on 06-27-2014 4:23 PM
Hi folks!
I'm working on a synchronization job and I have a particular challenge: deleting roles assigned to a user in the ABAP system.
Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend. Easy enough!
However if the privilege is not in IDM but is in the back-end, it needs to be removed. Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
I looked in the business suite and plain ABAP portions of the framework. I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
Thanks for your help!
Matt
Hi Matt,
I believe the new Internal Function "uIS_SetDirty" will resolve this issue. Please see the documentation for this Internal Function below.
If you find a user who has access in the backend system (ABAP) but not in IDM, you can set that user to a Dirty Entry by using this Internal Function "uIS_SetDirty".
Please check whether this helps,
Thanks,
Jerry George
Hello Matt,
so you want to remove local administrated role?
If the object really is to undo the local administration, I would do this:
Best regards
Dominik
Dominik,
Interesting, nice total concept as it mirrors my sync design. The issue is how do I remove the roles in the ABAP system assigned to a user that don't exist in IDM as corresponding privileges to the same user?
I'm hoping Jerry's idea of using the uPrivReconcile function will do the trick.
Matt
Hi Matt,
As part of the Sync Job, if we find mismatches for the user, we can call an ADMIN type Job for synchronization. We can call the function uIS_PrivReconcile() or any reconcile internal functions to get the roles -> back end system sync.
Whenever we have a back end sync, the system will sync the user -> Role relationship, with the only problem being that it will invoke sync for all repositories.
Thanks,
Jerry George
How do you find the mismatches in the first place? In a job that you execute per repository? Then you should have a list of valid privileges per repository per user readily available from IdM and could send them to the backend. Similar to what Plugin #4 does for AS ABAP.
regards, Tero
Hello Matt,
did I understand correctly: you have a user in IdM, who has an account in the ABAP backend. And you have assigned ABAP roles to this user via IdM. Now - for some reason - the user has more ABAP roles in the backend than he has in IdM. And now you want to remove those roles in the backend, that IdM knows nothing about for that user (so that he has the same roles in IdM and the backend). Is that right?
Why don't you just trigger the provisioning of the roles for that repository for those users? Since IdM will always send ALL roles of the user to the backend, where the current roles will be unassigned and the sent ones assigned, it should be ok?
But maybe I don't understand what your problem here is.
Regards,
Steffi.
Steffi, that's exactly the use case. We have some very dirty data that we need to clean up.
Ongoing reconciliation allows us to make sure that only authorized changes (those done from IDM) are kept in the system and any direct back-end changes are removed. I think this solution will take care of this.
Thanks for your thoughts!
Matt
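The comparison the thread converges on (IdM is authoritative; per repository and per user, roles present in the backend but not in IdM are removed, roles present in IdM but missing in the backend are re-sent, and users with any mismatch are the "dirty" entries a reconcile job would act on) is shown below as an added, stand-alone example. It is not code from the original posts and not SAP IdM's own implementation: the data is constructed, the function names are hypothetical, and the privilege naming convention `PRIV:ROLE:<REPOSITORY>:<ROLE>` is an assumption used only to map IdM privileges onto backend role names. A real job would replace the two dictionaries with reads from the identity store and from the ABAP repository and would hand the result to the internal functions mentioned above; the example only isolates the set logic so it can be checked offline.

```python
"""Reconcile ABAP role assignments against IdM privileges per repository.

Added example (constructed data, hypothetical function names). Assumption:
IdM privileges that represent ABAP roles are named PRIV:ROLE:<REPOSITORY>:<ROLE>.
"""
from dataclasses import dataclass

PRIV_PREFIX = "PRIV:ROLE:"  # assumed naming convention, see module docstring


@dataclass
class Delta:
    """What has to change in the backend for one user to match IdM."""
    to_remove: set  # roles assigned in the backend that IdM does not know about
    to_add: set     # roles IdM expects that the backend does not have
    dirty: bool     # True when the user is out of sync in either direction


def idm_roles_for_repository(privileges, repository):
    """Project a user's IdM privileges onto backend role names for one repository."""
    prefix = f"{PRIV_PREFIX}{repository}:"
    return {p[len(prefix):] for p in privileges if p.startswith(prefix)}


def reconcile_user(idm_privileges, backend_roles, repository):
    """IdM is the authoritative source: backend-only roles are removed,
    IdM-only roles are (re)assigned."""
    wanted = idm_roles_for_repository(idm_privileges, repository)
    have = set(backend_roles)
    return Delta(to_remove=have - wanted, to_add=wanted - have, dirty=have != wanted)


def reconcile_repository(idm_users, backend_users, repository):
    """Compare every user known on either side for one repository.

    Returns {user: Delta} only for users that are out of sync (the entries a
    job would mark dirty). A backend account that IdM has no user for is
    reported too: from IdM's point of view, all of its roles are unauthorised.
    """
    result = {}
    for user in set(idm_users) | set(backend_users):
        delta = reconcile_user(idm_users.get(user, set()),
                               backend_users.get(user, set()), repository)
        if delta.dirty:
            result[user] = delta
    return result


# Constructed sample data (not from any real system).
IDM_USERS = {
    "MATT": {"PRIV:ROLE:ABAP_PRD:Z_FI_DISPLAY",
             "PRIV:ROLE:ABAP_PRD:Z_MM_BUYER",
             "PRIV:ROLE:ABAP_DEV:Z_DEVELOPER"},
    "JERRY": {"PRIV:ROLE:ABAP_PRD:Z_FI_DISPLAY"},
    "STEFFI": {"PRIV:ROLE:ABAP_PRD:Z_HR_ADMIN"},
}
# Role assignments as they would be read from the ABAP_PRD repository.
BACKEND_USERS = {
    "MATT": {"Z_FI_DISPLAY", "Z_MM_BUYER", "Z_BASIS_ADMIN"},  # last one assigned directly in the backend
    "JERRY": {"Z_FI_DISPLAY"},                                 # in sync
    "STEFFI": set(),                                           # IdM role never reached the backend
    "TERO": {"Z_BASIS_ADMIN"},                                 # account unknown to IdM
}

if __name__ == "__main__":
    for user, delta in sorted(reconcile_repository(IDM_USERS, BACKEND_USERS, "ABAP_PRD").items()):
        print(f"{user}: remove {sorted(delta.to_remove)}, add {sorted(delta.to_add)}")
```

Because the delta is computed per repository, the job can be scheduled for one backend at a time, which avoids the drawback Jerry mentions of a reconcile that touches all repositories. Steffi's "send all roles" approach is the same comparison done inside the backend connector: pushing the full `wanted` set has the effect of applying `to_remove` and `to_add` together.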