Issues with Privilege assignment

Murali_Shanmu
Active Contributor
0 Kudos

Hi,

I am using a "To Identity Store" pass to add and remove privileges via Flat files.

While adding a Privilege, I have to disable the Add Member Event tasks. To achieve this, for MXREF_MX_PRIVILEGE, I assigned the below value in the destination tab of the Identity Store pass:

{DIRECT-REFERENCE=1}{VALIDFROM=2013-03-21!!VALIDTO=9999-12-31}<PRIV:ROLE:REPOSITORY:SAP_ALL>

The above line gives me an error "No such attribute property:Attribute: MXREF_MX_PRIVILEGE"

If I remove Direct-reference, my privilege gets assigned with the validity dates. Yes, it remains in Pending status as it has triggered the Add Member event.

Secondly, I have to remove a Privilege. I am using another pass "To Identity Store" and hard coded the values as below.

MSKEYVALUE = testuser

changetype = modify

MXREF_MX_PRIVILEGE = {d}<PRIV:ROLE:REPOSITORY:SAP_ALL>

The above executed without an error, but the assignment is still showing up in the IdM UI.

Any idea?

Thanks,

Murali.

Accepted Solutions (1)

Murali_Shanmu
Active Contributor
0 Kudos

Just an update.

I made a typo, and I found the right syntax for adding a privilege:

{DIRECT_REFERENCE=1!!VALIDFROM=2013-03-21!!VALIDTO=9999-12-31}<PRIV:ROLE:REPOSITORY:SAP_ALL>

Now, I am still stuck with the removal of a Privilege.

Any suggestions?

ivan_petrov
Active Participant
0 Kudos

Hi Murali,

Why do you need to attach an SAP privilege to a person who hasn't been created in SAP?

I cannot get the idea here.

Best Regards,

Ivan

Murali_Shanmu
Active Contributor
0 Kudos

Hi Ivan,

The user "Testuser" is already created in the SAP and has the role "SAP_ALL". Hence, when I go to IdM, I am able to see the testuser having the privilege "PRIV:ROLE:REPOSITORY:SAP_ALL".

I have a requirement to remove this privilege assignment using a flat file and passing it to a job.

I couldn't get it working. Hence, I hard coded the values, and still it didn't remove the privilege from this user.

Hope I made myself clear.

Thanks.

Note: I was able to add privileges with Validity dates to the same "Testuser" as mentioned in the above message.

Message was edited by: Murali Shanmugham

ivan_petrov
Active Participant
0 Kudos

Hi Murali,

The problem here is that you are using {d} to delete a privilege. If you want to do it this way, you should provide a LINKID of the person-to-privilege relation. The issue comes from the way you added the privilege. You added the privilege with validity, and you are trying to remove it without specifying validity and using the {d} command. It won't work that way. So you have 2 options here:

  • use {d}{LINKID=linkid}<privilege> - this way you tell IDM exactly which privilege you want to remove, because it is possible to have one and the same privilege with two different validity periods. LINKID can be taken from the MXI_LINK table, from the MCUNIQUEID field. Of course it can be taken using a pass also. If you want to know more, look here: http://help.sap.com/saphelp_nwidmic72/en/managing_passes/to_passes/dse_modifying_properties_of_link_...
  • use {e}<privilege> - this way you will remove all privileges with that name, even if they are still pending.

Best Regards,

Ivan
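The reference-value syntax worked out in the accepted solution and in Ivan's reply above, as an added example that is not part of the original thread and is not SAP's code: a plain Node.js module (not the IdM pass scripting API) that builds MXREF_MX_PRIVILEGE values, parses them back, rejects unknown property names the way IdM rejected the hyphenated "DIRECT-REFERENCE" typo, and turns a user;privilege flat file into {e} removals. The property names DIRECT_REFERENCE, VALIDFROM, VALIDTO and LINKID and the privilege name come from the thread; the flat-file layout and the link id 4711 are constructed for the example.

```javascript
// Added example, not SAP's code and not the IdM pass scripting API: plain Node.js
// helpers for the MXREF_MX_PRIVILEGE value syntax discussed in this thread.
// Form: zero or more {PROP=value!!PROP=value} blocks, then <reference>.
// {d} and {e} are the delete / delete-all control blocks; {LINKID=...} pins one link.

// Property names taken from the thread; anything else is rejected the way IdM
// rejected the hyphenated "DIRECT-REFERENCE" typo in the original post.
const KNOWN_PROPS = new Set(['DIRECT_REFERENCE', 'VALIDFROM', 'VALIDTO', 'LINKID']);

const PRIV = 'PRIV:ROLE:REPOSITORY:SAP_ALL';   // privilege name from the thread

// Build an assignment value. directReference skips the Add Member event tasks.
function buildAddValue(privilege, opts) {
  opts = opts || {};
  const props = [];
  if (opts.directReference) props.push('DIRECT_REFERENCE=1');
  if (opts.validFrom) props.push('VALIDFROM=' + opts.validFrom);
  if (opts.validTo) props.push('VALIDTO=' + opts.validTo);
  return (props.length ? '{' + props.join('!!') + '}' : '') + '<' + privilege + '>';
}

// Build a removal value. With a link id, {d} removes exactly that person-to-privilege
// link; without one, {e} removes every assignment of the name, pending ones included.
function buildRemoveValue(privilege, linkId) {
  return linkId !== undefined
    ? '{d}{LINKID=' + linkId + '}<' + privilege + '>'
    : '{e}<' + privilege + '>';
}

// Parse a value into { op: 'add' | 'd' | 'e', props: {...}, reference: '...' }.
// Throws on malformed syntax or an unknown property name.
function parseValue(value) {
  const m = /^((?:\{[^{}]*\})*)<([^<>]+)>$/.exec(value);
  if (!m) throw new Error('malformed reference value: ' + value);
  const result = { op: 'add', props: {}, reference: m[2] };
  for (const block of m[1].match(/\{[^{}]*\}/g) || []) {
    const body = block.slice(1, -1);
    if (body === 'd' || body === 'e') { result.op = body; continue; }
    for (const pair of body.split('!!')) {
      const eq = pair.indexOf('=');
      const name = eq < 0 ? pair : pair.slice(0, eq);
      if (!KNOWN_PROPS.has(name)) throw new Error('No such attribute property: ' + name);
      if (eq < 0) throw new Error('property without value: ' + pair);
      result.props[name] = pair.slice(eq + 1);
    }
  }
  return result;
}

// What a removal value will actually do, following Ivan's explanation above.
const EFFECT_ALL = 'removes all assignments of the privilege, pending ones included';
const EFFECT_ONE = 'removes only the link with the given LINKID';
const EFFECT_NONE = '{d} without LINKID does not match an assignment that has validity dates';
function removalEffect(value) {
  const p = parseValue(value);
  if (p.op === 'e') return EFFECT_ALL;
  if (p.op === 'd') return p.props.LINKID !== undefined ? EFFECT_ONE : EFFECT_NONE;
  return 'not a removal';
}

// Constructed flat-file content: one "user;privilege" row per deassignment request.
// Business users cannot supply a LINKID, so every row becomes an {e} removal.
const SAMPLE_DEASSIGN_FILE = 'testuser;PRIV:ROLE:REPOSITORY:SAP_ALL\n';
function deassignEntriesFromFlatFile(text) {
  return text.split('\n').filter(l => l.trim()).map(line => {
    const [user, priv] = line.split(';').map(s => s.trim());
    if (!user || !priv) throw new Error('bad flat-file row: ' + line);
    return { MSKEYVALUE: user, changetype: 'modify', MXREF_MX_PRIVILEGE: buildRemoveValue(priv) };
  });
}

console.log(buildAddValue(PRIV, { directReference: true, validFrom: '2013-03-21', validTo: '9999-12-31' }));
console.log(removalEffect('{d}<' + PRIV + '>'));
console.log(deassignEntriesFromFlatFile(SAMPLE_DEASSIGN_FILE));
```

The parser is deliberately strict: an unknown property name is an error rather than silently ignored, which is the check that would have caught the original {DIRECT-REFERENCE=1} value before the pass ran.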

Murali_Shanmu
Active Contributor
0 Kudos

Thanks Ivan.

I did not know about this concept.

I actually want to remove all privileges with that name (including the ones which are still pending).

I will try providing the value for MXREF_MX_PRIVILEGE as {e}<PRIV:ROLE:REPOSITORY:SAP_ALL> and shall let you know how it goes tomorrow.

Thanks again.

Cheers,

Murali.

Murali_Shanmu
Active Contributor
0 Kudos

Thanks Ivan. It worked when I put an {e}.

The only problem which I see using {d} is that, in my particular project, business users will just update a flat file with user name and privilege name and provide it to IdM for deassignment. They would not be able to provide the Link ID of the User to Privilege relationship. I just have one pass to read the flat file and the next pass to update the entries in Identity Store. How do you think I can automatically get the Link Id and add it for each role in my pass?

ivan_petrov
Active Participant
0 Kudos

Hi Murali,

There are at least 2 different approaches here:

Best Regards,

Ivan

Murali_Shanmu
Active Contributor
0 Kudos

Thanks Ivan. It's very useful.
