Hornbill SQL User Import Utility - Does not appear to strip user account roles from an account

[Adam Toms]

Hello all,

We use the Hornbill SQL User Import utility version v2.2.6 to create our Hornbill User accounts.

When a user has left, the account is set to archived, but it retains the security roles and retains user account type.

We have confirmed that the account we are using has the User Import role, which allows managing, creating and updating of users. We would anticipate that when the user account is set to archived the account would revert to basic and user roles stripped as an update.

But the user import utility is not doing this. Are we missing something, or is this by design?

If it is by design, would it be possible to request this as an enhancement?

Many Thanks

Adam

 

[Adam Toms]

Hello all,

Does anyone have ideas, re the post above?

Many Thanks

Adam

[SamS]

Hi @Adam Toms,

The tool currently does not handle the removal of roles - it makes a statement within the documentation that it does incremental adds & updates.

For roles this is a little complicated: IF we compare current roles to those provided in the import to make a decision which roles to drop, then we might be dropping too many roles. A lot of customers will set initial (baseline) roles via an import and then elevate inidividuals on a need-to basis. Within this set-up all those manually modified would require a manual modification after every run of the script. Running a second script which allocates  (but not removes) roles after running of the first script (which set the baseline), then that would work - indeed it does for many customers setting up their analysts - but it would, again, make manual elevations moot.

So, selectively removing roles might be a possibility, it would require a list of which people you would need which roles removed. I am thinking this is not an easy list to set up - and it would be easier to manuall remove the roles.

I can see a functionality to be added which removes all roles from archived users - I'll put that at the bottom of the list.

All that being said, however, archived users should NOT be able to log in/use Hornbill - their permissions are moot. IF you can prove otherwise (i.e. if an archived account is still active), then please let us know and we will treat this as a priority bug.

[Adam Toms]

Thanks @SamS for your response and the information provided.

We would like to pursue this as a feature request, which removes all roles from archived users. 

Many Thanks

Adam

 

 

[Adam Toms]

Hi @SamS, In addition to the above post, we'd like to request this as a feature request where the roles can be removed from Active users. This is more important for us. But it would also be nice to have the ability to do this on archived users, but active users are the bigger concern. Many Thanks.

[SamS]

Hi @Adam Toms,

I will add "removal of all roles for listed users"-functionality just below "removal of all roles of archived users" on the list. I might create a separate utility for it - to keep it at arms length from data preserving functionality.

I will not implement a "remove all roles for all users"-functionality - only because no one would be able to log in to undo the damage. Yeah, this is going to be a separate utility - so it cannot be accidentally confused/triggered with the data import.

[SamS]

Hi @Adam Toms,

Please find a late (or very early) Xmas present: https://github.com/hornbill/goHUserRoleRemover