on 12-11-2014 12:45 PM
Dear Community Members,
I have come across an issue in SAP IDM: on removal of all business roles and privileges for an identity in Identity Management through the user interface, there are still some privileges showing for the user, and these privileges appear as inherited, although there is no position-based assignment for that identity.
I don't understand from where all those inherited privileges are being read for that identity while all assignments have been removed for that identity in IDM.
Please share your thoughts regarding this issue.
Regards
Girish Almiya
Girish,
Dropping the system privilege in IDM (PRIV:ECCCLNT100:ONLY as an example) will drop all roles for that system. The typical use case is either terminations or when a user changes a role in a company.
If you just need to drop a single role, just drop the role name via the privilege tab (which works for the ONLY privilege as well).
Note that you might not be able to see the ONLY privilege from the UI; if you can't, it can be managed by changing the visibility setting on the privilege via the MMC console.
Matt
Hi Matt,
The system privilege in IDM (PRIV:ECCCLNT100:ONLY) is already made visible from the console (MMC) so that it appears in the UI, and in order to trigger provisioning, a master task is created for the system privileges of all existing repositories. So whenever business roles are assigned to a user, the master task executes itself for all required repositories (decided on the basis of the business roles assigned) and adds the system privilege (PRIV:ECCCLNT100:ONLY) for all concerned repositories for provisioning to the backend system.
My issue here is that after deleting all business roles and manually assigned privileges for an identity in IDM, when I save the task and then recheck the identity's BR and privilege assignments, I see some privileges are still there and their status shows inherited. I'm wondering where these privileges are being read from, as there is no position-based assignment to that identity.
Regards
Girish Almiya
Hi Girish,
Can you please check in the database for any direct assignment? Maybe you are not allowed to view the role?
select * from idmv_link_ext with (NOLOCK) where mcThisMSKEY = <mskey of the user>
and check for mcAssignedDirect = 1 entries. Column mcOtherMSKEYVALUE shows the role/priv names assigned to the user.
Kind regards,
Jaisuryan
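Building on the check in the answer above, the following is an added example (not posted by anyone in this thread) that separates a user's direct role/privilege links from the inherited ones and, for each inherited privilege, names the directly assigned role whose privilege list carries it, using a self-join on idmv_link_ext. It assumes the columns mcAttrName and mcOtherMSKEY and the link attribute names MXREF_MX_ROLE and MXREF_MX_PRIVILEGE, none of which the thread mentions; @user_mskey is a placeholder for the user's MSKEY, and the dialect is T-SQL to match the WITH (NOLOCK) hint in the query above.

```sql
-- Added example, not from the thread. Assumes the idmv_link_ext columns
-- mcAttrName / mcOtherMSKEY (not named in the thread) and the standard
-- link attribute names MXREF_MX_ROLE and MXREF_MX_PRIVILEGE. T-SQL dialect.
DECLARE @user_mskey INT = 12345;   -- placeholder: replace with the user's MSKEY

-- 1. Everything linked to the user, flagged DIRECT vs. INHERITED.
--    Rows flagged DIRECT are assignments the UI may be hiding from you.
SELECT l.mcAttrName,
       l.mcOtherMSKEY,
       l.mcOtherMSKEYVALUE,
       CASE WHEN l.mcAssignedDirect = 1 THEN 'DIRECT' ELSE 'INHERITED' END AS assignment_kind
FROM   idmv_link_ext AS l WITH (NOLOCK)
WHERE  l.mcThisMSKEY = @user_mskey
  AND  l.mcAttrName IN ('MXREF_MX_ROLE', 'MXREF_MX_PRIVILEGE')
ORDER BY assignment_kind, l.mcAttrName, l.mcOtherMSKEYVALUE;

-- 2. For each privilege the user holds only by inheritance, find the directly
--    assigned role whose privilege list contains it (one level of nesting).
SELECT p.mcOtherMSKEYVALUE AS inherited_privilege,
       r.mcOtherMSKEYVALUE AS via_direct_role
FROM   idmv_link_ext AS p WITH (NOLOCK)                -- user -> privilege (inherited)
JOIN   idmv_link_ext AS r WITH (NOLOCK)                -- user -> role (direct)
       ON  r.mcThisMSKEY = p.mcThisMSKEY
       AND r.mcAttrName = 'MXREF_MX_ROLE'
       AND r.mcAssignedDirect = 1
JOIN   idmv_link_ext AS rp WITH (NOLOCK)               -- role -> privilege
       ON  rp.mcThisMSKEY = r.mcOtherMSKEY
       AND rp.mcAttrName = 'MXREF_MX_PRIVILEGE'
       AND rp.mcOtherMSKEY = p.mcOtherMSKEY
WHERE  p.mcThisMSKEY = @user_mskey
  AND  p.mcAttrName = 'MXREF_MX_PRIVILEGE'
  AND  COALESCE(p.mcAssignedDirect, 0) = 0
ORDER BY inherited_privilege, via_direct_role;
```

A privilege that shows up as INHERITED in the first query but has no row in the second did not come through a directly assigned role containing it, so the remaining inheritance paths (roles nested inside roles, position-based assignment) are the next place to look; the second query only follows one level of role nesting, so a deeper hierarchy needs a recursive CTE over the same role-to-role and role-to-privilege links.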