Cleaning up old RBE Entitlements
I recently started working on an IdM system that had apparently used RBE-based entitlements at one point in history. They've been using RBPM for many, many years, but the old RBE entitlements were never revoked off the older users. There are quite a few of them (a couple thousand). I was going to just build an LDIF to remove them, but before I do, does anyone see any danger in doing that? I can't think of any since nothing reacts to RBE-based entitlements in this system now, but I thought I'd check. Thoughts?
The way some people do it, which is also the most work, is to build a Role/Resource model which does exactly the same as what is in place (maybe even using the same entitlements), and then when you're sure everything works, you assign all users to the new roles - if nothing changes then you're in luck and can then clean up the old stuff.
This is no easy undertaking.
I think that is basically what was done here. Someone built all the role and resources to match what RBE was doing, using the same entitlements. But they never removed the RBE assigned ones.
So for example, you'll see AD User Account entitlement on a user assigned by both UA and RBE. Now say UA revokes the UserAccount. The problem is the RBE one still grants it, so using the out-of-the-box AD driver, you can see a revoke followed immediately by an add based on the RBE entitlement.
Since I posted this, I did move forward with building an LDIF to remove the RBE assigned entitlements and, as long as the UA ones are there, this seems to be a safe thing to do.
The one caution I'd give you is that this will create events (remove DirXML-EntitlementRef values) on the drivers. Depending on how your policies are written, the event of that remove could cause some other policies to fire that do other activities.
GCA Technology Services
Thanks for all the tips. From my testing so far I'm pretty sure it's not going to be a problem. It looks like all the RBE assigned entitlements were mostly User and Group assignments in the AD driver and I've already verified proper behavior there (the UA assigned ones maintain the user's account and memberships). Although disabling the AD driver during the removal isn't a bad idea regardless.
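The LDIF approach discussed in the thread, as an added example that is not code from any of the posters: a script that emits delete modifications only for RBE-assigned DirXML-EntitlementRef values where a UA-assigned value for the same entitlement also exists on the user, and reports RBE-only values instead of removing them. The `<src>` element used to classify a value and the sample entries are assumptions about the payload format, not taken from the thread; verify the classifier against a real value from the vault before running it.

```python
import re
from collections import defaultdict

ATTR = "DirXML-EntitlementRef"
SRC_RE = re.compile(r"<src>([^<]+)</src>")

# Constructed sample (not from the thread). Values use the
# "<entitlement DN>#<state>#<payload XML>" shape; the <src> element used to
# tell RBE-assigned from UA-assigned values is an ASSUMPTION to verify first.
SAMPLE_ENTRIES = {
    "cn=jdoe,ou=users,o=data": [
        "cn=UserAccount,cn=AD,cn=ds1,o=system#1#<ref><src>RBE</src><id>1</id></ref>",
        "cn=UserAccount,cn=AD,cn=ds1,o=system#1#<ref><src>UA</src><id>2</id></ref>",
    ],
    "cn=asmith,ou=users,o=data": [  # RBE-only: removing it would drop the account
        "cn=UserAccount,cn=AD,cn=ds1,o=system#1#<ref><src>RBE</src><id>3</id></ref>",
    ],
}


def split_ref(value):
    """Return (entitlement DN, state, source) from one DirXML-EntitlementRef value."""
    ent_dn, state, payload = value.split("#", 2)
    m = SRC_RE.search(payload)
    return ent_dn, state, (m.group(1) if m else None)


def plan_removals(entries, rbe_src="RBE", ua_src="UA"):
    """Select RBE-assigned values whose entitlement is also granted by UA.
    Returns (removals, skipped), each mapping user DN -> list of values."""
    removals, skipped = defaultdict(list), defaultdict(list)
    for user_dn, values in entries.items():
        refs = [split_ref(v) for v in values]
        covered = {ent_dn for ent_dn, _, src in refs if src == ua_src}
        for v, (ent_dn, _, src) in zip(values, refs):
            if src == rbe_src:
                (removals if ent_dn in covered else skipped)[user_dn].append(v)
    return dict(removals), dict(skipped)


def to_ldif(removals):
    """One modify record per user deleting only the listed values. Every
    record is an event the driver sees, so review driver policies first."""
    records = []
    for user_dn, values in removals.items():
        lines = [f"dn: {user_dn}", "changetype: modify", f"delete: {ATTR}"]
        lines += [f"{ATTR}: {v}" for v in values]
        records.append("\n".join(lines + ["-", ""]))
    return "\n".join(records)
```

Feeding `plan_removals(SAMPLE_ENTRIES)` into `to_ldif` yields a record for jdoe only; asmith's RBE-only value lands in `skipped`, which is the case to look at by hand before deciding anything.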