
Cleaning up privilege assignments

Former Member
0 Kudos

Hi there

The scenario is as follows: during initial load the privilege assignments have been loaded into IDM directly from the target systems as direct assignments. Now, some Business Roles (MX_ROLE) were created and some of the privileges were assigned to those roles. The business roles were assigned to the identities in IDM. As expected, the identities end up having the privilege directly assigned due to initial load and indirectly assigned via business roles.

Now we would like to clean up the identity store so that privileges coming from a business role are only inherited but not directly assigned. My first thought on how to solve this was to query the MXI_LINK table: mcAssignedDirect > 0 && mcAssignedInheritCount > 0. With this result I'd have a toIdentityStore pass with MXREF_MX_PRIVILEGE = {D}{LINKID=%link%}%mskey%

Is this a good idea? I hope that deprovisioning won't start here? Is there any other concept to clean this up?

Best regards

Matthias

Accepted Solutions (1)


Former Member
0 Kudos

Hi Matthias,

Yes it will work, but I will suggest with this MXREF_MX_PRIVILEGE = {D}{LINKID=%link%}%mskey% to use a bypass, so you won't trigger provisioning in IdM.

Example:

MXREF_MX_PRIVILEGE = {D}{BYPASS_MEMBER_TASK=1!!BYPASS_MODIFY_TASK=1!!LINKID=%link%}%mskey%

BR,

Simona

Answers (1)


Former Member
0 Kudos

Hi Simona

yes you're right. I'd rather use DIRECT_REFERENCE=1 which bypasses both member and validation tasks.

best regards

Matthias
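As an added illustration of the cleanup logic discussed in the question and in the two answers above (it is not code from the thread or from SAP IdM itself): the script below takes a few constructed rows modelled on the MXI_LINK table, keeps only links that are both directly assigned and inherited (mcAssignedDirect > 0 and mcAssignedInheritCount > 0), and builds the MXREF_MX_PRIVILEGE removal values for a toIdentityStore pass in the three forms mentioned in the thread: plain {D}{LINKID=...}, with the BYPASS_MEMBER_TASK/BYPASS_MODIFY_TASK flags Simona suggests, and with DIRECT_REFERENCE=1. The row keys other than the two column names quoted in the thread are assumptions for the sample data; the mskey and link id values are constructed.

```python
# Constructed sample rows modelled on MXI_LINK. Only "direct" (mcAssignedDirect)
# and "inherit" (mcAssignedInheritCount) correspond to column names quoted in the
# thread; the other keys and all values are assumptions made for this example.
SAMPLE_LINKS = [
    # Direct from initial load AND inherited via a business role -> cleanup candidate.
    {"link_id": 1001, "identity_mskey": 500, "privilege_mskey": 9001, "direct": 1, "inherit": 1},
    # Only direct: removing it would really deprovision the privilege, so it must be kept.
    {"link_id": 1002, "identity_mskey": 500, "privilege_mskey": 9002, "direct": 1, "inherit": 0},
    # Already inherited only: nothing to clean up.
    {"link_id": 1003, "identity_mskey": 501, "privilege_mskey": 9001, "direct": 0, "inherit": 2},
    # Second candidate on another identity, inherited through two roles.
    {"link_id": 1004, "identity_mskey": 501, "privilege_mskey": 9003, "direct": 1, "inherit": 2},
]

# How the removal value should suppress task execution, per the thread:
#   "none"             -> {D}{LINKID=...}                     (original idea, may trigger tasks)
#   "bypass"           -> BYPASS_MEMBER_TASK=1!!BYPASS_MODIFY_TASK=1 (accepted answer)
#   "direct_reference" -> DIRECT_REFERENCE=1                  (Matthias' follow-up)
MODE_FLAGS = {
    "none": "",
    "bypass": "BYPASS_MEMBER_TASK=1!!BYPASS_MODIFY_TASK=1!!",
    "direct_reference": "DIRECT_REFERENCE=1!!",
}


def cleanup_candidates(links):
    """Links that are assigned directly and also inherited: the direct leg is redundant."""
    return [l for l in links if l["direct"] > 0 and l["inherit"] > 0]


def removal_value(link, mode="bypass"):
    """Build the MXREF_MX_PRIVILEGE value that deletes exactly this link.

    Equivalent to the pass attribute {D}{<flags>LINKID=%link%}%mskey% from the thread,
    with %link% and %mskey% substituted from the row.
    """
    if mode not in MODE_FLAGS:
        raise ValueError(f"unknown mode {mode!r}")
    return "{D}{" + MODE_FLAGS[mode] + f"LINKID={link['link_id']}" + "}" + str(link["privilege_mskey"])


def build_pass_entries(links, mode="bypass"):
    """Group removal values per identity, i.e. one toIdentityStore entry per MSKEY."""
    entries = {}
    for link in cleanup_candidates(links):
        entries.setdefault(link["identity_mskey"], []).append(removal_value(link, mode))
    return entries


if __name__ == "__main__":
    for mskey, values in build_pass_entries(SAMPLE_LINKS).items():
        for value in values:
            print(f"MSKEY={mskey}  MXREF_MX_PRIVILEGE={value}")
```

The point of keeping the inherit-count condition in `cleanup_candidates` is the deprovisioning concern raised in the question: a link with mcAssignedInheritCount = 0 has no role behind it, so deleting its direct leg would be a real removal rather than a cleanup. Running the script in a dry-run like this, and reviewing the generated values before the pass writes them, is the cheap way to confirm only redundant direct legs are touched.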

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Matthias,

have you had the chance to test this yet? What was the outcome?

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi

not yet, but I will try this in the next days. I will post a status here.

best regards

Matthias