Inactivating users by setting the MX_INACTIVATE attribute

Former Member
0 Kudos

Hello there

In the documentation for the Identity Store schema it is written: "Setting an entry to inactive has the same effect as deleting it, i.e. the attribute triggers the deprovisioning task for all target systems of the identity. Depending on the type of a specific target system, the de-provisioning task deletes or locks the user account."

When looking into the deprovisioning tasks in the SAP provisioning framework it however looks like accounts are deleted both in the ABAP and in the Java deprovisioning task.

I would have expected a standard implementation of an ABAP deprovisioning task to do the following:

- Set the user's user group to INACTIVE
- Set validity date to expired
- Remove roles associated with the user
- Lock the user

I don't particularly like deleting user accounts in target systems. Do I have to write my own deprovisioning task to address this issue?

Best regards,

Anders

Accepted Solutions (1)

Former Member
0 Kudos

Hi Anders,

What you actually want to do is use MX_DISABLED to lock accounts. MX_INACTIVE will kick off the deletion. I know the documentation is somewhat thin in these areas but we have gotten the lock and delete process on the target systems to work fairly well with IDM 7.1 sp3. Just remember, set MX_DISABLED or MX_INACTIVE=1 to turn them on. To get rid of these attributes you need to set them to .

Good luck,

Scott

Former Member
0 Kudos

Hello Scott

I am just a little bit concerned about the MX_INACTIVE triggering a delete of the user in the target system. What happens to the logs of user activity etc. in the target systems once the user is deleted? Is it still possible to get relevant audit information from transaction SUIM in ERP when the users are deleted?

Best regards,

Anders

Former Member
0 Kudos

Hi Anders,

Keep in mind that you don't have to set MX_INACTIVE if you don't want to. You can just set MX_DISABLED and keep terminated, locked accounts out there indefinitely. If you do decide to delete the accounts on the SAP system then you should be able to get to the logs, but I would test this in your dev environment just to be sure.

Scott

Answers (0)