
Privilege assigned twice on Role assignment

Former Member
0 Kudos

Hi Experts,

Recently I have been facing an issue with privilege assignment through the IDM UI.

We assign roles to users, which in turn assign privileges. When we assign a role, the privileges within it are indicated as indirect assignments.

However, after the initial load job is run, the privileges within the role are also shown as direct, inherited assignments.

Meaning a privilege appears twice on the IDM UI, once through the role as indirect and once as a direct, inherited assignment.

The issue is that when there is a request for role removal, the entry disappears from the UI and we believe the privileges will be deleted as well from the ABAP system.

However, because these privileges are also inherited, user access is not affected. This is against our compliance, as the user should not be assigned the privileges.

Our expected screen should display the privilege as coming from the role only, unless assigned explicitly.

Kindly advise why privileges are duplicated?

Thanks & Regards,

V!

Accepted Solutions (1)

jaisuryan
Active Contributor
0 Kudos

Hi V,

The pass "WriteABAPUsersRolePrivilegeAssigments" in the initial load job will assign the privs that are assigned in the target system directly to the user. Disable the pass to stop it happening henceforth.

Are you running the initial load job every day?

Kind regards,

Jai

Former Member
0 Kudos

Hi Jai,

Does this mean that, for existing users, we will have to remove this privilege directly?

Yes, we are scheduling the initial load job to run every day at an interval of 6 hours.

Thanks & Regards,

V!

jaisuryan
Active Contributor
0 Kudos

Hi V,

Yes, you will have to remove the privs from the existing users; a simple job would do. Since the users get the priv via the role anyway, I would expect no deprovisioning tasks to be triggered.

Initial load is to be run once when you set up the system. For regular updates, you will have to make a copy of the job and disable passes which are not relevant as per requirement.

Kind regards,

Jai
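
Before running the cleanup discussed in this thread, it helps to see which privileges are held both directly and through a role, and which would survive a role removal. The following is an added example, not code from the thread or from SAP; the record layout, field names and sample rows are constructed assumptions standing in for an export of user/privilege links, not the IDM schema.

```python
# Added example: constructed data, hypothetical field names (not the SAP IDM schema).
ASSIGNMENTS = [
    {"user": "ALICE", "privilege": "Z_FI_DISPLAY", "direct": True, "via_roles": ["FI_CLERK"]},
    {"user": "ALICE", "privilege": "Z_FI_POST", "direct": False, "via_roles": ["FI_CLERK"]},
    {"user": "BOB", "privilege": "Z_HR_ADMIN", "direct": True, "via_roles": []},
    {"user": "CAROL", "privilege": "Z_FI_DISPLAY", "direct": False,
     "via_roles": ["FI_CLERK", "FI_AUDITOR"]},
]


def classify(assignments):
    """Bucket every user/privilege link by how it is granted."""
    report = {"role_only": [], "duplicate": [], "direct_only": []}
    for row in assignments:
        key = (row["user"], row["privilege"])
        if not row["direct"]:
            report["role_only"].append(key)      # expected state
        elif row["via_roles"]:
            report["duplicate"].append(key)      # direct AND via a held role
        else:
            report["direct_only"].append(key)    # no role covers it any more
    return report


def residual_after_role_removal(assignments, user, role):
    """Privileges granted by `role` that `user` keeps once the role is removed."""
    residual = {}
    for row in assignments:
        if row["user"] != user or role not in row["via_roles"]:
            continue
        if row["direct"]:
            residual[row["privilege"]] = "direct assignment"
        elif set(row["via_roles"]) - {role}:
            residual[row["privilege"]] = "other role"
    return residual


if __name__ == "__main__":
    for bucket, links in classify(ASSIGNMENTS).items():
        print(bucket, links)
    print(residual_after_role_removal(ASSIGNMENTS, "ALICE", "FI_CLERK"))
```

Entries in `direct_only` need review rather than blind removal, since this data alone cannot tell a direct assignment written by a load job from one assigned explicitly.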

Answers (0)