ID Mgmt 7.2 SP8 attribute validity

Former Member
0 Kudos

Hello IDM folks,

Has anyone implemented SP8 utilising the new functions around attribute validity on reference attributes? The reason I ask is to determine if this will allow the creation of PVO on role to role structural references, which I have not been able to achieve thus far as previously no validity has been possible.

On review of the post 'SP 8 for SAP NetWeaver ID Mgmt 7.2 Now Available' by Regine Schimmer, I came across the following point in the new features (New Features and Functions in Support Package 8 for SAP NetWeaver Identity Management 7.2):

Page 15;

"With SAP NetWeaver Identity Management 7.2 SP8, it is possible to specify validity for all types of reference attributes.   This makes it possible to add validity to structural attributes like role-to-role references."

Cheers,

Andrew

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hello experts,

In order to close this thread I can confirm that we raised an OSS to SAP on the issue.  They have confirmed that the issue is addressed in SP7, and is considered a bug in SP6.  We are currently migrating to SP8 so will advise if the 'bug' is corrected.

Regards,

Andrew

Former Member
0 Kudos

Hi gents,

The point in us going to SP8 (and the due diligence I am trying to do re its operation prior to going that way) is that role to role referencing seems to be considered by the system as a structural relationship and not an assignment.  As a structural I am unable to enter validity dates for a role to role, irrespective of the validity configuration on the reference attributes.  So with role to role, no validity and no PVO......  My original problem, as the design we are going for is:

PERSON <-> ROLE:POSITION <-> ROLE:BUSINESS <-> PRIVS

When the role to role ref is created with dates, it yields a syntax error which limits the ability to save the assignment (or technically the structural reference):

Unable to set value for attribute Assigned Roles, detailed information (may not be translated): Wrong attribute property/value syntax

The doco on SP8 suggests that I can have dates for role to role, which may fix this error and allow the creation of a PVO.  Nirvana!

Cheers

Andrew

ivan_petrov
Active Participant
0 Kudos

Hi Andrew,

First mistake - position is not a role; it is an attribute of MX_PERSON -> MX_FS_POSITION & MX_FS_POSITION_ID.

Second mistake - you should assign one role to another ONLY if you want to inherit privileges from one role into another one, and that is why you don't need validity there.

Best regards,

Ivan

Former Member
0 Kudos

Hi Ivan

Not a mistake - a design decision.  Position can be easily made a role and thus the position-business role assignments can be maintained easily.

The validity is to create the pending value object on the role-role assignment so that approvals work properly (rather than using basic approvals).

Peter

ivan_petrov
Active Participant
0 Kudos

Hi Peter,

Still not a good idea, I don't see any benefits in using position as a role. It will bring you only problems, as in this case. Maybe I'm wrong, but I don't see the benefit of that assignment. Maybe you can provide an example to prove your point.

If you are using the position as an attribute, the attribute itself has a validity and the attachment of the business role has validity itself, so you can be much more flexible in the assignments.

Best regards,

Ivan

ivan_petrov
Active Participant
0 Kudos

Hi Andrew,

Yes, it is possible, but I didn't get your point here. I don't see how this will help in your case. Maybe if you provide a more detailed explanation we can help you better.

Best regards,

Ivan

former_member190695
Participant
0 Kudos

Hi Andrew,

Yes, if you specify a validfrom and a validto date, a PVO is created; this applies to all entry reference attributes. Search for "About attribute validity" in the SAP IdM help (MMC) to read more. Ensure you assign an object in the following format: MXMEMBER_MX_ROLE:{A}{VALIDFROM=2013-07-01!!VALIDTO=2013-07-31}<BUSINESS:ROLE:NAME> or MSKEY.

Regards,

Ridouan