on 07-08-2014 7:47 AM
Hi there
The scenario is as follows: during the initial load, the privilege assignments were loaded into IDM directly from the target systems as direct assignments. Now some Business Roles (MX_ROLE) have been created and some of the privileges have been assigned to those roles. The business roles were assigned to the identities in IDM. As expected, the identities end up having the privilege both directly assigned (from the initial load) and indirectly assigned via business roles.
Now we would like to clean up the identity store so that privileges coming from a business role are only inherited, not directly assigned. My first thought on how to solve this was to query the MXI_LINK table: mcAssignedDirect > 0 && mcAssignedInheritCount > 0. With this result I'd have a toIdentityStore pass with MXREF_MX_PRIVILEGE = {D}{LINKID=%link%}%mskey%
Is this a good idea? I hope that deprovisioning won't start here? Is there any other concept for cleaning this up?
Best regards
Matthias
Hi Matthias,
Yes, it will work, but with this MXREF_MX_PRIVILEGE = {D}{LINKID=%link%}%mskey% I would suggest using a bypass, so you won't trigger provisioning in IdM.
Example:
MXREF_MX_PRIVILEGE = {D}{BYPASS_MEMBER_TASK=1!!BYPASS_MODIFY_TASK=1!!LINKID=%link%}%mskey%
BR,
Simona
Hi Simona
Yes, you're right. I'd rather use DIRECT_REFERENCE=1, which bypasses both member and validation tasks.
Best regards
Matthias
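The approach the thread converges on, as an added worked example that is not code from the thread or from SAP: select the MXI_LINK rows that are both directly assigned and inherited, then build the MXREF_MX_PRIVILEGE value the toIdentityStore pass would write for each of them, with the DIRECT_REFERENCE=1 bypass from the last reply (Simona's BYPASS_MEMBER_TASK/BYPASS_MODIFY_TASK variant is kept as an alternative). The table is a constructed in-memory SQLite stand-in; mcAssignedDirect and mcAssignedInheritCount come from the thread, while mcLinkID, mcThisMSKEY, mcOtherMSKEY and mcAttrName are assumed column names that you should check against your own identity-store schema before adapting this.

```python
import sqlite3

# Constructed stand-in for the MXI_LINK table of the identity store.
# mcAssignedDirect / mcAssignedInheritCount are the columns named in the thread;
# mcLinkID, mcThisMSKEY, mcOtherMSKEY and mcAttrName are ASSUMED names (verify).
# Columns: (mcLinkID, mcThisMSKEY, mcOtherMSKEY, mcAttrName, mcAssignedDirect, mcAssignedInheritCount)
SAMPLE_LINKS = [
    (1001, 50, 900, "MXREF_MX_PRIVILEGE", 1, 1),  # direct (initial load) AND via role -> clean up
    (1002, 50, 901, "MXREF_MX_PRIVILEGE", 1, 0),  # direct only -> must stay, nothing inherits it
    (1003, 50, 902, "MXREF_MX_PRIVILEGE", 0, 1),  # inherited only -> already clean
    (1004, 51, 900, "MXREF_MX_PRIVILEGE", 1, 2),  # direct AND via two roles -> clean up
    (1005, 51, 700, "MXREF_MX_ROLE",      1, 0),  # the role link itself, not a privilege -> ignore
]

# Bypass used in the last reply: skips member and validation tasks.
DIRECT_REFERENCE = "DIRECT_REFERENCE=1"
# Alternative from Simona's reply: explicit bypass of member and modify tasks.
BYPASS_TASKS = "BYPASS_MEMBER_TASK=1!!BYPASS_MODIFY_TASK=1"


def load_links(rows):
    """Create the constructed MXI_LINK table in memory and fill it with rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE MXI_LINK (
               mcLinkID INTEGER PRIMARY KEY,
               mcThisMSKEY INTEGER NOT NULL,
               mcOtherMSKEY INTEGER NOT NULL,
               mcAttrName TEXT NOT NULL,
               mcAssignedDirect INTEGER NOT NULL,
               mcAssignedInheritCount INTEGER NOT NULL)"""
    )
    conn.executemany("INSERT INTO MXI_LINK VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def find_redundant_direct_links(conn):
    """Privilege links that are assigned directly AND inherited via a role.

    Because the WHERE clause requires mcAssignedInheritCount > 0, every link
    returned keeps its inherited reference after the direct one is removed;
    a direct-only link (e.g. 1002) is never selected.
    """
    return conn.execute(
        """SELECT mcLinkID, mcThisMSKEY, mcOtherMSKEY
             FROM MXI_LINK
            WHERE mcAttrName = 'MXREF_MX_PRIVILEGE'
              AND mcAssignedDirect > 0
              AND mcAssignedInheritCount > 0
            ORDER BY mcLinkID"""
    ).fetchall()


def removal_value(link_id, privilege_mskey, bypass=DIRECT_REFERENCE):
    """Value for the MXREF_MX_PRIVILEGE attribute of the toIdentityStore pass.

    Mirrors the thread's pattern {D}{<bypass>!!LINKID=%link%}%mskey%, where
    %mskey% is the privilege's MSKEY and %link% the MXI_LINK row to delete.
    """
    return f"{{D}}{{{bypass}!!LINKID={link_id}}}{privilege_mskey}"


def plan_cleanup(conn, bypass=DIRECT_REFERENCE):
    """Map identity MSKEY -> list of pass values that remove its redundant direct links."""
    plan = {}
    for link_id, this_mskey, other_mskey in find_redundant_direct_links(conn):
        plan.setdefault(this_mskey, []).append(removal_value(link_id, other_mskey, bypass))
    return plan


if __name__ == "__main__":
    conn = load_links(SAMPLE_LINKS)
    for identity, values in plan_cleanup(conn).items():
        for value in values:
            print(f"MSKEY {identity}: MXREF_MX_PRIVILEGE = {value}")
```

Running the query before any pass, and inspecting the list of link IDs it returns, is the cheap check the thread is after: each selected row still has an inherited reference, so the privilege itself is not lost on the identity, and the bypass flag keeps the removal of the direct reference from kicking off member or validation tasks.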