
ABAP user group provisioning via IDM

Former Member
0 Kudos

Dear Gurus.

I have a need to be able to add and/or remove user groups to/from users in ABAP via IDM.

UpdateABAPUser task seems to be supporting that via "usergroups" attribute.

I was already able to add user groups to a user, overwriting whatever was already assigned to the user in the ABAP backend, and that is as far as I managed to get.

I have following questions:

1) is there any option to perform "delta" assignment/deassignment which would add a specific user group to the ones that user already might have assigned in ABAP backend or is IDM only capable of overwriting all that there already is in ABAP?

2) how do I remove all assigned user groups? When I execute the connector with empty value in "usergroups" attribute nothing happens. I tried {E}, {D}, {R} operators, but it always ends up in an error that "{E} user group does not exist" etc.

Thank You in advance for any support in that area.

Darek.

Accepted Solutions (1)


jrondorf
Participant
0 Kudos

Hi Darek,

long time no talk.

As attribute operators are not working, I don't think delta will work, so either all or nothing, where nothing (delete) might be %% as value.

Cheers, Jannis

Former Member
0 Kudos

Hello Jannis!

It's nice to hear from You and long time indeed!

Thank You very much for Your reply.

The "%%" did the trick.

It's a pity that there is no "delta" option available here.

Thank You very much once again.

Darek.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Darek,

maybe you could create a new pass to start with, where you read the current user groups from the backend back into IDM (if you don't already do that in another job) and then just use that information and add the new group to it via script or the pass or something, before you write the information to the backend. You could check how IDM would save several values in the attribute (or better how the backend/connector expects them) and this way won't lose the current groups.

Just something off the top of my head (I don't have something like this in use, since we use the standard provisioning for user groups).

Regards,

Steffi.

jrondorf
Participant
0 Kudos

That is what I wanted to suggest also, with adding that this does not need to be imported into the Identity Store, but maybe just into a temp table.

Former Member
0 Kudos

Hello Steffi.

Thank You for Your suggestion.

I was actually considering the same approach as a secondary option.

Kind Regards,

Darek.
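
The read-merge-write approach suggested above, combined with the thread's findings that the connector overwrites the backend value, that attribute operators are treated as literal group names, and that `%%` clears the assignment, as an added example in plain JavaScript (not code from any poster or from SAP). The function names and the `|` multi-value separator are assumptions to check against what your connector expects.

```javascript
// Added example. Names and SEPARATOR are assumptions, not SAP IDM API.
const CLEAR_MARKER = "%%"; // value reported in this thread to remove all user groups
const SEPARATOR = "|";     // assumed multi-value separator; verify for your connector

// Split the value read back from the ABAP backend into a list of group names.
function parseGroups(raw) {
  if (!raw || raw === CLEAR_MARKER) return [];
  return raw.split(SEPARATOR).map((g) => g.trim()).filter((g) => g.length > 0);
}

// Attribute operators such as {D} or {E} are not interpreted by the connector;
// they would be sent to ABAP as part of the group name, so reject them early.
function assertPlainGroupName(name) {
  if (/^\{[A-Za-z]\}/.test(name)) {
    throw new Error("attribute operator in user group name: " + name);
  }
}

// Build the full value to write to "usergroups": current groups, plus `add`,
// minus `remove`, de-duplicated, in stable order. Because the connector
// overwrites, the complete target list must always be sent; an empty list is
// sent as CLEAR_MARKER, since an empty value is ignored by the connector.
function buildUsergroupsValue(currentRaw, add, remove) {
  const toAdd = add.map((g) => g.trim());
  const toRemove = remove.map((g) => g.trim());
  toAdd.concat(toRemove).forEach(assertPlainGroupName);

  const removeSet = new Set(toRemove);
  const result = [];
  for (const group of parseGroups(currentRaw).concat(toAdd)) {
    if (removeSet.has(group) || result.includes(group)) continue;
    result.push(group);
  }
  return result.length === 0 ? CLEAR_MARKER : result.join(SEPARATOR);
}

// Constructed sample: user already has two groups, EXP_INACT is added temporarily.
console.log(buildUsergroupsValue("SUPER|FI_USERS", ["EXP_INACT"], []));
// Later the temporary group is taken away again without touching the others.
console.log(buildUsergroupsValue("SUPER|FI_USERS|EXP_INACT", [], ["EXP_INACT"]));
```

Logging the value read from the backend next to the value written gives a record of what a temporary mass update changed on each repository.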

Answers (1)


jaisuryan
Active Contributor
0 Kudos

Hi Darek,

I'm not sure if I understood your requirement properly... Could you please explain clearly (with screenshots if possible)?

Attribute operators are used to maintain values in IDM attributes. They cannot be used in connectors, as IDM would assume it as legal value in your ABAP system and try to assign the same.

To maintain user groups, I usually maintain/store user group name in any attribute such as MX_USER_CATEGORY or MX_ADMIN_UNIT

Then in ABAP connector, maintain usergroup = %MX_USER_CATEGORY%

So whatever value maintained in those attribute for that user gets written in ABAP system. If the user has no MX_USER_CATEGORY, then no user group would be maintained.

If you want to assign/remove user groups values from that attribute, then you can use {D} {E} {e} etc

Kind regards,

Jai

Former Member
0 Kudos

Hi Jai.

The problem here is that I don't want to involve standard provisioning framework here. If I set the attribute as You described, standard provisioning framework would populate the same user groups to all ABAP systems that user is created on, and this is not what I want in this specific case.

I am executing some "IDM-supported mass update activity" and I need to assign specific user groups to specific users on specific systems temporarily.

This is why I am not using standard IDM attributes, but I have copied the standard "Modify ABAP user connector" over to a new, custom one, disabled most of attributes on that custom connector except the ones that I want to update, and I am executing this custom one for specific users/repositories as per my needs.

For example - if I want user to be assigned to a specific user group (let's say EXP_INACT), this is how the custom connector would look like:

Now I can execute this connector for a specific user and repository either manually (test provisioning task) or through a script and I can manage users as needed.

This allows me to execute specific changes to users on repositories without involving standard provisioning framework which is helpful in some specific cases.

My questions are:

1) is there any way so that this connector did not overwrite the user groups already assigned to user on target repository (so called delta assignment)

2) how to make this connector remove all the user groups assigned to user (if I just remove the "EXP_INACT", nothing happens in the backend - no update is being done)

I hope this clarifies the case a bit more.

Kind Regards,

Darek.