on 10-09-2013 11:00 AM
Dear experts,
My IDM is connected to several SAP repositories.
Sometimes user data such as roles is overwritten by another team when performing refreshes or synchronizations,…
I would like IDM to synchronize the data from IDM to the SAP back-end by deleting the wrong values (added roles) and putting back the ones from IDM.
Example :
Correct Value in IDM :
User ABC123 with role IDM_BC_1
Wrong value :
User ABC123 with role IDM_BA_9
IDM should delete the IDM_BA_9 and give the IDM_BC_1.
What is the easiest way to do that?
Thx for the reply,
Nicolas.
How about a batch job that re-writes the privileges to target system based on the passed repository name? Repository name could be defined in job constants and referred in scripts and SQL statements from that point onwards.
In the job you would have only "to SAP" pass that has a SQL in source tab that selects all the users who have access to the target system, either by comparing your job constant to account-attribute or account-privilege. Destination tab would look the same as Plugin #4 for your repository in SAP PF.
The other alternative would be a "to Generic" pass with the same source select statement, but on the destination tab you would have an entry script that calls the Plugin #4 of the specific repository with the user MSKEY (by means of the uProvision U-function).
The job can easily be enhanced to work on multiple repositories even on different repository types.
If you need to work on an individual selected user, your easier option would be creating a UI task that calls the Plugin #4 for the specific user & repository combination.
Hello Nicolas,
I'm not an expert like the other guys, but I think you don't need to deprovision first.
Couldn't you just copy the update job and disable the delta handling? I thought I read somewhere that the complete list of privileges is always sent, so that it should automatically delete the roles in the backend and then add the roles that IdM sends. Or did I misunderstand that? I'm really not sure right now, because the others haven't come up with that yet.
Regards,
Steffi.
Hello Nicolas and Steffi,
The SAP provisioning framework will always send the complete list of all role and profile assignments of the user to the ABAP system, without delta functions (as Steffi describes), unless you implement it as per SAP Note 1626816. You can review the note, which explains the details.
So you may just take the standard plugin task as a reference like Tero has suggested, if you decide to do it in this way.
BR, Keith
Hi Nicolas
I've done this a few times. When reading in from IDM, I disable the writing of roles and profiles so that IDM is never updated after initial load - IDM is authoritative. However, instead of writing, I do a search of the existing IDM assignments for the user and if they do *not* have the role that is in the ABAP backend, trigger a Modify on the user for that repository which will overwrite all the roles and profiles on the back end.
As an advanced step, add the Username to a job variable when you trigger it and then check against the variable when kicking off the script so that it only gets triggered once per user.
Peter
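Added illustration, not code from the thread, from SAP or from any poster: the comparison step Peter describes and the batch sweep Tero proposes, modelled in plain JavaScript (the language SAP IDM scripts are written in) with constructed sample data standing in for the IDM link table and the role list read back from the ABAP repository. `trigger` is a hypothetical callback standing in for the uProvision call to the repository's Plugin #4, and `alreadyTriggered` plays the role of Peter's job variable so each user is kicked off only once. It goes slightly beyond the posts by reporting drift in both directions (roles added outside IDM and roles missing from the backend), since, as Keith notes, a single Modify sends the full list and repairs both.

```javascript
// Constructed sample: authoritative role assignments per user in IDM.
const idmAssignments = {
  ABC123: ["IDM_BC_1"],
  DEF456: ["IDM_BC_1", "IDM_HR_2"],
  GHI789: ["IDM_FI_3"],
};

// Constructed sample: what the ABAP backend currently reports, one row per assignment.
const backendRoles = [
  { user: "ABC123", role: "IDM_BA_9" }, // added by another team, IDM_BC_1 lost
  { user: "DEF456", role: "IDM_BC_1" },
  { user: "DEF456", role: "IDM_HR_2" },
  { user: "GHI789", role: "IDM_FI_3" },
  { user: "GHI789", role: "IDM_BA_9" }, // drift
  { user: "GHI789", role: "IDM_BA_8" }, // second drift for the same user
];

// Collapse the backend rows into user -> Set of role names.
function groupByUser(rows) {
  const byUser = new Map();
  for (const { user, role } of rows) {
    if (!byUser.has(user)) byUser.set(user, new Set());
    byUser.get(user).add(role);
  }
  return byUser;
}

// Compare every IDM user against the backend and return only the users that
// differ: `extra` = roles the backend has but IDM does not (Peter's check),
// `missing` = roles IDM expects but the backend lost. Sorted for stable output.
function findDrift(idm, backend) {
  const actual = groupByUser(backend);
  const drift = {};
  for (const user of Object.keys(idm)) {
    const expected = new Set(idm[user]);
    const got = actual.get(user) || new Set();
    const extra = [...got].filter((r) => !expected.has(r)).sort();
    const missing = [...expected].filter((r) => !got.has(r)).sort();
    if (extra.length || missing.length) drift[user] = { extra, missing };
  }
  return drift;
}

// Fire the repository Modify (a full overwrite of roles and profiles) for each
// drifted user, at most once per user across the run. `trigger(user, drift)` is a
// hypothetical stand-in for the uProvision call; `alreadyTriggered` is the job
// variable Peter describes and is shared between invocations by the caller.
function reconcile(idm, backend, trigger, alreadyTriggered = new Set()) {
  const drift = findDrift(idm, backend);
  const triggered = [];
  for (const user of Object.keys(drift)) {
    if (alreadyTriggered.has(user)) continue; // already queued in this run
    alreadyTriggered.add(user);
    trigger(user, drift[user]);
    triggered.push(user);
  }
  return triggered;
}

// Stand-alone demo: print the drift report and the users that would be re-provisioned.
console.log(JSON.stringify(findDrift(idmAssignments, backendRoles), null, 2));
const demoSeen = new Set();
console.log("triggered:", reconcile(idmAssignments, backendRoles, () => {}, demoSeen));
console.log("second pass:", reconcile(idmAssignments, backendRoles, () => {}, demoSeen));
```

In a real job the `idmAssignments` map would come from the source-tab SQL Tero mentions (users holding an account or privilege for the repository) and `backendRoles` from the read-back pass; the second `reconcile` call returning nothing is the behaviour the job variable is there to guarantee.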
Nicolas Varga wrote:
All the answers seem good, but I'm surprised that this functionality is not standard in SAP IDM while in the IDM of IBM it's standard.
Am I the only one interested in this, that SAP doesn't develop this?
You're not the only one interested, as I've developed a similar job a couple of times in customer projects, along with repairs that could come out of the box like doing uPrivilegeRetry based on the provisioning status in the link table. (There is now the stored procedure based provisioning problem analyze/fix solution.)
Even though these features are not supplied with the product, the platform offers a relatively easy way to achieve the functionality. I agree it would be nicer if it came out of the box, tested with warranty.