cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Pending Value Object with more requested privileges

Go to solution
Former Member

on ‎10-29-2014 12:20 PM

0 Kudos

Hi Experts,

If I add two (or more) privileges to an user, SAP IDM creates two (or more) pending value objects. So I have to approve more items.

I want to have only one approval item with several requested privileges.

How can I realize this?

Thanks in advance:)

Regards

Florian

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

jaisuryan
Active Contributor
‎10-29-2014 1:19 PM
0 Kudos

Hi Florian,

You have to disable 7.2 approval mechanism to get a single approval request for all the privileges.

If your DB is SQL,

1. Stop any running dispatchers.

2. Open a command prompt and navigate to the directory containing the Identity Center script files.

3. Run the script mxmc-disable-72-approvals.cmd. You are prompted for the password for

mxmc_oper.

4. Start the dispatchers.

for Oracle,

Disabling the 7.2 approval mechanism on an Identity Center database

To disable the 7.2 approval mechanism:

1. Stop any running dispatchers.

2. Open a command prompt and navigate to the directory containing the Identity Center script files.

Make sure you have the same include.sql file as you used during install.

3. Run the script mxmc-disable-72-approvals.cmd/ mxmc-disable-72-approvals.sh. You are prompted

for the password for mxmc_oper.

4. Start the dispatchers.

but this has a disadvantage, when you cannot reject one role and approve other. The whole request will be rejected.

Kind regards,

Jaisuryan

Show replies
Show replies
Former Member
‎10-29-2014 1:44 PM
0 Kudos

Thanks Jai..

I found the script, but I get many warnings with "permission was denied":

Disable 7.2 approval mechanism

Msg 229, Level 14, State 5, Server SNT241, Line 24

The SELECT permission was denied on the object 'MC_GLOBAL_VARIABLES', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 25

The SELECT permission was denied on the object 'MC_GLOBAL_VARIABLES', database 'mxmc_db', schema 'dbo'.

Disabling the 7.2 approval mechanism

Msg 229, Level 14, State 5, Server SNT241, Line 36

The SELECT permission was denied on the object 'MC_GLOBAL_VARIABLES', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 36

The DELETE permission was denied on the object 'MC_GLOBAL_VARIABLES', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 37

The SELECT permission was denied on the object 'MC_GLOBAL_VARIABLES', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 37

The DELETE permission was denied on the object 'MC_GLOBAL_VARIABLES', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 40

The DELETE permission was denied on the object 'mxi_approval', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 41

The DELETE permission was denied on the object 'mxi_approver', database 'mxmc_db', schema 'dbo'.

Msg 229, Level 14, State 5, Server SNT241, Line 42

The DELETE permission was denied on the object 'mxi_approval_pending_action', database 'mxmc_db', schema 'dbo'

Regards Florian

Steffi_Warnecke
Active Contributor
‎10-29-2014 1:58 PM
0 Kudos

Hello Florian,

did you use the password for the mxmc_oper-user?

Regards,

Steffi.

Former Member
‎10-29-2014 2:06 PM
0 Kudos

Hi Steffi,

yes, i'm sure.

I can connect to MSSQL with this password.

BUT i cannot open the tables..... select permission was denied...

Regards Florian

Answers (2)

Answers (2)

Former Member
‎10-29-2014 3:25 PM
0 Kudos

OK, I have disabled the 7.2 approval mechanism. But I still get several approval items.

How I have to configure the privileges?

Regards Florian

Show replies
Show replies
Steffi_Warnecke
Active Contributor
‎10-29-2014 3:55 PM
0 Kudos

Hello Florian,

have a look at the "Privilege"-tab of the repository you want to activate grouping for (just click in the repository itself to see it). You'll find the option at the end there. If you look at the build-in help for the different options, you should get a pretty good idea of how to configure it..

Regards,

Steffi.

Former Member
‎10-29-2014 4:16 PM
0 Kudos

Hi Steffi,

I have activate the grouping with P:2 (P:3).

Now when I request several privileges I get only one approval item. But inside the approval I can only see one privilege... How can I see all requested privileges?

The Attribute MX_PRIV_GROUPING_ATTR_VALUE is empty...

Thank you:)

Regards Florian

Former Member
‎10-29-2014 12:57 PM
0 Kudos

The Privilege Grouping functions should do able to do this for you (in IdM 7.2) if the assignments are in the same repository. See  About privilege grouping

Br,

Per "Not SAP" Krabsetsve

Show replies
Show replies
Former Member
‎10-29-2014 1:46 PM
0 Kudos

Thanks Per,

"the Page cannot be found"

I found Repository Constants like MX_PRIV_GROUPING_ATTRIBUTE and MX_PRIV_GROUPING_RULE.

But I dont know how to handle with it...

Regards

Florian

Ask a Question