on 03-16-2015 7:15 PM
Hi there,
It's definitely Monday, nothing is working the way I expect.
I need a sanity check. I thought when one removes the ONLY role for a system, all related roles get dropped too. For example, if I drop PRIV:ROLE:ADDEV, all ADDEV privileges assigned to the user should be dropped as well.
Do I need a {} operator of some sort?
Thanks,
Matt
Hello Matt,
How did you try to drop the Only priv? UI or toIdentityStore pass?
As you mentioned {} I assume you tried to use a ToIS pass. You have to use {D}. Additionally, is the pass in "Test mode"?
All triggers are set correctly (meaning that the pass at the end of each Initial Load job was the last relevant pass executed)?
Best regards
Dominik
PS: PRIV:ROLE:ADDEV should be PRIV:ONLY:ADDEV
Hi Matt,
Our users have been assigned with privs from many repositories. Hence we created a simple script to return only the privs of that particular repository to be deleted.
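```javascript
// Returns the user's ADDEV privileges as a {D}-prefixed multi-value string for removal.
// Par: pipe-separated MSKEYs of the privileges assigned to the user.
function z_removePrivs(Par){
	if(Par == "" || Par == "NULL" || Par == null){
		uWarning("User do not have any privilege assigned");
		uSkip(1);
		return ""; // stop here so no query is built with an empty IN list
	}
	// Turn the multi-value separator into a SQL IN list
	var privs = uReplaceString(Par, "|", ",");
	var SQL = "select mcMSKEY from idmv_entry_simple with (nolock) where mcMSKEY in (" + privs + ") and mcMSKEYVALUE like 'PRIV:%ADDEV%'";
	var result = uSelect(SQL);
	if (result != ""){
		// uSelect separates rows with "!!"; prefix every MSKEY with {D}
		result = "{D}" + uReplaceString(result, "!!", "|{D}");
	}
	else{
		uWarning("User do not have any priv for ADDEV");
		uSkip(1);
	}
	return result;
}
```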
The input to the script was mskeys of the privs assigned to the user, like:
MXREF_MX_PRIVILEGE = z_removePrivs(%MXREF_MX_PRIVILEGE%)
Kind regards,
Jaisuryan
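The filtering step from the script above, as an added stand-alone example (not the poster's code) that also rejects non-numeric MSKEYs before they are concatenated into the SQL text. `fakeSelect` is a hypothetical stand-in for `uSelect`, and the entries in `SAMPLE` are constructed.

```javascript
// Accept only numeric MSKEYs so nothing else can reach the SQL text.
function parseMskeys(par) {
  if (par == null || par === "" || par === "NULL") return [];
  const keys = par.split("|").map(s => s.trim()).filter(s => s !== "");
  for (const k of keys) {
    if (!/^[0-9]+$/.test(k)) throw new Error("Non-numeric MSKEY rejected: " + k);
  }
  return keys;
}

// Same query shape as on the page; the repository name is restricted to
// letters and digits so it cannot add quotes or LIKE wildcards.
function buildQuery(keys, repo) {
  if (!/^[A-Za-z0-9]+$/.test(repo)) throw new Error("Bad repository name: " + repo);
  return "select mcMSKEY from idmv_entry_simple with (nolock) where mcMSKEY in (" +
    keys.join(",") + ") and mcMSKEYVALUE like 'PRIV:%" + repo + "%'";
}

// Returns "{D}k1|{D}k2" for the matching privileges, or "" if there is nothing to remove.
// `select` takes a SQL string and returns rows joined by "!!", as the page's script expects.
function removalValue(par, repo, select) {
  const keys = parseMskeys(par);
  if (keys.length === 0) return "";
  const result = select(buildQuery(keys, repo));
  if (!result) return "";
  return result.split("!!").map(k => "{D}" + k).join("|");
}

// Constructed sample entries: MSKEY -> MSKEYVALUE.
const SAMPLE = {
  "101": "PRIV:ONLY:ADDEV",
  "102": "PRIV:ROLE:ADDEV:Z_DEV",
  "201": "PRIV:ONLY:ADPRD"
};

// Hypothetical stand-in for uSelect: evaluates the query against SAMPLE.
function fakeSelect(sql) {
  const keys = /in \(([0-9,]+)\)/.exec(sql)[1].split(",");
  const repo = /like 'PRIV:%([A-Za-z0-9]+)%'/.exec(sql)[1];
  return keys
    .filter(k => (SAMPLE[k] || "").startsWith("PRIV:") && SAMPLE[k].includes(repo))
    .join("!!");
}

console.log(removalValue("101|102|201", "ADDEV", fakeSelect));
```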
Does the Account Privilege get removed from the user? Is the user deleted from the target system?
I would check the tasks on privileges like Dominik suggested (and repositories) plus that the MX_REQ_PRIV on the privileges points to Account Privilege.
This is ABAP-privilege but the provisioning/deprovisioning works the same if PF is used.
The filtering script doesn't do any good if the basics aren't set correctly.
It also depends whether the privileges are assigned directly or via role; removing Account Privilege removes only directly assigned privileges with it.
regards, Tero
Hi Matt,
Cannot help you on this, but I just tested the scenario on IdM 8, using the UI to remove the ONLY privilege.
All privileges for the repository were removed correctly.
Regards, Ole K.