
Valid to and Valid from dates not appearing on screen.

Former Member
0 Kudos

Anyone use the Valid From field when adding a privilege to a user? I am trying to time delimit a privilege.

When I add a privilege with a 'valid to' and 'valid from' date to a user and save the change, the valid from date disappears. The change/display screen will then display the 'valid to' date, but the 'from' field is blank.

Where is this one stored in the schema and also which job is running at midnight to remove all privileges that have expired (i.e. 'valid to' date has passed)?

We are on SAP id 7.1 sp3

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hi Guys,

I can update the validto date on a privilege for a certain user using the UI.

Is there a way to do it in a task in Identity Center?

What field of what table holds this relationship (user/privilege/validto)?

I changed validto in the UI and went to SQL Server and tried to find modified tables and it returned 0 modified tables.

Any idea?

Thanks in advance

paul_abrahamson_sap
Active Participant
0 Kudos

Via the UI:

Select the assigned privilege in the list on the right, then expand the details box below the table of privileges. This should expose the Valid From and Valid To dates.

Via a Task:

In the To Identity Store pass, map

MXREF_MX_PRIVILEGE {VALIDFROM=YYYY-MM-DDTHH:MM:SS!!VALIDTO=YYYY-MM-DDTHH:MM:SS}<PRIV:name>

The times are optional; if you omit the THH:MM:SS part, it defaults to 00:00:00 for valid from and 23:59:59 for valid to.

In 7.1 the user privilege assignment is stored in the MXI_VALUES table. The valid to is stored in the field ExpiryTime.

View MXIV_SENTRIES will let you search using attrname instead of attr_id. You'll need to find the record which matches the mskey of the Identity and attrname = MXREF_MX_PRIVILEGE or MX_AUTOPRIVILEGE (if the privilege is inherited).

If the valid from is in the past, I think the only way you'd find it is either the modifytime attribute or looking in the audit tables?

If the valid from is in the future, the attribute value will actually be stored in a pending value object in MXI_VALUES table. This gets a bit more tricky to relate back to the ID. See the help file for Attribute validity and Pending value objects.

I hope this helps

Paul
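
The mapping value described in the answer above, as an added example that is not part of the original thread and not SAP code. It is standalone JavaScript; the helper names, the sample privilege name and the pending/active/expired labels are assumptions made for illustration, and the name is inserted after `PRIV:` exactly as in the template above.

```javascript
// Added example (not SAP code). Builds and parses the value format from the post:
// {VALIDFROM=YYYY-MM-DDTHH:MM:SS!!VALIDTO=YYYY-MM-DDTHH:MM:SS}<PRIV:name>
const STAMP = /^(\d{4})-(\d{2})-(\d{2})(?:T(\d{2}):(\d{2}):(\d{2}))?$/;

// Expand a date or date-time to a full timestamp, applying the stated default time.
function normalizeStamp(value, defaultTime) {
  const m = STAMP.exec(value);
  if (!m) throw new Error("Bad timestamp: " + value);
  const [, y, mo, d, h, mi, s] = m;
  // Reject impossible calendar dates such as 2010-02-30.
  const probe = new Date(Date.UTC(+y, +mo - 1, +d));
  if (probe.getUTCFullYear() !== +y || probe.getUTCMonth() !== +mo - 1 || probe.getUTCDate() !== +d)
    throw new Error("Bad calendar date: " + value);
  if (h !== undefined && (+h > 23 || +mi > 59 || +s > 59)) throw new Error("Bad time: " + value);
  return h === undefined ? `${y}-${mo}-${d}T${defaultTime}` : value;
}

// Build the mapping value for a time-limited assignment (hypothetical helper).
function buildTimedPrivilege(privName, validFrom, validTo) {
  if (!/^[^<>{}!]+$/.test(privName)) throw new Error("Bad privilege name");
  const from = normalizeStamp(validFrom, "00:00:00");
  const to = normalizeStamp(validTo, "23:59:59");
  // Fixed-width ISO timestamps compare correctly as plain strings.
  if (to <= from) throw new Error("VALIDTO must be after VALIDFROM");
  return `{VALIDFROM=${from}!!VALIDTO=${to}}<PRIV:${privName}>`;
}

// Parse a mapping value back into its effective window, e.g. for an access review.
function parseTimedPrivilege(value) {
  const m = /^\{VALIDFROM=([^!}]+)!!VALIDTO=([^!}]+)\}<PRIV:([^<>]+)>$/.exec(value);
  if (!m) throw new Error("Unrecognized value: " + value);
  return {
    privilege: m[3],
    validFrom: normalizeStamp(m[1], "00:00:00"),
    validTo: normalizeStamp(m[2], "23:59:59"),
  };
}

// Classify a window at a given timestamp: not yet valid, in force, or past its end.
function windowState(win, now) {
  const t = normalizeStamp(now, "00:00:00");
  if (t < win.validFrom) return "pending";
  return t > win.validTo ? "expired" : "active";
}

// Constructed sample: privilege name and dates are made up for illustration.
const sample = buildTimedPrivilege("ABAP:ROLE:Z_DISPLAY", "2010-12-04", "2010-12-07");
console.log(sample, windowState(parseTimedPrivilege(sample), "2010-12-01T14:20:00"));
```
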

Former Member
0 Kudos

Hi All,

I am trying to use the validfrom and validto when assigning privileges.

Even with a validfrom future date, it disappears.

Any idea how this works?

Thanks

Former Member
0 Kudos

Thanks for the ideas, I'll keep looking a bit deeper.

Here's an example of what I am finding:

Add prior date profile.

Add profile to user from date -3 and end date +3 days from now

Screen shows correct profile and to and from dates in right hand column

Save changes and screen refreshes and shows correct to and from date

Check SU01 and it shows role is valid from today until 31.12.9999

Do 'display identity' or 'Change identity' in IDM and it only shows a date in the 'Valid to' column

Add future date profile

Delete previous profile and check user is deleted from SU01

Add profile with user from date +3 and to date +6 days from now

Screen shows correct profile and to and from dates in right hand column

Save changes and screen refreshes and shows correct to and from date

Check SU01 and it shows no user created

Do 'display identity' or 'Change identity' in IDM and it now shows a date in the 'Valid from' and 'Valid to' column

So all looks good.

Next question is how to delete a future date privilege!

Go into change user, click on the future dated privilege and the delete button isn't available. You have to change the 'to date' to be in the past and save the screen before you can delete the privilege. I guess I can live with that.

Thanks for your help

Former Member
0 Kudos

Hello,

The table "mxi_objectclass_attributes" decides whether the attribute has a valid to, valid from and a reason.

There must be some scheduled job in the Job folder which checks for the privilege END date and removes those privileges from a user.

thomas_groth2
Explorer
0 Kudos

Hello,

I think this valid-from disappears when it is set in the past or the actual day. Then the provisioning starts right away. If you enter a future date it should not disappear (until the provisioning starts).

As far as I know there is no Job in the Job folder. The valid-to date also includes a time, e.g. 01.12.2010 23:59:59. When that time is reached the de-provisioning starts automatically.

Best regards,

Thomas

Edited by: Thomas Groth on Dec 1, 2010 2:20 PM