Question & Answer
Question
How do I remove users from LDAP while limiting impact to Content Platform Engine workflow system?
Cause
The Process server in Content Platform Engine caches users from LDAP by storing their user information in the workflow system database as environment records. If you remove users from LDAP before reassigning the work items or security definitions associated with those users, you might encounter the following behaviors:
- Orphaned work items
- Work items end up going to the malfunction submap
- Work items unable to proceed forward
- Timer work items do not process
- Administrators unable to administer security on queues or rosters
These are just a few examples, and there may be others.
The following is an example of the warning that is logged to the Content Platform Engine workflow system server log (pesvr_system.log) when a user has been deleted from LDAP but the user's environment record still exists in the workflow system:
2014/08/07 10:39:43.524-0700 VWUserSync PESecondary2 DB=CLD6_TOS_DBCONN [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP
In the next example, the VWTime thread in the Content Platform Engine server repeatedly logs the warning for a deleted user while it tries to process a deadline timeout on a work item that is associated with an IBM Case Manager Case and Task object:
2014/07/02 20:40:09.535+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP.
2014/07/02 20:40:09.603+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP.
2014/07/02 20:40:09.670+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP.
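To find out which deleted users still have environment records, and which of them the timer thread keeps hitting, the warnings above can be aggregated straight from pesvr_system.log. The following Python script is an added example written for this technote, not IBM code. It uses the four warning lines quoted above, plus one constructed line that must not match, as sample input; the regular expression assumes the line layout shown in those samples (date, time, thread, server, DB connection, optional Reg#n, then the [Warning] text).

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Layout of the warning as it appears in pesvr_system.log on this page:
#   <date> <time> <thread> <server> DB=<connection> [Reg#n] [Warning] Suspect user <name> is deleted from LDAP. ...
# The Reg#n token is present on the VWTime lines and absent on the VWUserSync line,
# so it is optional here. Anything else (Info lines, other warnings) is ignored.
SUSPECT_USER_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<thread>\S+)\s+(?P<server>\S+)\s+"
    r"DB=(?P<db>\S+)\s+(?:Reg#\d+\s+)?\[Warning\]\s+"
    r"Suspect user (?P<user>\S+) is deleted from LDAP"
)

# Sample input: the four warning lines quoted on this page, followed by one
# constructed filler line that is not a suspect-user warning.
SAMPLE_LOG = """\
2014/08/07 10:39:43.524-0700 VWUserSync PESecondary2 DB=CLD6_TOS_DBCONN [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP
2014/07/02 20:40:09.535+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP.
2014/07/02 20:40:09.603+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP.
2014/07/02 20:40:09.670+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Warning] Suspect user peuser1 is deleted from LDAP. Can't find either his shortname nor secondary key(s) in LDAP.
2014/07/02 20:40:10.001+0100 VWTime1 PEPrimary1 DB=TargetOS Reg#2 [Info] constructed filler line, not a suspect-user warning
"""


def summarize_suspect_users(lines: Iterable[str]) -> Dict[str, dict]:
    """Group 'Suspect user ... is deleted from LDAP' warnings by user short name.

    Each entry records how many times the user was reported, which threads and
    which DB connections (isolated regions) reported it."""
    summary: Dict[str, dict] = {}
    for line in lines:
        m = SUSPECT_USER_RE.match(line.strip())
        if not m:
            continue
        entry = summary.setdefault(
            m["user"], {"count": 0, "threads": set(), "dbs": set(), "by_thread": Counter()}
        )
        entry["count"] += 1
        entry["threads"].add(m["thread"])
        entry["dbs"].add(m["db"])
        entry["by_thread"][m["thread"]] += 1
    return summary


def repeated_timer_users(summary: Dict[str, dict], threshold: int = 3) -> List[str]:
    """Users reported at least `threshold` times by a VWTime thread.

    This is the symptom described above: the timer thread retries a deadline on a
    work item whose last user no longer resolves, so the same user is logged over
    and over until the work item or the environment record is fixed up."""
    users = []
    for user, entry in summary.items():
        timer_hits = sum(n for thread, n in entry["by_thread"].items() if thread.startswith("VWTime"))
        if timer_hits >= threshold:
            users.append(user)
    return sorted(users)


def report(summary: Dict[str, dict]) -> List[str]:
    """One human-readable line per suspect user."""
    lines = []
    for user in sorted(summary):
        e = summary[user]
        lines.append(
            f"{user}: {e['count']} warning(s); threads={sorted(e['threads'])}; regions={sorted(e['dbs'])}"
        )
    return lines


if __name__ == "__main__":
    s = summarize_suspect_users(SAMPLE_LOG.splitlines())
    print("\n".join(report(s)))
    print("repeated timer failures:", repeated_timer_users(s))
```

Run it against the real log file with `summarize_suspect_users(open("pesvr_system.log"))`; the users it lists are the ones whose environment records still need the fix-up described in the Answer below, and `repeated_timer_users` singles out those that are blocking deadline processing.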
Answer
The preferred approach to avoid any user issues with the Process server and users that are no longer needed in LDAP is to:
- Disable the user in LDAP, or change the user's password so that the user can no longer authenticate. The account stays in the LDAP directory, so the Process server can still resolve it.
Normally, the Process server correctly handles users and groups that are deleted from LDAP. In rare cases, however, an error can occur, for example where the user was associated with an object in the Process server that was not cleaned up or reassigned correctly. To quickly remedy errors in the Process server logs that are associated with deleted LDAP users:
- Create a new user in LDAP with the same short name attribute as the user that was deleted. No further fix-up is necessary, and all existing work associated with this user in the Process server continues to function.
If you cannot, or do not want to, reuse the same user short name in LDAP, you can:
- Create a new user with a new short name attribute in LDAP
- In the Process server, fix up the environment record that carries the deleted user's short name by assigning it the short name of the new user (vwtool > env > fixup > single)
After disabling the user, perform and check the following items to avoid problems or potential error conditions in the Process server before removing the user from LDAP:
- Configure a proxy user, Out Of Office, for the user to be deleted
- Ensure all of the work associated with the user has been re-assigned to another user
- Or ensure all of the work associated with the user has been completed from the system
- Ensure the user is not the last user to have accessed a work item that is associated with a deadline or timer
- Remove user from any Security definition on the following
- Queues
- Roster
- Event Logs
- Application Spaces
- Role Membership
- Check workflow definitions and IBM Case Manager solution XPDL for workflow groups that contain the user; the user must be removed from the workflow group.
- Note: If the user's literal name appears in a workflow definition or IBM Case Manager solution XPDL file, the workflow must be retransferred or the solution redeployed after the user's name is removed.
Here are the details on how to complete the tasks indicated above:
Configure a proxy user, Out Of Office, for the user to be deleted
For Workplace or Workplace XT, configuring a proxy (Out of Office) user is done via User Preferences for the user to be deleted:
Using Workplace - User Preferences - Tasks settings
This is no different in IBM Content Navigator, as described in the following documentation, in the 'Setting email notification for workflow events' section.
Tips for working in IBM Content Navigator
Ensure all of the work associated with the user has been re-assigned to another user
Or ensure all of the work associated with the user has been completed from the system
Ensure the user is not the last user to have accessed a work item that is associated with a deadline or timer
1) Run vwtool
2) env > view > persistent > [user account's short name]
3) Save the Id for the user from the output
<vwtool:1>env
View/ Inconsistency/ Cache/ Remove environment records (CR=v,i,c,r): v
Cached or persistent environment records (CR=c, p): p
Name, '*' for all env records: P8CEAdmin
Name: p8ceadmin
Realm: dc=domain,dc=org,dc=com
DisplayName:P8CEAdmin
DN: cn=p8ceadmin,ou=p8users,dc=domain,dc=org,dc=com
Id: 50
SID: S-1-5-21-1111111111-111111111-1111111111-1111
WebAppl: 0
4) Still in vwtool, run config
5) Save the physical table names of all of the work queues, excluding every queue whose Cl ID is <= 0.
Work Queue Name                 Table Name                      Physical Table Name   Cl ID
------------------------------  ------------------------------  --------------------  -----
CCDM_CustomerServiceAgent       CCDM_CustomerServiceAgent       VWQueue1_233             10
Conductor                       Conductor                       VWQueue1_224             -7
CPXF_CTRCO                      CPXF_CTRCO                      VWQueue1_277             45
CE_Operations                   CE_Operations                   VWQueue1_206              1
CPXF_TOM                        CPXF_TOM                        VWQueue1_278             50
CPXF_CO                         CPXF_CO                         VWQueue1_279             51
CPNT_GeneralRole                CPNT_GeneralRole                VWQueue1_252             30
CCS_GeneralRole                 CCS_GeneralRole                 VWQueue1_248             24
WSRequest(0)                    WSRequest(0)                    VWQueue1_207             -9
SOL_testRole                    SOL_testRole                    VWQueue1_225              7
Tracker(0)                      Tracker(0)                      VWQueue1_224              0
InstructionSheetInterpreter(0)  InstructionSheetInterpreter(0)  VWQueue1_209             -5
6) Run the following query against each of the queue tables in the workflow database to determine whether the user is still associated with existing running work items:
select F_WobNum, F_LockUser, F_BoundUser, F_LastUser, F_TimeOut from [Table_Name]
Filter the results by adding a WHERE clause to the query to eliminate unwanted results:
a) F_LockUser = [id of user]
b) F_BoundUser = [id of user]
c) F_LastUser = [id of user] AND F_TimeOut > 0
For example:
select F_WobNum, F_LockUser, F_BoundUser, F_LastUser, F_TimeOut from VWQueue1_233 where F_LockUser = 50;
Note: The above queries against the workflow database are read-only operations. Under no circumstances should database rows be locked or modified directly with SQL statements; this is not supported.
7) Once the F_WobNum values of the work objects in question have been found, use Process Administrator to search for the work items by F_WobNum and take the following action, depending on which query returned the row:
a) For F_LockUser, unlock the work item in Process Administrator
b) For F_BoundUser, reassign the work to another user
c) For F_LastUser, lock and unlock the work item in Process Administrator as a different user. Because this field is primarily used by IBM Case Manager, the user who locks and unlocks the work item must be in the same Role as the user that is being deleted.
8) Repeat steps 6 and 7 for each table identified in step 5.
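Steps 5 through 7 above can be scripted. The following Python is an added example, not part of this technote or of the product: it parses the config listing shown in step 5 (embedded here as sample input), drops the queues with Cl ID <= 0, emits the three read-only SELECT statements from step 6 for each remaining physical table, and maps a returned row to the step 7 action. It validates table names and the user Id before building SQL, so a pasted listing cannot inject anything into the statements. The statements it produces are still to be run read-only, as the note in step 6 requires; the column names and the user Id of 50 come from the page, the row shape passed to triage() is an assumption about what the query returns.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the 'config' output reproduced on this page
# (work queue name, table name, physical table name, Cl ID).
# Queues with Cl ID <= 0 are the ones step 5 says to exclude.
CONFIG_OUTPUT = """\
Work Queue Table Physical Table Cl
Name Name Name ID
---------- ----- -------------- ---
CCDM_CustomerServiceAgent CCDM_CustomerServiceAgent VWQueue1_233 10
Conductor Conductor VWQueue1_224 -7
CPXF_CTRCO CPXF_CTRCO VWQueue1_277 45
CE_Operations CE_Operations VWQueue1_206 1
CPXF_TOM CPXF_TOM VWQueue1_278 50
CPXF_CO CPXF_CO VWQueue1_279 51
CPNT_GeneralRole CPNT_GeneralRole VWQueue1_252 30
CCS_GeneralRole CCS_GeneralRole VWQueue1_248 24
WSRequest(0) WSRequest(0) VWQueue1_207 -9
SOL_testRole SOL_testRole VWQueue1_225 7
Tracker(0) Tracker(0) VWQueue1_224 0
InstructionSheetInterpreter(0) InstructionSheetInterpreter(0) VWQueue1_209 -5
"""

# Only plain identifiers are allowed into the generated SQL.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
COLUMNS = "F_WobNum, F_LockUser, F_BoundUser, F_LastUser, F_TimeOut"


def parse_queue_tables(config_text: str) -> List[Tuple[str, str, int]]:
    """Return (queue name, physical table, Cl ID) for each data row of the listing.

    Header and separator rows are skipped because their last token is not an integer."""
    rows = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            cl_id = int(parts[3])
        except ValueError:
            continue
        rows.append((parts[0], parts[2], cl_id))
    return rows


def work_queue_tables(config_text: str) -> List[str]:
    """Physical table names to query: Cl ID > 0 only, de-duplicated, in listing order."""
    seen, tables = set(), []
    for _name, physical, cl_id in parse_queue_tables(config_text):
        if cl_id > 0 and physical not in seen:
            seen.add(physical)
            tables.append(physical)
    return tables


def user_queries(tables: List[str], user_id: int) -> List[str]:
    """The read-only SELECTs of step 6, one per filter (a, b, c), for every table."""
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise ValueError("user_id must be the integer Id from the env record")
    filters = (
        "F_LockUser = {uid}",
        "F_BoundUser = {uid}",
        "F_LastUser = {uid} and F_TimeOut > 0",
    )
    queries = []
    for table in tables:
        if not IDENT_RE.match(table):
            raise ValueError(f"unexpected table name: {table!r}")
        for f in filters:
            queries.append(f"select {COLUMNS} from {table} where {f.format(uid=user_id)};")
    return queries


def triage(row: Dict[str, int], user_id: int) -> List[str]:
    """Map one returned row (assumed column -> value dict) to the step 7 actions."""
    actions = []
    if row.get("F_LockUser") == user_id:
        actions.append("unlock")
    if row.get("F_BoundUser") == user_id:
        actions.append("reassign")
    if row.get("F_LastUser") == user_id and row.get("F_TimeOut", 0) > 0:
        actions.append("lock_and_unlock_as_same_role_user")
    return actions


if __name__ == "__main__":
    for q in user_queries(work_queue_tables(CONFIG_OUTPUT), 50):
        print(q)
```

Paste the real config output in place of the sample and the script prints every statement to hand to the DBA; the first one it emits is exactly the example query shown in step 6.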
Remove user from any Security definition on Queues, Roster, Event Logs, Application Spaces and Role Membership
1) Load Process Configuration Console from ACCE or Workplace XT
2) Connect to the appropriate region
3) Right click the connection point node, and select 'Export to XML file'. Make sure to check 'Include User Information' and select 'Export all components'.
4) Search the resulting region XML file for the user's short name
5) Identify which queue, roster, event log, application space, or role the user is tied to, and remove the user from that object by using Process Configuration Console
If user's literal name is within a workflow definition or IBM Case Manager solution XPDL file, this will need to be retransferred or redeployed after removing the user's name.
Check workflow definitions and IBM Case Manager solution XPDL for workflow groups that contain the user, the user will need to be removed from the workflow group
1) Run vwtool
2) dump > file > xml > all (*) > latest workspace > authored > no flatten > .pep extension
3) Search all of the pep files to determine if the user name is used as a literal.
4) With this information, locate the workflow definition in Content Engine, based on the name, and modify the workflow definition using Process Designer to remove the literal name.
5) If the workflow definition is part of a solution XPDL, open the solution using Process Designer and remove the literal name.
6) After making the appropriate changes, retransfer the workflow or redeploy the solution XPDL
Note: The above procedure only looks at the latest workspace in Process server. Previous versions of the work classes (in older workspaces) may also reference these literal user names.
Information on how to take precautions against deleting LDAP users was provided for prior releases of the software in the following technote. The current technote does not replace the prior technote, but provides additional details and covers additional scenarios.
What are the precautions and consequences when deleting permanent user records from the FileNet® Process Engine database?
Document Information
Modified date: 06 January 2020
UID: swg21678829