
Remove the privileges but keep the role access

former_member2987
Active Contributor
0 Kudos

Hi there, kinda drawing a blank here....

I'm working on a system where as a part of deprovisioning, we want to remove all assigned privileges, but not the system access itself. 

One use case is ECC where we want to drop all IDM Privileges except Portal.  Would just dropping everything and re-adding the Portal Role make the most sense? Or is there an easy way to drop all privileges but specific ones without getting into a lot of custom coding?

Thanks!

Matt

Accepted Solutions (1)


former_member2987
Active Contributor
0 Kudos

The other side of this is what happens outside of SAP.  What if I want to drop all roles but Portal and AD (AD access is typically held open, although locked and disabled) after separation. This kind of pushes back to the need for scripting.

Back to the Whiteboard....

Steffi_Warnecke
Active Contributor
0 Kudos

Sounds like your idea with the "Post Employment" portal role could be a start. Did you think about an IDM business role that could include all the access somebody could need in this case? Maybe you could assign this during the termination workflow in IDM at the end.

Answers (2)


Former Member
0 Kudos

Hi Matt,

I believe you can do a small script just to exclude Portal roles (IDM Privileges). This way, Portal Role assignments will not be removed by IDM. The script can just include 1) a simple SELECT statement to extract all roles with the exception of Portal Roles and pass only these values to MXREF_MX_PRIVILEGE for removal.

This way, you don't want to do a remove & add for the user.

Hope it helps.

Thanks,

Jerry George
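
The exclusion filter described in the answer above, as an added example that is not part of the original thread and not SAP-supplied code: it splits a user's assignments into keep, remove and review sets, keeping each system's account privilege and everything in the portal repository. The `PRIV:...` naming convention, the `{D}<mskey>` delete syntax, the repository names, the MSKEYs and all function names are assumptions made for illustration.

```javascript
// Added illustration, not SAP IdM code. Assumed naming convention:
//   PRIV:<REPO>:ONLY          -> account privilege (the system access itself)
//   PRIV:<KIND>:<REPO>:<name> -> role/profile/group privilege in that repository
function parsePrivilege(name) {
  const parts = name.split(":");
  if (parts[0] !== "PRIV") return null;
  if (parts.length === 3 && parts[2] === "ONLY") {
    return { kind: "ACCOUNT", repository: parts[1] };
  }
  if (parts.length >= 4) return { kind: parts[1], repository: parts[2] };
  return null;
}

// Split a user's assignments into keep / remove / review.
// keepRepositories: repositories whose privileges all survive (e.g. the portal).
// Account privileges are kept everywhere so the system access stays in place.
function planPrivilegeRemoval(assigned, keepRepositories) {
  const keepRepos = new Set(keepRepositories.map((r) => r.toUpperCase()));
  const plan = { keep: [], remove: [], review: [] };
  for (const priv of assigned) {
    const parsed = parsePrivilege(priv.name);
    if (parsed === null) {
      plan.review.push(priv); // unknown shape: not kept silently, not removed blindly
    } else if (parsed.kind === "ACCOUNT" || keepRepos.has(parsed.repository.toUpperCase())) {
      plan.keep.push(priv);
    } else {
      plan.remove.push(priv);
    }
  }
  return plan;
}

// Assumed multi-value syntax: "{D}<mskey>" deletes one MXREF_MX_PRIVILEGE reference.
function toDeleteValues(plan) {
  return plan.remove.map((priv) => "{D}" + priv.mskey);
}

// Constructed sample assignments (repository names and MSKEYs are made up).
const SAMPLE_ASSIGNMENTS = [
  { mskey: 1001, name: "PRIV:ECC_PRD:ONLY" },
  { mskey: 1002, name: "PRIV:ROLE:ECC_PRD:Z_FI_CLERK" },
  { mskey: 1003, name: "PRIV:PROFILE:ECC_PRD:Z_DISPLAY" },
  { mskey: 1004, name: "PRIV:PORTAL_PRD:ONLY" },
  { mskey: 1005, name: "PRIV:ROLE:PORTAL_PRD:ess_former_employee" },
  { mskey: 1006, name: "LEGACY_MANUAL_GRANT" },
];

const samplePlan = planPrivilegeRemoval(SAMPLE_ASSIGNMENTS, ["PORTAL_PRD"]);
console.log(toDeleteValues(samplePlan));
```

Anything that lands in `review` does not match the assumed naming pattern and should be checked by hand before the termination workflow completes, so residual access is not left behind unnoticed.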

former_member2987
Active Contributor
0 Kudos

Hi Jerry,

That's the scripting idea I had, but I'm hoping to find a way to do it without scripting. In any case I'm going to have to think this through and put something together for the SAP IDM Idea place.  This is a scenario that I see all too often and I can never give people a "best practices" approach that works. At the end of the day, I think IDM needs to be able to do this automatically since there are post employment scenarios where some form of Portal access is still required to get tax documents, retirement benefits, etc.

BTW, glad to see you're still watching the IDM stuff!

Cheers,

Matt

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Matt,

Is there a way to control that via the repository the privileges belong to? You wrote that you, e.g., want to keep the portal roles, but lose the IDM roles. Can't you just deprovision what is not bound to a certain repository? Or better yet, just deprovision what IS bound to a certain repository.

Regards,

Steffi.

former_member2987
Active Contributor
0 Kudos

Hi Steffi,

That certainly is a thought, I could just create a Portal role, and then have a role for all other SAP System assignments and just drop that role.

I'll have to think about this.  Thanks for your help!

Regards,

Matt

PS - Another thought came to me as I was replying to Jerry... We could conceivably drop all the SAP Roles and then add a new role for "Post Employment Portal Access" or something like that in IDM.  That would also be excellent for reporting purposes.