on 01-22-2015 5:50 PM
Hi there, kinda drawing a blank here....
I'm working on a system where as a part of deprovisioning, we want to remove all assigned privileges, but not the system access itself.
One use case is ECC where we want to drop all IDM Privileges except Portal. Would just dropping everything and re-adding the Portal Role make the most sense? Or is there an easy way to drop all privileges but specific ones without getting into a lot of custom coding?
Thanks!
Matt
The other side of this is what happens outside of SAP. What if I want to drop all roles but Portal and AD (AD access is typically held open, although locked and disabled) after separation. This kind of pushes back to the need for scripting.
Back to the Whiteboard....
Hi Matt,
I believe you can do a small script just to exclude Portal roles (IDM Privileges). This way, Portal Role assignments will not be removed by IDM. The script can just include 1) a simple SELECT statement to extract all roles with the exception of Portal Roles & pass only these values to MXREF_MX_PRIVILEGE for removal.
This way, you don't want to do a remove & add for the user.
Hope it helps.
Thanks,
Jerry George
Hi Jerry,
That's the scripting idea I had, but I'm hoping to find a way to do it without scripting. In any case I'm going to have to think this through and put something together for the SAP IDM Idea place. This is a scenario that I see all too often and I can never give people a "best practices" approach that works. At the end of the day, I think IDM needs to be able to do this automatically since there are post employment scenarios where some form of Portal access is still required to get tax documents, retirement benefits, etc.
BTW, glad to see you're still watching the IDM Stuff BTW!
Cheers,
Matt
Hello Matt,
Is there a way to control that via the repository the privileges belong to? You wrote that you, e.g., want to keep the portal roles but lose the IDM roles. Can't you just deprovision what is not bound to a certain repository? Or better yet, just deprovision what IS bound to a certain repository.
Regards,
Steffi.
Hi Steffi,
That certainly is a thought, I could just create a Portal role, and then have a role for all other SAP System assignments and just drop that role.
I'll have to think about this. Thanks for your help!
Regards,
Matt
PS - Another thought came to me as I was replying to Jerry... We could conceivably drop all the SAP Roles and then add a new role for "Post Employment Portal Access" or something like that in IDM. That would also be excellent for reporting purposes.
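
The selection logic discussed in this thread (remove everything except what is bound to a keep-listed repository, and leave the system access itself in place), as an added example that is not code from any of the posters or from SAP. The record shape, the `type` field, the privilege names and the function name are hypothetical; in a real job the rows would come from the SELECT mentioned above and the `remove` list is what would be passed to MXREF_MX_PRIVILEGE for removal.

```javascript
// Constructed sample assignments for one departing user (not real data).
// `type` marks the account ("system access") privilege versus an ordinary role.
const SAMPLE = [
  { privilege: "ECC:ACCOUNT", repository: "ECC", type: "account" },
  { privilege: "ECC:Z_FI_CLERK", repository: "ECC", type: "role" },
  { privilege: "ECC:Z_MM_BUYER", repository: "ECC", type: "role" },
  { privilege: "PORTAL:ACCOUNT", repository: "PORTAL", type: "account" },
  { privilege: "PORTAL:ESS_SELF_SERVICE", repository: "portal", type: "role" },
  { privilege: "AD:ACCOUNT", repository: "AD", type: "account" },
  { privilege: "LEGACY_ROLE", repository: "", type: "role" },
];

// Split assignments into keep/remove. Everything is removed unless it is an
// account privilege or belongs to a repository on the keep list.
function planDeprovisioning(assignments, keepRepositories) {
  const keepSet = new Set(keepRepositories.map((r) => r.trim().toUpperCase()));
  const plan = { keep: [], remove: [], warnings: [] };
  const seenKept = new Set();

  for (const a of assignments) {
    const repo = (a.repository || "").trim().toUpperCase();
    if (!repo) {
      // No repository binding: cannot prove it is exempt, so remove and flag.
      plan.remove.push(a.privilege);
      plan.warnings.push(`no repository on ${a.privilege}; removed by default`);
    } else if (keepSet.has(repo)) {
      plan.keep.push(a.privilege);
      seenKept.add(repo);
    } else if (a.type === "account") {
      plan.keep.push(a.privilege); // keep system access, drop only its roles
    } else {
      plan.remove.push(a.privilege);
    }
  }
  // A keep-listed repository with nothing assigned means the user will have
  // no post-employment access there; surface it instead of failing silently.
  for (const repo of keepSet) {
    if (!seenKept.has(repo)) plan.warnings.push(`nothing assigned in ${repo}`);
  }
  return plan;
}

const plan = planDeprovisioning(SAMPLE, ["Portal", "AD"]);
console.log(plan);
```

Reviewing the `warnings` list before the removal runs catches both unbound privileges and a keep-listed repository the user never had access to.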