on 12-05-2012 3:16 PM
Hi,
I’m trying to restrict the access IDM will have to the SAP systems. I’d like to introduce a role that will only allow IDMJCO to edit dialog users. I’m looking at the S_USER * authorisation objects but can’t see an option to restrict access by user type. I can only see an option to restrict by user groups.
Are you aware of an authorisation object/role I could use?
The background to this is we had a situation where IDM edited all background/service/communication users in our test environment. If the same issue happened in Production we would have had a massive outage and I'd be looking for a new job. We want to try to mitigate against such an issue again by restricting IDM's access to dialog users only.
rgds
Jim
Hi Jim
I've never done it in HCM but I regularly implement user filtering in IDM using regular expressions and a rabid insistence on naming conventions.
You can implement a global constant regex that matches your users' naming standard and using a global script, apply the filter to all 'load' jobs. You can then also modify the provisioning tasks to include a conditional switch to match the user ID to the regex. If necessary you can use this to stop all but users getting into the system (which may satisfy your needs).
You can of course check the MX_USERTYPE before performing any updates to also ensure that the user is a dialog user before updating the data which will probably satisfy given the security policy you're trying to implement. Just add a conditional to the 'Modify' tasks with:
SELECT searchvalue FROM idmv_value_basic_active WHERE attrname='MX_USERTYPE' and mskey=%mskey%
Then have case 'A' and case Else.
Peter
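The two checks from the reply above (naming-convention regex plus MX_USERTYPE equal to 'A') combined into one fail-closed guard, as an added example that is not part of the original thread or of SAP's code. The ID pattern, the function names and the sample entries are assumptions made for illustration; in IDM the user type would come from the query shown in the post.

```javascript
// Hypothetical naming convention for dialog accounts (assumption, not from the thread):
// one capital letter followed by six digits, e.g. "J123456".
const DIALOG_ID_PATTERN = /^[A-Z][0-9]{6}$/;

// SAP user type codes: A = dialog, B = system, C = communication, S = service, L = reference.
const DIALOG_TYPE = "A";

// Decide whether a modify task may touch this entry.
// userId: the account name; userType: the MX_USERTYPE value read for the entry.
// Fails closed: anything that is not clearly a dialog user is skipped.
function checkModifyAllowed(userId, userType) {
  if (typeof userId !== "string" || !DIALOG_ID_PATTERN.test(userId)) {
    return { allowed: false, reason: "id does not match dialog naming convention" };
  }
  const type = typeof userType === "string" ? userType.trim() : "";
  if (type === "") {
    return { allowed: false, reason: "user type missing" };
  }
  if (type !== DIALOG_TYPE) {
    return { allowed: false, reason: "user type " + type + " is not dialog" };
  }
  return { allowed: true, reason: "dialog user" };
}

// Dry run over a load set: list what would be modified and what would be skipped, with reasons.
function dryRun(entries) {
  const result = { modify: [], skip: [] };
  for (const e of entries) {
    const verdict = checkModifyAllowed(e.id, e.type);
    if (verdict.allowed) result.modify.push(e.id);
    else result.skip.push(e.id + ": " + verdict.reason);
  }
  return result;
}

// Constructed sample entries, not real accounts.
const SAMPLE = [
  { id: "J123456", type: "A" },   // dialog user, matches convention
  { id: "BATCH_FI", type: "B" },  // system user
  { id: "RFC_IDM", type: "C" },   // communication user
  { id: "K654321", type: "S" },   // service user whose name looks like a dialog ID
  { id: "M111111", type: "" },    // user type not loaded
];

console.log(dryRun(SAMPLE));
```

The "K654321" entry shows why both checks are kept: a service account that happens to follow the dialog naming pattern is still skipped on its user type.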
Hi Peter,
Thanks for the feedback, we will definitely look at implementing your suggestions on the IDM side. On the HCM side we are going to look at cleaning up the groups and putting all "service" users in one group and then use the SAP authorizations to prevent IDM editing these users. Belt and Braces approach.
Kind Regards
Jim