cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to create Dynamic Group in IDM 8?

Go to solution
Former Member

on ‎04-18-2016 11:36 AM

0 Kudos

Hi experts,

I am trying to create a Dynamic Group and assign some person to it.

I did it as follows;

1. checked person with condition as department = korea.

there are 8 persons.

2. create dynamic group and name it DG_korea

3. And add target definition as follows and save it.

4. But if I press search button in 'Assigned Users' tab, there says 'No entries returned'.

5. If I check the target filter ..

********

Can anyone tell me what did I missed or did wrong?

After create Dynamic group and assign persons to it, I planed to assign role and privileges to it.

Best regards,

dongsu

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Ckumar
Contributor
‎04-18-2016 5:31 PM
0 Kudos

Hello Dongsu,

Could you please check your SQL query again. I think it should be like

Select B.mcMskey................

as you are using Idmv_entry_simple B view.

Please run your query in MS-SQL database and verify whether it is returning those 8 entries.

Regards,

C Kumar

Show replies
Show replies
Former Member
‎04-19-2016 1:00 AM
0 Kudos

OK good advice, thanks,

the query is

"select DISTINCT(mcmskey) from idmv_entry_simple B with(nolock) inner join idmv_vna M4 on B.mcmskey = M4.mskey where mcIDStore=%IDSID% and (M4.ATTRNAME = 'MX_DEPARTMENT' and M4.sval='KOREA')"

and when I run this in MS SQL Server Management Studio, it return error with msg

Msg 102, Level 15, State 1, Line 1

Incorrect syntax near 'IDSID'.

Here the IDSID was defined as integer type.

So I changed the query changing mcIDStore=%IDSID% to mcIDStore=1

then it works and returned 8 values.

(if I check developer studio, my identity store looks have number 1 like "1/T1_IdentityStore". So I choose number 1)

Here, can you give me more advice?

dongsu

Ckumar
Contributor
‎04-19-2016 4:44 AM
0 Kudos

Hello Dongsu,

IDSID means "Identity Store ID". Please check your master identity store ID in MMC and put that value instead of %IDSID%.

IDSID is generally numbers like 1, 2, 3...

Regards,

C Kumar

Former Member
‎04-19-2016 5:19 AM
0 Kudos

Hi Kumar,

In Modify Dynamic Group Details screen,

I can not change the Target Filter string directly.

If  just click advanced mode radio button,

below is what I see.

Here what should I type-in at advanced mode?

dongsu

Former Member
‎04-20-2016 11:30 AM
0 Kudos

Hi experts,

I just found one interesting thing about this problem.

In MS SQL Developer Studio,

if I change %IDSID% to IDIS in original query statement, it works find.

Because it is basically eclipse, I can choose possible variables in screen.

So it looks like that the variable name was changed but this part is not updated.

a kind of bug.

But I can not issue customer report for this because now I am not on actual customer project but preparation of PoC.

How do you think?

Can any one help me?

dongsu

ole_k_rosberg
Explorer
‎04-22-2016 1:28 PM
0 Kudos

Hi,

%IDSID% is an internal IdM notation. When  running the query in SQL Dev Studio you ned to change %IDSID% to the id of your IdStore.

As for not getting any members in your dyn group, you will need to calcualte the dynamic group.

This may be done by using the internal function uIS_ResolveDynamicGroup(GroupID)

BR,

Ole K.

Former Member
‎04-25-2016 2:24 AM
0 Kudos

Dear Ole Kristian Rosberg,

%IDSID% is an internal IdM notation. When  running the query in SQL Dev Studio you need to change %IDSID% to the id of your IdStore.

      ==> thank you.

As for not getting any members in your dyn group, you will need to calcualte the dynamic group.

This may be done by using the internal function uIS_ResolveDynamicGroup(GroupID)

     ==> Would you explain this little more, please?

               How to calculate the dynamic group?

      

Best Regards,

dongsu

ole_k_rosberg
Explorer
‎04-27-2016 12:00 PM
0 Kudos

Hi,

See Maintaining Dynamic Groups - SAP Identity Management Configuration Guide - SAP Library

To resolve a dynamic group yo create a scheduled job with a ToGeneric pass.

Job:

Source:

Destination:

Script:

Regards,

Ole K.

Former Member
‎04-29-2016 5:19 AM
0 Kudos

Dear Ole Kristian Rosberg,


Thank you very much.

This is what I was looking for.



But ..

my IDM is 8.0 SP0 on Windows Server 2008 R2 using Sql server 2012.

And there is some unexpected response.

It runs too long.

And the persons not linked to Dynamic Group even though there was no error.

I will do this again after upgrading my IDM from 8.0 SP0 to 8.0 SP2.

I will update the result next week.

Best Regards,

dongsu

former_member2987
Active Contributor
‎04-29-2016 1:46 PM
0 Kudos

Hi Dongsu,

Welcome to the downside of Dynamic groups, and why many people do not like to use them.  There is not too much that can be done about this, except try to schedule the recalculation of the groups for off hours.

Matt

Former Member
‎05-02-2016 1:55 AM
0 Kudos

Hi Matt,

If Dynamic Group in NW IDM is so notorious,

would you tell me how others do role based provisioning without using dynamic group?


And what else worth to know for new comer?


Just a fact..

Regards, dongsu


saurabh_sharma19
Explorer
‎05-02-2016 1:28 PM
0 Kudos

Hi Dongsu ,

I remember facing the same issue while creating Dynamic group in IDM 8.0 SP0.

As mentioned by C kumar this is because of the "mcIDStore=%IDSIS%" in the SQL query.

To update the value of Identity store we made the changes in the Forms Package.

1)Search for the form Modify Dynamic group.

2)In the attribute tab make the attribute editable for the Field 'Target Filter'.

3)Update the value of Identity Store (In your case its 1) instead of %IDS_ID% in the UI and Save.

4)Again update the attribute for field 'Target Filter' to display only.

Hope this will help.

Regards,

Saurabh

former_member2987
Active Contributor
‎05-02-2016 1:41 PM
0 Kudos

Dongsu,

There are many ways to assign roles during provisioning, and personally, I feel that the use of dynamic groups is probably the worst.

I would just create a workflow that evaluates group memberships for newly created users and string them along as a process.

For example:

Check location

     Add appropriate groups

Check Department

     Add appropriate groups

Check Manager

     ....

This can be done either with scripts or conditional tasks.

Not sure the meaning of your graphic from Gartner.

Regards,

Matt

ole_k_rosberg
Explorer
‎05-02-2016 3:28 PM
0 Kudos

Hi,

It seems to be a bug in IdM 8 SP0 creating the filter with mcIDStore=%IDSID%

In SP2 this is corrected and the filter will have mcIDStore = 1 (or the id of the current idstore) as it should.

Regards,

Ole K.

Former Member
‎05-03-2016 5:56 AM
0 Kudos

Thank you Saurabh Sharma,

Currently I am upgrading my IDM to IDM8.0 SP2.

After test DG in SP2, I would try your recommendation.

And your advice help me to understand the architecture of SAP IDM.

Thanks you again.

dongsu

Former Member
‎05-03-2016 5:57 AM
0 Kudos

Dear Ole Kristian Rosberg,

I am upgrading my IDM to IDM8.0 SP2.

I will test in SP2 and let you know the result.

Thank you very much.

dongsu

terovirta
Active Contributor
‎05-03-2016 8:49 AM
0 Kudos

How many Id Stores do you have?

If only "productive" and "staging id" stores you can probably ignore the Id Store reference, as the MSKEYs are unique in the DB and the attribute names between those two Id Stores don't match.

regards, Tero

Answers (0)

Ask a Question