How to delete users assigned to a role

Former Member
0 Kudos

Hi, all

I am trying to create a job to remove users from a certain role. I have set up a simple "To Identity Store" job where the destination has the fields:

entry type: MX_ROLE

MSKEYVALUE : name of the role

mxmember_mx_person: name of the user

changetype : delete

The job not only deletes the role assignment but the role itself. Can you advise how you remove the role assignment from a user? I noticed that doing it from entry type MX_PERSON deletes the user itself.

Thanks,

Jonathan.

Accepted Solutions (1)

Former Member
0 Kudos

I don't know if you've already solved the problem, but here are some hints from me.

As already mentioned by Peter Wass, I'd suggest to start by the MX_PERSON objects, this would be:

entry type: MX_PERSON

MSKEYVALUE : name of the user

MXREF_MX_ROLE: MSKEY of the role (or MSKEYVALUE with <> notation) with Modifiers {D} and {A}.

changetype : modify

Probably you want to have some more logic for the calculation of the roles to be removed and appended, then you should use an entry script in the source-tab, do your calculation, store the roles to be appended and deleted in separate variables and assign them to MXREF_MX_ROLE in destination tab.

If you want to start by the roles, you should try:

entry type: MX_ROLE

MSKEYVALUE : name of the role

mxmember_mx_person: {D}name of the user

changetype : modify

Hope this helps,

Matthias

Former Member
0 Kudos

Hi, Matthias

I found the {D} already in one of the vanilla jobs. But I really appreciate your feedback and detailed explanation. I am using the entry script to do the calculation.

One side question, are you aware of any doc on how to execute a custom BAPI from SAP and bring in data into IDM?

Thanks,

Jonathan.

Former Member
0 Kudos

Hi Jonathan,

sorry for the delay.

Did you have a look at the built-in documentation about modifiers in the Destination tab? http://help.sap.com/saphelp_nwidmic71/en/managing_passes/to_passes/dse_toidstore_dest.htm

{D}: Removes a given value. This operation is not case sensitive.

This is used for multivalue attributes like MXREF_MX_ROLE.

Documentation about calling BAPI is very basic. You should have a look at the examples in the SAP Provisioning Framework or import an example job. There should be several jobs delivered with SAP IDM installation. If this doesn't fit your needs you may also write a java class which performs the actions you need. I think this should be the right documentation for that: http://scn.sap.com/community/netweaver-idm/blog/2008/11/17/how-to-use-custom-classes-in-the-sap-netw...

Kind Regards

Matthias

Former Member
0 Kudos

I haven't seen a document but you can do it via a script.  NOTE: This is NOT the script, just an outline...

Create a JCO connection

connection.getFunctionTemplate("BAPI_NAME").getFunction()

getImportParameterList()

getTableParameterList()

importParameters.setValue(...)

connection.execute(function)

Alternatively, if you just want data from a specific table (or even a few with decent joining data) you can just read the tables directly and do the joins in SQL during load into IDM

Peter

Answers (2)

Former Member
0 Kudos

You FIRST have to delete the role and privilege assignments and then delete the users themselves. Make sure you check "wait for event tasks" in the second pass (where you delete the users themselves) in order to wait for all role and privilege assignments to disappear before you delete the user itself from IDM....

Former Member
0 Kudos

Hi, Sietze

Thanks. This is exactly what I am trying to do, but in an automated fashion. For example, an employee has changed his position in SAP. Once we detect the delta in the HCM feed, I will remove his old role and put in the new one. But so far I am not able to do it via the "To Identity Store" pass. Do you have a better idea?

Regards,

Jonathan.

Murali_Shanmu
Active Contributor
0 Kudos

I don't think you can achieve this just by hard coding values in a "To Identity Store" pass. It needs to be more dynamic. You would need some sort of logic somewhere which tells IdM the roles which need to be assigned to a user when a new position is attached to it.

Using scripts in the staging area, you can detect a change in position and then tell IdM to remove old roles and assign new roles to the user.

Cheers,

Murali

Former Member
0 Kudos

Hi, Murali

The question is a dumbed-down version for the proof of concept. There is actually a lot more logic that I am building to detect the delta and where the change actually happens (is it a position change, last name change, etc.). I am already able to assign the new role ... but just cannot figure out a way to delete the old role without deleting the user itself (actually deleting and recreating the user is the easiest but not going to work with the auditors).

Thanks,

Jonathan.

Former Member
0 Kudos

Hi Jonathan

Try:

MSKEYVALUE: <user>

changetype: modify

MXREF_MX_ROLE: {A}<newrole>|{D}<oldrole>

You'll probably need a script to determine which roles unless there's only one assigned.  In that case it becomes:

MXREF_MX_ROLE:     $FUNCTION.scriptName(data)$$

where scriptName returns {A}<newrole>|{D}<oldrole>

I posted scripts to do this work a little while ago if you can find it.

Peter
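Matthias's and Peter's replies above describe computing the MXREF_MX_ROLE value in a script and handing it to the Destination tab via $FUNCTION.scriptName(...)$$. The following is an added example of such a script, written for this edit; it is not code from the thread or from SAP. It assumes that role assignments are identified by MSKEYVALUE and written in the <MSKEYVALUE> lookup notation Matthias mentions, that the pass hands the current and target role lists to the script as one "!!"-separated parameter (hypothetical attribute names CURRENT_ROLES and TARGET_ROLES), and that the removal modifier is {D} unless the caller asks for {e}, as in Murali's workaround for validity-dated assignments. It goes a little beyond the single-role case in the post: it diffs whole role lists, so unchanged roles are neither re-added nor removed.

```javascript
// Added example for this thread, not from the original posts or from SAP.
// Builds the MXREF_MX_ROLE value for a "To Identity Store" pass with
// changetype=modify: "{A}<newrole>|{D}<oldrole>" as Peter describes.
// Written in ES3-style JavaScript so it would also run in an IdM (Rhino) script.

// Split a "|"-separated role list (or an array) into trimmed MSKEYVALUEs.
function toRoleList(roles) {
  var isArray = Object.prototype.toString.call(roles) === "[object Array]";
  var list = isArray ? roles : String(roles == null ? "" : roles).split("|");
  var out = [];
  for (var i = 0; i < list.length; i++) {
    var r = String(list[i]).replace(/^\s+|\s+$/g, "");
    if (r.length > 0) out.push(r);
  }
  return out;
}

// Compute the modifier string for the role delta.
//   currentRoles  roles the user holds now  (ASSUMED to be read from the user)
//   targetRoles   roles the user should hold (ASSUMED to be computed from HCM)
//   removeModifier "{D}" (default) or "{e}"; see Murali's note on validity dates
// Returns "" when nothing changes, so the pass writes no assignment change.
function buildRoleDelta(currentRoles, targetRoles, removeModifier) {
  var remove = removeModifier || "{D}";
  var current = toRoleList(currentRoles);
  var target = toRoleList(targetRoles);

  // The {D} modifier is documented as case-insensitive, so compare role
  // names case-insensitively to avoid spurious add/remove pairs.
  var currentKeys = {}, targetKeys = {};
  for (var i = 0; i < current.length; i++) currentKeys[current[i].toUpperCase()] = true;
  for (var j = 0; j < target.length; j++) targetKeys[target[j].toUpperCase()] = true;

  var parts = [];
  // Roles wanted but not yet held: {A}<MSKEYVALUE>
  for (var a = 0; a < target.length; a++) {
    if (!currentKeys[target[a].toUpperCase()]) parts.push("{A}<" + target[a] + ">");
  }
  // Roles held but no longer wanted: {D}<MSKEYVALUE> (or {e}<MSKEYVALUE>)
  for (var d = 0; d < current.length; d++) {
    if (!targetKeys[current[d].toUpperCase()]) parts.push(remove + "<" + current[d] + ">");
  }
  // IdM accepts several modifier values for one multivalue attribute joined by "|"
  return parts.join("|");
}

// Entry point in the shape an IdM Destination tab would call, e.g.
//   $FUNCTION.calcRoleDelta(%CURRENT_ROLES%!!%TARGET_ROLES%)$$
// (attribute names are hypothetical). An optional third field selects {e}.
function calcRoleDelta(Par) {
  var fields = String(Par).split("!!");
  return buildRoleDelta(fields[0], fields[1], fields[2]);
}

// Constructed sample input: an employee moving from ROLE_SALES to ROLE_FINANCE
// while keeping ROLE_BASIC.
var sampleDelta = calcRoleDelta("ROLE_SALES|ROLE_BASIC!!ROLE_BASIC|ROLE_FINANCE");
// sampleDelta is "{A}<ROLE_FINANCE>|{D}<ROLE_SALES>"
```

The script deliberately returns an empty string when current and target lists match, so a pass that runs on every HCM delta does not touch assignments that did not change; if you need Murali's {e} behaviour for assignments that {D} leaves in place, pass "{e}" as the third "!!" field.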

Former Member
0 Kudos

The script post was here

Peter

Former Member
0 Kudos

Sorry Jonathan - I'm confused.

Are you trying to delete the role, or remove the role from the user?

Peter

Former Member
0 Kudos

Hi, Peter.

I found the {D} in one of the vanilla jobs delivered with the SAP provisioning. But thank you for your link. It is very nice of you to share your java scripts and I can definitely use it. We are doing something very similar in our projects.

Cheers

Jonathan.

Murali_Shanmu
Active Contributor
0 Kudos

Hi Jonathan,

I did it the other way round. I have a list of users in a flat file and used this as my input. Below is how the "To Identity Store" pass would look.

MSKEYVALUE will be the userID from flat file. For MXREF_MX_ROLE you can hard code your role name.

Cheers,

Murali.

Former Member
0 Kudos

Hi, Murali

Thank you for your response. Does your setup remove the ROLE from the user? I thought changetype=modify in this case is to add the ROLE to the user.

By the way, I have already tried to do it the other way around. It will DELETE the user all together, not what I want.

Regards

Jonathan.

former_member2987
Active Contributor
0 Kudos

Murali,

Why {e} rather than {D}?

Matt

Murali_Shanmu
Active Contributor
0 Kudos

Matt,

I bumped into an issue earlier when I assigned roles with validity dates and later on when I tried to remove them with {d}, it did not remove the role. Hence, either I could give {d}{LINKID=linkid}<rolename> or just {e}<rolename>  which would even remove the role in pending status.

Cheers

Murali

Murali_Shanmu
Active Contributor
0 Kudos

Jonathan,

Yes, my setup will remove the role assignment from the user. At the end, you will still be able to see the user and also the role. Its just the assignment which is removed.

There are 3 types of operations which you can use as a value for the changeType. They directly apply on the Entry Type selected in the "Destination" tab. For example, if the entry type is MX_PERSON:

(1) add: Will add a new user

(2) modify: Will update the attributes of an existing user

(3) delete: Will delete the existing user

In your case, you do not want to delete any object. You are looking to remove an existing role assignment from a user and adding a new role assignment to the same user. Hence, you have to use changeType=modify

Notice, that I gave an operator {e} in front of the role name. This will tell IdM to remove the role from the user. You can see more explanation from this Help.

Hope this clears your doubts.

Cheers

Murali