We're trying to set up BSA to sync RBAC roles with AD groups. I have it set up and working, but I was curious how other people handle this or if I have something set up incorrectly.
The issue I have is when you have a user in multiple roles and you remove the user from one of the roles. You can't set the setLdapSyncOptions to delete the user, because the sync doesn't know that user is also a member of other roles so you have to set it to just unassign the user from the role. That part is fine, except when a user is terminated from the company or moves to a job that doesn't require BSA at all. The sync will remove them from all the BSA roles, which is good, but the user account will still be on BSA (with no roles assigned).
Is there a way to report on users that have no assigned roles and then delete them? Am I missing something with my understanding of how the AD sync process works? How do customers that do the AD/RBAC sync handle this? Leaving them out there isn't the end of the world, I guess, but I would like to clean them up if possible.
The 'other' roles the user is in are non-AD-sync-enabled roles?
You may be able to get the report in BDSSA.
Or dump all the roles, then use RBACUser.getAllUserNamesByRole for each role and diff that with RBACUser.listAllUsers.
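The diff the reply describes, written out as an added example (this is not code from the thread or from BMC): collect every role's member list, compare it against the full user list, and report the users that belong to no role, with deletion available only as an explicit second mode. The BLCLI command names `RBACRole listAllRoles` and `RBACUser deleteUser`, and the assumption that all four commands print one name per line, are assumptions not confirmed by the thread; the role and user names under `BLCLI_SIMULATE=1` are constructed sample data so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from BMC: report (and optionally remove)
# BSA RBAC users that are members of no role, by diffing every role's member
# list against the full user list.
#
# Assumptions (not confirmed by the thread): the BLCLI commands
#   blcli RBACRole listAllRoles
#   blcli RBACUser listAllUsers
#   blcli RBACUser getAllUserNamesByRole <roleName>
#   blcli RBACUser deleteUser <userName>
# exist under these names and print one name per line. If your BLCLI build
# prints comma-separated lists, adjust the three list_* functions.

# --- constructed sample data, used when BLCLI_SIMULATE=1 so this runs offline ---
sim_roles()     { printf '%s\n' BLAdmins WinAdmins RoleAdmins; }
sim_all_users() { printf '%s\n' BLAdmin alice bob carol dave; }
sim_role_members() {
  case "$1" in
    BLAdmins)   printf '%s\n' BLAdmin alice ;;
    WinAdmins)  printf '%s\n' alice bob ;;
    RoleAdmins) printf '%s\n' BLAdmin ;;
  esac
}

simulating() { [ "${BLCLI_SIMULATE:-0}" = 1 ]; }

list_roles()        { if simulating; then sim_roles; else blcli RBACRole listAllRoles; fi; }
list_all_users()    { if simulating; then sim_all_users; else blcli RBACUser listAllUsers; fi; }
list_role_members() { if simulating; then sim_role_members "$1"; else blcli RBACUser getAllUserNamesByRole "$1"; fi; }

# Print, one per line, every user that appears in listAllUsers but in no
# role's member list. Lines are tagged "M " (role member) or "U " (all users)
# and merged in awk, so the set difference needs no temporary files.
orphan_users() {
  {
    list_roles | while IFS= read -r role; do
      [ -n "$role" ] && list_role_members "$role" | sed 's/^/M /'
    done
    list_all_users | sed 's/^/U /'
  } | awk '
    { tag = substr($0, 1, 2); name = substr($0, 3) }
    tag == "M " { member[name] = 1; next }
    tag == "U " && !(name in member) { print name }
  ' | sort -u
}

# Built-in or service accounts that must never be deleted even if role-less.
# (Constructed list; extend it with the accounts your environment relies on.)
PROTECTED_USERS="BLAdmin"

is_protected() {
  for p in $PROTECTED_USERS; do [ "$1" = "$p" ] && return 0; done
  return 1
}

# main report  -> list role-less users (default, read-only)
# main delete  -> delete them, skipping PROTECTED_USERS
main() {
  mode="${1:-report}"
  orphan_users | while IFS= read -r user; do
    if is_protected "$user"; then
      echo "skip (protected): $user"
    elif [ "$mode" = delete ]; then
      echo "deleting: $user"
      if simulating; then echo "(simulated) blcli RBACUser deleteUser $user"
      else blcli RBACUser deleteUser "$user"; fi
    else
      echo "no roles: $user"
    fi
  done
}

# Run main only when explicitly requested, so sourcing the file just defines
# the functions (e.g. BLCLI_RUN_MAIN=1 sh orphans.sh report).
if [ "${BLCLI_RUN_MAIN:-0}" = 1 ]; then
  main "$@"
fi
```

Run it in report mode first and review the list before switching to delete mode; a user that is role-less only because a sync job failed part-way would otherwise be removed along with the genuinely departed ones, and the protected list is there so the built-in administrator can never be caught by the sweep.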