Results of dropping the :ONLY Role

former_member2987
Active Contributor
0 Kudos

Hi there,

It's definitely Monday, nothing is working the way I expect.

I need a sanity check.  I thought when one removes the ONLY role for a system, all related roles get dropped too.  For example, if I drop PRIV:ROLE:ADDEV, all ADDEV privileges assigned to the user should be dropped as well.

Do I need a {} operator of some sort?

Thanks,

Matt

Accepted Solutions (1)

Former Member
0 Kudos

Hello Matt,

How did you try to drop the ONLY priv? Via the UI or a toIdentityStore pass?

As you mentioned {} I assume you tried to use a ToIS pass. You have to use {D}. Additionally, is the pass in "Test mode"?

All triggers are set correctly (meaning that the pass at the end of each Initial Load job was the last relevant pass executed)?

Best regards

Dominik

PS: PRIV:ROLE:ADDEV should be PRIV:ONLY:ADDEV

former_member2987
Active Contributor
0 Kudos

Hi Dominik,

Yes, I'm using {D} and I'm not in test mode.

The PRIV:ROLE:ADDEV was a typo.

I'm also having an issue where the same systems are not provisioning.  I need to investigate further.

Matt

Former Member
0 Kudos

Seems like the triggers for the other privs are not set up correctly, too.

jaisuryan
Active Contributor
0 Kudos

Hi Matt,

Our users have been assigned with privs from many repositories. Hence we created a simple script to return only the privs of that particular repository to be deleted.

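// Par: MSKEYs of the privileges assigned to the user, separated by "|"
function z_removePrivs(Par){
  if(Par == "" || Par == "NULL" || Par == null){
    uWarning("User do not have any privilege assigned");
    uSkip(1);
    return "";  // stop here; otherwise the query below would run with an empty in () list
  }
  // Turn "1|2|3" into "1,2,3" for the SQL in (...) list
  var privs = uReplaceString(Par, "|", ",");
  // Keep only the assigned privileges whose name matches the ADDEV repository
  var SQL = "select mcMSKEY from idmv_entry_simple with (nolock) where mcMSKEY in (" + privs + ") and mcMSKEYVALUE like 'PRIV:%ADDEV%'";
  var result = uSelect(SQL);
  if (result != ""){
    // uSelect separates rows with "!!"; prefix every MSKEY with {D} so the pass deletes it
    result = "{D}" + uReplaceString(result, "!!", "|{D}");
  }
  else{
    uWarning("User do not have any priv for ADDEV");
    uSkip(1);
  }
  return result;
}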

The input to the script was the MSKEYs of the privs assigned to the user, like:

MXREF_MX_PRIVILEGE = z_removePrivs(%MXREF_MX_PRIVILEGE%)

Kind regards,

Jaisuryan
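
An added example, not part of Jaisuryan's post or SAP's code: the same filter-and-prefix logic in plain JavaScript (Node.js), with the MSKEY list checked to be digits only before it could reach a concatenated query, and an exact repository match compared with the LIKE pattern. The ENTRIES table, all MSKEYs and privilege names, the helper names and the assumed PRIV:<type>:<repository> layout are constructed for illustration.

```javascript
// Added example: plain JavaScript for Node.js, not SAP IdM script code.
// ENTRIES stands in for idmv_entry_simple; every MSKEY and name is constructed.
const ENTRIES = {
  1001: "PRIV:ONLY:ADDEV",
  1002: "PRIV:ROLE:ADDEV:Z_EXAMPLE",
  1003: "PRIV:ROLE:ADDEV2:Z_EXAMPLE", // other repository, still matches LIKE 'PRIV:%ADDEV%'
  1004: "PRIV:ROLE:ADQAS:Z_EXAMPLE",
};

// Split the '|'-separated attribute value into MSKEYs. Only all-digit tokens are
// accepted, so nothing else can end up inside a concatenated "in (...)" list.
function parseMskeys(par) {
  if (par == null || par === "" || par === "NULL") return [];
  return par.split("|").map((tok) => {
    const key = tok.trim();
    if (!/^[0-9]+$/.test(key)) throw new Error("rejected MSKEY token: " + JSON.stringify(tok));
    return key;
  });
}

// Emulates the thread's filter: mcMSKEYVALUE like 'PRIV:%<repo>%' (case-sensitive here).
function likeMatch(name, repo) {
  return name.startsWith("PRIV:") && name.indexOf(repo, 5) !== -1;
}

// Stricter filter: the repository segment must equal repo exactly.
// Assumed layout: PRIV:<type>:<repository>[:<name>].
function exactMatch(name, repo) {
  const parts = name.split(":");
  return parts.length >= 3 && parts[0] === "PRIV" && parts[2] === repo;
}

// Build the "{D}<mskey>|{D}<mskey>" value for the MXREF_MX_PRIVILEGE attribute.
function buildDeleteValue(par, repo, lookup, match) {
  return parseMskeys(par)
    .filter((key) => match(lookup[key] || "", repo))
    .map((key) => "{D}" + key)
    .join("|");
}

const assigned = "1001|1002|1003|1004"; // constructed %MXREF_MX_PRIVILEGE% value
console.log(buildDeleteValue(assigned, "ADDEV", ENTRIES, likeMatch));
console.log(buildDeleteValue(assigned, "ADDEV", ENTRIES, exactMatch));
```

With the LIKE-style match, the ADDEV2 privilege is marked for deletion together with the ADDEV ones; the exact match leaves it assigned.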

former_member2987
Active Contributor
0 Kudos

Jai, nice script.  I'll be taking a closer look at it.

Thanks,

Matt

terovirta
Active Contributor
0 Kudos

Does the Account Privilege get removed from the user? Is the user deleted from the target system?

I would check the tasks on privileges like Dominik suggested (and repositories) plus that the MX_REQ_PRIV on the privileges points to Account Privilege.

This is ABAP-privilege but the provisioning/deprovisioning works the same if PF is used.

The filtering script doesn't do any good if the basics aren't set correctly.

It also depends on whether the privileges are assigned directly or via role; removing the Account Privilege removes only directly assigned privileges with it.

regards, Tero

Answers (1)

Former Member
0 Kudos

Hi Matt,

Cannot help you on this, but I just tested the scenario on IdM 8, using the UI to remove the ONLY privilege.

All privileges for the repository were removed correctly.

Regards, Ole K.