles and resources to match what RBE was doing, using the same entitlements. But they never removed the RBE-assigned ones.

So, for example, you'll see the AD User Account entitlement on a user assigned by both UA and RBE. Now say UA revokes the UserAccount. The problem is that the RBE one still grants it, so using the out-of-the-box AD driver, you can see a revoke followed immediately by an add based on the RBE entitlement.

Since I posted this, I did move forward with building an LDIF to remove the RBE-assigned entitlements and, as long as the UA ones are there, this seems to be a safe thing to do.

Matt
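As an added illustration of the LDIF approach described in the post above (this is example code written for this page, not Matt's LDIF or anything shipped with NetIQ IdM), the script below reads an LDIF export of the affected users and emits a modify LDIF that deletes only the RBE-sourced DirXML-EntitlementRef values that have a UA-sourced twin for the same entitlement and the same payload parameter. It assumes the common entitlement-reference layout `<entitlement DN>#<state>#<ref>...<src>UA|RBE</src>...</ref>`; the sample export, the DNs and the ids in it are constructed for the example.

```python
"""Build a modify LDIF that strips RBE-sourced DirXML-EntitlementRef values
while leaving any value that is not backed by a UA-sourced twin.

Example code for this page, not from the forum thread or the product.
Assumption: a DirXML-EntitlementRef value looks like
    <entitlement DN>#<state>#<ref><src>UA</src>...</ref>
with <src>RBE</src> for the legacy role-based entitlement grants and an
optional <param>...</param> carrying e.g. the group DN.
"""
import base64
import re
from collections import defaultdict

ATTR = "DirXML-EntitlementRef"
SRC_RE = re.compile(r"<src>(.*?)</src>", re.S)
PARAM_RE = re.compile(r"<param>(.*?)</param>", re.S)

# Constructed sample export (not real data): jdoe has UA+RBE pairs for the
# account and a group; asmith has an RBE-only account ref that must be kept.
SAMPLE_EXPORT = """\
dn: cn=jdoe,ou=users,o=data
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#1#<ref><src>UA</src><id>101</id></ref>
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#1#<ref><src>RBE</src><id>7</id></ref>
DirXML-EntitlementRef: cn=Group,cn=AD Driver,cn=DriverSet,o=system#1#<ref><src>UA</src><id>102</id><param>CN=Sales,OU=Groups,DC=example,DC=com</param></ref>
DirXML-EntitlementRef: cn=Group,cn=AD Driver,cn=DriverSet,o=system#1#<ref><src>RBE</src><id>8</id><param>CN=Sales,OU=Groups,DC=example,DC=com</param></ref>

dn: cn=asmith,ou=users,o=data
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#1#<ref><src>RBE</src><id>9</id></ref>
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines and decodes '::' base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            elif not raw.startswith("#"):          # skip LDIF comments
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _sep, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def ref_parts(value):
    """Split a ref into (entitlement DN, source, key) where key = (DN, <param> text)."""
    ent_dn, _state, payload = value.split("#", 2)
    src = SRC_RE.search(payload)
    param = PARAM_RE.search(payload)
    return ent_dn, (src.group(1) if src else ""), (ent_dn, param.group(1) if param else "")


def rbe_refs_to_remove(entries):
    """Map user DN -> RBE ref values that have a UA twin (same entitlement and param).
    RBE-only refs are deliberately left alone: deleting them would be a real revoke."""
    plan = {}
    for dn, attrs in entries:
        ua_keys, candidates = set(), []
        for value in attrs.get(ATTR, []):
            _ent_dn, src, key = ref_parts(value)
            if src == "UA":
                ua_keys.add(key)
            elif src == "RBE":
                candidates.append((key, value))
        doomed = [v for k, v in candidates if k in ua_keys]
        if doomed:
            plan[dn] = doomed
    return plan


def ldif_value(value):
    """Emit the value base64-encoded when RFC 2849 does not allow it in clear text."""
    safe = value.isascii() and "\n" not in value and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{ATTR}: {value}"
    return f"{ATTR}:: {base64.b64encode(value.encode()).decode()}"


def build_modify_ldif(plan):
    """Render one 'changetype: modify / delete' record per user with the exact values."""
    out = []
    for dn, values in plan.items():
        out += [f"dn: {dn}", "changetype: modify", f"delete: {ATTR}"]
        out += [ldif_value(v) for v in values]
        out += ["-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_modify_ldif(rbe_refs_to_remove(parse_ldif(SAMPLE_EXPORT))))
```

Deleting by exact value rather than clearing the whole attribute is what keeps the UA-sourced references (and therefore the account and group memberships) in place. Review the generated LDIF before applying it, and keep in mind that each removed value is still an event the driver will see.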

Vice Admiral

The one caution I'd give you is that this will create events (remove DirXML-EntitlementRef values) on the drivers. Depending on how your policies are written, the event of that remove could cause some other policies to fire that do other activities.

Robert Ivey
GCA Technology Services
https://www.gca.net
Commodore

Be sure no other activities are running on your system: disable all drivers, remove the old entitlements and enable the drivers again. But be sure no old entitlements are still used somewhere. If not, you will be fine. Maybe do a migration over the drivers so you are sure your targets are all in sync.

Michiel Los
Admiral

Thanks for all the tips. From my testing so far, I'm pretty sure it's not going to be a problem. It looks like the RBE-assigned entitlements were mostly User and Group assignments in the AD driver, and I've already verified proper behavior there (the UA-assigned ones maintain the user's account and memberships). Although disabling the AD driver during the removal isn't a bad idea regardless.

Matt
