
How to remove duplicate assignment of privileges

christian_rose2
Explorer
0 Kudos

Hello All,

I would like to ask for ideas for the following issue:

I get a new SAP ABAP client and do the initial load, which gives me the users with directly assigned ABAP roles/privileges. So I would like to use IDM business roles and assign these via a job. After this I have the same privileges directly and indirectly assigned to the users. So my question is how to remove all the direct privilege assignments that are already assigned via business roles. Is there somewhere a flag which indicates the direct assignments?

Regards

Christian

Accepted Solutions (1)


Former Member
0 Kudos

Hi Christian,

We are solving that using a two-step procedure.

First of all, we use an SQL select over the IdM database to see which privileges are assigned both directly and indirectly.


SELECT dbo.mxi_link.mcThisMSKEY, dbo.mxi_link.mcOtherMSKEY,
       dbo.mxi_link.mcAssignedDirect, dbo.mxi_link.mcAssignedInheritCount,
       dbo.idmv_link_ext2.mcOtherOcName, dbo.idmv_link_ext2.mcThisMSKEYVALUE,
       dbo.idmv_link_ext2.mcOtherMSKEYVALUE
FROM   dbo.idmv_link_ext2
       INNER JOIN dbo.mxi_link ON dbo.idmv_link_ext2.mcUniqueID = dbo.mxi_link.mcUniqueID
WHERE  (dbo.mxi_link.mcAssignedInheritCount = 1)
       AND (dbo.mxi_link.mcAssignedDirect = 1)
       AND (dbo.idmv_link_ext2.mcOtherOcName = 'MX_PRIVILEGE')
       AND dbo.mxi_link.mcLinkState IN (0,1)

The result of the SQL is then stored as a CSV file using a To ASCII pass.

The CSV can be used as a source for removing the directly assigned privileges. We are doing that using a job from the IdM RDS solution (SAPC Identity Upload - Role/Priv Assignment - [Entry Load]).

BTW, sometimes it is good to know which version you are working with. We use 7.2 SP8.
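A dry run of the selection step from the answer above, added here as an example and not code from the thread: the posted filter runs against constructed SQLite stand-ins for mxi_link and idmv_link_ext2 (schema prefix dropped, only the columns the query names are modelled), so you can see which links would land in the removal CSV. The `>= 1` variant assumes mcAssignedInheritCount counts the business roles that grant the privilege; user and privilege names are made up.

```python
import csv
import io
import sqlite3

# Constructed stand-ins for the objects the posted query joins; only the
# columns it names are modelled.
SCHEMA = """
CREATE TABLE mxi_link (mcUniqueID INT, mcThisMSKEY INT, mcOtherMSKEY INT,
  mcAssignedDirect INT, mcAssignedInheritCount INT, mcLinkState INT);
CREATE TABLE idmv_link_ext2 (mcUniqueID INT, mcOtherOcName TEXT,
  mcThisMSKEYVALUE TEXT, mcOtherMSKEYVALUE TEXT);
"""
# Constructed rows: (id, user, target, direct, inherited, state, class, user name, target name)
ROWS = [
    (1, 100, 500, 1, 1, 0, "MX_PRIVILEGE", "USER_A", "PRIV:Z_DISPLAY"),  # direct + 1 role
    (2, 100, 501, 1, 0, 0, "MX_PRIVILEGE", "USER_A", "PRIV:Z_ADMIN"),    # direct only
    (3, 101, 500, 0, 1, 0, "MX_PRIVILEGE", "USER_B", "PRIV:Z_DISPLAY"),  # inherited only
    (4, 102, 500, 1, 2, 0, "MX_PRIVILEGE", "USER_C", "PRIV:Z_DISPLAY"),  # direct + 2 roles
    (5, 102, 900, 1, 1, 0, "MX_ROLE", "USER_C", "ROLE:BR_FINANCE"),      # not a privilege
    (6, 103, 500, 1, 1, 2, "MX_PRIVILEGE", "USER_D", "PRIV:Z_DISPLAY"),  # link state 2
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mxi_link VALUES (?,?,?,?,?,?)", [r[:6] for r in ROWS])
    conn.executemany("INSERT INTO idmv_link_ext2 VALUES (?,?,?,?)", [(r[0],) + r[6:] for r in ROWS])
    return conn

def redundant_direct(conn, inherit_filter="= 1"):
    """Direct privilege links that are also inherited (candidates for removal)."""
    if inherit_filter not in ("= 1", ">= 1"):  # only these two fixed filters are allowed
        raise ValueError(inherit_filter)
    sql = f"""
        SELECT v.mcThisMSKEYVALUE, v.mcOtherMSKEYVALUE, l.mcAssignedInheritCount
        FROM idmv_link_ext2 v JOIN mxi_link l ON v.mcUniqueID = l.mcUniqueID
        WHERE l.mcAssignedInheritCount {inherit_filter} AND l.mcAssignedDirect = 1
          AND v.mcOtherOcName = 'MX_PRIVILEGE' AND l.mcLinkState IN (0, 1)
        ORDER BY v.mcThisMSKEYVALUE"""
    return conn.execute(sql).fetchall()

def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf).writerows([("user", "privilege", "inherit_count"), *rows])
    return buf.getvalue()

if __name__ == "__main__":
    for flt in ("= 1", ">= 1"):  # filter as posted, then the widened variant
        print(to_csv(redundant_direct(build_db(), flt)))
```

The direct-only link (USER_A, PRIV:Z_ADMIN) never appears in either output, which is the property to confirm before the CSV feeds a removal job.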

christian_rose2
Explorer
0 Kudos

Hello Jiri,

Thank you for the query; this helps me further. I still struggle a bit with the To Identity Store pass for the deletion. I tried with {D} and {E} and the job gets executed without error, but the directly assigned role is still visible in the UI. Could you provide some details of the pass? I unfortunately do not have the RDS.

I am on 7.2 SP9.

Regards

Christian

jiri_dolezel4
Discoverer
0 Kudos

Hi Christian,

When you use {D}, you also have to specify the role validity, because you can have one single role assigned with X validity periods. If you want to remove all (any of) assignments of one privilege, you can use {e} to do so.

There is documentation about the functionality available at http://help.sap.com/saphelp_nwidmic72/en/dse.htm#mc/dse_task_group_prop_approval_notification_config...

Hope this helps.

Former Member
0 Kudos

You have to delete the assignment via the LINKID, not with the validity.

Answers (0)