on 01-30-2014 5:40 PM
Hi All,
We are implementing SAP IDM and we need to set IDM to create a user (identity) based on data brought from the HR system, for example:
HR system (there is a new employee called João Silva)
IDM needs to read these fields from HR and create a user to log in on the target system, like jsilva, with this policy: first letter of the first name and the last name.
And if in the future there is another João Silva, IDM should treat this case by increasing a number, like: jsilva1, jsilva2.
This activity needs to be done automatically by IDM.
Do you guys have any suggestions to accomplish this?
Thank you for your help.
Regards.
Miguel
Hi ALL
Thank you in advance.
This problem was solved:
1- We created a job, in the Identity Store under the task "Create identity (UI)" to IdentityStore, that writes our userID into a custom attribute that we created (Client_AD_UserID).
Regarding this, we were able to execute our script before IDM creates the userID on the target systems.
2- We mapped this attribute as the value in the task that creates the identity on Active Directory and SAP, with the value obtained before.
We did it this way because here in Brazil we are using the mskeyvalue as another value (personal number) and not the userID for the target systems.
Thank you.
Hi guys, thank you for your attention.
But will it work even though my mskeyvalue is not my user ID? Here we will use mskeyvalue as a personal number, but what we need to check is the userID "TCheck1" that is created at this time.
What we need is to check if this userprincipalname already exists and, if yes, increase a sequential number, but we need to check at this time (when the user is being created on AD).
Is this information stored in some place in the IDM database?
Thank you.
Regards.
Miguel:
Yes, you have to check the DN and, if it already exists, change the ID. You will need more than just the ID.
You did not mention whether you have one AD domain in your landscape or more than one.
DN = samaccountname + OU + Domain Name
Before the password CreateADUser you need to make sure you get the samaccountname and OU for the user. The domain information is given by the repository settings.
For your logic, basically you are:
1. Calculating the user's samaccountname
2. Determining the OU
3. Forming the DN
4. Checking the DN for uniqueness (if it is not unique, go back to step 1 and repeat the process)
Regards
Andy
Peter, my CN will be something like this:
CN=Test Check1,OU=Users,OU=Company,dc=none,dc=com
I need to check the value "Tcheck1" that will be related to a samaccountname or userprincipalname for the new user on Active Directory.
I need to check if tcheck1 exists during the creation over the UI.
Thank you.
Regards.
OK - if you're using the CN as the sAMAccountName as well, it has to be unique across the entire domain. Therefore you can change the script:
```
// Pseudocode: accountname is the generated base name (first initial + last name)
accnames = Select MSKEYVALUE where MSKEYVALUE like 'CN=accountname%'
if(accnames.indexOf("!ERROR") > -1) {return "CN=accountname,OU*=Users...";}
for i=1 to 1000
  // Test the base name plus counter, not the query result itself
  if(accnames.indexOf("CN=" + accountname + i + ",OU=*") == -1) {return "CN=" + accountname + i + ",OU*=...";}
next
```
* Note - default AD structure, the base Users container is a CN, not an OU.
Peter
As a workaround we are trying to do an update on the table to update this value during user creation on the UI.
This update can be done inside the script that creates new users.
Has anyone had this experience before? (Update over script.)
Regards.
So, you would like to create users in UI and assign a generated MSKEYVALUE to them?
Uncheck the MSKEYVALUE from your UI, this way when the entry is created IdM will assign the MSKEYVALUE, it will be MX_[number].
Add a workflow task after the UI screen in MMC which will call your script and set the MSKEYVALUE in a toGeneric pass. You would be using the same uIS_SetValue function as in the script example above, but setting a value to MSKEYVALUE instead of the "Z_USERREQ_USERID" of the example.
regards, Tero
Hi Experts,
We have implemented this script to treat User ID creation:
We were able to check if the value (in this example TCheck) already exists in the IDM database.
The lookup is being done on the idmv_entry_simple table as shown below.
If we create a new user like TCheck1, this value is not updated in the IDM database, permitting me to create a new user with Tcheck1 again.
Maybe we are looking for this value in the wrong table.
Has anyone already faced this before?
Thank you
Regards.
Hi Peter, thank you again for your attention.
When a user is created over the user interface with the privilege for creation on Active Directory, where will this information be placed in the IDM database?
I mean, imagine that I created a user whose sAMAccountName / userPrincipalName will be Tcheck1.
In which table will this data (Tcheck1) be stored in the IDM database? I need to do my check in this table, to check if this user already exists, correct?
We are trying the column mcdisplayname in idmv_entry_simple; is that correct?
Thank you very much.
BR
The userID for each system is held against 'ACCOUNT<repositoryName>'. It doesn't have to be the same as IDM (although this can make admin easier).
You can create the account for AD at that time if necessary, rather than when coming in from HCM.
Realistically, try not to overthink the problem.
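```
// Pseudocode: accountname is the generated base name (first initial + last name)
accnames = Select MSKEYVALUE where MSKEYVALUE like 'accountname%'
if(accnames.indexOf("!ERROR") > -1) {return accountname;}
// Wrap the result in delimiters so each name can be matched as "!!name!!"
accnames = "!!" + accnames + "!!";
for i=1 to 1000
  // Test and return the base name plus counter, not the query result itself
  if(accnames.indexOf("!!" + accountname + i + "!!") == -1) {return accountname + i;}
next
```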
This will just loop through any account like your first initial, last name, appending a number and checking to see if it already exists. You'll need to fit in the proper sql query and debug etc.
Peter
Assuming you have already got the data out of HR, a simple script will be able to get uniqueness from the IDM solution and generate the new name.
Peter
I have many - it depends on what your rules are for generating the name.
A really basic one is:
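```javascript
initial = firstname.charAt(0);
tempName = initial + surname;
MaxCounter = 999;
// tempName is concatenated into the SQL text, so restrict firstname and surname
// to expected characters (letters and digits) before this point.
// The result is handled as one string with the rows separated by "!!".
curNames = uSelect("Select mskeyvalue from idmv_valink_basic where mskeyvalue LIKE '" + tempName + "%'");
// Wrap the result in delimiters so each name can be matched as "!!name!!"
tempCurNames = "!!" + curNames + "!!";
if (tempCurNames.indexOf("!!" + tempName + "!!") == -1)
{
    //tempName doesn't exist at all! We are good to go.
    return tempName;
}
for (i = 1; i < MaxCounter; i++)
{
    if (tempCurNames.indexOf("!!" + tempName + i + "!!") == -1)
    {
        //tempNamei does not exist.
        return tempName + i;
    }
}
// Handle errors here...
```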
NOTE - this is very basic and not very efficient but it will work (debug my javascript first! )
Peter
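An added example, not part of Peter's post and not SAP IDM code: the same "!!"-delimited uniqueness check as a self-contained function that runs outside IdM. `baseName`, `nextFreeName` and the sample data are constructed for illustration; it assumes the lookup result arrives as one "!!"-separated string, treats a result that starts with `!ERROR` as a failed lookup, compares case-insensitively as AD does for sAMAccountName, and keeps the name within the 20-character sAMAccountName limit.

```javascript
// Added example: function names and sample data are constructed, not SAP IDM code.
const MAX_LEN = 20;      // sAMAccountName limit for user objects
const MAX_COUNTER = 999; // same ceiling as the script above

// "João", "Silva" -> "jsilva": strip accents, keep only a-z and 0-9
function baseName(firstName, lastName) {
  const clean = (s) => s.normalize("NFD").replace(/[\u0300-\u036f]/g, "")
    .toLowerCase().replace(/[^a-z0-9]/g, "");
  const first = clean(firstName), last = clean(lastName);
  if (!first || !last) throw new Error("name has no usable characters");
  return first.charAt(0) + last;
}

// existing: "!!"-separated names already taken, as one string (may be empty)
function nextFreeName(firstName, lastName, existing) {
  // Fail closed: a failed lookup must not be read as "nothing is taken"
  if (existing.indexOf("!ERROR") === 0) throw new Error("lookup failed");
  const taken = new Set(
    existing.split("!!").map((n) => n.trim().toLowerCase()).filter(Boolean));
  const base = baseName(firstName, lastName);
  for (let i = 0; i <= MAX_COUNTER; i++) {
    const suffix = i === 0 ? "" : String(i);
    // Truncate the base, never the counter, so the suffix stays intact
    const candidate = base.slice(0, MAX_LEN - suffix.length) + suffix;
    if (!taken.has(candidate)) return candidate;
  }
  throw new Error("no free name for " + base);
}
```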
Hi Miguel,
Here is the script I am using.
```javascript
// Main function: zsap_core_generate_mskeyvalue
/*
 *----------------------------------------------------------------------------------------------------------------------------
 * Parameter(s) Cat. : String
 * Parameter(s)      : FirstName|LastName|NRIC|MSKEY from the Z_USER_REQUEST Entry Type
 * Return value Cat. : String
 * Return value      : MSKEYVALUE of MX_PERSON
 *----------------------------------------------------------------------------------------------------------------------------
 * Dependencies      : // to scripts, attributes, inbuild functions, context vars, tables/views,
 *                     system/job/repository/global constants/variables
 * - inbuild function : uGetIDStore
 * - inbuild function : uSelect
 * - view : idmv_entry_simple_all
 * - NRIC is the unique identity of the user
 *--------------------------------------------------------------------------------------------------------------------------*/
function zsap_core_generate_mskeyvalue(Par){
    //Example calling DSE internal function
    //uStop("Terminated by user");
    //string looks like this FirstName|LastName|NRIC|MSKEY
    var inputParameter = Par.split("|");
    var displayName = inputParameter[1] + inputParameter[0];
    var nric = inputParameter[2];
    var mskey = inputParameter[3];
    var subName = ""; //To store first five characters of the MSKEYVALUE
    var nameLength = displayName.length;
    var checkmskeyvalue = ""; //To store the MSKEYVALUE
    var count = 0; //To generate the free number in the MSKEYVALUE
    var IdentityStore = uGetIDStore();
    var tempCount = 0; //Counter used in loop
    var tempDisplayName = ""; //variable to hold display name
    uInfo("Executing zsap_core_generate_mskeyvalue");
    uInfo("displayName:" + displayName + "nric :" + nric + "mskey:" + mskey);
    //skip space from displayName
    for (tempCount = 0; tempCount < nameLength; tempCount++)
    {
        if (displayName.charAt(tempCount) != " ")
            tempDisplayName = tempDisplayName + displayName.charAt(tempCount);
    }
    displayName = tempDisplayName;
    // Recompute the length after removing spaces so the padding below is correct
    nameLength = displayName.length;
    // Append additional 0 if the length of name is less than 5 characters
    for (; nameLength < 5;)
    {
        displayName = displayName.concat("0");
        nameLength = displayName.length;
    }
    subName = displayName.substring(0,5);
    // NOTE: subName and nric are concatenated into the SQL text below, so validate
    // them (for example letters and digits only) before they reach uSelect.
    //for loop to find next available number if a user with same name and nric number already exists.
    // 36 suffixes: 0-9, then A-Z (count + 55 maps 10..35 to "A".."Z")
    for (count = 0; count < 36; count++)
    {
        if (count < 10)
        {
            checkmskeyvalue = uSelect("select mcMSKEY from idmv_entry_simple_all WITH(NOLOCK) where mcMSKEYVALUE = '" + subName + count + nric + "'");
            if (checkmskeyvalue == "" || checkmskeyvalue == "NULL")
            {
                checkmskeyvalue = subName + count + nric;
                break;
            }
        }
        else {
            checkmskeyvalue = uSelect("select mcMSKEY from idmv_entry_simple_all WITH(NOLOCK) where mcMSKEYVALUE = '" + subName + String.fromCharCode(count + 55) + nric + "'");
            if (checkmskeyvalue == "" || checkmskeyvalue == "NULL")
            {
                checkmskeyvalue = subName + String.fromCharCode(count + 55) + nric;
                break;
            }
        }
    }
    // If all 36 suffixes are taken, checkmskeyvalue still holds the last query
    // result at this point; handle that case before using the value.
    uInfo("checkmskeyvalue:" + checkmskeyvalue);
    var retValue = uIS_SetValue(mskey, IdentityStore, "Z_USERREQ_USERID", checkmskeyvalue.toUpperCase());
    uInfo("retValue:" + retValue);
    return checkmskeyvalue.toUpperCase();
}
```
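An added example, not the poster's script and not SAP IDM code: the script above builds its SQL by concatenating fields from the `FirstName|LastName|NRIC|MSKEY` parameter, so this sketch validates each field against an allow-list and quotes the value before the query text is built. All helper names, the field rules and the `exists` callback (which stands in for the uSelect lookup) are assumptions made for illustration.

```javascript
// Added example: helper names and sample values are constructed for illustration.
const SUFFIXES = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; // 36 values: 0-9, A-Z
const NAME_RE = /^[\p{L} .'-]{1,60}$/u;  // assumed rule for name fields
const NRIC_RE = /^[A-Za-z0-9]{1,20}$/;   // assumed: letters and digits only
const MSKEY_RE = /^[0-9]{1,18}$/;        // assumed: numeric entry id

// Split FirstName|LastName|NRIC|MSKEY and reject anything unexpected
function parseRequest(par) {
  const parts = String(par).split("|").map((p) => p.trim());
  if (parts.length !== 4) throw new Error("expected 4 fields");
  const [firstName, lastName, nric, mskey] = parts;
  if (!NAME_RE.test(firstName) || !NAME_RE.test(lastName))
    throw new Error("invalid name");
  if (!NRIC_RE.test(nric)) throw new Error("invalid NRIC");
  if (!MSKEY_RE.test(mskey)) throw new Error("invalid MSKEY");
  return { firstName, lastName, nric: nric.toUpperCase(), mskey };
}

// First five letters/digits of LastName+FirstName, padded with "0"
function subName(req) {
  const s = (req.lastName + req.firstName).replace(/[^\p{L}\p{N}]/gu, "");
  return s.toUpperCase().padEnd(5, "0").slice(0, 5);
}

// Quote a value as a SQL string literal by doubling single quotes
function sqlLiteral(v) {
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// exists(sql) stands in for the lookup; it returns true when a row matches
function generateKey(par, exists) {
  const req = parseRequest(par);
  const prefix = subName(req);
  for (const c of SUFFIXES) {
    const candidate = prefix + c + req.nric;
    const sql = "select mcMSKEY from idmv_entry_simple_all where mcMSKEYVALUE = "
      + sqlLiteral(candidate);
    if (!exists(sql)) return candidate;
  }
  // Never fall through with a stale value when every suffix is in use
  throw new Error("all 36 suffixes are taken");
}
```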
Miguel,
There's plenty of documentation on this in the landscape documents. That should point you in the right direction!
Regards,
Matt