on 08-07-2014 10:36 AM
Hello All,
I would like to ask for ideas for the following issue:
I get a new SAP ABAP client and do the initial load, which gives me the users with directly assigned ABAP roles/privileges. So I would like to use IDM business roles and assign these via a job. After this I have the same privileges directly and indirectly assigned to the users. So my question is how to remove all the direct privilege assignments that are already assigned via business roles. Is there somewhere a flag which indicates the direct assignments?
Regards
Christian
Hi Christian,
We are solving that using a two-step procedure.
First of all we use an SQL SELECT over the IdM database to see which privileges are assigned both directly and indirectly.
SELECT dbo.mxi_link.mcThisMSKEY, dbo.mxi_link.mcOtherMSKEY, dbo.mxi_link.mcAssignedDirect, dbo.mxi_link.mcAssignedInheritCount,
       dbo.idmv_link_ext2.mcOtherOcName, dbo.idmv_link_ext2.mcThisMSKEYVALUE, dbo.idmv_link_ext2.mcOtherMSKEYVALUE
FROM dbo.idmv_link_ext2
     INNER JOIN dbo.mxi_link ON dbo.idmv_link_ext2.mcUniqueID = dbo.mxi_link.mcUniqueID
WHERE (dbo.mxi_link.mcAssignedInheritCount = 1)
  AND (dbo.mxi_link.mcAssignedDirect = 1)
  AND (dbo.idmv_link_ext2.mcOtherOcName = 'MX_PRIVILEGE')
  AND dbo.mxi_link.mcLinkState IN (0, 1)
The result of the SQL is then stored as a CSV file using a To ASCII pass.
The CSV can be used as a source for removing the directly assigned privileges. We are doing that using a job from the IdM RDS solution (SAPC Identity Upload - Role/Priv Assignment - [Entry Load]).
BTW, sometimes it is good to know which version you are working with. We use 7.2 SP8.
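As an added example (not from Jiri's post or the RDS job), the logic of that query run in SQLite over a constructed set of links, with the inherit-count condition widened to >= 1 so that a privilege inherited through more than one business role is listed too; table and column names follow the query, the sample users and privileges are invented.

```python
import sqlite3

# Constructed stand-in for the two IdM objects the query reads; column names
# follow the query, the dbo. schema prefix is dropped for SQLite.
SCHEMA = """
CREATE TABLE mxi_link (mcUniqueID INTEGER, mcThisMSKEY INTEGER, mcOtherMSKEY INTEGER,
    mcAssignedDirect INTEGER, mcAssignedInheritCount INTEGER, mcLinkState INTEGER);
CREATE TABLE idmv_link_ext2 (mcUniqueID INTEGER, mcOtherOcName TEXT,
    mcThisMSKEYVALUE TEXT, mcOtherMSKEYVALUE TEXT);
"""
# Constructed sample links: (uniqueid, user mskey, priv mskey, direct, inherit count, state, user, privilege)
SAMPLE = [
    (1, 100, 500, 1, 1, 0, "JSMITH", "PRIV:SAP_ROLE_A"),    # direct and via one business role
    (2, 100, 501, 1, 0, 0, "JSMITH", "PRIV:SAP_ROLE_B"),    # direct only: must stay
    (3, 101, 500, 0, 1, 0, "AMUELLER", "PRIV:SAP_ROLE_A"),  # inherited only: must stay
    (4, 101, 502, 1, 2, 1, "AMUELLER", "PRIV:SAP_ROLE_C"),  # direct and via two business roles
    (5, 102, 500, 1, 1, 2, "MRIVERA", "PRIV:SAP_ROLE_A"),   # link state outside (0,1): skipped
]

def build_sample_db():
    """In-memory database populated with the constructed links."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for uid, this_key, other_key, direct, inherit, state, user, priv in SAMPLE:
        conn.execute("INSERT INTO mxi_link VALUES (?,?,?,?,?,?)",
                     (uid, this_key, other_key, direct, inherit, state))
        conn.execute("INSERT INTO idmv_link_ext2 VALUES (?,?,?,?)",
                     (uid, "MX_PRIVILEGE", user, priv))
    return conn

def find_redundant_direct(conn, min_inherit=1):
    """(user, privilege, inherit count) for privilege links that are assigned directly
    and also inherited at least min_inherit times; the thread's query tests = 1."""
    sql = """SELECT e.mcThisMSKEYVALUE, e.mcOtherMSKEYVALUE, l.mcAssignedInheritCount
             FROM idmv_link_ext2 e INNER JOIN mxi_link l ON e.mcUniqueID = l.mcUniqueID
             WHERE l.mcAssignedInheritCount >= ? AND l.mcAssignedDirect = 1
               AND e.mcOtherOcName = 'MX_PRIVILEGE' AND l.mcLinkState IN (0, 1)
             ORDER BY e.mcThisMSKEYVALUE, e.mcOtherMSKEYVALUE"""
    return conn.execute(sql, (min_inherit,)).fetchall()

def to_csv(rows, sep=";"):
    """Text in the shape a To ASCII pass would write: header plus one line per redundant link."""
    lines = [sep.join(("mcThisMSKEYVALUE", "mcOtherMSKEYVALUE", "mcAssignedInheritCount"))]
    lines += [sep.join(str(col) for col in row) for row in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_csv(find_redundant_direct(build_sample_db())))
```

Review the resulting list against the business roles before feeding it to the removal job, since every listed link loses its direct assignment.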
Hello Jiri,
thank you for the query, this helps me further. I still struggle a bit with the To Identity Store pass for the deletion. I tried with {D} and {E} and the job gets executed without error, but the directly assigned role is still visible in the UI. Could you provide some details of the pass? I unfortunately do not have the RDS.
I am on 7.2 SP9.
Regards
Christian
Hi Christian,
when you use {D} you have to specify the role validity as well, because you can have one single role assigned with X validity periods. If you want to remove all (any of) assignments of one privilege, you can use {e} to do so.
There is documentation about the functionality available at http://help.sap.com/saphelp_nwidmic72/en/dse.htm#mc/dse_task_group_prop_approval_notification_config...
Hope this helps.