How to handle people who created content in P8 but are now leaving the company? Just delete them in LDAP and in P8 everything will remain the same?

As we can see in ACCE P8 keeps the samAccountName of a user in order to show the users DisplayName in ICN. What happens, if the samAccountName is no longer available in LDAP? What happens if a samAccountName used in the past is assigned to a new user?

What is best practice to handle this topic? What are other companies doing?

Deleting a user/group in your ldap will have the effect of leaving 'orphaned SIDs' in the security of objects in place of the user/group's access control entries.

It's better to disable the user in ldap, so the CPE can still resolve the user. If that is not possible, you would then probably need to clean up the SID values in those objects.

The knowledge center has a topic on this: https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=solutions-removing-invalid-security-ids

and here is a bit more generic version of the script, so you don't have to enter the specific SID value each time.

importPackage(Packages.com.filenet.api.core);

importPackage(Packages.com.filenet.api.security);

importClass(Packages.com.filenet.api.constants.RefreshMode);

importClass(Packages.com.filenet.api.property.Properties);

function OnCustomProcess (CEObject) {

CEObject.refresh();

var apl = CEObject.get_Permissions();

var iter = apl.iterator();

var perm = null;

while (iter.hasNext()) {

perm = iter.next();

if (perm.get_GranteeName().toString().startsWith('S-1') ){

iter.remove();

CEObject.save(RefreshMode.REFRESH);

break;

}

}

}

Thank you hamgem, but what about the information regarding the creator or modifier of a document in P8? You don't want to loose the creators/modifiers correct name just because the person left the company.

Just disabling the users in LDAP once he left the company and keeping the persons record in LDAP till all documents the user created or modified are no longer in P8, means, you potentially keep a very long list of names in your LDAP just because these people used to work for your company.

Wouldn't it be "better" to kind of "freeze" a document in P8, meaning, P8 would no longer lookup the creators/modifiers record in the LDAP for documents that are freezed?

I think the creator/last modifier fields are just strings filled in at the time and never referred back to LDAP. I modified a value directly in the db to grzzlbrzl, it showed up correctly everywhere but no error because this user never existed...

BR,

/gerold

Just for clarification, this script will fix the orphaned SIDS that cause havoc in Security permissions, that's great.

Do we just leave Last Modifier and Creator alone, are the really just strings with the persons name as suggested above?

They are.