Removing a logon alias for users belonging to an external identity source group in the RSA Authentication Manager Bulk Admin (AMBA)
Originally Published: 2021-06-01
Article Number
000064732
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4 Patch 13 or later
O/S Version: Suse Linux Enterprise Server (SLES) 12 SP3 or later
Product Name: Authentication Manager Bulk Administration
Product Description: AMBA
Issue

This article explains how to automate removing a logon alias from a group in an external identity source in the Authentication Manager database, since no way to do this existed before AM 8.4 Patch 13.
Note that you can use AMBA to remove a user from a group with the DUG (Delete User from Group) command, but this command does not apply to external identity sources: Authentication Manager cannot remove an Active Directory user from an Active Directory group.

Resolution
This resolution assumes that the administrator is familiar with scripting using the Authentication Manager Bulk Administration (AMBA) software and that RSA Authentication Manager 8.4 Patch 13 or later is installed.
AM 8.4 Patch 13 updated the CAU (Change or Add User) command with a new RemoveGrpDefLogin option to remove a logon alias from an external identity source group.
See KB article 000036248 for details on how to automate adding a logon alias for users.

Here is an example of using Authentication Manager Bulk Administration (AMBA) to remove a logon alias from an external identity source group user. You can use the RemoveGrpDefLogin option for the CAU command to remove a logon alias from any group.

1/ Open an SSH session to the Authentication Manager primary or connect directly to the console.
2/ Log in as the rsaadmin user.
3/ In the AMBA directory (/opt/rsa/am/utils/AMBA), create a file named RemLDAPAlias.csv. The contents of RemLDAPAlias.csv are as follows:
Action,DefLogin,GrpName,GrpDefLogin,IdentitySource,RemoveGrpDefLogin
CAU,testuser,LogonAliases,testalias,AD-TEST,true
NOTE: CAU stands for Change or Add User. Refer to the AMBA documentation for more details.
DefLogin: SAMAccountName
GrpName: AD Group Name
GrpDefLogin: Alias Name
IdentitySource: LDAP Name
RemoveGrpDefLogin: True

4/ Save and close the file when done.
5/ Navigate to the /opt/rsa/am/utils directory.
6/ At the command line, run the following:
./rsautil AMBulkAdmin -i AMBA/RemLDAPAlias.csv -o AMBA/RemAliasLDAPUser.log --verbose -a <enter user ID of a superadmin> -P <enter the super admin password>
[Screenshot, not reproduced here: AMBA CAU command to remove LDAP Alias, shown before the command is run]

The log output should be similar to the following:
rsaadmin@ehud:/opt/rsa/am/utils> more AMBA/RemAliasLDAPUser.log
BOJ : 2021-05-26 16:15:22 - 8.5.0.3.0 (1419588) - Input = AMBA/RemLDAPAlias.csv
Info : -Output Log File Opened
Info : -Looking up the License Details
Info : -Validating the Enterprise License Check
Info : -Key : CoreLevel, Value : Authentication Manager Enterprise
Info : -Validating the AM Enterprise License Values for [ Enterprise License: coreLevelValue =Authentication Manager Enterprise, expirationDate = null ]
Info : -A Valid Authentication Manager Enterprise License found, skipping the AMBA License Validation.
Info : -Info : License : - License Number: LID000012345X - Issued To : RSA SECURITY - Issued On : Mon Mar 30 09:51:04 AEDT 2015
Info : Line 1 -Header Line
Info : -Entering changeOrAddUser
Info : -Default subdomain value set to :: true
Info : -Entering CommandUtils.updatePrincipal
Info : -CommandUtils.updatePrincipal - Key = GrpDefLogin - Value = testalias
Info : -CommandUtils.updatePrincipal - Key = Action - Value = CAU
Info : -CommandUtils.updatePrincipal - Key = GrpName - Value = LogonAliases
Info : -CommandUtils.updatePrincipal - Key = DefLogin - Value = testuser
Info : -CommandUtils.updatePrincipal - Key = Linenumber - Value = 2
Info : -CommandUtils.updatePrincipal - Key = RemoveGrpDefLogin - Value = true
Info : -CommandUtils.updatePrincipal - Key = IdentitySource - Value = AD-TEST
Info : -CommandUtils.updatePrincipal:
Info : -Leaving CommandUtils.updatePrincipal
Info : -Just entered linkUserWithGroup(...)
Info : -linkUserWithGroup(...) - via defLogin: testuser
Info : -Default subdomain value set to :: true
Info : -linkUserWithGroup(...) - Just before new LinkGroupPrincipalsCommand
Info : -linkUserWithGroup(...) - Search User IS for group name
Info : -linkUserWithGroup(...) - ISName: Internal Database
Info : -linkUserWithGroup(...) - ISName: AD-TEST
Info : -Just entered getGroupGUID(...) for: LogonAliases
Info : -Leaving getGroupGUID(...) for: LogonAliases - groupGUID: ims.1accec024e07760a4ceb482ddb8be397
Info : -Inside isPrincipalLinkedWithGroup(....)
Info : -Principal linked to the group (groupname,isLinked) :: LogonAliases, true
Success: 2021-05-26 16:15:23 : Line 2 - linked user to the Group -testuser,LogonAliases
Success: 2021-05-26 16:15:23 : Line 2 - addUserAuthnSettings -testuser, LogonAliases, testalias
Success: 2021-05-26 16:15:23 : Line 2 - changeOrAddUser -testuser,
Info : -Leaving changeOrAddUser.
Info : Line 3 -Empty Line; Ignored
Info : -Closing input file
Info : -Closing rejected actions file
Info : -Closing unsupported actions file
Info : -Log File Closed
Info : -Exit code: 0
EOJ : 2021-05-26 16:15:23 - Terminating
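As an added example, not taken from the article or from the AMBA software, the POSIX shell helper below builds RemLDAPAlias.csv for several users at once with the column layout shown above, and afterwards checks the AMBA log so that a row that was not applied is not mistaken for success. The user:alias input format and the function names build_csv and verify_run are assumptions of this example.

```shell
#!/bin/sh
# Constructed helper (not part of the RSA article or AMBA).
# Usage on the primary, from /opt/rsa/am/utils:
#   build_csv LogonAliases AD-TEST testuser:testalias jsmith:jalias > AMBA/RemLDAPAlias.csv
#   ./rsautil AMBulkAdmin -i AMBA/RemLDAPAlias.csv -o AMBA/RemAliasLDAPUser.log --verbose \
#       -a <superadmin> -P <password>
#   verify_run AMBA/RemLDAPAlias.csv AMBA/RemAliasLDAPUser.log

# build_csv GROUP IDSOURCE USER:ALIAS [USER:ALIAS ...]
# Emits the header from the article, then one CAU row per user:alias pair
# with RemoveGrpDefLogin set to true.
build_csv() {
    grp="$1"; ids="$2"; shift 2
    printf 'Action,DefLogin,GrpName,GrpDefLogin,IdentitySource,RemoveGrpDefLogin\n'
    for pair in "$@"; do
        user="${pair%%:*}"
        alias_name="${pair#*:}"
        # A comma or quote in a value would shift columns or inject a field, so refuse it.
        case "$user$alias_name$grp$ids" in
            *[,\"]*) echo "build_csv: comma/quote not allowed in '$pair'" >&2; return 1 ;;
        esac
        printf 'CAU,%s,%s,%s,%s,true\n' "$user" "$grp" "$alias_name" "$ids"
    done
}

# verify_run CSV LOGFILE
# Succeeds only if AMBA reported exit code 0 and every CAU row in CSV has a
# matching "changeOrAddUser" Success line in the log (the line formats are
# those shown in the article's sample log).
verify_run() {
    rows=$(tail -n +2 "$1" | grep -c '^CAU,' || true)
    ok=$(grep -c '^Success: .* - changeOrAddUser -' "$2" || true)
    rc=$(sed -n 's/^Info : -Exit code: \([0-9][0-9]*\).*/\1/p' "$2" | tail -n 1)
    if [ "${rc:-missing}" != "0" ]; then
        echo "verify_run: AMBA exit code is '${rc:-missing}', expected 0" >&2
        return 1
    fi
    if [ "$rows" != "$ok" ]; then
        echo "verify_run: $rows CAU rows but only $ok changeOrAddUser successes" >&2
        return 1
    fi
    echo "verify_run: all $ok rows applied"
}
```

Review the log with more (as in the article) whenever verify_run fails, since it only counts lines and does not explain why a row was rejected.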