on 11-17-2014 4:35 PM
Hi folks,
I'm having an issue with IDM 7.2 SP8 running on a SQL Server Database on a system that I have inherited. I'm doing some post go-live cleanup and was not here for the design or initial implementation.
During de-provisioning, we use the {D} with {DIRECT_REFERENCE=1} operator to remove all SAP Privileges, followed by a separate task with the {e} operator to remove the only privilege.
However we're seeing that not all of the privileges are dropping from IDM and the backend.
Does anyone have an idea on how to improve this process? I'm getting a feeling that there's a conflict with the two methods.
However I thought that all we needed to do was remove the system's ONLY privilege and then all related privileges would also be dropped and that this should be accompanied by the removal of ACCOUNT[SYSTEMNAME] attribute.
What best practices are you using for removing a user from a SAP system?
Thanks,
Matt
Checkk that the remaining privileges are not inherited from roles and that they are not still waiting for approval on initial assignment. Also consider using e or E not just on the only privilege if your users have pending future assignments as they are not touched by the {D} operator
{E} - Same as {R}, but also removes any pending values (values with a future ValidFrom).
{e} - Same as {d}, but also removes any pending values (values with a future ValidFrom) matching the given value (case-sensitive). If no value is given, all values are removed.
Br,
Per Christian
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.