unable to delete direct assigned privileges using provisioning job

devaprakash_b
Active Contributor
0 Kudos

Hello experts,

IDM - 7.2 SP 9.16

We have designed a workflow in such a way that, whenever a user leaves the organization, his ID is locked in the IDM-connected systems and all assigned IDM roles and directly assigned privileges are deleted from the IDM-connected systems, excluding the system and ONLY privileges. The user ID remains in the backend systems for 30 days in locked status and is later deleted completely through a scheduled job.

In this workflow, while removing the directly assigned privileges in the pass, they are not deleted from IDM, and the de-provisioning tasks are not triggered in IDM either. When I tried to delete the directly assigned privileges through a non-provisioning job, they were deleted from IDM and from the backend systems.

On further investigation, we found that the privileges which are assigned directly from the IDM standard UI are getting deleted, but privileges assigned through an IDM console job get deleted.

Deletion process:

In the first pass, the indirectly assigned system and ONLY privileges are calculated and then assigned as direct privileges.

In the next pass, the directly assigned privileges, ignoring the ONLY and system privileges, are calculated and stored in a context variable.

In the next pass, the directly assigned privileges are deleted.

Script:

/*---------------------------------------------------------------------------------------------------------------------------
 * Category          : provisioning script
 * Short description : This script will return the role de-assignments for an identity, each prefixed with the "{D}" operator
 *                     example: {D}roleMSkey|{D}roleMskey
 */
function scriptname(Par) {
    // "seperator" splits the MSKEYs in the incoming context variable, "sapDelimeter"
    // is what IDM expects between the values of a multi-value attribute. Both were
    // declared in the original script but not pasted in the post; "!!" and "|" are
    // the values assumed from the rest of the thread.
    var seperator        = "!!";
    var sapDelimeter     = "|";
    var deleteidentifier = "{D}";   // IDM operator: remove this single value from the attribute
    var roles            = Par;
    var returnValue      = nullAttribute;

    // Nothing to remove: return nullAttribute so the pass leaves the attribute untouched.
    if (roles == null || roles == "" || roles == nullAttribute) {
        return returnValue;
    }

    var roleArr = roles.split(seperator);
    for (var i = 0; i < roleArr.length; ++i) {
        if (roleArr[i] == "") {
            continue;   // skip empty entries, e.g. from a trailing separator
        }
        if (returnValue == nullAttribute) {
            // The original used an undeclared variable "key" here; it must be the same
            // "{D}" operator, otherwise the first MSKEY would be written without one.
            returnValue = deleteidentifier + roleArr[i];
        } else {
            returnValue = returnValue + sapDelimeter + deleteidentifier + roleArr[i];
        }
    }
    return returnValue;
}

I thought of another idea: passing the privileges which need to remain assigned to the user and removing the others using the {M} attribute operator, passing the ONLY and system privileges, which should remove all the other directly assigned privileges. I added the operator at the end of the script before passing the return value and received the error below:

ToIDStore.modEntry failed modifying entry 'XXXXXXXXXXX' when storing attribute 'MXREF_MX_PRIVILEGE={M}14937|324|14936'. The operator is not legal in this position.

When the {M} attribute operator is passed at the start of the attribute value in the destination pass, it removes all the direct assignments, but does not exclude the ONLY and system privileges.

Could you kindly provide me a solution? The script works fine for the privileges added directly via the IDM console (Identity Center), but not for privileges added through the IDM standard UI.

Regards,

DP

Accepted Solutions (0)

Answers (2)


terovirta
Active Contributor
0 Kudos

Maybe I am missing something, or you didn't tell everything... Why is the job this complex?

You can get a list of directly assigned privileges (filtering out system/account privileges) with quite simple SQL from idmv_link_ext, which would return the list in "priv1!!priv2!!priv3" format; that is then quite straightforward to modify with uReplaceString to "{D}priv1|{D}priv2|{D}priv3".

regards, Tero
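As an added example, and not code from the original thread or from DP's or Tero's IDM configuration, the JavaScript below shows both approaches discussed so far with the operators in the positions IDM accepts: Tero's route of turning the "!!"-separated list from idmv_link_ext into "{D}priv1|{D}priv2" (the uReplaceString step, done here in plain JavaScript so it runs outside IDM), and the {M} variant from the question, where the operator appears once at the very start and the list is what the attribute should contain afterwards. It is written in ES5 style because IDM scripts run under Rhino, but runs unchanged under Node. Everything beyond what the thread states is an assumption and is marked as such in the code: the column names in the idmv_link_ext query, the privilege naming patterns ("PRIV:<REP>:ONLY" for account privileges, "PRIV:SYSTEM:<REP>" for system privileges), the uReplaceString signature, and the sample rows, which are constructed.

```javascript
// Added example, not code from the original thread. Builds the operator
// strings an SAP IDM 7.2 "To Identity Store" pass accepts on a multi-value
// reference attribute such as MXREF_MX_PRIVILEGE:
//   {D}mskey|{D}mskey   remove only the listed values
//   {M}mskey|mskey      replace the whole attribute with the listed values
// "!!" (list separator handed to a script) and "|" (value separator inside
// the operator string) are the separators used in the thread.

var LIST_SEPARATOR  = "!!";
var VALUE_SEPARATOR = "|";
var DELETE_OP = "{D}";
var MODIFY_OP = "{M}";

// Assumed shape of the query Tero refers to. Column names are an assumption
// and must be checked against the idmv_link_ext view in your own installation.
var DIRECT_PRIV_SQL =
  "SELECT mcOtherMSKEY, mcOtherMSKEYVALUE FROM idmv_link_ext " +
  "WHERE mcThisMSKEY = %MSKEY% AND mcAttrName = 'MXREF_MX_PRIVILEGE' " +
  "AND mcAssignedDirect = 1";

// Constructed sample of what that query could return for one user.
var SAMPLE_DIRECT_ROWS = [
  { mskey: 14937, name: "PRIV:SAPDEV:ONLY" },       // account privilege
  { mskey: 324,   name: "PRIV:SYSTEM:SAPDEV" },     // system privilege
  { mskey: 14936, name: "PRIV:SAPDEV:Z_PAYROLL" },  // business privilege
  { mskey: 15002, name: "PRIV:ADDEV:ONLY" },
  { mskey: 15010, name: "PRIV:ADDEV:FinanceGroup" }
];

// Naming assumed here: "PRIV:<REP>:ONLY" is the account privilege and
// "PRIV:SYSTEM:<REP>" the system privilege of a repository. Adjust the
// patterns if your repositories name them differently.
function isAccountOrSystemPrivilege(name) {
  var upper = String(name).toUpperCase();
  return /:ONLY$/.test(upper) || /^PRIV:SYSTEM:/.test(upper);
}

// Split the query rows into the MSKEYs to remove and the MSKEYs to keep.
function partitionDirectPrivileges(rows) {
  var result = { remove: [], keep: [] };
  for (var i = 0; i < rows.length; i++) {
    var row = rows[i];
    if (isAccountOrSystemPrivilege(row.name)) {
      result.keep.push(String(row.mskey));
    } else {
      result.remove.push(String(row.mskey));
    }
  }
  return result;
}

// "{D}14936|{D}15010": one operator per value. Returns null when there is
// nothing to remove; inside an IDM script return nullAttribute instead so
// the pass leaves the attribute untouched.
function buildDeleteValue(rows) {
  var remove = partitionDirectPrivileges(rows).remove;
  if (remove.length === 0) return null;
  return DELETE_OP + remove.join(VALUE_SEPARATOR + DELETE_OP);
}

// "{M}14937|324|15002": the operator once, at the very start, followed by
// the values the attribute should hold afterwards. Appending the operator
// anywhere else is what produces the "operator is not legal in this
// position" error quoted in the question.
function buildReplaceValue(rows) {
  var keep = partitionDirectPrivileges(rows).keep;
  if (keep.length === 0) return null;
  return MODIFY_OP + keep.join(VALUE_SEPARATOR);
}

// Tero's route: the "!!"-separated list as returned by the SQL, rewritten
// into operator form. In IDM this is the uReplaceString(list, "!!", "|{D}")
// call (signature as assumed here); done in plain JavaScript for {D} and
// {M} so it runs outside IDM. Empty entries from a trailing "!!" are dropped.
function listToOperatorValue(list, op) {
  if (list === null || list === undefined) return null;
  var parts = String(list).split(LIST_SEPARATOR);
  var values = [];
  for (var i = 0; i < parts.length; i++) {
    if (parts[i].length > 0) values.push(parts[i]);
  }
  if (values.length === 0) return null;
  // {M} is written once in front; {D} is repeated before every value.
  var glue = (op === MODIFY_OP) ? VALUE_SEPARATOR : VALUE_SEPARATOR + op;
  return op + values.join(glue);
}
```

A practical check before wiring either value into a pass: log the string with uWarning() and compare it against the error text IDM gives back; "{M}" anywhere but the first three characters, or a "{D}" missing in front of a value, both surface as modEntry errors rather than silent no-ops.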

devaprakash_b
Active Contributor
0 Kudos

Hi Tero,

First we calculate the ONLY and system privileges which are assigned through an IDM role, and then we assign them directly.

Later we exclude the ONLY and system privileges and pass the rest for deletion.

The script does pass {D}priv1|{D}priv2|{D}priv3 in exactly this format, but it is still not deleting the entries.

terovirta
Active Contributor
0 Kudos

It's a lot easier to have the "No Master Task" defined rather than include the account privileges (*:ONLY) in the business roles.

From the config that I am working on, I see that we're using the "{e}" operator to remove.

The first SPs of 7.2 didn't have a fully working "No Master Task", and I once included the account privileges in business roles, but replaced that with "No Master Task" when it worked on the newer SP.

regards, Tero

jaisuryan
Active Contributor
0 Kudos

Hello DP,

1) I can see a few mistakes in the script, so I am not sure it would have worked properly.

The variables "seperator", "key" and "sapDelimeter" are not declared/initialized.

2) I would start by investigating the "Calculate direct assignments" task and checking whether the context variable contains the required "direct" role MSKEYs. Use uWarning() to see the values passed.

3) Just for my information: you said system and ONLY privileges are assigned indirectly. Does that mean you have "PRIV:<rep>:ONLY" privileges assigned in every BR or position instead of using "No Master Task"?

Kind regards,

Jai

devaprakash_b
Active Contributor
0 Kudos

Hi Jai,

They are there in the script, but I haven't pasted them here.