on 08-17-2016 10:32 AM
Hi,
I have business role with the Validity dates. MX_PENDING_VALUE is getting created for this role with the Valid To date assigned to this role. The role deletion is happening as expected by the Pending Value object. But the privileges assigned to these roles are not getting removed from the user. I tried writing on demand job to delete these privileges using linkid. MXREF_MX_PRIVILEGE= {d}{linkid=%linkid%}<PRIVILEGE_MSKEY>. There are no errors in the on demand job. But the privileges are not getting removed for the user. I have even tried with BYPASS MEMBER task options. But no luck. Can anyone help me how to remove these expired business role privileges from the user.
It's IDM 7.2; SP10
Thanks in advance
Sudheer
Hi Sudheer,
since you are talking about indirect assignments I would recommend to try MX_AUTOPRIVILEGE instead of MXREF_MX_PRIVILEGE.
Regards
Norman
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Sudheer,
{d} only removes current values, for pending you need to use {e}.
Search the IDM help for the article "Using attribute operators (To identity store pass)". All the options are explained really well and you can decide, which one you want to use.
Regards,
Steffi.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Steffi,
Thanks for the reply. I have tried the below in To Identity store pass
MSKEYVALUE %userMSKEYVALUE%
MXREF_MX_PRIVILEGE = {e}{linkid=%linkId%}%privilegeMSKEY%
CHANGETYPE MODIFY
Still, the privilege is not getting removed. The query that I have used to get the privileges and users in Source is
select mcUniqueID as linkId, mcValidTo as validTo, mcOtherMSKEY as privilegeMSKEY, mcOtherMSKEYVALUE as privilegeMSKEYVALUE,
mcThisMSKEY as userMSKEY, mcThisMSKEYVALUE as userMSKEYVALUE from idmv_link_ext where mcvalidto < sysdate
Any other suggestions.
Thanks
Sudheer
Hello Sudheer,
have you tried the simple version first: no source-query, but in the destination tab directly putting the mskeys of the user and the privilege you want to take away? Like this:
MSKEYVALUE 0815
MXREF_MX_PRIVILEGE {e}4711
CHANGETYPE MODIFY
The mskeys are random here of course. Does your job work like that? Is that privilege assigned several times to the user or why do you use the link-id, too?
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.