cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Privilege not getting Reassigned

Go to solution
Ckumar
Contributor

on ‎05-28-2014 3:21 AM

0 Kudos

Hi experts,

I am using SAP IDM 7.2

We have a multivalue attribute MXREF_MX_PRIVILEGE which contains more than one privileges. This attribute is assigned to user xyz.

The requirement is that when system/administrator is Disabling the user xyz then it should add grace period(Valid To date) to some of the privileges which is under the MXREF_MX_PRIVILEGE attributes.

But whenever i tried to do so its showing overlapping error.

To fix this issue i removed the particular privileges by using {d} first and then Re-assigned that privilege again with the grace period to the user xyz but again i am getting Overlapping error.

Could you please guide how to fix this.

Thanks in Advance

Regards,

C Kumar

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎05-28-2014 6:46 AM
0 Kudos

Hi Kumar,

    You dont need to remove the privileges and re assign them. You may modify them instead

PFB the Modify pass which does it for you.

Use {R} instead of {A} . Do let me know if this works

Regards,

Mohamed Fazil

Message was edited by: Mohamed Fazil

Message was edited by: Mohamed Fazil

Show replies
Show replies
Former Member
‎05-28-2014 9:47 AM
0 Kudos

The {R} operator is "replace" and will remove all other existing direct assigned privilege assignments. As a result only the inherited privileges and the one(s) you specify after the {R} operator would remain.

A modification can be done using the linkid and setting a new validfrom and/or validto:

MXREF_MX_PRIVILEGE {LINKID=3456!!VALIDFROM=2014-05-28!!VALIDTO=2015-06-11!!LINKREASON=User was disabled, starting grace period}<Manager>

This means that you need  a script to loop through all direct assigned privileges that you want to put into a grace period, find their link-id and set the validto to today+14 days using the syntax above.

If these privileges are inherited from a role you need to modify the role validity instead. If have multiple direct assignement validities you can use the {E} operator to remove the other future asssignments for the privilege. Example:

{E}{LINKID=1234!!VALIDTO=<today+14 days)}<privilege1 name>|{E}{LINKID=5678!!VALIDTO=<today+14 days)}<privilege2 name>|

Br,

Chris

Answers (0)

Ask a Question