Restricting IDM access in HCM

jim_oshea5
Participant
Hi,

I’m trying to restrict the access IDM will have to the SAP systems. I’d like to introduce a role that will only allow IDMJCO to edit dialog users. I’m looking at the S_USER * authorisation objects but can’t see an option to restrict access by user type. I can only see an option to restrict by user groups.

Are you aware of an authorisation object/role I could use?

The background to this is we had a situation where IDM edited all background/service/communication users in our test environment. If the same issue happened in Production we would have had a massive outage and I'd be looking for a new job. We want to try to mitigate against such an issue again by restricting IDM's access to dialog users only.

rgds

Jim

Accepted Solutions (1)

Former Member
Hi Jim

I've never done it in HCM but I regularly implement user filtering in IDM using regular expressions and a rabid insistence on naming conventions.

You can implement a global constant regex that matches your users' naming standard and, using a global script, apply the filter to all 'load' jobs. You can then also modify the provisioning tasks to include a conditional switch to match the user ID to the regex. If necessary you can use this to stop all but users getting into the system (which may satisfy your needs).

You can of course check the MX_USERTYPE before performing any updates to also ensure that the user is a dialog user before updating the data, which will probably be sufficient given the security policy you're trying to implement. Just add a conditional to the 'Modify' tasks with:

SELECT searchvalue FROM idmv_value_basic_active WHERE attrname='MX_USERTYPE' and mskey=%mskey%

Then have case 'A' and case Else.

Peter
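To make Peter's two guards concrete, here is an added example (not code from the thread and not SAP IDM's own library) written in JavaScript, the language IDM job and task scripts use. It combines the naming-convention regex with the MX_USERTYPE check so that a modify task only proceeds for dialog users ('A') whose ID matches the convention; everything else is skipped with a reason that can be logged. The pattern, the sample user records and the function names are assumptions for illustration. In a real IDM task the type would be fetched with the SELECT above (via uSelect, passing the entry's mskey); here it is carried inline on the record so the code runs offline.

```javascript
// Added example: guard logic for an IDM 'Modify' task, restricting writes to dialog users.
// Assumed naming convention for dialog users: two uppercase letters followed by five digits.
const DIALOG_USER_ID_PATTERN = /^[A-Z]{2}\d{5}$/;

// SAP user types relevant here: 'A' dialog, 'B' system, 'C' communication, 'S' service, 'L' reference.
const DIALOG_USER_TYPE = 'A';

// Decide whether one user record may be modified. Returns a verdict with a reason so the
// skipped entries can be written to the job log instead of silently disappearing.
function classifyUser(user, pattern = DIALOG_USER_ID_PATTERN) {
  if (!pattern.test(user.id)) {
    return { id: user.id, allow: false, reason: 'user ID does not match the naming convention' };
  }
  // In IDM this value would come from:
  //   uSelect("SELECT searchvalue FROM idmv_value_basic_active WHERE attrname='MX_USERTYPE' and mskey=" + mskey)
  // The record here already carries it (constructed sample data).
  if (user.MX_USERTYPE !== DIALOG_USER_TYPE) {
    return { id: user.id, allow: false, reason: `user type '${user.MX_USERTYPE}' is not dialog ('A')` };
  }
  return { id: user.id, allow: true, reason: 'dialog user matching the naming convention' };
}

// Apply the guard to a whole batch, as a global 'load' job filter would, and split the
// result into the IDs that may be written and the entries that were held back.
function filterModifyCandidates(users, pattern = DIALOG_USER_ID_PATTERN) {
  const verdicts = users.map(u => classifyUser(u, pattern));
  return {
    allowed: verdicts.filter(v => v.allow).map(v => v.id),
    skipped: verdicts.filter(v => !v.allow),
  };
}

// Constructed sample batch: two dialog users that follow the convention, one technical
// user whose ID breaks it, one service user whose ID happens to match, and a batch user.
const SAMPLE_USERS = [
  { id: 'JO12345',  MX_USERTYPE: 'A' },
  { id: 'IDMJCO',   MX_USERTYPE: 'B' },
  { id: 'AB99999',  MX_USERTYPE: 'S' },
  { id: 'PS00042',  MX_USERTYPE: 'A' },
  { id: 'WF_BATCH', MX_USERTYPE: 'B' },
];

const result = filterModifyCandidates(SAMPLE_USERS);
console.log('would modify:', result.allowed.join(', '));
for (const s of result.skipped) {
  console.log(`skipping ${s.id}: ${s.reason}`);
}
```

Note that the service user AB99999 passes the regex but is still stopped by the type check; that is why Peter suggests both filters rather than relying on naming alone, and it is the case Jim describes (service and communication users being rewritten) that the second check exists to prevent.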

jim_oshea5
Participant
Hi Peter,

Thanks for the feedback, we will definitely look at implementing your suggestions on the IDM side. On the HCM side we are going to look at cleaning up the groups and putting all "service" users in one group and then use the SAP authorizations to prevent IDM editing these users. Belt and braces approach.

Kind Regards

Jim

Answers (0)