Removing Role Assignment

Private Sub RemoveRoleAssignment()
    ' Removes the "UserCreationManager" role assignment that a trustee holds
    ' on a directory object: builds an access control entry describing the
    ' assignment, removes it from the object's role-based ACL, writes the ACL
    ' back to the security descriptor and persists the change.
    '
    ' NOTE(review): a failure is reported only through the message box in the
    ' error handler; nothing is returned or logged, so a caller cannot tell
    ' that the revocation did not take effect.
    On Error GoTo errHandler

    ' The role name, server address and distinguished names below are the
    ' sample values of this example; substitute the ones for your directory.
    Const ROLE_NAME As String = "UserCreationManager"
    Const TARGET_OBJECT_PATH As String = "LDAP://172.23.0.241/OU=DhirenTest,OU=TestHierarchy,DC=drc,DC=DR,DC=com"
    Const TRUSTEE_PATH As String = "LDAP://172.23.0.241/CN=Nokia,CN=Users,DC=drc,DC=DR,DC=com"

    Dim roleStore As IRoleContainer
    Dim roleToRevoke As Role
    Dim targetSD As IRoleBasedSD
    Dim targetACL As RoleBasedACL
    Dim staleACE As RoleBasedACE
    Dim assignee As New Trustee
    Dim failureText As String

    ' The role container is the entry point for role lookups. Fetching it is
    ' described as time-expensive, so real code would ideally cache it in a
    ' global variable instead of fetching it on every call.
    Set roleStore = g_objNameSpace.GetRoleContainer

    ' Look up the role whose assignment is being removed.
    Set roleToRevoke = roleStore.GetRolesOnNames(ROLE_NAME)

    ' IRoleBasedSD is the role-based security descriptor of the directory
    ' object; role assignment and unassignment on that object go through it.
    Set targetSD = g_objNameSpace.GetRoleBasedSD(TARGET_OBJECT_PATH)

    ' The role-based ACL (a list of RoleBasedACE entries) is read from the
    ' security descriptor of the object.
    Set targetACL = targetSD.RoleBasedACL

    ' Describe the assignment to remove: the role, how it is inherited, and
    ' the trustee it was given to.
    ' NOTE(review): presumably role, inheritance flag and trustee have to
    ' match the existing assignment for RemoveACE to find it - confirm
    ' against the API documentation.
    Set staleACE = New RoleBasedACE
    With staleACE
        .Role = roleToRevoke
        .InheritanceOrAuditFlags = InheritanceFlag.kInheritanceFlagSubtree
    End With

    ' The trustee is identified by its directory path.
    assignee.Path = TRUSTEE_PATH
    staleACE.Trustee = assignee

    ' Take the entry out of the ACL and hand the modified ACL back to the
    ' security descriptor.
    targetACL.RemoveACE staleACE
    targetSD.RoleBasedACL = targetACL

    ' Persist the change. Errors such as "trustee not found" or
    ' "access denied" are raised here and land in the handler below.
    targetSD.Persist

    Exit Sub

errHandler:
    failureText = "Error removing the assignment of the UserCreationManager Role" & _
                  " Error no: " & Err.Number & _
                  " ErrorDescription: " & Err.Description
    MsgBox failureText

End Sub

 

See Also