on 04-08-2015 11:44 AM
Hi gurus,
I'm trying to change the validity of a role (or privilege) assignment on a "to identity store"-pass using the {M}-operator. It's not working because I always get the infamous "Overlapping assignment validity" error. (IDM 7.2 SP9, patch level 11, running on a DB2)
Here's what I do:
According to the SAP IDM Help, I'm trying to change the validity of roles which are already assigned to the user. The string I'm trying to write into the MXREF_MX_ROLE attribute looks like this:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {M}{VALIDTO=2015-05-08}93735|{VALIDTO=2015-05-08}93731| |
The user already has assigned the prevailing roles 93735 and 93731 and I only want to change the Valid to-date. According to the SAP documentation, this should work. After executing the pass, both roles should have Valid to-date = 2015-05-08. However, it's not working, due to the "Overlapping Assignment validity" error.
I also tried this:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {M}{VALIDTO=2015-05-08}93735|{M}{VALIDTO=2015-05-08}93731| |
and this:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {R}{VALIDTO=2015-05-08}93735|VALIDTO=2015-05-08}93731| |
None of the options above work. I know there's been an issue with the {M}-operator, described in SAP note 2008106, but it refers to another kind of error and to patch level 2. I suppose that this issue should be sorted out with patch 11.
We now implemented a work-around, which is working fine but due to using several jobs and delays, it is very time-consuming. This is why those questions popped up in my mind:
Does anyone else have problems working with the {M}-operator?
Do I have a wrong understanding of what the {M}-operator is actually doing?
Are the strings I'm trying to write into the MXREF_MX_ROLE attribute correct?
Would be nice to get some feedback or suggestions on that issue.
Best,
Steffen
Hi Steffen,
Did you try passing the LINKID of the assignment you want to change?
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {M}{LINKID=<mcuniqueid>!!VALIDTO=2015-05-08}93735|{M}{LINKID=<mcuniqueid>!!VALIDTO=2015-05-08}93731 |
Check the thread below on how to get the linkid.
Let me know if it worked.
Kind regards,
Jai
Hi Jai,
you deserve the {M}-award!
I tried your approach and it worked. Additionally, I figured out that you don't even need the {M}-operator!
This is how it's working now:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {LINKID=<mcuniqueid>!!VALIDTO=2015-05-10}93735|{LINKID=<mcuniqueid>!!VALIDTO=2015-05-10}93731 |
With an SQL statement I select all the user assignments from idmv_link_ext (except the only, system, and some other privileges) and add the prefix consisting of LINKID and VALIDTO.
Since this is working without the {M}, I don't really get the point of this operator. Maybe someone has an idea how to use it somewhere else...
Thanks for your help Jai!
Best from Switzerland,
Steffen
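The value construction described in the reply above, as an added example that is not part of the original thread or of SAP IDM: it builds the `{LINKID=...!!VALIDTO=...}` string from assignment rows and rejects any date or ID that could break the `|`, `!!` and `{}` delimiters. The row shape (`linkId`, `roleMskey`, `kind`), the function names, the numeric-ID assumption and the sample rows are constructed for illustration.

```javascript
// Added example. Builds an MXREF_MX_ROLE value in the format shown in the thread:
//   {LINKID=<mcuniqueid>!!VALIDTO=YYYY-MM-DD}<role mskey>   (entries joined by "|")
// Assumption: link IDs and MSKEYs are plain integers, so anything else is rejected
// before it can inject "|", "!!" or "}" into the attribute value.

const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
const ID_RE = /^\d+$/;

// True only for calendar dates that really exist (rejects 2015-02-30, etc.).
function isRealDate(s) {
  if (!DATE_RE.test(s)) return false;
  const d = new Date(s + "T00:00:00Z");
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// rows: hypothetical result of the query on idmv_link_ext, one object per assignment.
// skipKinds: assignment kinds to leave untouched (hypothetical labels).
function buildRoleValue(rows, validTo, skipKinds) {
  if (!isRealDate(validTo)) {
    throw new Error("VALIDTO must be an existing YYYY-MM-DD date: " + validTo);
  }
  const skip = new Set(skipKinds || []);
  const parts = [];
  for (const row of rows) {
    if (skip.has(row.kind)) continue;
    const linkId = String(row.linkId);
    const mskey = String(row.roleMskey);
    if (!ID_RE.test(linkId) || !ID_RE.test(mskey)) {
      throw new Error("Non-numeric LINKID or MSKEY refused: " + linkId + " / " + mskey);
    }
    parts.push("{LINKID=" + linkId + "!!VALIDTO=" + validTo + "}" + mskey);
  }
  return parts.join("|");
}

// Constructed sample rows; the link IDs 1001-1003 and MSKEY 90001 are made up.
const SAMPLE_ROWS = [
  { linkId: 1001, roleMskey: 93735, kind: "role" },
  { linkId: 1002, roleMskey: 93731, kind: "role" },
  { linkId: 1003, roleMskey: 90001, kind: "system" },
];

console.log(buildRoleValue(SAMPLE_ROWS, "2015-05-10", ["system"]));
```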
No, the other way around, when I read something from LDAP. I guess it is useful for all kinds of passes where you have multiple values in one attribute and you need to reconcile them with the backend. But at the moment, as far as I can remember sitting here at home without the system in front of me, I just use that operator for the update of some of my attributes in "from LDAP" passes.
For example for "direct reports" and "proxyaddresses".
Regards,
Steffi.