on 07-07-2009 8:19 AM
Experts,
I'm looking for the best way to initiate a termination request in IDM while an employee is marked as terminated/retired in HCM.
While extracting HR data to VDS, is it ok to mark to delete all persons with status not equal to 3, and provide the separation task on deletion of entry type MX_HCM_EMPLOYEE?
I would appreciate it if you could share your experience on this.
Thanks,
Biju.
Biju,
We don't use HCM/VDS - we have a custom feed that our SAP HR Support team has produced and we read this into the identity center to manage employee access in IdM.
Having said that, we are relying on the status field like you are - we use the text field instead of the numeric code but otherwise there is really no difference.
Here is our flow in a nutshell:
We read in HR data related to user access in a To Identity Store pass that includes an attribute called 'HR_EVENT'. This attribute is excluded from the Delta which we have enabled for this pass. The attribute value is the system parameter for current date/time, and the attribute has an event trigger on add or modify that routes a user to a Role Assignment ordered group.
As an alternative - you can assign the HR_EVENT attribute with a time to live of one minute and set the event trigger to delete - the advantage is you 'clean up' this attribute from the user record, the disadvantage is that you lose the time stamp that could be helpful to tell you the last time something changed on the user in the HR feed.
To continue, the Role Assignment ordered group (obviously you can call this whatever you want) can then have one or more conditional tasks that look at the user's status and other business logic you may need. So for instance, the first conditional task says:
select distinct count(*) from mxiv_sentries
where mskey = %MSKEY%
and mskey in
(select distinct mskey from mxiv_sentries
where attrname = 'hr_status' and searchvalue = '3')
If the statement returns True the user is active and can be handled however you like in that case. If the statement returns False we set MX_Disabled to 0, copy MXREF_MX_ROLE to an attribute called ARCHIVE_ROLES and then blank MXREF_MX_ROLE which deprovisions the user.
Note: You may want to leave some access on an Inactive user depending on how your organization uses this status - for us we leave a role on Inactive users that allows them to access email.
Hope this helps.
-Geoff
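An added reconciliation check for the flow described above (example code, not from the thread or from SAP): once the deprovisioning task has run, no user whose hr_status is anything other than '3' should still hold MXREF_MX_ROLE entries, apart from roles left on purpose such as the email role mentioned in the note. The SQLite table is a constructed stand-in with only the mskey, attrname and searchvalue columns named in the post; the role names, the non-'3' status values and the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows standing in for the mxiv_sentries view.
# Status '3' means active (as in the post); '0' and '1' are made-up values.
ROWS = [
    (101, "hr_status", "3"), (101, "MXREF_MX_ROLE", "ROLE_FINANCE"),
    (102, "hr_status", "0"), (102, "ARCHIVE_ROLES", "ROLE_SALES"),
    (103, "hr_status", "0"), (103, "MXREF_MX_ROLE", "ROLE_HR_ADMIN"),
    (104, "hr_status", "1"), (104, "MXREF_MX_ROLE", "ROLE_EMAIL"),
    (105, "MXREF_MX_ROLE", "ROLE_BASIS"),  # no hr_status row at all
]

# Role rows owned by an mskey that has no active ('3') status row.
# NOT EXISTS also catches users with no hr_status entry.
AUDIT_SQL = """
SELECT r.mskey, r.searchvalue
FROM mxiv_sentries r
WHERE r.attrname = 'MXREF_MX_ROLE'
  {retained_clause}
  AND NOT EXISTS (SELECT 1 FROM mxiv_sentries s
                  WHERE s.mskey = r.mskey
                    AND s.attrname = 'hr_status'
                    AND s.searchvalue = '3')
ORDER BY r.mskey, r.searchvalue
"""


def build_sample():
    """Create the in-memory stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mxiv_sentries (mskey INTEGER, attrname TEXT, searchvalue TEXT)"
    )
    conn.executemany("INSERT INTO mxiv_sentries VALUES (?, ?, ?)", ROWS)
    return conn


def find_stale_roles(conn, retained_roles=()):
    """Return (mskey, role) pairs still assigned to non-active users.

    retained_roles lists roles that are intentionally left on inactive users.
    """
    retained = list(retained_roles)
    clause = ""
    if retained:  # bind values as parameters, never by string concatenation
        clause = "AND r.searchvalue NOT IN (%s)" % ",".join("?" * len(retained))
    sql = AUDIT_SQL.format(retained_clause=clause)
    return conn.execute(sql, retained).fetchall()
```

Any row this returns is access that survived the HR status change, which is the case the conditional task is meant to prevent.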
Biju,
Using HCM/VDS is fine - you'll still get the status from that feed the same as we do for our custom feed, then just use the process I described in IdM to deprovision the user on target systems.
To my knowledge, there is no documentation on database schema at this time - just get to know mxiv_sentries and that view can help you through most anything.
-G
Geoff,
Check out this document:
Hope it helps,
Matt
Geoff,
I guess I see what you mean, although there is a reason the DB schema itself is not distributed, and that is to protect you and your installation if you know what I mean.
When trying to understand the relationships between the tables and whatnot, I've found the MSSQL Database Diagram tool a good place to start. Then if you can get it printed out on a large printer or plotter it makes an informative and decorative cubicle hanging.
I know this tool is in MSSQL 2000, if it's not in 2005 there are applications out there that will create these diagrams as well but they can be expensive.
Cheers,
Matt