
On removal of all business roles and privileges for an identity in Identity Management, some privileges are still shown for the identity and appear as inherited


Dear Community Members,

I have come across an issue in SAP IDM: on removal of all business roles and privileges for an identity in Identity Management through the user interface, there are still some privileges showing for the user, and these privileges appear as inherited, although there is no position-based assignment for that identity.

I don't understand where all those inherited privileges are being read from for that identity when every assignment has been removed for it in IDM.

Please share your thoughts regarding this issue.

Regards

Girish Almiya

Accepted Solutions (0)

Answers (2)


former_member2987
Active Contributor

Girish,

Dropping the system privilege in IDM (PRIV:ECCCLNT100:ONLY as an example) will drop all roles for that system. The typical use case is either terminations or when a user changes a role in a company.

If you just need to drop a single role, just drop the role name via the privilege tab (which works for the ONLY privilege as well).

Note that you might not be able to see the ONLY privilege from the UI; if you can't, it can be managed by changing the visibility setting on the privilege via the MMC console.

Matt


Hi Matt,

The system privilege in IDM (PRIV:ECCCLNT100:ONLY) has already been made visible from the console (MMC) so that it appears in the UI, and, to set up provisioning, a master task has been created for the system privileges of all existing repositories. So whenever business roles are assigned to a user, the master task executes itself for all required repositories (decided on the basis of the business roles assigned) and adds the system privilege (PRIV:ECCCLNT100:ONLY) for all concerned repositories, for provisioning to the backend system.

Here my issue is that after deleting all business roles and manually assigned privileges for an identity in IDM, when I save the task and then recheck the identity's BR and privilege assignments, I see that some privileges are still there and their status shows inherited. I'm wondering where these privileges are being read from, as there is no position-based assignment to that identity.


Regards


Girish Almiya

jaisuryan
Active Contributor

Hi Girish,

Can you please check in the database for any direct assignment? Maybe you are not allowed to view the role?

select * from idmv_link_ext with (NOLOCK) where mcThisMSKEY = <mskey of the user>

and check for the entries with mcAssignedDirect = 1. The column mcOtherMSKEYVALUE shows the role/privilege names assigned to the user.

Kind regards,

Jaisuryan
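The following query is an added example extending the check above; it is not part of either poster's reply. It takes the idmv_link_ext view, the columns mcThisMSKEY, mcOtherMSKEY, mcOtherMSKEYVALUE and mcAssignedDirect from the answer as given, and assumes (not confirmed by the thread) that the view also exposes mcAssignedInherited, mcAttrName and mcLinkState, that role and privilege links carry the attribute names MXREF_MX_ROLE and MXREF_MX_PRIVILEGE, and that the database is SQL Server (the WITH (NOLOCK) hint suggests so). The idea is to list every link on the user, separating direct from inherited, and then to self-join the view so that each inherited privilege is paired with the role or privilege the user still holds that contains it, which is the usual source of an "inherited" entry that survives the removal of the visible assignments.

```sql
-- Added example (not the poster's query). @user_mskey is a placeholder;
-- replace it with the MSKEY of the affected identity.
DECLARE @user_mskey INT = 12345;  -- assumed sample value, constructed for illustration

-- 1) Everything linked to the user, with the direct/inherited flags side by side.
--    mcAssignedInherited, mcAttrName and mcLinkState are assumed column names.
SELECT  mcAttrName,              -- e.g. MXREF_MX_ROLE / MXREF_MX_PRIVILEGE (assumed values)
        mcOtherMSKEYVALUE,       -- name of the role/privilege
        mcAssignedDirect,        -- 1 = assigned directly to the user
        mcAssignedInherited,     -- 1 = only reached through another object
        mcLinkState              -- pending / ok / delete-pending link state
FROM    idmv_link_ext WITH (NOLOCK)
WHERE   mcThisMSKEY = @user_mskey
ORDER BY mcAssignedDirect DESC, mcAttrName, mcOtherMSKEYVALUE;

-- 2) For each privilege the user holds only as inherited, find the container
--    (role or privilege) still linked to the user that carries that privilege.
--    A row here means the UI is hiding, or the user cannot view, the container.
SELECT  held.mcOtherMSKEYVALUE   AS held_container,       -- what the user still has
        held.mcAttrName          AS held_via,             -- how it is linked to the user
        held.mcAssignedDirect    AS container_is_direct,
        cont.mcOtherMSKEYVALUE   AS inherited_privilege   -- the privilege showing as inherited
FROM    idmv_link_ext AS held WITH (NOLOCK)
JOIN    idmv_link_ext AS cont WITH (NOLOCK)
        ON  cont.mcThisMSKEY = held.mcOtherMSKEY          -- container -> its own members
        AND cont.mcAttrName  = 'MXREF_MX_PRIVILEGE'       -- assumed attribute name
JOIN    idmv_link_ext AS usr  WITH (NOLOCK)
        ON  usr.mcThisMSKEY  = @user_mskey
        AND usr.mcOtherMSKEY = cont.mcOtherMSKEY          -- same privilege as seen on the user
        AND usr.mcAssignedInherited = 1                   -- assumed column
WHERE   held.mcThisMSKEY = @user_mskey
ORDER BY inherited_privilege, held_container;
```

Query 1 answers the narrower question in the reply (is anything still mcAssignedDirect = 1?). Query 2 only follows one level of containment; if the containing role is itself nested in another role, run it again with the container's MSKEY in place of @user_mskey. If query 1 shows inherited privileges but query 2 returns nothing, the inheritance is not coming from a role or privilege the user is linked to in this view, and the next places to look are links in a delete-pending state and any assignment rule or task that re-adds the ONLY privilege after the save.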


Hi Jai,

Thanks for your response. I will check as advised.

Regards

Girish Almiya