Event tasks in SYSTEM Privilege ?

Former Member
0 Kudos

Hello Experts,

SAP IDM 7.2 SP8.

I have a query on event tasks being defined on a SYSTEM PRIVILEGE (PRIV:SYSTEM:<REPO_NAME>).

I believe IDM should not trigger provisioning tasks (e.g. HOOK TASK 4) due to removal or addition of the SYSTEM privilege.

Only removal/addition of the ACCOUNT PRIVILEGE (PRIV:<REPO_NAME>:ONLY) should trigger provisioning tasks, which also remove/add the system privilege for the user as defined in the provisioning framework.

So, how should event tasks be defined for system privileges?

I think it should be empty (NONE).

The screenshots below show the current configuration done for system privileges in my client's IDM system.

This results in HOOK TASK 4 being triggered when the SYSTEM privilege is removed from or added to the user, which causes errors that I know happen because of defining event tasks on SYSTEM PRIVILEGES.

Your help is appreciated.

Thanks & Regards,

Pradeep

Accepted Solutions (1)

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Pradeep,

As I understand it, the system privilege is the important one. It's the one that triggers provisioning (you even set the attributes there that should trigger provisioning). So it's correct that there should be tasks defined (either directly or via the repository tasks, from which they are then inherited).

Nonetheless, your member tasks seem to be a bit off. Our tab looks like this:

Our "Tasks"-tab looks like yours. Since those are inherited from the repository, the event tasks from there are used for provisioning.

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi,

Thank you very much.

I just compared the tasks defined at repo level and privilege level and could relate them.

Add Task (Assignment at Repo level, screenshot 1) = Add Task (Assignment at Privilege level, screenshot 3)

Remove Task (Assignment at Repo level, screenshot 1) = Remove Task (Deassignment at Privilege level, screenshot 3)

Provisioning task (Privilege tasks at Repo level, screenshot 1) = Provisioning task (Privilege tasks at Privilege level, screenshot 2)

Deprovisioning task (Privilege tasks at Repo level, screenshot 1) = Deprovisioning task (Privilege tasks at Privilege level, screenshot 2)

So I need to set Add Task (Assignment at Privilege level, screenshot 3) and Remove Task (Deassignment at Privilege level, screenshot 3) to NONE.

In your case, this is the setting done and so provisioning does not trigger due to addition/removal of the SYSTEM privilege, which is correct.

I will make this change in the Dev system and test it.

I will update the thread with the result.

Event task defined at repo level.

Screenshot 1:

Task defined at privilege level (tab Tasks)

Screenshot 2:

Event task defined at privilege level.

Screenshot 3:

Thanks & Regards,

Pradeep

Answers (4)
Former Member
0 Kudos

Hello Steffi, Hello Tero,

Thank you very much for your inputs.

I have tested it and now it works.

I realized that these settings need to be changed in the production system.

Thanks again for your help.

Regards,

Pradeep

terovirta
Active Contributor
0 Kudos

The system privilege should not trigger provisioning. In my dev the "Member Events" are set to "none" and events in "Tasks" are set to "inherited". I think this is done by standard Sp9p? Initial Load and I didn't have to fiddle with the tasks anymore in Initial Load.

regards, Tero

Former Member
0 Kudos

Hi Tero,

Thank you for your response.

I am using IDM 7.2 SP8.

So in your case, in the member events tab for the system privilege, all tasks are set to NONE and all tasks in the Tasks tab (Provisioning task, Deprovisioning task, Modify task) are set to inherited. As these tasks are set to inherited, should it not trigger provisioning if MX_ADD_MEMBER_TASK/MX_DELETE_MEMBER_TASK for the default repo have tasks defined?

I understand that it will trigger provisioning.

From your reply, I see that you might have a default repo with MX_ADD_MEMBER_TASK/MX_DELETE_MEMBER_TASK defined with provisioning tasks, but having the tasks (Provisioning task, Deprovisioning task, Modify task) set to inherited in the Tasks tab for the privilege does not trigger provisioning.

Is this correct? If yes, I wonder how repo-inherited tasks can be triggered for privilege assignment if we want that.

Your help is appreciated.

Regards,

Pradeep

terovirta
Active Contributor
0 Kudos

In order for the task to be inherited from the repository, the task must exist in the repository that the privilege is pointing to.

As the 7.2 repositories don't have the MX_PROVISION/MX_DEPROVISION_TASKs set by the repository creation wizard, there is nothing to inherit from the repository even though the value happens to be inherited. So that's why the System Privilege assignment in my case does not trigger anything.

(I wouldn't call the repo a default repository, as the repository is pretty much fixed per privilege.)

I cannot remember at which SP / patch level the Initial Loads started to set the tasks correctly, but originally from Sp0 I made sure that the Initial Loads set all the tasks to none (-1) except the Modify task for the System Privilege, and all tasks enabled for the Account Privilege but the Modify task set to none.

regards, Tero
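
The resolution rule discussed in this thread (an explicit task, none (-1), or "inherited" from the repository the privilege points to) can be checked across many privileges at once. The sketch below is an added example, not code from any poster or from SAP: the dictionary layout, the "inherited" marker, the repository names and the task ids are constructed assumptions, and only the attribute names and privilege naming patterns come from the thread.

```python
# Constructed model of the settings discussed in this thread; the dict layout
# and the "inherited" marker are assumptions, not an SAP IDM export format.
NONE = -1                      # "none (-1)" as described in the thread
INHERITED = "inherited"
MEMBER_EVENTS = ("MX_ADD_MEMBER_TASK", "MX_DELETE_MEMBER_TASK")
PRIV_TASKS = ("MX_PROVISION_TASK", "MX_DEPROVISION_TASK")

def repo_of(name):
    """Return (repository, kind) for PRIV:SYSTEM:<REPO> / PRIV:<REPO>:ONLY."""
    parts = name.split(":")
    if len(parts) == 3 and parts[0] == "PRIV":
        if parts[1] == "SYSTEM":
            return parts[2], "system"
        if parts[2] == "ONLY":
            return parts[1], "account"
    return None, "other"

def effective_task(setting, repo_tasks, attr):
    """Resolve one task slot: explicit id, none, or inherited."""
    if setting == INHERITED:
        # Nothing is inherited unless the repository itself defines the task.
        return repo_tasks.get(attr, NONE)
    return setting

def audit(privileges, repositories):
    """List (privilege, attribute, task) where a system privilege fires a task."""
    findings = []
    for name, settings in sorted(privileges.items()):
        repo, kind = repo_of(name)
        if kind != "system":
            continue               # account privileges are expected to provision
        repo_tasks = repositories.get(repo, {})
        for attr in MEMBER_EVENTS + PRIV_TASKS:
            task = effective_task(settings.get(attr, NONE), repo_tasks, attr)
            if task != NONE:
                findings.append((name, attr, task))
    return findings

# Constructed sample data: repository names and task ids are made up.
REPOSITORIES = {"ABAP_DEV": {"MX_ADD_MEMBER_TASK": 1001},
                "LDAP_X": {"MX_PROVISION_TASK": 2001}}
ALL_INHERITED = {attr: INHERITED for attr in PRIV_TASKS}
PRIVILEGES = {
    "PRIV:SYSTEM:ABAP_DEV": {**ALL_INHERITED, "MX_ADD_MEMBER_TASK": 1001,
                             "MX_DELETE_MEMBER_TASK": 1002},
    "PRIV:SYSTEM:ABAP_QA": dict(ALL_INHERITED),   # nothing to inherit: clean
    "PRIV:SYSTEM:LDAP_X": dict(ALL_INHERITED),    # repo defines a task: flagged
    "PRIV:ABAP_DEV:ONLY": {"MX_ADD_MEMBER_TASK": 1001},
}
```

Calling `audit(PRIVILEGES, REPOSITORIES)` on the sample flags the system privilege with explicit member events and the one whose repository defines a provisioning task to inherit.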