Use the web content member fixer task
Overview
Use the member fixer task to...
- Check if users or groups referenced in WCM items have been renamed or deleted
- Fix these references
Member fixer is used to:
- Fix references to users in library and item level access settings that refer to users and groups from a given user repository where the structure of the user repository has been altered.
For example, an LDAP transfer may have been executed, or the LDAP schema may have changed, or users and groups may have been moved in the LDAP.
- Fix references to users in item level access settings that refer to users and groups who have been deleted from the user repository.
The member fixer task's function is to check all of the items in a specified library for references to users and groups that no longer exist in the current user repository. In report mode, it will report all the references to members. In fix mode, these references can be fixed, either by replacing them with references to members that exist, or by removing the references. The fix parameter determines whether the member fixer task runs in report or fix mode.
References to members in library items contain the distinguished name of the member as well as a unique ID for the member. This unique ID is an internal id that is unique over time, and is different to the distinguished name. This means if a member is deleted and another member is created with the same distinguished name, the two members will have different unique IDs. The mismatchedId parameter can be used to update or remove references from web content items to users with these unique IDs.
When a member that has been given permissions on a library is deleted, the member permissions are entirely removed from the library, so that any inherited permissions for items in the library will also be removed. Therefore, the member fixer task cannot be used to update these permissions to a different member. However, when an LDAP transfer is carried out, the member permissions on the library are maintained. So, the member fixer task can be run after an LDAP transfer to update or remove these permissions.
Enable the member fixer tool
To enable the member fixer, add the following parameters to the WCM WCMConfigService service using the dmgr console:
- connect.businesslogic.module.memberfixer.class=com.aptrix.pluto.security.MemberFixerModule
- connect.businesslogic.module.memberfixer.remoteaccess=true
- connect.businesslogic.module.memberfixer.autoload=false
Custom Mapping
To update a reference to a member that does not exist with a member that does exist, member mappings can be defined in a custom mapping file. Where the member fixer task does not find a mapping in this file for a member, it will search the user repository for members with the same ID as the member that no longer exists. If such a member is found, it will update the reference with this user or group, or remove the reference, as specified by the altDn parameter. If no such member is found, this member is classified as 'invalid' and will be updated or removed as specified by the invalidDn parameter.
To map user and group domain names before running the member fixer task, edit:
WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties
and set...
- cn=contentAuthors,dc=lotus,o=ibm->cn=contentEditors,dc=rational,o=ibm
Completely replace one distinguished name with another.
- cn=[ID],dc=websphere,o=ibm->cn=[ID],dc=tivoli,o=ibm
Replace part of a distinguished name. This example will change all of the distinguished name except the common name.
Further examples are listed in the MemberFixerModule.properties file.
You then run the member fixer task using:
-DaltDn
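The two mapping forms above, previewed as an added example (not part of the original page and not the product's own parser): a shell function that shows how an old distinguished name would be rewritten by `old->new` rules. It assumes that [ID] stands for a single RDN value and that matching is exact and case-sensitive; the rules are the ones shown on this page and the sample DNs are constructed.

```shell
# Rules in "old->new" form, copied from the examples on this page.
RULES='cn=contentAuthors,dc=lotus,o=ibm->cn=contentEditors,dc=rational,o=ibm
cn=[ID],dc=websphere,o=ibm->cn=[ID],dc=tivoli,o=ibm'

# map_dn DN: print the rewritten DN and return 0, or return 1 if no rule matches.
map_dn() {
  local dn=$1 ph='[ID]' rule src dst prefix suffix id
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    src=${rule%%->*}          # left side of the rule
    dst=${rule#*->}           # right side of the rule
    case $src in
      *"$ph"*)
        prefix=${src%%"$ph"*} # text before the placeholder
        suffix=${src#*"$ph"}  # text after the placeholder
        case $dn in
          "$prefix"*"$suffix")
            id=${dn#"$prefix"}
            id=${id%"$suffix"}
            # Assumption: [ID] covers one RDN value, so it is non-empty
            # and contains no comma; otherwise try the next rule.
            case $id in ''|*,*) continue ;; esac
            case $dst in
              *"$ph"*) printf '%s\n' "${dst%%"$ph"*}$id${dst#*"$ph"}" ;;
              *)       printf '%s\n' "$dst" ;;
            esac
            return 0 ;;
        esac ;;
      *)
        # Rule without a placeholder: the whole DN must match.
        if [ "$dn" = "$src" ]; then printf '%s\n' "$dst"; return 0; fi ;;
    esac
  done <<EOF
$RULES
EOF
  return 1
}

# Constructed sample DNs: one per rule, plus one that no rule covers.
for dn in 'cn=contentAuthors,dc=lotus,o=ibm' \
          'cn=jsmith,dc=websphere,o=ibm' \
          'cn=nobody,dc=example,o=org'; do
  if new=$(map_dn "$dn"); then echo "$dn -> $new"
  else echo "$dn -> no mapping (altDn/invalidDn handling applies)"; fi
done
```

A DN that no rule covers falls through to the repository lookup described above, so it is the altDn and invalidDn parameters that decide what happens to it.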
Run the Member Fixer task:
To create a report of users or groups referenced in WCM items that need fixing:
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh run-wcm-admin-task-member-fixer \
    -DPortalAdminId=wpadmin \
    -DPortalAdminPwd=foo \
    -DWasUserId=wpadmin \
    -DWasPassword=foo \
    -Dlibrary=MyLibrary
If the query parameter "library" is omitted, the default library configured with the defaultLibrary property in WCM WCMConfigService service is used.
A summary of updates that will be performed can be found in...
WP_PROFILE/logs/WebSphere_Portal/SystemOut.log
If the report indicates that the update will not happen as required, change the member fixer task parameters and run the report mode again. Repeat this process until you are satisfied that the fixes will be applied correctly. This is important because the fixes made by the member fixer task when run in fix mode may not be easy to undo if incorrect fixes are applied.
If there have been changes to users and groups, update the items that reference them...
./ConfigEngine.sh run-wcm-admin-task-member-fixer \
    -DPortalAdminId=wpadmin \
    -DPortalAdminPwd=foo \
    -DWasUserId=wpadmin \
    -DWasPassword=foo \
    -Dlibrary=MyLibrary \
    -Dfix=true
If the member fixer task indicates that certain mismatched member conditions exist, append the specified parameters:
Condition: Nonexistent users or groups have alternate distinguished names available.
To correct condition:
- Update items that reference the nonexistent users or groups: -DaltDn=update
- Remove members that reference the users or groups: -DaltDn=remove
Condition: If users or groups have invalid distinguished names (DNs) the report will list these as "invalid". This means the distinguished name doesn't exist and there is no alternate distinguished name available.
To correct condition:
- Remove users and groups that have invalid distinguished names: -DinvalidDn=remove
- Update users and groups with invalid distinguished names with the portal administrator user's distinguished names: -DinvalidDn=update
Condition: Users or groups have been found with mismatched unique IDs.
To correct condition:
- Fix mismatched unique IDs: -DmismatchedId=update
- Remove users and groups with mismatched unique IDs: -DmismatchedId=remove
After the member fixer task has run, review the SystemOut.log to verify that the member fixer task ran correctly. The member fixer task may not be able to save items that fail validation, such as items that contain invalid fields. You must edit these items to make them valid and then run the member fixer task again.
Run the Member Fixer in a federated security environment
In a federated security environment with multiple realms, you can specify the realm to run the member fixer task on by adding:
-Drealm=realmName
If omitted, the default realm will be used.
The member fixer task will check whether there are any members and groups referenced in items that are under any of the base distinguished names defined for the specified realm and fix these references. References to members can only be updated with references to members in the specified realm.
Additionally, the member fixer task can be used to check whether there are any members and groups referenced in items that are not under any of the base distinguished names defined for any of the realms in the environment and fix these references. To do this, follow the same steps described above for a single realm environment and add:
-DnoRealmDn=true
In a federated security environment with multiple realms, the member fixer task should be run for each realm in turn to verify all of the references are fixed.
Preserve dates
You can preserve the last modified date of items updated by the member fixer task by adding:
-DpreserveDates=true
Otherwise the last modified date will be updated when the member fixer task is run.
Restricting which item types to fix
You can restrict which object types are processed by appending:
-DrestrictOn=ItemType
For example:
- content
- folder
- project
- style for presentation templates
- template for authoring templates
- taxonomy
- category
- SiteArea
- Workflow
- WorkflowStage
- WorkflowAction
- Cmpnt for components
You can restrict multiple object types by separating the types with a comma (,). For example, to restrict workflows and workflow stages, you can specify...
-DrestrictOn=Workflow,WorkflowStage
If not specified, all object types will be updated.
Parameters to set for large repositories
To prevent the session from timing out before the task has finished, you can append the option:
-DsessionTimeOut=timeOut
This sets the number of seconds in which the task must complete before its session times out. The default session timeout is 14,440 seconds, which is 4 hours. For large repositories you should increase this setting. For example:
-DsessionTimeOut=36000
which is 10 hours.
Examples
These options can be combined when the conditions occur at the same time. For example, if alternate DNs are available for nonexistent users and groups and there are mismatched unique IDs, you would use the following command:
./ConfigEngine.sh run-wcm-admin-task-member-fixer \
    -DPortalAdminId=wpadmin \
    -DPortalAdminPwd=foo \
    -DWasUserId=wpadmin \
    -DWasPassword=foo \
    -Dlibrary=MyLibrary \
    -Dfix=true \
    -DaltDn=update \
    -DmismatchedId=update
If there have been changes to users and groups that are within the specified realm or that are not within any realm, update the items that reference them by entering the following command:
./ConfigEngine.sh run-wcm-admin-task-member-fixer \
    -DPortalAdminId=wpadmin \
    -DPortalAdminPwd=foo \
    -DWasUserId=wpadmin \
    -DWasPassword=foo \
    -Drealm=MyRealm \
    -Dlibrary=MyLibrary \
    -Dfix=true \
    -DnoRealmDn=true