Workflow for Change in Validity of User in IDM

Former Member

Hi Experts,

We are using IDM 7.2 SP8 and need to configure approval workflows. We have already configured a workflow for Role assignment and now need to configure another for changes in user details like validity end date. Can anyone help with any documentation for the same?

Thanks and regards,

Nits

Answers (3)

Former Member

Hi Krishna/Simona,

We are thinking of maintaining the user validity same as the validity of the role. As we have a standard workflow in provisioning framework which is triggered on change in role validity, we want to leverage on the same to maintain the user validity as well.

Is it a good idea in our case as we will mostly have only one composite role assigned to user?

The issue we are facing is that neither the standard workflow for role assignment nor the one for change in user validity is correctly maintaining the User Validity in the backend.

Appreciate your comments on the same.

regards,

Nits

terovirta
Active Contributor

Nits SAP wrote:

The issue we are facing is that neither the standard workflow for role assignment nor the one for change in user validity is correctly maintaining the User Validity in the backend.

What do you mean by that? Like there are no validity dates visible in back end? Or when the validity end is met in IdM, IdM does not trigger de-provisioning? (I don't think IdM sends the validity dates for privileges to backend, all the validity is stored in Id Store and the dates trigger the defined workflows.)

I cannot remember having any issues sending mx_validfrom and mx_validto to SAP-backends.

What are the standard workflows you mean? The provisioning/de-provisioning workflows in the SAP Provisioning Framework?

If you just want to approve the changes to the user record: having an approver task for user changes is pretty straightforward, just a change event task for mx_person which has an approval step. It requires some work to make it ignore the changes to attributes you're not interested in and to reset the old values in case of decline, but all of that is doable.

Former Member

Hi Tero,

Thanks for your comments.

What I meant is that the validity of the role to be assigned in the backend is maintained the same as the one specified while requesting the role. However, the validity for the user is not changed. We intend to change the validity of the user in the backend to always match the validity of the requested role.

Can you suggest how this can be achieved (if possible)?

Another issue that we are facing is:

1) We request Role1 for User1 and trigger the workflow for the same. The workflow completes successfully after approval from the role owner. The role is successfully assigned to the user in the IDM UI and repository, but nothing happens to the user's access in the backend.

2) We now request Role2 for the same User1. This time too the workflow is triggered and the request goes to "OK" status. However, in the backend Role1 is assigned to the user but Role2 is not assigned.

i.e., the subsequent role assignment/role deletion request leads to the actual assignment/deletion of the previously requested role.

Kindly help with your comments to resolve this issue.

Thanks and regards,

Nits

terovirta
Active Contributor

Nits SAP wrote:

Hi Tero,

Thanks for your comments.

What I meant is that the validity of the role to be assigned in the backend is maintained the same as the one specified while requesting the role. However, the validity for the user is not changed. We intend to change the validity of the user in the backend to always match the validity of the requested role.

This is somewhat odd functionality, as the validity of the user should be driven by the leading identity system (like an HR system) or, if it's handling externals in IdM (like consultants), then the IdM UIs that are used in maintaining the user should contain the validity for the user.

Anyway, you can get the valid from/to dates from the role assignment and assign them to the user's attributes.

I guess there are two options:

a) I would try querying the link attributes in the toIdStore pass at the end of the approval workflow, by including properties when reading attribute values from the identity store. As that functionality exists in the toIdStore pass, you can map the mx_validto attribute to a script that takes "%{VALIDTO}MXREF_MX_ROLE%" as a parameter, then pick the date in the script and return the date as the attribute value.

b) If that doesn't work, then write a script that queries the validity from the link table based on the link reference in the PVO and stores the dates to the person entry. I haven't looked into PVOs in late SPs, so I cannot remember by heart whether they contain the validity dates for the assignment or not.
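
One way to write the script that option a) describes, as an added example that is not from this thread or from SAP: an IdM 7.2-style attribute script in the ES3-compatible JavaScript the IdM script engine runs. It assumes the toIdStore pass maps mx_validto to this script with "%{VALIDTO}MXREF_MX_ROLE%" as the parameter and that IdM hands the values over pipe-separated with the property in braces (the function name and that rendering are assumptions; adjust the regex to what your pass actually receives). It takes the latest VALIDTO across all assigned roles and refuses to shorten the user when any assignment is open-ended, so the account never outlives its entitlements but is never cut off while a role is still valid.

```javascript
// Added example, not SAP's or the thread's code. Constructed input shape:
// "{VALIDTO=2016-06-30 00:00:00}ROLE_A|{VALIDTO=2017-01-15 00:00:00}ROLE_B"

// Parse "YYYY-MM-DD[ HH:MM:SS]" into UTC milliseconds; null if malformed.
function parseIdmDate(s) {
  var m = /^(\d{4})-(\d{2})-(\d{2})(?: (\d{2}):(\d{2}):(\d{2}))?$/
    .exec(String(s).replace(/^\s+|\s+$/g, ""));
  if (!m) return null;
  return Date.UTC(+m[1], +m[2] - 1, +m[3], +(m[4] || 0), +(m[5] || 0), +(m[6] || 0));
}

function pad2(n) { return (n < 10 ? "0" : "") + n; }

// Render UTC milliseconds back in the "YYYY-MM-DD HH:MM:SS" form used above.
function formatIdmDate(ms) {
  var d = new Date(ms);
  return d.getUTCFullYear() + "-" + pad2(d.getUTCMonth() + 1) + "-" + pad2(d.getUTCDate()) +
    " " + pad2(d.getUTCHours()) + ":" + pad2(d.getUTCMinutes()) + ":" + pad2(d.getUTCSeconds());
}

// Script entry point (hypothetical name; IdM calls it with one parameter).
// Returns the latest VALIDTO over all role references, so the user stays
// valid exactly as long as the longest-lived role. Returns "" (leave the
// attribute alone) when there are no references, when any reference has no
// VALIDTO (open-ended assignment), or when a date cannot be parsed: guessing
// a shorter end date would cut off access another role still grants.
function z_roleValidityToUser(Par) {
  if (Par === null || Par === undefined || String(Par) === "") return "";
  var refs = String(Par).split("|");
  var latest = null;
  for (var i = 0; i < refs.length; i++) {
    var m = /\{[^}]*\bVALIDTO=([^,}]+)[^}]*\}/.exec(refs[i]);
    if (!m) return "";            // open-ended assignment: do not shorten
    var ms = parseIdmDate(m[1]);
    if (ms === null) return "";   // unparseable date: do not guess
    if (latest === null || ms > latest) latest = ms;
  }
  return latest === null ? "" : formatIdmDate(latest);
}
```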

Former Member

Hi Tero,

Thanks for the detailed explanation on how to make the user validity the same as the role validity. We will try it and let you know the outcome.

Kindly help us with your comments on the issue:

-------------------------------------------------------------------------------------------------------------------------------

1) We request Role1 for User1 and trigger the workflow for the same. The workflow completes successfully after approval from the role owner. The role is successfully assigned to the user in the IDM UI and repository, but nothing happens to the user's access in the backend.

2) We now request Role2 for the same User1. This time too the workflow is triggered and the request goes to "OK" status. However, in the backend Role1 is assigned to the user but Role2 is not assigned.

i.e., the subsequent role assignment/role deletion request leads to the actual assignment/deletion of the previously requested role.

-------------------------------------------------------------------------------------------------------------------------------

Thanks and regards,

Nits

terovirta
Active Contributor

Nits SAP wrote:

1) We request Role1 for User1 and trigger the workflow for the same. The workflow completes successfully after approval from the role owner. The role is successfully assigned to the user in the IDM UI and repository, but nothing happens to the user's access in the backend.

2) We now request Role2 for the same User1. This time too the workflow is triggered and the request goes to "OK" status. However, in the backend Role1 is assigned to the user but Role2 is not assigned.

i.e., the subsequent role assignment/role deletion request leads to the actual assignment/deletion of the previously requested role.

That sounds like something wrong with repository definitions or the tasks defined for privileges.

What do the job logs show you after the approval workflow has been completed?

Former Member

Hi Nits,

I don't think that this is a standard IdM scenario, but you can make a custom solution. As I don't know what exactly your idea is, I can suggest that, since you are using SP8, you can make a custom SAPUI5 UI workflow. So when you have selected a user, depending on the attribute you have selected to change, a different workflow will be triggered (a different level of approval will be needed), but this is just an idea.

Kind Regards,

Simona Lincheva

Former Member

Hi Nits,

Sounds interesting. But I am afraid that there is no document from SAP available for this, as far as I know. And I even wonder if IDM supports this scenario.

~ Krishna

Former Member

I don't have a system to work on, but I'm pretty sure it's possible. I seem to remember doing something like this a while ago...

Peter