Lawson ISS – Using an ISS Sync to remove roles assigned to users

, ,

In Lawson ISS, you may come across one or both of the two scenarios below:

  1. I removed a role from a number of users in Lawson System Foundation (LSF) and want to use an Infor Security Services (ISS) sync to remove these same roles from Landmark (LMK).

or

  1. I removed a role from a number of users in Landmark (LMK) and want to use an Infor Security Services (ISS) sync to remove these same roles from Lawson System Foundation (LSF).

 

There is a resolution for both of these scenarios:

A full ISS sync does not have the ability to remove roles from users. However, you can run a list-based sync via an ssoconfig command to remove the roles in the other system.

 

There is a flag that can be included in the list-based sync file that allows for roles to be overwritten in the system that is being updated called the mergeActorRoles flag. When this flag is not included in the xml file to be used, or is set to true, the roles from the source system (the one you are NOT updating) that are not found in the other system will be appended to the roles currently assigned. When this flag is set to false, mergeActorRoles=false, the roles assigned in the system that is being updated will be overwritten to match those in the source system, hence removing roles if necessary.

 

A list-based file template is delivered with each upgrade to ISS, you will use this file as a base for your work. The location of the file is:

 

GENDIR\system\provisioning\metadata\backgroundSyncTemplate.xml

Create a copy of the file and edit the copy, ensure the following are set:

 

defAction is set to update the system where the roles have NOT already been removed options:  update_remote or update_local

mergeActorRoles is set to false

IMPORTANT: The local and remote sections shown in the example below MUST be included since the users already exist in bot LSF and Landmark. These areas would contain each user to be updated.

Example of a completed list-based sync file that will update roles in LMK for existing users test1 and test2 to match roles in LSF:

Once you have the file the way you need it, you need to run the ssoconfig command for the list based sync.

The syntax for that is as follows and there is no ssoconfig password required for this process/command syntax:

 

ssoconfig -S sync_file_with_fullDirectoryPath

 

Example command for Windows customers:  ssoconfig -S D:\LSFPROD\gen\system\provisioning\metadata\FileNameOfBackgroundSyncTemplate.xml

Example command for Unix or IBM i customers: ssoconfig -S /LSFPROD/gen/system/provisioning/metadata/FileNameOfBackgroundSyncTemplate.xml

 

NOTE: In the above examples, if you placed the xml file for this process in another directory, simply replace the full path to the location of your xml file.