on 01-09-2013 11:36 PM
I just want to validate the proper way to disable provisioning. Here is my scenario (IDM Version 7.2 using Standard SAP Business Suite Provisioning Jobs)
I have done initial load jobs from various SAP ABAP systems. This has brought in direct assignment of Privileges to user master records. Subsequently, I have created business roles including Privileges in the IDM system and assigned them to . Now I want to "clean-up" users by removing the Privileges from these users so that they only remain in the valid Business Roles instead of manually assigned (by the initial load jobs) to Users. During this cleanup mode, I don't want to provision any of the users to the target system as it is kind of a waste AND some of the privileges I will be removing are the PRIV:SYSTEM privileges that are directly assigned to the user instead of via the Business Role(s) that have them and I don't really want the users to be deleted from the target system.
That's the setup. Now here's what I THINK I need to do based on my research to disable the Provisioning from pushing the users to the target systems/clients.
Does this sound right and reasonable? Am I missing anything? Do I really have to do BOTH of these things or is there a better way to do this? Any input would be appreciated.
Disabling the dispatcher won't stop the jobs queuing up. The next time the dispatcher is allowed to run provisioning tasks it'll push everything through. You could clear the provisioning queue before turning it back on.
Disabling the subtree will stop the jobs creating provisioning tasks but you'll need to be careful that you don't accidentally disable or enable something that shouldn't be changed. If you do this, the dispatcher status shouldn't matter.
Peter
Hi,
only step 3 is necessary. IDM will notice that the privilege is assigned twice (so to speak) and does, in effect, nothing. Just make sure that the privilege is assigned via a role first and then delete the directly assigned privilege from the initial load.
There are two attributes here: MXREF_MX_PRIVILEGE and MX_AUTOPRIVILEGE. The first attribute contains the directly assigned privileges and the second the privileges assigned indirectly (i.e. from roles).
Hi Eric,
Have a look at some of the standard ABAP load jobs, as they now do this automatically by assigning -1 to the provisioning task on the privileges so you can add and remove them without triggering provisioning. You can then take this as a basic step and enhance it to meet your circumstances. This is much cleaner than cleaning out the queue.
Hope this helps,
Ian