on 12-02-2015 6:43 AM
Hi Experts,
Recently I have been facing an issue with privilege assignment through the IDM UI.
We assign roles to users, which in turn assign privileges. When we assign a role, the privileges within it are indicated as indirect assignments.
However, after the initial load job is run, the privileges within the role are also shown as direct, inherited assignments.
Meaning a privilege appears twice in the IDM UI, once through the role as indirect and once as a direct, inherited assignment.
The issue is that when there is a request for role removal, the entry disappears from the UI and we believe the privileges will be deleted from the ABAP system as well.
However, because these privileges are also inherited, user access is not affected. This is against our compliance, as the user should not be assigned the privileges.
Our expected screen should display a privilege as coming from the role only, unless assigned explicitly.
Kindly advise why the privileges are duplicated?
Thanks & Regards,
V!
Hi V,
The pass "WriteABAPUsersRolePrivilegeAssigments" in the initial load job will assign the privs that are assigned in the target system directly to the user. Disable the pass to stop it happening henceforth.
Are you running the initial load job every day?
Kind regards,
Jai
Hi V,
Yes, you will have to remove the privs from the existing users; a simple job would do. Since the users get the privs via the role anyway, I would expect no deprovisioning tasks to be triggered.
Initial load is to be run once when you set up the system. For regular updates, you will have to make a copy of the job and disable passes which are not relevant as per requirement.
Kind regards,
Jai