Unable to remove custom userrole

Not applicable

When I try to delete a userrole, I keep getting the error "Unable to delete userrole:abcdMyRole as users exist for role"

Tried to delete using a management API call with curl and got the same error.

UI shows no users exist under that role.


Not applicable

Hello na2379,

This is quite a standard feature and should work. I have tested it in my cloud org to ensure that there is no glitch in the latest release.

The "Delete" button should be greyed out if a user is associated with the role. As the button is active, that means this role has no user. To separate out any issue during creation of this custom role, could you create another custom role and try to delete it?

For this issue, run the following commands and share the results:

1. To get the list of users:

curl -X GET --header "Authorization: Basic {base64 encoded username:password}" "https://api.enterprise.apigee.com/v1/organizations/{org_name}/userroles/{role_name}/users"

2. To delete the role:

curl -X DELETE --header "Authorization: Basic {base64 encoded username:password}" "https://api.enterprise.apigee.com/v1/organizations/{org_name}/userroles/{role_name}"

Thanks,

Rajesh

Not applicable

Tried those two steps already. Here is the output.

$ mycurl -X GET http://localhost:8080/v1/o/prod/userroles/abcdMyRole/users

[ ]200

$ mycurl -X DELETE http://localhost:8080/v1/o/prod/userroles/abcdMyRole

{
  "code" : "usersandroles.UserRoleDeleteFailedAsUsersExistForRole",
  "message" : "Unable to delete userrole:abcdMyRole as users exist for role",
  "contexts" : [ ]
}400

I am able to successfully create a new custom role and delete it. Furthermore, I was querying LDAP data using ldapsearch and could see a roleOccupant for the role abcdMyRole as follows, though the UI shows no user exists for that role.

dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
objectClass: organizationalRole
cn: abcdMyRole
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=apigee,dc=com

uid=4adffba3-fd01-4e68-a353-e143f3de1ec3 does not correspond to any valid user in the system and does not exist anywhere else. This entry could be holding up the role delete. Looking for the right way to clean up that data.

Another interesting find from ldapsearch is that there are still lots of traces of old custom roles which got deleted long back. So it looks like the DELETE operation from the UI is not doing a complete cleanup in the LDAP DB. This needs to be looked at and fixed.

Not applicable

I am able to delete the role after I removed the roleOccupant:

dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
changetype: modify
delete: roleOccupant
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=apigee,dc=com

Awesome, glad that the problem got resolved.

I understand that this is an old issue, but I am encountering this issue as well. It does not seem to be consistent.

I am using the Apigee private cloud (v 4.18.05). I remove all users associated with the role globally. Then, I try to remove the role itself. This only seems to work sometimes (not always). Once I remove the LDAP entries manually, then I can remove the role. Looks like the user removal is not triggering the deletion of the LDAP entries (??).

This is being done via a Node.js offline script with around 10 to 15 users, using the below management APIs:

DELETE https://api.enterprise.apigee.com/v1/organizations/{org}/userroles/{role_name} 
DELETE https://api.enterprise.apigee.com/v1/users/{user_email}

Below is the LDAP and the management API response:

dn: cn=***,ou=userroles,o=***,ou=organizations,dc=apigee,dc=com
objectClass: organizationalRole
cn: ***
roleOccupant: uid=53491c9d-62f0-4e57-ae5f-3dd7e583e475,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=832b3bf8-cece-4988-abb4-f1afc3934973,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=9f41fee4-4607-4aa4-9888-b337c55e5aba,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=012b64e7-9c81-437f-866e-245db87f98ae,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=0bf10537-feec-4f60-820f-3bc9752dc71e,ou=users,ou=global,dc=apigee,dc=com

{
  "code" : "usersandroles.UserRoleDeleteFailedAsUsersExistForRole",
  "message" : "Unable to delete userrole:*** as users exist for role",
  "contexts" : [ ]
}

Thanks,

Girish
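
The stale roleOccupant values described in this thread can be found in an ldapsearch export before attempting the role delete. The following is an added example, not code from any poster or from Apigee: it assumes the export contains both the userroles entries and the user entries under ou=users,ou=global,dc=apigee,dc=com, and the function names are hypothetical.

```python
import base64

# Constructed sample (ldapsearch LDIF form); the 00000000-... user is made up.
SAMPLE = """\
dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
cn: abcdMyRole
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=
 apigee,dc=com
roleOccupant: uid=00000000-0000-0000-0000-000000000001,ou=users,ou=global,dc=apigee,dc=com

dn: uid=00000000-0000-0000-0000-000000000001,ou=users,ou=global,dc=apigee,dc=com
"""

def parse_ldif(text):
    # Unfold continuation lines (leading space), then split records on blank lines.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for record in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, val = line.partition(":")
            if val.startswith(":"):          # "attr:: <base64>" form
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            if attr.lower() == "dn":
                dn = val.strip()
            else:
                attrs.setdefault(attr.lower(), []).append(val.strip())
        if dn:                               # skips "search:"/"result:" trailers
            entries.append((dn, attrs))
    return entries

def norm(dn):
    # Simplified DN comparison: ignores escaped commas inside RDN values.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def orphaned_occupants(entries):
    # Map role DN -> roleOccupant values with no matching entry in the export.
    known = {norm(dn) for dn, _ in entries}
    found = {dn: [o for o in a.get("roleoccupant", []) if norm(o) not in known]
             for dn, a in entries}
    return {dn: occs for dn, occs in found.items() if occs}

def cleanup_ldif(orphans):
    # One ldapmodify change record per role, same form as the fix in the thread.
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\ndelete: roleOccupant\n"
        + "".join(f"roleOccupant: {o}\n" for o in occs)
        for dn, occs in orphans.items())
```

Review the generated change records before passing them to ldapmodify: a user entry that is missing only because the search base was too narrow will also be reported as orphaned.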