
Modifying assignment validity with {M} operator fails


Hi gurus,

I'm trying to change the validity of a role (or privilege) assignment on a "to identity store"-pass using the {M}-operator. It's not working because I always get the infamous "Overlapping assignment validity" error. (IDM 7.2 SP9, patch level 11, running on a DB2)

Here's what I do:

According to the SAP IDM Help, I'm trying to change the validity of roles which are already assigned to the user. The string I'm trying to write into the MXREF_MX_ROLE attribute looks like this:

Attribute       Value
MSKEYVALUE      %MSKEYVALUE%
MXREF_MX_ROLE   {M}{VALIDTO=2015-05-08}93735|{VALIDTO=2015-05-08}93731|

The user already has the prevailing roles 93735 and 93731 assigned and I only want to change the Valid to-date. According to the SAP documentation, this should work. After executing the pass, both roles should have Valid to-date = 2015-05-08. However, it's not working, due to the "Overlapping Assignment validity" error.

I also tried this:

Attribute       Value
MSKEYVALUE      %MSKEYVALUE%
MXREF_MX_ROLE   {M}{VALIDTO=2015-05-08}93735|{M}{VALIDTO=2015-05-08}93731|

and this:

Attribute       Value
MSKEYVALUE      %MSKEYVALUE%
MXREF_MX_ROLE   {R}{VALIDTO=2015-05-08}93735|VALIDTO=2015-05-08}93731|

None of the options above work. I know there's been an issue with the {M}-operator, described in SAP note 2008106, but it refers to another kind of error and to patch level 2. I suppose that this issue should be sorted out with patch 11.

We have now implemented a workaround, which is working fine, but because it uses several jobs and delays it is very time-consuming. This is why these questions popped up in my mind:

Does anyone else have problems working with the {M}-operator?

Do I have a wrong understanding of what the {M}-operator is actually doing?

Are the strings I'm trying to write into the MXREF_MX_ROLE attribute correct?

Would be nice to get some feedback or suggestions on that issue.

Best,

Steffen

Accepted Solutions (1)

jaisuryan

Hi Steffen,

Did you try passing the LINKID of the assignment you want to change?

Attribute       Value
MSKEYVALUE      %MSKEYVALUE%
MXREF_MX_ROLE   {M}{LINKID=<mcuniqueid>!!VALIDTO=2015-05-08}93735|{M}{LINKID=<mcuniqueid>!!VALIDTO=2015-05-08}93731

Check the thread below on how to get the linkid.

Let me know if it worked.

Kind regards,

Jai


Hi Jai,

you deserve the {M}-award!

I tried your approach and it worked. Additionally, I figured out that you don't even need the {M}-operator!

This is how it's working now:

Attribute       Value
MSKEYVALUE      %MSKEYVALUE%
MXREF_MX_ROLE   {LINKID=<mcuniqueid>!!VALIDTO=2015-05-10}93735|{LINKID=<mcuniqueid>!!VALIDTO=2015-05-10}93731

With an SQL statement I select all the user assignments from idmv_link_ext (except the only, system, and some other privileges) and add the prefix consisting of LINKID and VALIDTO.

Since this is working without the {M}, I don't really get the point of this operator. Maybe someone has an idea how to use it somewhere else...

Thanks for your help Jai!

Best from Switzerland,

Steffen
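
The value format that worked in the post above, built programmatically, as an added example that is not part of the original thread or SAP's own code. The row field names (linkId, roleMskey), the function names and the sample LINKID values are assumptions made for illustration; the rows stand in for the result of the select on idmv_link_ext.

```javascript
// Constructed sample rows: LINKID values are made up, role MSKEYs 93735 and
// 93731 are the ones from the thread, 90001 stands for an excluded privilege.
const SAMPLE_ROWS = [
  { linkId: 1001, roleMskey: 93735 },
  { linkId: 1002, roleMskey: 93731 },
  { linkId: 1003, roleMskey: 90001 },
];

// True only for a real calendar date written as YYYY-MM-DD.
function isIsoDate(s) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const d = new Date(s + "T00:00:00Z");
  // Rejects both "Invalid Date" and silent roll-over (e.g. 2015-02-30).
  return !isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// Builds "{LINKID=<id>!!VALIDTO=<date>}<role>|{...}<role>" for MXREF_MX_ROLE.
function buildRoleValidityValue(rows, validTo, excludedMskeys = []) {
  if (!isIsoDate(validTo)) {
    throw new Error("VALIDTO must be a real YYYY-MM-DD date: " + validTo);
  }
  const skip = new Set(excludedMskeys);
  const parts = [];
  for (const { linkId, roleMskey } of rows) {
    if (skip.has(roleMskey)) continue; // assignments that must keep their validity
    // The value is delimiter-based ("|", "!!", "{}"); accepting only integers
    // keeps a stray delimiter from changing which assignment gets modified.
    if (!Number.isInteger(linkId) || !Number.isInteger(roleMskey)) {
      throw new Error("non-integer linkId/roleMskey: " +
        JSON.stringify({ linkId, roleMskey }));
    }
    parts.push(`{LINKID=${linkId}!!VALIDTO=${validTo}}${roleMskey}`);
  }
  return parts.join("|");
}

console.log(buildRoleValidityValue(SAMPLE_ROWS, "2015-05-10", [90001]));
```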

Steffi_Warnecke

Hello Steffen,

I use the M-operator on several multivalue fields that are read in from AD. Without it, only new lines were added, but no lines were removed when the data was removed in AD. With the M-operator it takes care of that.

Regards,

Steffi.


Hi Steffi,

thanks for the input.

So you're using it on the "to LDAP directory" pass?

Regards,

Steffen

Steffi_Warnecke

No, the other way around, when I read something from LDAP. I guess it is useful for all kinds of passes where you have multiple values in one attribute and you need to reconcile them with the backend. But at the moment, as far as I can remember sitting here at home without the system in front of me, I just use that operator for the update of some of my attributes in "from LDAP" passes.

For example for "direct reports" and "proxyaddresses".

Regards,

Steffi.


Thanks for clearing this up - I was kind of confused as you said the data was removed in AD.

Guess this topic is closed. Thanks for the help, folks.

Steffen
