
Roles/Privileges provisioning to unrelated systems

Former Member
0 Kudos

Hello IDM Gurus,

I set up an IDC config and connected it to 3 SAP target systems, say A, B and C. Each of the repositories/target systems have linked up to default provisioning/deprovisioning/modify tasks from the SAP provisioning framework. I have imported privileges from each of these systems; I have contained a basic user privilege from each target system within its own simple role through the role members section of each privilege. Provisioning the role related to a specific system should ideally provision to only the related system; instead I'm encountering the weird error of provisioning Role A (containing privilege A) to a user but instead of just provisioning to system A, the user gets provisioned to systems A, B and C. This made absolutely no sense to me, so I went through and checked to see if there were any rogue links between the other privileges and roles, but there were none. I tried to simplify things and tried provisioning just the privilege directly to the user and it did the same thing; provisioning privilege A to a user ends up automatically provisioning the user to system A, B and C.

Are the repositories messed up? Should they be created from scratch?

I'm stumped; any ideas/suggestions?

I would appreciate any help with the issue! Thanks in advance!

Best regards,

Sandeep

Accepted Solutions (0)

Answers (1)

paul_abrahamson_sap
Active Participant
0 Kudos

In IdM 7.1, adding a privilege causes the ModifyUser task to run, which then triggers a modify chain to all repositories which a user has privileges in. So by adding privilege C to a user, a modify event is also triggered for privs A and B.

If the 'Modify' event task on Privileges A and B is set to -Inherited/None-, this means it will trigger the repository's modify task for the privileges. The fix is to set the modify task on the privileges to -None- (if you're using a To ID Store pass for this, set the MX_MODIFYTASK to -1) on the MX_PRIVILEGE entries for these privileges. You can also alter the initial load job which creates these privileges to set this to -1.

I hope this helps

Paul

Former Member
0 Kudos

Thanks a lot for your quick response Paul!

I checked the privileges as well as the initial load jobs and the privileges are set to Inherited/None for Provision and Deprovision and already set to None for the Modify task; this is happening as you suggested through our initial load jobs which set the Modify Task to -1. Unfortunately, adding a privilege still seems to be triggering the other systems' provisioning tasks as well; add the privilege for system A and the "Group System Provisioning" task kicks off and fires all 3 systems' provisioning tasks.

Is there any other property on the privileges or repository that I should be checking or fixing in order to prevent this behavior? Or is there anything else that I haven't thought of checking that could be causing this behavior?

I would really appreciate any ideas/suggestions.

Thanks much for your time and help!

Cheers!

Sandeep