User creation

Former Member
0 Kudos

Hello Experts,

I have a query regarding user creation via IDM.

I need to add an event agent to my HR system to watch it for any new addition of user or change to existing user information.

Which event agent type do I need to use?

Once the event agent detects a new entry in the repository for the HR system, it just creates a new identity in IDM, right? Also, is it possible that on the basis of some field value from the HR system, IDM can create the user in target systems as well, i.e. adding the privilege for the SAP system to the new user detected from the HR system, which can create the user in the SAP system as well? Is it possible? If yes, then how can I achieve this?

And (in case no), what are the other alternatives?

I am working with IDM 7.2.

Thanks in advance!

Naveen

Accepted Solutions (1)


Former Member
0 Kudos

I think the first question is - what is your HR system?  Are we talking HCM?

An event agent can be used to trigger an event.  It really depends on your granularity.  Do you have an actual need for a 30 second response time on creating the account?  Can you live with 30 minutes?  If so, you can just schedule a delta import every 30 minutes and not only will it create new users but all updates will come through.

You can configure it to do anything once you have the data.  If there is some data in HR that will tell you what you need to know, you can attach any number of jobs to trigger when it's updated.

Former Member
0 Kudos

Hello Peter,

Thanks for the response.

It's not an SAP HCM system. I can stick to the 30 mins frequency, that will not be a problem I guess.

Could you please suggest the steps that need to be done to accomplish this user creation in target systems without manual intervention, as in where to include the jobs and how to detect the type on the basis of a field maintained in the HR system to create users in selected systems.

Many thanks,

Naveen

Former Member
0 Kudos

I would start by looking at NOT using an event agent. You can often simplify your implementation footprint if you create a well designed Delta Load job that is scheduled to run every X minutes. The event agent would need to start such a job anyway when it detects a change since the event agent itself can't contain logic for transporting the actual changes into IdM.

You don't mention what HR system this is or how you interface with it, but:

- If it has a standard interface (jdbc/LDAP or other) where you can query for changed entries based on a timestamp or change-number you can use that. The event agent would require the same type of query to detect that a change has happened and to trigger the "delta load" job anyway.

- If there is no such timestamp/changelog you can read the entire HR source and use the delta functionality to detect new/modified/deleted entries.

- If it has a push to LDAP or REST function you could use the VDS interface to write the entry into IdM, either directly or through a temporary/holding IDStore like HCM.

Br,

Chris
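The two delta strategies Chris lists above, written out as an added example (this is not code from the thread or from SAP IdM; it is plain Node.js over constructed HR rows). The first function is the kind of "simple operation" a scheduled job or event agent can run when the HR system exposes a change number; the second reads the whole source and classifies entries as new, modified or deleted, which is the only way to notice deletions when there is no changelog. The column names, the change-number counter and the employee records are all assumptions.

```javascript
// Constructed HR snapshot as it might be read through JDBC. changeNumber is assumed
// to be a counter the HR system increments on every change.
const HR_ROWS = [
  { empId: "1001", name: "Alice", designation: "IT admin", changeNumber: 41 },
  { empId: "1002", name: "Bob", designation: "Manager", changeNumber: 57 },
  { empId: "1003", name: "Carol", designation: "Temporary staff", changeNumber: 58 },
];

// What the identity store already holds from the previous run (constructed).
const IDM_KNOWN = {
  "1001": { empId: "1001", name: "Alice", designation: "IT admin" },
  "1002": { empId: "1002", name: "Bob", designation: "IT admin" },   // changed in HR since
  "1004": { empId: "1004", name: "Dave", designation: "Manager" },   // no longer in HR
};

// Variant 1: HR has a change number. Only rows above the last processed value are
// read, in change order, so the job can be re-run safely from its watermark.
function selectChangedSince(rows, lastChangeNumber) {
  return rows
    .filter(r => r.changeNumber > lastChangeNumber)
    .sort((a, b) => a.changeNumber - b.changeNumber);
}

// Watermark to persist for the next run: the highest change number processed.
function nextWatermark(changed, lastChangeNumber) {
  return changed.reduce((m, r) => Math.max(m, r.changeNumber), lastChangeNumber);
}

// Variant 2: no changelog. Read the entire HR source and compare it with the known
// state; anything known but absent from the source is a deletion.
function computeDelta(rows, known) {
  const seen = new Set();
  const delta = { added: [], modified: [], deleted: [] };
  for (const r of rows) {
    seen.add(r.empId);
    const prev = known[r.empId];
    if (!prev) {
      delta.added.push(r.empId);
      continue;
    }
    if (prev.name !== r.name || prev.designation !== r.designation) {
      delta.modified.push(r.empId);
    }
  }
  for (const id of Object.keys(known)) {
    if (!seen.has(id)) delta.deleted.push(id);
  }
  return delta;
}

// Stand-alone run for the reader.
const changed = selectChangedSince(HR_ROWS, 50);
console.log("changed since 50:", changed.map(r => r.empId), "next watermark:", nextWatermark(changed, 50));
console.log("full delta:", computeDelta(HR_ROWS, IDM_KNOWN));
```

Note that variant 1 alone never reports a deleted employee: a row that disappears from HR has no new change number, so a periodic full comparison (variant 2) is still needed if leavers must be deprovisioned.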

Former Member
0 Kudos

Hello Chris,

Thanks for the response.

-> If there is no such timestamp/changelog you can read the entire HR source and use the delta functionality to detect new/modified/deleted entries

I guess this one would suit my situation. I want to use an event agent and under that agent, I'll run a job (it has a query to fetch entries from the HR system to IDM) to read new/modified entries (from database pass) and write the delta only to IDM (to identity store pass). Please point me if my understanding is not correct. And then for the new entries coming in, I want to create users in target systems as well without manual intervention. I am using the event agent for the first time, it would be helpful if you can share in detail. Please suggest further.

thanks & regards,

Naveen

Former Member
0 Kudos

As I mentioned in my reply; if you don't have a change number or changelog then the event agent is not an option. The event agent is only useful when you can issue a simple operation that lets it know if there are changes to read. If there are changes detected it triggers a JOB to process the change. It cannot create or process data or deltas itself. If this is your scenario then you should not use the event agent. You should use a job that is scheduled to run at regular intervals instead.

New entries from your "HR" system can be assigned to target systems by assigning roles/privileges that are created from the respective systems initial load jobs when creating the entries.

Former Member
0 Kudos


Hello Chris,

Just to add, I have the change number available. I am aware of the roles/privileges created from initial loads. Please suggest further.

Thanks & Regards,

Naveen

Answers (1)


Former Member
0 Kudos

Hi Naveen,

I have a suggestion for the second part of your question. If you want
to automatically provision a user based on the field from the HR, first:

  1. You have to add a trigger for this attribute on add and change, then the trigger will call a task.
  2. The task will check what access to assign based on the attribute's value.
  3. The check can be done by an authorization table (here you will have a column for the position value and for the business role that should be assigned based on this value).

Note: this is a simple case and I don't know, if this is what you are looking for

Kind Regards,

Simona Lincheva

Former Member
0 Kudos

Hello Simona,

Many thanks!

-> 1. You have to add a trigger for this attribute on add and change, then the trigger will call a task:

I did not get your point here. Could you please elaborate ?

Best regards,

Naveen

Former Member
0 Kudos

Hi Naveen,

On each attribute you have a tab, Event handling, and there you can set tasks for add and modify, so when you add/modify the attribute this task will be executed.

Kind regards,

Simona

Former Member
0 Kudos

Hello Simona,

Got it. I can see the options add, modify and delete under event handling, thanks.

So I can add a task here which should be triggered every time the value for the attribute is changed; for example, if I have added a task "Assign privilege", then whenever a new entry is detected, the task "Assign privilege" will be triggered. Is my understanding correct till here?

And also, now I need to understand on what basis the privilege is to be assigned. Let's say I have the below criteria to be treated:

Employee Designation    Privilege
IT admin                sap & other
Manager                 sap only
Temporary staff         none

So on the basis of the above, how can I direct the task to assign the appropriate privilege to the new identity?

Please suggest.

Best regards,

Naveen

Former Member
0 Kudos

Hi Naveen,

It's easy:

1. You can create a temporary table with a column for position and one for privileges; then in the task that is triggered you can have a simple script that will check the value from your attribute against the table you created. The result from the script will be a value from your second column (privileges).

Note: this is a simple case, you can have a more complicated table, as well as a more complicated check.

Kind Regards,

Simona

former_member2987
Active Contributor
0 Kudos

Simona,

Maybe instead of using a trigger you could use an event task on an attribute?

Also during your create user workflow you could insert a switch task to evaluate your possible values?

IT Admin, Manager, Temporary staff and then assign the appropriate roles/privileges.

Matt

Former Member
0 Kudos

Hi Matt,

Yes, my suggestion is to use as a trigger an event task set on the attribute (on add and modify).

As for your second suggestion, I had the same idea and I was about to write it down with my other proposal, but it'll be easier to use a script, and if the case is more complicated the script will be easy to adapt to a more complicated scenario.

Kind Regards,

Simona

Former Member
0 Kudos


Hello Matt, Simona,

The selection scenario is very straight forward. As I mentioned before, something like this:

Employee Designation    Privilege
IT admin                sap & other
Manager                 sap only
Temporary staff         none

Not very complicated.

One option (suggested by Simona) is writing a script to get the appropriate value for the privilege.

For the other option (suggested by Matt), could you please share in more detail how to achieve it, or the steps included? It would be of great help.

Best regards,

Naveen

Former Member
0 Kudos

A simple switch task (there are examples in the provided SAP Provisioning Framework).

Switch task (get the value of the Employee Designation)

- IT Admin

    - Assign Roles (mxref_mx_role {A}<rolename>|<rolename>)

- Manager

    - Assign Roles (mxref_mx_role {A}<rolename>|<rolename>)

- Temporary

    - Assign Roles (mxref_mx_role {A}<rolename>|<rolename>)

- Else

    - Error? Assign Nothing?

The only difficulty is making sure that the switch task gets the right data and that the data is correct every time (hence the case else).

If the roles are static and the types of designations are static this is probably the easiest.

You could also do things like:

- Add a 'Designation' multivalue attribute to each role.  The assign roles task then selects all roles with the designation matching the employee's.  You won't need a switch task then - the same task works for everyone and it's the data on the roles which determines what gets assigned.  In many ways, this is much more elegant as it doesn't require changes to tasks if things change.  You can publish it through the UI and allow administrators to update it.
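The designation-to-privilege decision discussed in this thread, as an added example that is not code from the thread, from SAP IdM or from the Provisioning Framework. It is plain Node.js and does not call the IdM script API; the table, the role and privilege names, and the employee records are constructed. It covers both the static lookup (Simona's table, which is what Matt's switch task encodes as cases) and the data-driven variant where each role carries a Designation attribute, and it adds the reconcile step so that a changed designation revokes as well as grants. In both variants an empty or unknown designation lands in the "else" branch and assigns nothing, which is the point Matt makes about making sure the switch gets correct data every time.

```javascript
// Constructed lookup table: designation -> privileges to assign. Keys are compared
// case-insensitively so "IT admin" and "IT Admin" from HR map to the same row.
const DESIGNATION_TABLE = {
  "it admin": ["PRIV:SAP", "PRIV:OTHER"],
  "manager": ["PRIV:SAP"],
  "temporary staff": [],
};

function normalise(value) {
  return String(value == null ? "" : value).trim().toLowerCase();
}

// Static variant (lookup table / switch task). The "else" case is explicit: a
// missing or unknown designation returns ok=false with no privileges, so the
// calling task can raise an error instead of silently assigning something.
function privilegesForDesignation(designation, table = DESIGNATION_TABLE) {
  const key = normalise(designation);
  if (!key) {
    return { ok: false, reason: "designation missing", privileges: [] };
  }
  if (!Object.prototype.hasOwnProperty.call(table, key)) {
    return { ok: false, reason: `unknown designation "${designation}"`, privileges: [] };
  }
  return { ok: true, reason: "", privileges: table[key].slice() };
}

// Constructed roles, each carrying a multivalued Designation attribute.
const ROLES = [
  { name: "ROLE:SAP_USER", designations: ["IT admin", "Manager"] },
  { name: "ROLE:OTHER_SYSTEM", designations: ["IT admin"] },
  { name: "ROLE:CONTRACTOR_PORTAL", designations: [] },
];

// Data-driven variant: one task for everyone; the roles' own Designation values
// decide what matches. A role with no designations is never auto-assigned.
function rolesForDesignation(designation, roles = ROLES) {
  const key = normalise(designation);
  if (!key) return [];
  return roles
    .filter(r => r.designations.some(d => normalise(d) === key))
    .map(r => r.name)
    .sort();
}

// Reconcile desired against current assignments so that a designation change
// (e.g. IT admin -> Manager) both adds the new entitlement and removes the old one.
function reconcile(current, desired) {
  const cur = new Set(current);
  const want = new Set(desired);
  return {
    add: [...want].filter(x => !cur.has(x)).sort(),
    remove: [...cur].filter(x => !want.has(x)).sort(),
  };
}

// Stand-alone run for the reader.
for (const d of ["IT admin", "Manager", "Temporary staff", "Intern", ""]) {
  console.log(JSON.stringify(d), privilegesForDesignation(d), rolesForDesignation(d));
}
console.log(reconcile(["ROLE:SAP_USER", "ROLE:OTHER_SYSTEM"], rolesForDesignation("Manager")));
```

In IdM itself the assignment step would be the Assign Roles task shown in Matt's post (the mxref_mx_role notation); the functions here only produce the list that such a task would be fed, and the reconcile output is what an administrator would want logged when a designation changes.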