Unable to remove custom userrole
When I try to delete a userrole, I keep getting the error "Unable to delete userrole:abcdMyRole as users exist for role"
Tried to delete using managment api call using curl and got the same error.
UI shows no users exist under that role.
Best Answer
i am able to delete the role after I removed the roleOccupant
dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
changetype: modify
delete: roleOccupant
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=apigee,dc=com
Tried those two steps already. Here is the output.
$ mycurl -X GET http://localhost:8080/v1/o/prod/userroles/abcdMyRole/users
[ ]200
$ mycurl -X DELETE http://localhost:8080/v1/o/prod/userroles/abcdMyRole
{
"code" : "usersandroles.UserRoleDeleteFailedAsUsersExistForRole",
"message" : "Unable to delete userrole:abcdMyRole as users exist for role",
"contexts" : [ ]
}400
I am able to successfully create new custom role and delete it. Further more, I was querying ldap data using ldapsearch and could see a roleoccupant for the role abcdMyRole as follows though UI shows no user exists for that role.
dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com objectClass: organizationalRole
cn: abcdMyRole
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=apigee,dc=com
uid=4adffba3-fd01-4e68-a353-e143f3de1ec3 does not correspond to any valid user in the system and does not exist anywhere else. This entry could be holding up the role delete. Looking for right way to cleanup that data.
Another interesting find from ldapsearch is that there are still lots of traces of old custom roles which got deleted long back. So looks like the DELETE operation from UI is not doing a complete cleanup in the ldap DB. This needs to be looked at and fixed.
Understand that this is an old issue. But I am encountering this issue as well. It does not seeem to be consistent.
I am using the Apigee private clound (v 4.18.05). I remove all users asscociated to the role globally. Then, I try to remove the role itself. This only seems to work sometimes (not always). Once I remove the LDAP entries manually, then I can remove the role. Looks like the user removal is not triggering the deletion of the LDAP entries (??).
This is being done via a Nodejs offline script with around 10 to 15 users, using the below management APIs:
DELETE https://api.enterprise.apigee.com/v1/organizations/{org}/userroles/{role_name}
DELETE https://api.enterprise.apigee.com/v1/users/{user_email}
Below is the LDAP and the management API response:
dn: cn=***,ou=userroles,o=***,ou=organizations,dc=apigee,dc=com objectClass: organizationalRole cn: *** roleOccupant: uid=53491c9d-62f0-4e57-ae5f-3dd7e583e475,ou=users,ou=global,dc=apigee,dc=com roleOccupant: uid=832b3bf8-cece-4988-abb4-f1afc3934973,ou=users,ou=global,dc=apigee,dc=com roleOccupant: uid=9f41fee4-4607-4aa4-9888-b337c55e5aba,ou=users,ou=global,dc=apigee,dc=com roleOccupant: uid=012b64e7-9c81-437f-866e-245db87f98ae,ou=users,ou=global,dc=apigee,dc=com roleOccupant: uid=0bf10537-feec-4f60-820f-3bc9752dc71e,ou=users,ou=global,dc=apigee,dc=com
{
"code" : "usersandroles.UserRoleDeleteFailedAsUsersExistForRole",
"message" : "Unable to delete userrole:*** as users exist for role",
"contexts" : [ ]
}
Thanks,
Girish
