NW IDM Role based Provisioning to AD

Former Member

Hi there!

I'm seeing an interesting issue occurring with IDM SP2 (6753-SQL-04.2008) on a SQL Server 2000 (SP) database. (Schema update: 198)

I have a job feeding new entries to the Identity Store database. The To IdentityStore pass works perfectly except for role assignment.

I pass the MSKEY of the Role using the MXREF_MX_ROLE attribute which has a privilege attached to a provisioning task that creates the user in AD. When the job is run, the users are created in the Identity Store, but not in AD. The task creating the AD user is never called and there is no entry in the job log.

I know that the AD task is ok since I disabled the MXREF_MX_ROLE attribute and attached the provisioning task to the entry type (MX_PERSON) which worked fine.

Is there something I'm missing in attaching the privilege to the role? Or could this be a bug?

Thanks,

Matt

Accepted Solutions (1)

Former Member

Hi Matt,

1. Have you configured the constants MX_PROVISIONTASK etc. for your AD repository? You can set up your scenario like in the document about the SAP Provisioning Framework.

2. For what entry / attribute exactly have you set the provisioning task which isn't called? Try to call it from MXREF_MX_ROLE if you haven't done this already.

3. Your created entries in the ToIdentityStore pass - are they persons or privileges?

4. If you assign roles to privileges: have you assigned the roles also to persons, so that the privileges can be provisioned based on the provisioning task of your repository?

5. Can you see in the monitoring component that your assignments between your entry types are correct? E.g. Priv -> Roles via MXREF_MX_ROLE. Roles -> Priv via MXMEMBER_MX_PRIVILEGE.

Best regards,

Nils

Former Member

Nils,

You raised some interesting points.

1. Have you configured the constants MX_PROVISIONTASK etc. for your AD repository? You can set up your scenario like in the document about the SAP Provisioning Framework.

No I did not, but adding in the task did not resolve the issue.

2. For what entry / attribute exactly have you set the provisioning task which isn't called? Try to call it from MXREF_MX_ROLE if you haven't done this already.

Yes, I use MXREF_MX_ROLE to assign the role.

3. Your created entries in the ToIdentityStore pass - are they persons or privileges?

The entries created are persons using the MX_PERSON entry type.

4. If you assign roles to privileges: have you assigned the roles also to persons, so that the privileges can be provisioned based on the provisioning task of your repository?

Yes, as mentioned above, using MXREF_MX_ROLE.

5. Can you see in the monitoring component that your assignments between your entry types are correct? E.g. Priv -> Roles via MXREF_MX_ROLE. Roles -> Priv via MXMEMBER_MX_PRIVILEGE.

The privilege is indeed referenced in the role when looking through Monitoring.

Any other thoughts? This one is just plain stumping me.

Former Member

Hi Matt,

5. Please have a look at all assignments between Role, Privileges and Person, also the other way round, if you haven't done this already. Perhaps one assignment is only a one-way mxref, e.g. without the mxmember.

Have a look in the monitoring component for the task which should execute your job. You could also put a dummy job in the task before your other job is called, to see where it stops.

Best regards,

Nils
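As an added example (not code from the thread or from SAP), the two checks Nils describes above, run over a constructed snapshot of identity-store attribute rows: whether every MXREF_* link has its MXMEMBER_* back-link, and which privileges a person actually reaches through roles. Assumptions: the sample rows, the rule that the back-link of an MXREF_* on an entry of type T is MXMEMBER_T on the target, and that privileges resolve through the role's MXMEMBER_MX_PRIVILEGE.

```python
from collections import defaultdict

# Constructed sample rows (mskey, attribute, value); MXREF_* values are the
# target entry's MSKEY as a string. Privilege 31 is linked one way only.
ROWS = [
    (1,  "MSKEYVALUE", "MATT"),            (1,  "MX_ENTRYTYPE", "MX_PERSON"),
    (1,  "MXREF_MX_ROLE", "20"),
    (20, "MSKEYVALUE", "ROLE:AD_USER"),    (20, "MX_ENTRYTYPE", "MX_ROLE"),
    (20, "MXMEMBER_MX_PERSON", "1"),       (20, "MXMEMBER_MX_PRIVILEGE", "30"),
    (30, "MSKEYVALUE", "PRIV:AD:ACCOUNT"), (30, "MX_ENTRYTYPE", "MX_PRIVILEGE"),
    (30, "MXREF_MX_ROLE", "20"),
    (31, "MSKEYVALUE", "PRIV:AD:GROUP_X"), (31, "MX_ENTRYTYPE", "MX_PRIVILEGE"),
    (31, "MXREF_MX_ROLE", "20"),  # no MXMEMBER_MX_PRIVILEGE "31" on role 20
]

def load(rows):
    """Group rows into {mskey: {attribute: set(values)}}."""
    entries = defaultdict(lambda: defaultdict(set))
    for mskey, attr, value in rows:
        entries[mskey][attr].add(value)
    return entries

def entry_type(entries, mskey):
    return next(iter(entries[mskey].get("MX_ENTRYTYPE", {"UNKNOWN"})))

def find_one_way_links(entries):
    """(source, attribute, target, missing back-link attribute) for every
    MXREF_* link whose target lacks MXMEMBER_<source type> pointing back.
    Assumed rule, modelled on Nils's checklist, not an IDM API."""
    broken = []
    for src, attrs in entries.items():
        back_attr = "MXMEMBER_" + entry_type(entries, src)
        for attr, values in attrs.items():
            if not attr.startswith("MXREF_"):
                continue
            for target in values:
                if str(src) not in entries.get(int(target), {}).get(back_attr, set()):
                    broken.append((src, attr, int(target), back_attr))
    return sorted(broken)

def effective_privileges(entries, person):
    """MSKEYVALUEs of privileges reached via the person's roles, following
    the role's MXMEMBER_MX_PRIVILEGE back-links (assumed resolution path)."""
    privs = set()
    for role in entries[person].get("MXREF_MX_ROLE", set()):
        for priv in entries[int(role)].get("MXMEMBER_MX_PRIVILEGE", set()):
            privs |= entries[int(priv)].get("MSKEYVALUE", set())
    return privs
```

Privilege 31 is reported as a one-way link and is missing from the person's effective privileges, which is the situation in which no provisioning task for it would fire.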

Former Member

Hi Matt,

I once had a similar problem. However, that caused an error message in the job.

What helped was to run one to-id-store pass creating the person's account and another pass assigning the role.

Writing this, I just have to ask if the role is assigned correctly to the user in the ID store?

And does the privilege show up in the MX_Autoprofile attribute?

Edited by: Thomas P. Felder on Oct 13, 2008 2:52 PM

Former Member

Thomas,

Yes, the auto attribute is populated.

I can see that possible solution as working. Not sure why, but it certainly feels right. I'll let you know what happens.

Answers (1)

Former Member

Nils,

Checked those out, thanks.

Former Member

Matt,

Were you able to resolve this? We've had similar issues at times.

Two things jumped out at me from your initial description:

First, we were attempting the same thing you are talking about when we began implementation, assigning the role on the 'To Identity Store' pass. This became problematic, and when we discussed it with some of the SAP folks they said it's best practice not to provision in a pass if you can avoid it.

We ended up building several entry reference attributes to mx_role and using them for a variety of purposes. We pass in position based roles from the HR feed to an attribute called 'hr_feed_role', for example, and the user goes through a role assignment ordered group to see if the user is active, etc before copying the value from hr_feed_role to mxref_mx_role.

This also allows us to 'approve' new users outside of the HR feed (our organization doesn't put non-employees in SAP HR) before granting their access.

There are a number of other benefits but I won't bore you.

Another tip we picked up is to avoid using the mskey whenever possible. Why? Because if you move the job or task to another environment it won't work anymore - the mskeys will have changed. I now use the mskeyvalue like this: <%mskeyvalue%> - a format which you provided to us, if you recall.

Back to the issue of the AD provisioning task not triggering, one thing I didn't see mentioned is did you check the privilege itself to make sure the repository is set correctly on it?

Hope you got it working.

-G

Former Member

I did eventually get this working, but I actually don't recall how I fixed it. I know I tweaked something in the relationship between the role and the privilege, but I do not recall what...