on 06-16-2011 4:46 PM
We loaded our SAP composite roles into the identity center and assigned them as privileges to the corresponding business roles we created. My understanding is that we should be able to just assign the business role, which has the composite role assigned as a privilege, to the person and then it should provision to ABAP. Problem is, it doesn't provision unless I enter both the business role and the privilege when I assign the role to the person. It's as if the privilege is not being provisioned with the business role, but when I display the business role, the privilege (composite role) is there. Does anyone know what could be causing this? Thanks,
Lori
Thanks everyone for all of your help.
One more question.
Please verify that the role contains the mskey of the privilege in the MXMEMBER_MX_PRIVILEGE attribute of the role.
We found that we had related problems with auto-privileges (i.e. those which are assigned via the role members attribute) not being properly removed when removing a business role. It turned out to be a bug in IdM 7.1 SP5 and we're awaiting a fix for it in SP6. However, a workaround is to run the reconcile job, which forces the removal of the linked privileges.
You might want to check if you have any entries in the mxiv_dirty_mskeys view. If you do, there's a standard job wizard which you can use to create a job to reconcile these dirty entries. When you run the job wizard it can be found under the following folder: Identity Center > Jobs > Reconciliation > Reconcile dirty entries.
Paul
Hi Paul,
When you assign a privilege to a role in the UI, it appears that it shows up in the Roles tab for the privilege in the MMC, and it doesn't provision. If I remove the role from the Roles tab and enter it in the Role Members tab, it then provisions. So how exactly do I get the roles to show up in the Role Members tab when I assign a privilege in the UI? I think I must not have the attributes set correctly for MX_ROLE and MX_PRIVILEGE. Can you tell me exactly what attributes I need? Thanks so much for your help.
Lori
We set up our role and privilege metadata in the Identity Centre (MMC).
We assigned the role to the privilege by editing the privilege and adding the role in the Role Members tab.

Example ROLE
  General: ROLE:CFS:USER
  Display Name: CFS Service
  Description: (empty)
  Visibility: Default
  Membership: Default
  Assigned To: Default
  Member Events: Default
  Role Privileges: Default
  Member Privileges: (to be linked following Privilege Initial Load)
  Mutual Exclusions: Default
  Parent Roles: None

Example PRIVILEGE
  General: PRIV:CFS:ACCOUNT
  Display Name: CFS Account
  Description: Controls provisioning of CFS Account
  Repository: CFS
  Member Events: Default
  Tasks
    Provisioning Task: None/Inherited
    Deprovisioning Task: None/Inherited
    Modify Task: None (NB: change this to None to prevent duplicate modify tasks)
  Master Privilege: Default
  Visibility
    Owner Entries: ROLE:CFS:USER
    Entry visibility: Owner only
    Member visibility: All
  Roles: None
  Role Members: ROLE:CFS:USER
Setting the Entry Visibility to Owner Only and assigning the role as the owner of the privilege means that the privilege can't be added to the user in the UI; only the Role can be added.
When the Role is added to the user in the UI, the user gets the MX_AUTOPRIVILEGE attributes for all the privileges which have the role in their respective Role Members list.
I hope this helps
Paul
Furthermore, did you edit the MX_ROLE and MX_PRIVILEGE Entry Types since the initial installation, i.e. remove the standard 'Allow' flags for any attributes of a role or privilege?
If you create a dummy new identity store you'll be able to see the default attributes which are assigned to each entry type in the entry type attribute list.
Compare these to your entry types in the enterprise identity store and if they're missing any, perhaps try and 'Allow' them back in. I would however be a little concerned about the integrity of these standard entry types if they've been changed.
P.S. I wouldn't recommend adding the dummy id store to your 'clean' development / test / live environments. If you've got a sandpit environment to do this in, it would be better, as creating an IdStore creates a lot of metadata which may not be so easy to clean up afterwards.
Edited by: Paul Abrahamson on Jun 23, 2011 4:56 PM
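Added example, not from this thread or from SAP: a small consistency check that models the state Paul's two posts describe (a role linking its privileges via MXMEMBER_MX_PRIVILEGE, a person receiving MX_AUTOPRIVILEGE for each linked privilege, and "dirty" persons whose auto-privileges no longer match their roles, as with the SP5 removal bug). The rows are constructed (mskey, attrname, avalue) tuples, and the MXREF_MX_ROLE attribute for a person's role assignments is an assumption; the real mxiv_dirty_mskeys view is maintained by IdM itself, so this only illustrates what the reconcile job has to repair.

```python
from collections import defaultdict

# Constructed sample: role 100 (ROLE:CFS:USER) links privilege 200 (PRIV:CFS:ACCOUNT)
# through MXMEMBER_MX_PRIVILEGE; person 300 holds the role but has no auto-privilege
# yet, person 301 keeps a stale auto-privilege for a role it no longer holds.
# MXREF_MX_ROLE as the person-side role assignment is an assumption, not from the thread.
ROWS = [
    (100, "MSKEYVALUE", "ROLE:CFS:USER"),
    (100, "MXMEMBER_MX_PRIVILEGE", "200"),
    (200, "MSKEYVALUE", "PRIV:CFS:ACCOUNT"),
    (300, "MSKEYVALUE", "LORI"),
    (300, "MXREF_MX_ROLE", "100"),
    (301, "MSKEYVALUE", "PAUL"),
    (301, "MX_AUTOPRIVILEGE", "200"),
]


def load(rows):
    """Group attribute values per entry: {mskey: {attrname: {avalue, ...}}}."""
    entries = defaultdict(lambda: defaultdict(set))
    for mskey, attrname, avalue in rows:
        entries[mskey][attrname].add(avalue)
    return entries


def expected_auto_privileges(entries, person):
    """Privileges a person should hold through the roles assigned to them."""
    expected = set()
    for role in entries[person].get("MXREF_MX_ROLE", ()):
        role_attrs = entries.get(int(role), {})
        expected |= role_attrs.get("MXMEMBER_MX_PRIVILEGE", set())
    return expected


def dirty_entries(rows):
    """Return {mskey: (missing, stale)} for persons whose MX_AUTOPRIVILEGE
    disagrees with their role assignments; an empty dict means nothing to reconcile."""
    entries = load(rows)
    report = {}
    for mskey, attrs in list(entries.items()):
        if "MXREF_MX_ROLE" not in attrs and "MX_AUTOPRIVILEGE" not in attrs:
            continue  # roles and privileges themselves are not checked here
        expected = expected_auto_privileges(entries, mskey)
        actual = attrs.get("MX_AUTOPRIVILEGE", set())
        missing, stale = expected - actual, actual - expected
        if missing or stale:
            report[mskey] = (sorted(missing), sorted(stale))
    return report


if __name__ == "__main__":
    for mskey, (missing, stale) in dirty_entries(ROWS).items():
        print(mskey, "missing:", missing, "stale:", stale)
```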
Thanks Paul. So is it better to assign the role to the privilege in the MMC than to assign the privilege to the role in the UI? I thought that you could do it either way, and that the UI would be the easier way. But it seems to work well the way you described. Do you only use the UI for assigning the roles to a person?
Lori