
User Management

Former Member

Hello,

I need your help with a new problem.

In the company where I work we have several SAP systems, let’s say A, B, C.

My team can manage the users on all systems but another team (German Team), can only manage the users of 1 system (German System).

How can I allow the German team to only manage the users / roles of 1 system (German) ?
They only have to create users, give / remove roles, reset password through IDM.

If my question is not clear, I can explain more.

Thank you very much for your help.

Nicolas.

Accepted Solutions (1)

Murali_Shanmu
Active Contributor

Hi Nicolas,

Let me understand your question correctly.

There are two teams as IdM Administrators who access the IdM UI to manage users (via UI Tasks).

One team should have access to manage users/roles belonging to system A, B and C.

Another team should have access to manage users/roles belonging to only system C.

Is my understanding correct?

Former Member

Hi Murali,

You got it, 100% correct 🙂

For the moment I'm not yet using IDM Business Roles, but the imported roles from CUA.
My Team can give and manage roles for all users, all systems (A, B, C).

German team, only to German system (C).

Thanks for your help.

Murali_Shanmu
Active Contributor

Nicolas,

There are two steps to approach this.

(1) Firstly, you need an attribute which can distinguish users based on location. I believe in your case it is the attribute MX_ADMIN_UNIT which is populated with the User Group value (country name).

Open the Entry type "MX_PERSON" and under Access Limitations, provide this attribute for both the fields "Search Attribute" and "User attribute". If you have a checkbox "User access limitations for display task", select this checkbox.

This will ensure that an administrator who has value Germany for MX_ADMIN_UNIT will only get to see users who also have the same value for MX_ADMIN_UNIT attribute.

Below is a slide show from SAP TechED which explains the concept

(2) This Administrator would however be able to see all the Business Roles across all the systems. To prevent this, you would need another attribute on the MX_ROLE entry type which can be referenced just as above. Depending on your setup, you can use an appropriate attribute. If you add MX_ADMIN_UNIT attribute to MX_ROLE Entry type and do it the same way, it would also work.

Cheers,

Murali.

Former Member

Hello Murali,

I cannot use MX_ADMIN_UNIT because we already use it to store the User Group imported from SAP.

For example, a user can be a Business Analyst on the 3 systems, but from different countries. The user groups are standardized on all systems.

I think I have to create a new attribute to make the distinction between Master Admin and Country / Landscape admin.

Can you give me the link of this document ?

Thanks again for your help,

Nicolas.

Murali_Shanmu
Active Contributor

Yeah, in that case it's better you create your own attribute and have it on both Entry Types.

Also, please be aware that using this filter might slow performance.

Just search on the Internet for "SCI261 SAP NetWeaver Identity Management 7.1" and you should be able to find this document. I couldn't get the correct link.

Cheers,

Murali.
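To make the two-step setup above concrete, here is a small Python model of how an entry-type access limitation scopes what an administrator can see, and why the collision Nicolas raised (MX_ADMIN_UNIT already holding the CUA user group) breaks the filter. This is an added example, not IdM code and not from anyone in the thread. Assumptions of the model: an administrator's "User attribute" may carry several values and an entry is visible when its "Search attribute" shares at least one value with them; the dedicated scoping attribute is named MX_LANDSCAPE (a hypothetical name); the master admin is simply given every landscape value; the person, role and admin entries are constructed sample data.

```python
"""Toy model of SAP NetWeaver IdM "Access Limitations" on an entry type.

Added example, not IdM code. Assumptions not stated in the thread:
- the admin's "User attribute" may hold several values, and an entry is
  visible when its "Search attribute" shares at least one value with it;
- the dedicated scoping attribute is named MX_LANDSCAPE (hypothetical);
- a master admin is given every landscape value.
"""

# Constructed MX_PERSON entries: MSKEYVALUE plus the two candidate attributes.
# MX_ADMIN_UNIT carries the CUA user group, which is the same on every system.
PERSONS = [
    {"MSKEYVALUE": "nicolas", "MX_ADMIN_UNIT": {"ADMIN"},
     "MX_LANDSCAPE": {"A", "B", "C"}},
    {"MSKEYVALUE": "hans", "MX_ADMIN_UNIT": {"BUSINESS_ANALYST"},
     "MX_LANDSCAPE": {"C"}},
    {"MSKEYVALUE": "marie", "MX_ADMIN_UNIT": {"BUSINESS_ANALYST"},
     "MX_LANDSCAPE": {"A"}},
]

# Constructed MX_ROLE entries imported from CUA, one per backend system.
ROLES = [
    {"MSKEYVALUE": "ROLE:A:Z_FI_DISPLAY", "MX_LANDSCAPE": {"A"}},
    {"MSKEYVALUE": "ROLE:B:Z_MM_DISPLAY", "MX_LANDSCAPE": {"B"}},
    {"MSKEYVALUE": "ROLE:C:Z_SD_DISPLAY", "MX_LANDSCAPE": {"C"}},
]

# Master admin: every landscape. German admin: landscape C only. If
# MX_ADMIN_UNIT were (mis)used as the scope, the German admin would have to
# carry the user group they manage, e.g. BUSINESS_ANALYST.
MASTER_ADMIN = {"MSKEYVALUE": "nicolas", "MX_ADMIN_UNIT": {"ADMIN"},
                "MX_LANDSCAPE": {"A", "B", "C"}}
GERMAN_ADMIN = {"MSKEYVALUE": "greta", "MX_ADMIN_UNIT": {"BUSINESS_ANALYST"},
                "MX_LANDSCAPE": {"C"}}


def visible(admin, entries, user_attr, search_attr):
    """Entries the admin may see when the entry type limits access by
    comparing the admin's user_attr with each entry's search_attr."""
    scope = admin.get(user_attr, set())
    return [e["MSKEYVALUE"] for e in entries
            if e.get(search_attr, set()) & scope]


def can_assign(admin, person_id, role_id, attr="MX_LANDSCAPE"):
    """Assignment is only possible when both the person and the role fall
    inside the admin's scope, i.e. both entry types carry the limitation."""
    return (person_id in visible(admin, PERSONS, attr, attr)
            and role_id in visible(admin, ROLES, attr, attr))


if __name__ == "__main__":
    # Reusing MX_ADMIN_UNIT: marie (system A) leaks into the German scope
    # because the user group is standardized across systems.
    print(visible(GERMAN_ADMIN, PERSONS, "MX_ADMIN_UNIT", "MX_ADMIN_UNIT"))
    # Dedicated attribute: only people and roles of landscape C.
    print(visible(GERMAN_ADMIN, PERSONS, "MX_LANDSCAPE", "MX_LANDSCAPE"))
    print(visible(GERMAN_ADMIN, ROLES, "MX_LANDSCAPE", "MX_LANDSCAPE"))
    # A system-A role can never be assigned by the German admin.
    print(can_assign(GERMAN_ADMIN, "hans", "ROLE:A:Z_FI_DISPLAY"))
```

The point of the second function is the one Murali makes in step (2): limiting MX_PERSON alone still lets the German admin pick a system-A role for a German user, so the same attribute must be placed on MX_ROLE and referenced there as well.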

Former Member

Thanks for your help Murali.

I'll close the ticket and try to implement what you said and what's on the document.

Nicolas.

Answers (1)

Former Member

The Access Control on tasks can organise this if you set the tasks up correctly (assign role w/ access where name like ROLE:German...).

The other option is to play around with the object filtering.  On the MX_PERSON object (and all others) under the General tab you'll find the Access Limitations section.

You can use this to limit the access of administrators to certain subsets of data.  Check the online help for more details.  They have an example there which may help.

Peter