on 12-01-2010 11:05 AM
Anyone use the Valid From field when adding a privilege to a user? I am trying to time delimit a privilege.
When I add a privilege with a 'valid to' and 'valid from' date to a user and save the change, the valid from date disappears. The change/display screen will then display the 'valid to' date, but the 'from' field is blank.
Where is this one stored in the schema and also which job is running at midnight to remove all privileges that have expired (i.e. 'valid to' date has passed)?
We are on SAP id 7.1 sp3
Hi Guys,
I can update validto date on a privilege for a certain user using UI
Is there a way to do it in a task in identity center?
What field of what table holds this relationship(user/privilege/validto)?
I changed validto in UI and went to SQL server and tried to find modified tables and it returned 0 modified tables.
Any idea?
Thanks in advance
Via the UI:
Select the assigned privilege in the list on the right, then expand the details box below the table of privileges. This should expose the Valid From and Valid To dates.
Via a Task
In the To Identity Store pass, map
MXREF_MX_PRIVILEGE {VALIDFROM=YYYY-MM-DDTHH:MM:SS!!VALIDTO=YYYY-MM-DDTHH:MM:SS}<PRIV:name>
The times are optional; if you omit the THH:MM:SS part it defaults to 00:00:00 for valid from and 23:59:59 for valid to.
In 7.1 the user privilege assignment is stored in MXI_VALUES table. The valid to is stored in the field ExpiryTime.
View MXIV_SENTRIES will let you search using attrname instead of attr_id. You'll need to find the record which matches the mskey of the Identity and attrname = MXREF_MX_PRIVILEGE or MX_AUTOPRIVILEGE (if the privilege is inherited).
If the valid from is in the past, I think the only way you'd find it is either the modifytime attribute or looking in the audit tables?
If the valid from is in the future, the attribute value will actually be stored in a pending value object in MXI_VALUES table. This gets a bit more tricky to relate back to the ID. See the help file for Attribute validity and Pending value objects.
I hope this helps
Paul
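Added example (not part of the answer above and not SAP code): a JavaScript helper that builds the value mapped to MXREF_MX_PRIVILEGE in the format Paul gives, applies the default times he states, and rejects an inverted validity window. The function names, the privilege name TEMP_AUDIT_ACCESS, the delimiter check on the name, and the pending/active/expired labels (taken from how the replies in this thread describe the behaviour) are assumptions for illustration.

```javascript
// Added example; function names are hypothetical, not SAP IdM APIs.
const STAMP = /^(\d{4})-(\d{2})-(\d{2})(?:T(\d{2}):(\d{2}):(\d{2}))?$/;

// Expand a date to a full timestamp, using the default time the answer
// describes when the THH:MM:SS part is omitted.
function normalizeStamp(value, defaultTime) {
  const m = STAMP.exec(value);
  if (!m) throw new Error("expected YYYY-MM-DD[THH:MM:SS]: " + value);
  const full = m[4] === undefined ? value + "T" + defaultTime : value;
  // Round-trip through Date to reject impossible values such as 2010-02-30.
  const parsed = new Date(full + "Z");
  if (isNaN(parsed) || parsed.toISOString().slice(0, 19) !== full) {
    throw new Error("not a real calendar date/time: " + value);
  }
  return full;
}

// Build the value mapped to MXREF_MX_PRIVILEGE in a To Identity Store pass.
function buildPrivilegeValue(privName, validFrom, validTo) {
  // Assumption: refuse names containing the mapping's own delimiters.
  if (!/^[^<>{}!]+$/.test(privName)) throw new Error("bad privilege name");
  const from = normalizeStamp(validFrom, "00:00:00");
  const to = normalizeStamp(validTo, "23:59:59");
  // Fixed-width timestamps compare correctly as plain strings.
  if (from > to) throw new Error("VALIDFROM is after VALIDTO");
  return "{VALIDFROM=" + from + "!!VALIDTO=" + to + "}<PRIV:" + privName + ">";
}

// Where the thread says to expect the assignment at a given moment.
// `now` uses the same wall-clock format as the validity dates.
function windowState(validFrom, validTo, now) {
  const from = normalizeStamp(validFrom, "00:00:00");
  const to = normalizeStamp(validTo, "23:59:59");
  const at = normalizeStamp(now, "00:00:00");
  if (at < from) return "pending"; // future valid-from: pending value object
  if (at > to) return "expired";   // valid-to has passed: de-provisioning
  return "active";                 // inside the window: provisioned
}

// Constructed sample: a three-day grant starting 2010-12-04.
console.log(buildPrivilegeValue("TEMP_AUDIT_ACCESS", "2010-12-04", "2010-12-07"));
console.log(windowState("2010-12-04", "2010-12-07", "2010-12-01T11:05:00"));
```
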
Hi All,
I am trying to use the validfrom and validto when assigning privileges.
Even with a validfrom future date, it disappears.
Any idea how this works?
Thanks
Thanks for the ideas, I'll keep looking a bit deeper.
Here's an example of what I am finding:
Add prior date profile.
Add profile to user from date -3 and end date +3 days from now
Screen shows correct profile and to and from dates in right hand column
Save changes and screen refreshes and shows correct to and from date
Check SU01 and it shows role is valid from today until 31.12.9999
Do 'display identity' or 'Change identity' in IDM and it only shows a date in the 'Valid to' column
Add future date profile
Delete previous profile and check user is deleted from SU01
Add profile with user from date +3 and to date +6 days from now
Screen shows correct profile and to and from dates in right hand column
Save changes and screen refreshes and shows correct to and from date
Check SU01 and it shows no user created
Do 'display identity' or 'Change identity' in IDM and it now shows a date in the 'Valid from' and 'Valid to' column
So all looks good.
Next question is how to delete a future date privilege!
Go into change user, click on the future dated privilege and the delete button isn't available. You have to change the 'to date' to be in the past and save the screen before you can delete the privilege. I guess I can live with that.
Thanks for your help
Hello,
The table "mxi_objectclass_attributes" decides whether the attribute has a valid to, valid from and a reason.
There must be some scheduled job in the Job folder which checks for the privilege END date and removes those privileges from a user.
Hello,
I think this valid-from disappears when it is set in the past or the actual day. Then the provisioning starts right away. If you enter a future date it should not disappear (until the provisioning starts).
As far as I know there is no Job in the Job folder. The valid-to date also includes a time, e.g. 01.12.2010 23:59:59. When that time is reached the de-provisioning starts automatically.
Best regards,
Thomas
Edited by: Thomas Groth on Dec 1, 2010 2:20 PM