on 03-21-2013 3:41 AM
Hi,
I am using a "To Identity Store" pass to add and remove privileges via Flat files.
While adding a Privilege, I have to disable the Add Member Event tasks. To achieve this, for MXREF_MX_PRIVILEGE, I assigned the below value in the destination tab of the Identity Store pass:
{DIRECT-REFERENCE=1}{VALIDFROM=2013-03-21!!VALIDTO=9999-12-31}<PRIV:ROLE:REPOSITORY:SAP_ALL>
The above line gives me an error "No such attribute property:Attribute: MXREF_MX_PRIVILEGE"
If I remove Direct-reference, my privilege gets assigned with the validity dates. Yes, it remains in Pending status as it has triggered the Add Member event.
Secondly, I have to remove a Privilege. I am using another pass "To Identity Store" and hard-coded the values as below.
MSKEYVALUE = testuser
changetype = modify
MXREF_MX_PRIVILEGE = {d}<PRIV:ROLE:REPOSITORY:SAP_ALL>
The above executed without an error, but the assignment is still showing up in the IdM UI.
Any idea?
Thanks,
Murali.
Just an update.
I made a typo, and I found the right syntax for adding a privilege:
{DIRECT_REFERENCE=1!!VALIDFROM=2013-03-21!!VALIDTO=9999-12-31}<PRIV:ROLE:REPOSITORY:SAP_ALL>
Now, I am still stuck with the removal of the Privilege.
Any suggestions?
Hi Ivan,
The user "Testuser" is already created in the SAP and has the role "SAP_ALL". Hence, when I go to IdM, I am able to see the testuser having the privilege "PRIV:ROLE:REPOSITORY:SAP_ALL".
I have a requirement to remove this privilege assignment using a flat file and passing it to a job.
I couldn't get it working. Hence, I hard-coded the values and still it didn't remove the privilege from this user.
Hope I made myself clear.
Thanks.
Note: I was able to add privileges with Validity dates to the same "Testuser" as mentioned in the above message.
Hi Murali,
The problem here is that you are using {d} to delete a privilege. If you want to do it this way, you should provide a LINKID of the person-to-privilege relation. The issue comes from the way you added the privilege: you added the privilege with validity and you are trying to remove it without specifying validity and using the {d} command. It won't work that way. So you have 2 options here:
Best Regards,
Ivan
Thanks Ivan.
I did not know about this concept.
I actually want to remove all privileges with that name (including the ones which are still pending).
I will try providing the value for MXREF_MX_PRIVILEGE as {e}<PRIV:ROLE:REPOSITORY:SAP_ALL> and shall let you know how it goes tomorrow.
Thanks again.
Cheers,
Murali.
Thanks Ivan. It worked when I put an {e}.
The only problem which I see using {d} is that, in my particular project, business users will just update a flat file with user name and privilege name and provide it to IdM for de-assignment. They would not be able to provide the Link ID of the User-to-Privilege relationship. I just have one pass to read the flat file and the next pass to update the entries in the Identity Store. How do you think I can automatically get the Link ID and add it for each role in my pass?
Hi Murali,
There are at least 2 different approaches here:
Best Regards,
Ivan
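The following is an added example, not code posted in this thread and not SAP IdM's own code. It builds and validates MXREF_MX_PRIVILEGE values in the syntax that worked above (the `!!` property separator, DIRECT_REFERENCE/VALIDFROM/VALIDTO, and the `{e}` prefix for removing all assignments of a privilege by name), flags the two failure modes seen in the thread (an unknown property name such as DIRECT-REFERENCE, and a bare `{d}` that runs but removes nothing), and turns a flat file into the MSKEYVALUE / changetype / MXREF_MX_PRIVILEGE records a "To Identity Store" pass takes. The flat-file layout (`user;privilege;action[;validfrom[;validto]]`) and the sample lines are assumptions made for this example; the list of known properties is only those that appear in the thread.

```python
"""Helpers for the MXREF_MX_PRIVILEGE value syntax discussed in this thread.
Added example; property names, the !! separator and the {e} prefix are taken
from the working lines posted above. The flat-file layout is an assumption."""
import re

# Properties seen in the thread (not an exhaustive list). IdM rejects unknown
# names with "No such attribute property" (what the DIRECT-REFERENCE typo hit).
KNOWN_PROPERTIES = {"DIRECT_REFERENCE", "VALIDFROM", "VALIDTO"}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# One optional {...} group followed by exactly one <...> reference.
VALUE_RE = re.compile(r"^(?:\{(?P<props>[^{}]*)\})?<(?P<ref>[^<>]+)>$")


def build_add_value(privilege, valid_from, valid_to="9999-12-31"):
    """Assignment with validity:
    {DIRECT_REFERENCE=1!!VALIDFROM=2013-03-21!!VALIDTO=9999-12-31}<PRIV:...>"""
    for d in (valid_from, valid_to):
        if not DATE_RE.match(d):
            raise ValueError("date must be YYYY-MM-DD: %r" % d)
    props = "!!".join(("DIRECT_REFERENCE=1",
                       "VALIDFROM=" + valid_from,
                       "VALIDTO=" + valid_to))
    return "{%s}<%s>" % (props, privilege)


def build_remove_all_value(privilege):
    """{e} removes every assignment of that privilege, pending ones included."""
    return "{e}<%s>" % privilege


def parse_value(value):
    """Split a value into (operation, properties, reference).
    operation is 'd', 'e' or None; properties is a dict of NAME -> value."""
    m = VALUE_RE.match(value)
    if not m:
        raise ValueError("malformed value: %r" % value)
    raw, props, op = m.group("props"), {}, None
    if raw is not None:
        if raw in ("d", "e"):
            op = raw
        else:
            for item in raw.split("!!"):
                if "=" not in item:
                    raise ValueError("property without '=': %r" % item)
                key, val = item.split("=", 1)
                props[key] = val
    return op, props, m.group("ref")


def validate_value(value):
    """Return a list of problems; an empty list means the value looks usable."""
    try:
        op, props, _ref = parse_value(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for key, val in props.items():
        if key not in KNOWN_PROPERTIES:
            problems.append("unknown property %r (IdM: No such attribute property)" % key)
        elif key in ("VALIDFROM", "VALIDTO") and not DATE_RE.match(val):
            problems.append("bad date in %s: %r" % (key, val))
    if op == "d":
        # Per the reply above, {d} needs the LINKID of the specific assignment;
        # the bare {d}<PRIV:...> in the thread ran without error but removed nothing.
        problems.append("{d} without LINKID does not remove the assignment; use {e}")
    return problems


def records_from_flat_file(text):
    """Turn 'user;privilege;add|remove[;validfrom[;validto]]' lines into the
    three attributes the To Identity Store pass needs (assumed layout)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        user, privilege, action = fields[0], fields[1], fields[2].lower()
        if action == "add":
            valid_to = fields[4] if len(fields) > 4 else "9999-12-31"
            value = build_add_value(privilege, fields[3], valid_to)
        elif action == "remove":
            value = build_remove_all_value(privilege)
        else:
            raise ValueError("unknown action %r in line %r" % (action, line))
        records.append({"MSKEYVALUE": user, "changetype": "modify",
                        "MXREF_MX_PRIVILEGE": value})
    return records


# Constructed sample input for this example (not data from the thread).
SAMPLE_FLAT_FILE = """\
# user;privilege;action;validfrom;validto
testuser;PRIV:ROLE:REPOSITORY:SAP_ALL;add;2013-03-21
testuser;PRIV:ROLE:REPOSITORY:SAP_ALL;remove
"""

if __name__ == "__main__":
    for rec in records_from_flat_file(SAMPLE_FLAT_FILE):
        print(rec, validate_value(rec["MXREF_MX_PRIVILEGE"]))
```

Running `validate_value` over the generated values before handing them to the pass catches the property-name typo from the first post at build time instead of in the job log, and rejects a `{d}` that would silently leave the assignment in place. Nothing here looks up a LINKID; for the business-user flat file described above, emitting `{e}<PRIV:...>` is the path that the thread confirmed works.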