on 04-22-2013 5:50 AM
Hi, all
I am trying to create a job to remove users from a certain role. I have setup a simple "To Identity Store" job where the destination has field:
entry type: MX_ROLE
MSKEYVALUE : name of the role
mxmember_mx_person: name of the user
changetype : delete
The job not only deletes the role assignment but the role itself. Can you advise how you remove the role assignment from a user? I noticed that doing it from entry type MX_PERSON deletes the user itself.
Thanks,
Jonathan.
I don't know if you've already solved the problem, but here are some hints from me.
As already mentioned by Peter Wass, I'd suggest starting with the MX_PERSON objects, which would be:
entry type: MX_PERSON
MSKEYVALUE : name of the user
MXREF_MX_ROLE: MSKEY of the role (or MSKEYVALUE with <> notation) with Modifiers {D} and {A}.
changetype : modify
You will probably want some more logic for the calculation of the roles to be removed and added; in that case use an entry script in the Source tab, do your calculation there, store the roles to be added and deleted in separate variables, and assign them to MXREF_MX_ROLE in the Destination tab.
If you want to start from the roles, you should try:
entry type: MX_ROLE
MSKEYVALUE : name of the role
mxmember_mx_person: {D}name of the user
changetype : modify
Hope this helps,
Matthias
Hi, Matthias
I found the {D} already in one of the vanilla jobs. But I really appreciate your feedback and detailed explanation. I am using the entry script to do the calculation.
One side question, are you aware of any doc on how to execute a custom BAPI from SAP and bring in data into IDM?
Thanks,
Jonathan.
Hi Jonathan,
sorry for the delay.
Did you have a look at the built-in documentation about modifiers in the Destination tab? http://help.sap.com/saphelp_nwidmic71/en/managing_passes/to_passes/dse_toidstore_dest.htm
{D}: Removes a given value. This operation is not case sensitive.
This is used for multivalue attributes like MXREF_MX_ROLE.
Documentation about calling a BAPI is very basic. You should have a look at the examples in the SAP Provisioning Framework or import an example job. There should be several jobs delivered with the SAP IDM installation. If this doesn't fit your needs you may also write a Java class which performs the actions you need. I think this should be the right documentation for that: http://scn.sap.com/community/netweaver-idm/blog/2008/11/17/how-to-use-custom-classes-in-the-sap-netw...
Kind Regards
Matthias
I haven't seen a document but you can do it via a script. NOTE: This is NOT the script, just an outline...
Create a JCO connection                                  // connect to the SAP system
connection.getFunctionTemplate("BAPI_NAME").getFunction() // look up the BAPI in the repository
getImportParameterList()                                 // scalar inputs of the BAPI
getTableParameterList()                                  // table inputs/outputs of the BAPI
importParameters.setValue(...)                           // fill the inputs
connection.execute(function)                             // call it, then read the export/table parameters
Alternatively, if you just want data from a specific table (or even a few with decent joining data) you can just read the tables directly and do the joins in SQL during load into IDM
Peter
You FIRST have to delete the role and privilege assignments and then delete the users themselves. Make sure you check "wait for event tasks" in the second pass (where you delete the users themselves) in order to wait for all role and privilege assignments to disappear before you delete the user itself from IdM.
Hi, Sietze
Thanks. This is exactly what I am trying to do, but in an automated fashion. For example, an employee has changed his position in SAP. Once we detect the delta in the HCM feed, I will remove his old role and put in the new one. But so far I am not able to do it via the "To Identity Store" pass. Do you have a better idea?
Regards,
Jonathan.
I don't think you can achieve this just by hard coding values in a "To Identity Store" pass. It needs to be more dynamic. You would need some sort of logic somewhere which tells IdM the roles which need to be assigned to a user when a new position is attached to it.
Using scripts in the staging area, you can detect a change in position and then tell IdM to remove old roles and assign new roles to the user.
Cheers,
Murali
Hi, Murali
The question is a dumbed-down version for the proof of concept. There is actually a lot more logic that I am building to detect the delta and where the change actually happens (is it a position change, last name change, etc.). I am already able to assign the new role ... but just cannot figure out a way to delete the old role without deleting the user itself (actually deleting and recreating the user is the easiest but not going to work with the auditors).
Thanks,
Jonathan.
Hi Jonathan
Try:
MSKEYVALUE: <user>
changetype: modify
MXREF_MX_ROLE: {A}<newrole>|{D}<oldrole>
You'll probably need a script to determine which roles unless there's only one assigned. In that case it becomes:
MXREF_MX_ROLE: $FUNCTION.scriptName(data)$$
where scriptName returns {A}<newrole>|{D}<oldrole>
I posted scripts to do this work a little while ago if you can find it.
Peter
The script post was here
Peter
Hi, Murali
Thank you for your response. Does your setup remove the ROLE from the user? I thought changetype=modify in this case is to add the ROLE to the user.
By the way, I have already tried to do it the other way around. It will DELETE the user all together, not what I want.
Regards
Jonathan.
Matt,
I bumped into an issue earlier when I assigned roles with validity dates and later on, when I tried to remove them with {d}, it did not remove the role. Hence I could give either {d}{LINKID=linkid}<rolename> or just {e}<rolename>, which would even remove the role in pending status.
Cheers
Murali
Jonathan,
Yes, my setup will remove the role assignment from the user. At the end, you will still be able to see the user and also the role. It's just the assignment which is removed.
There are 3 types of operations which you can use as a value for the changeType. They directly apply on the Entry Type selected in the "Destination" tab. For example, if entry type is MX_PERSON
(1) add : Will add a new user
(2) Modify : Will update the attributes of an existing user
(3) Delete : Will delete the existing user
In your case, you do not want to delete any object. You are looking to remove an existing role assignment from a user and adding a new role assignment to the same user. Hence, you have to use changeType=modify
Notice, that I gave an operator {e} in front of the role name. This will tell IdM to remove the role from the user. You can see more explanation from this Help.
Hope this clears your doubts.
Cheers
Murali
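Peter's $FUNCTION.scriptName(data)$$ suggestion and Murali's notes on {e} and {d}{LINKID=...} both describe the same thing: a script that works out the MXREF_MX_ROLE modifier string so the pass can run with changetype=modify and touch only the assignments, never the MX_PERSON or MX_ROLE entry itself. Below is an added example of such a function, written here for this page and not taken from any post in the thread or from SAP. It is plain JavaScript of the kind IdM script functions use (one string argument in, one string out), so it also runs under Node for testing. Assumptions that are not from the thread: "|" is the multi-value separator configured for the destination, the two role lists are passed in the single argument separated by "!!", and the role MSKEYVALUEs (ROLE:FINANCE_AP and so on) are constructed sample data.

```javascript
// Added example: compute the MXREF_MX_ROLE value for a "To Identity Store"
// pass with changetype=modify. Only assignments are added/removed; the user
// entry stays, which is what the audit trail requires.
//
// Assumptions (not from the thread): "|" is the multi-value separator used in
// the destination tab; "!!" separates the current and target lists inside the
// single Par string an IdM script function receives; role names are sample data.

var VALUE_SEP = "|";
var ARG_SEP = "!!";

// Trim without relying on String.prototype.trim (older Rhino engines lack it).
function trim(s) {
  return String(s).replace(/^\s+|\s+$/g, "");
}

// Split a "|"-separated list into trimmed, non-empty values, de-duplicated
// case-insensitively (the {D} modifier is documented as case-insensitive).
function parseRoles(list) {
  var seen = {}, out = [];
  var parts = String(list == null ? "" : list).split(VALUE_SEP);
  for (var i = 0; i < parts.length; i++) {
    var v = trim(parts[i]);
    if (v === "") continue;
    var key = v.toUpperCase();
    if (seen[key]) continue;
    seen[key] = true;
    out.push(v);
  }
  return out;
}

// Returns an array of modifier values, adds first, then removals.
// opts.removeOp: "D" (default) or "E"; "E" also clears pending assignments,
//                which is the variant Murali describes above.
// opts.linkIds:  optional map role -> LINKID. Assignments with validity dates
//                did not go away with a plain {D} in Murali's experience, so a
//                known link id is emitted as {D}{LINKID=...}<role>.
function roleDelta(currentRoles, targetRoles, opts) {
  opts = opts || {};
  var removeOp = opts.removeOp === "E" ? "E" : "D";
  var linkIds = opts.linkIds || {};
  var current = parseRoles(currentRoles);
  var target = parseRoles(targetRoles);
  var currentKeys = {}, targetKeys = {}, i;
  for (i = 0; i < current.length; i++) currentKeys[current[i].toUpperCase()] = true;
  for (i = 0; i < target.length; i++) targetKeys[target[i].toUpperCase()] = true;

  var mods = [];
  // {A}: roles in the target set the user does not hold yet.
  for (i = 0; i < target.length; i++) {
    if (!currentKeys[target[i].toUpperCase()]) mods.push("{A}<" + target[i] + ">");
  }
  // {D}/{E}: roles the user holds that are no longer wanted.
  for (i = 0; i < current.length; i++) {
    var r = current[i];
    if (targetKeys[r.toUpperCase()]) continue;
    var linkId = linkIds[r] !== undefined ? linkIds[r] : linkIds[r.toUpperCase()];
    if (removeOp === "D" && linkId !== undefined) {
      mods.push("{D}{LINKID=" + linkId + "}<" + r + ">");
    } else {
      mods.push("{" + removeOp + "}<" + r + ">");
    }
  }
  return mods;
}

// Entry point in the shape of an IdM script function: one string in, one
// string out. In the destination tab this would be referenced as
//   MXREF_MX_ROLE: $FUNCTION.computeRoleModifiers(current!!target)$$
// (the "!!" packing is this example's convention, not an IdM one).
function computeRoleModifiers(Par) {
  var s = String(Par == null ? "" : Par);
  var idx = s.indexOf(ARG_SEP);
  var current = idx < 0 ? s : s.substring(0, idx);
  var target = idx < 0 ? "" : s.substring(idx + ARG_SEP.length);
  return roleDelta(current, target).join(VALUE_SEP);
}

// Sample run on constructed data: an employee moved from AR to AP.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(computeRoleModifiers(
    "ROLE:FINANCE_AR|ROLE:EMPLOYEE_BASE!!ROLE:FINANCE_AP|ROLE:EMPLOYEE_BASE"));
}
```

The function is idempotent: when the user already holds exactly the target set it returns an empty string, and no role ever appears with both {A} and {D} in one run. Check in your own pass how an empty destination value is treated before relying on that, and, as Sietze notes above, keep "wait for event tasks" in mind if a later pass depends on the assignment changes having been processed.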