Deletion of Profiles when using LDAP
I opened up a case with Oracle asking if there is a way to delete old profiles when using LDAP. Their response was that they don't recommend deleting old profiles. The issue I have with that response is that we can have Brandon Smith in Active Directory leave and we delete his AD profile; then, in a couple of months, Brad Smith joins and we give him the BSMITH user profile in AD, but it becomes an issue mirroring up to JDE because we were not able to clear the original BSMITH that belonged to Brandon Smith.
Has there been a BUG or Enhancement Request pertaining to this?
@Ron MacNeil We're looking to implement this solution. I've tested by making my custom P0092 and commenting out the line you said. Works good so far, especially for those usernames that have been deleted from Active Directory. I'm curious though - you said you've been running this setup since 2012? I assume you've been LDAP enabled and on 9.1 for this to function. Did you go to 9.2 at all and run the same solution? Also, why do you think Oracle disabled the delete in the ER to begin with for LDAP users? Seems counterproductive.
@Bharath Bellamkonda @Matthew Stronczek it sounds like the cleanest way is to stop services, change the LDAP ini, start services, do the deletions as we used to before we utilized LDAP, stop services, change back the LDAP ini, and then start services. Only issue with this is we would have to do it off hours when no one would be on the system.
Thank you both for your input, I will follow up with my manager.
@Daniel Toler There are multiple considerations to direct SQL. You have security role membership, favorites (other UDOs if your company allows it), submitted jobs and potentially other related security/access items that are taken care of automatically during account deletion that would have to be cleaned up as well.
@Daniel Toler -- We also have LDAP enabled, but we never delete the user profiles. We disable in P98OWSEC, expire roles in P95921, and delete the AD account in Microsoft AD so that the user cannot sign in.
However, if you have a serious business reason to delete E1 profiles, use this trick:
1) Stop E1 services
2) Disable LDAP in INI
4) Delete all the profiles you want to delete using P0092
5) Stop E1 services
6) Revert back INI settings
Disclaimer: This should work if it's a one-time activity. Not a great trick if you plan to do it for each employee exit.
@Matthew Stronczek Thank you! Has anyone attempted to just SQL the security tables to clear the inactive users?
We have LDAP enabled and the same need to delete accounts. We have a thick client with LDAP disabled. We use that thick client to delete our JDE accounts. There is a bug for the LDAP account deletion, 25462657, but note that it has been out there since Jan 2017.
It's a little silly that that was Oracle's response. We've created a custom App from P0092 and disabled a single line. In: "/ Work With User / Role Profiles [FIND BROWSE ] / GRID grid / Row is Entered" disable this line: "Disable Control(HC &Delete)".
Now with this custom App you will be able to manually delete the user's profile. We've been using this since 2012 with no issue.
We are using LDAP. A coworker did some research so inactive users can be, well, deactivated. Here is a link that may help you. Due to time, my coworker has not pursued it.
We started using the employee first and last initials with their employee number for their AD profile as we have run across multiple employees with the same first and last name as well as first initial and last name.
We don't use JDE, so I'm not sure how the user profiles are set up there. However, in PeopleSoft, there is an EMPLID on the user profile. When someone leaves and is later rehired, we normally clear their EMPLID from the old profile. In AD the EMPLID is entered on the account (in your example BSMITH), and that allows the association to be made again between AD and the user profile in PeopleSoft. Of course, for the most part, for rehires (at least if they are being hired for a different position) our process is also that a new account is created for the employee in AD with a new user profile name (for example, BSMITH1).
I know they're two different applications, but thought I'd mention this just in case it's at all helpful for you.