cancel
Showing results for 
Search instead for 
Did you mean: 

Disabling provisioning

Former Member
0 Kudos

I just want to validate the proper way to disable provisioning.  Here is my scenario (IDM Version 7.2 using Standard SAP Business Suite Provisioning Jobs)

I have done initial load jobs from various SAP ABAP systems.  This has brought in direct assignment of Privileges to user master records. Subsequently, I have created business roles including Privileges in the IDM system and assigned them to .  Now I want to "clean-up" users by removing the Privileges from these users so that they only remain in the valid Business Roles instead of  manually assigned (by the initial load jobs) to Users.  During this cleanup mode, I don't want to provision any of the users to the target system as it is kind of a waste AND some of the privileges I will be removing are the PRIV:SYSTEM privileges that are directly assigned to the user instead of via the Business Role(s) that have them and I don't really want the users to be deleted from the target system.

That's the setup.  Now here's what I THINK I need to do based on my research to disable the Provisioning from pushing the users to the target systems/clients. 

  1. On the policy tab of the Dispatcher, unclick the Run Provisioning Jobs checkbox(es)
  2. Right click the entire "Provisioning Framework" folder (including CORE and CONNECTORS) and choose "Disable SubTree" from the Context Menu
  3. Do my cleanup (and nothing should be provisioned)
  4. Reenable the "Provisioning Framework" folder (basically choose Enable SubTree instead of Disable Subtree) for the "Provisioning Framework" folder
  5. Check the Run Provisioning Jobs checkbox(es) on the Policy tab of the Dispatcher

Does this sound right and reasonable?  Am I missing anything?  Do I really have to do BOTH of these things or is there a better way to do this?  Any input would be appreciated.

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
0 Kudos

Disabling the dispatcher won't stop the jobs queuing up.  The next time the dispatcher is allowed to run provisioning tasks it'll push everything through.  You could clear the provisioning queue before turning it back on.

Disabling the subtree will stop the jobs creating provisioning tasks but you'll need to be careful that you don't accidentally disable or enable something that shouldn't be changed.  If you do this, the dispatcher status shouldn't matter.

Peter

Former Member
0 Kudos

Hi,

only step 3 is necessary. IDM will notice that the privilege is assigned twice (so to speak) and does, in effect, nothing. Just make sure that the privilege is assigned via a role first and then delete the directly assigned privilege from the initial load.

There are twio attributes here: MXREF_MX_PRIVILEGE and MX_AUTOPRIVILEGE. The first attribute contains the directly assigned privileges and the second the privileges assigned indirectly (i.e. from roles).

Former Member
0 Kudos

Thanks for the reply.  I still would like to know how to disable provisioning properly for other potential scenarios where I want to make changes to a user and not provision them immediately.

Former Member
0 Kudos

Hi Eric,

Have a look at some of the standard ABAP load jobs as they now do this automatically by assigning -1 to the provisioning task on the privileges so you can add and remove them without triggering provisioning. You can then take this a basic step and enhance it to meet your circumstances. This is much cleaner than cleaning out the queue.

Hope this help,

Ian

Former Member
0 Kudos

The easiest way to stop provisioning is to reset all the tasks in the repository to nothing. This can also easily be referred when needed (just make sure you make a screenshot before changing anything):

Former Member
0 Kudos

Hi,

Sietze is half right. This is ok to do unless there are tasks on the privileges themselves as these override the settings on the repository. In which case provisioning would still be triggered even though the repository tasks were switched off.

Cheers,

Ian