
Issue with nested roles

Henrik1
Participant
0 Kudos

Hi,

Due to many variations and the requirement for derived roles, we have a number of nested roles on IdM, containing all single ABAP roles (i.e. no composites).

The issue that I see now:

Scenario: Parent role, with no direct privileges assigned, containing 2 child roles, with assigned privileges.

Assigning the parent role to a user gives the expected result.

Then I assign the two child roles directly and save. No impact to provisioning, as expected.

If I then remove the parent role, the de-provisioning process kicks in, and removes all the access from the user, even though they still have the 2 child roles assigned.

Even if I directly assign a privilege on the impacted system, the full set of roles is not assigned.

Reconciliation is set to true.

Version 7.20 SP6

I was wondering if someone could try this out for me on 7.2 SP9, and let me know if the result is the same.
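
The scenario above, modelled as an added example (not part of the original post and not SAP IdM code): a generic set-based resolver showing what reconciliation should conclude when the parent role is removed while both child roles stay directly assigned. Role and privilege names are constructed, and the data layout is an assumption for illustration.

```python
# Added illustration: generic nested-role entitlement resolution.
# Role and privilege names are constructed; this is not SAP IdM code.

ROLE_TREE = {
    "PARENT": {"children": ["CHILD_A", "CHILD_B"], "privileges": []},
    "CHILD_A": {"children": [], "privileges": ["PRIV:ABAP:ROLE_A"]},
    "CHILD_B": {"children": [], "privileges": ["PRIV:ABAP:ROLE_B"]},
}

def expand(role, tree, seen=None):
    """Return every privilege reachable from `role`, following nesting."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against cyclic nesting
        return set()
    seen.add(role)
    node = tree[role]
    privs = set(node["privileges"])
    for child in node["children"]:
        privs |= expand(child, tree, seen)
    return privs

def effective(direct_roles, tree, direct_privs=()):
    """Union of privileges over all direct role and privilege assignments."""
    privs = set(direct_privs)
    for role in direct_roles:
        privs |= expand(role, tree)
    return privs

def deprovision_delta(before_roles, after_roles, tree):
    """Privileges held before that no remaining assignment justifies."""
    return effective(before_roles, tree) - effective(after_roles, tree)

def audit(user_roles, provisioned, tree):
    """Compare the target system's state with what the assignments justify."""
    expected = effective(user_roles, tree)
    have = set(provisioned)
    return {"missing": sorted(expected - have),
            "unexpected": sorted(have - expected)}

if __name__ == "__main__":
    before = {"PARENT", "CHILD_A", "CHILD_B"}
    after = {"CHILD_A", "CHILD_B"}  # parent removed, children kept
    print("safe to deprovision:", deprovision_delta(before, after, ROLE_TREE))
    # Target system left with no access, as reported in the post:
    print("audit:", audit(after, [], ROLE_TREE))
```

Running `audit` against an export of a user's assignments and the target system's actual roles flags users who lost access they are still entitled to, or kept access nothing justifies.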

Accepted Solutions (0)

Answers (1)

former_member2987
Active Contributor
0 Kudos

Hi Henrik,

I assume you are only making changes via the Web UI and not via the MMC console?

Matt

Henrik1
Participant
0 Kudos

This test is done all through the Web UI.

Would you expect a different result through the MMC?

As additional information, I can confirm that this behaviour does not occur on SP9.

Have tried doing the assignments through MX_ASSIGNMENTS, as well as MXREF_MX_ROLE - no difference in result.

Former Member
0 Kudos

I'm pretty sure this is a bug that has been fixed but I can't say exactly in which release/patch. Perhaps create a ticket and ask.

Edit: Looks like there's a patch on SP8 for "Privileges assignment by nested roles"

Br,

Chris

Message was edited by: Per Krabsetsve

former_member2987
Active Contributor
0 Kudos

Yes, DO NOT USE THE MMC to update roles.

The results do not always appear in the Web UI.

Matt