Assign business role based on position

Former Member
0 Kudos

Hi All,

I am loading user identities from HCM with a position attribute. My client has provided me with a role and position mapping. Now I have to assign roles dynamically to users based on the user's position attribute.

Can I implement this using SAP IDM 7.2 "Context based role assignment"? Can anyone refer me to some useful technical document on "Context based role assignment"?

Regards,

Dhiman Paul.

Accepted Solutions (1)

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Dhiman,

I'd rather suggest dynamic groups for this, because there you specify via a SQL query, what users should be part of the group. The dynamic groups can then be added to business roles, so that those business roles are added to the users found by the query of the dynamic group.

So you could just create a dynamic group for each position, the users would be found via the query and the business role added to them, when the dynamic group is recalculated (the query is triggered).

Please see the IdM help for more information about this. It really sounds more complicated than it is in the end.

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi,

I am unable to understand how the dynamic group will be auto-assigned as per the SQL written. What is the trigger point? Do you mean that whenever there is a new entry with a specific position, the corresponding dynamic group will be triggered?

Regards,

Dhiman Paul.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Dhiman,

No, you need to create a job with the pass to recalculate the dynamic groups. We have a simple script with uIS_ResolveDynamicGroup(mskey) that is called by that pass and runs at certain times.

I think there is a possibility to have the task run automatically, but that would produce a lot of traffic and if I remember correctly there was a lot more work involved to get that going.

Regards,

Steffi.

Answers (2)

Former Member
0 Kudos

Hi Steffi,

It is also a useful link for me too. But I am unable to see the script name in the Global list (right click -> link to global script). I am using IDM 7.2 SP08.

Any thoughts as to where I can get the scripts (uIS_ResolveDynamicGroup)?

Regards,

Shanky Agrawal

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Shanky,

That is not the script name but the name of the used function/procedure. You have to create the script yourself and in that script you use uIS_ResolveDynamicGroup.

There should be some documentation around on how to create scripts (well, that is the easiest part ^^) and what the content should look like. This one has just 5 lines (without commentary) in our case. So it isn't that hard.

Regards,

Steffi.

Former Member
0 Kudos

Hi Shanky,

I would suggest you refer to the Rule Management section of the SAP IDM RDS solution. You will get an idea of how you can use the dynamic groups to meet your requirements.

It's pretty simple. In the RDS solution of IDM, there are predefined tasks for Rule Management. You have to use the following.

1. Create a dynamic group

   In this you will create a dynamic group with your rule criteria. Say, if the position of an employee is "Delivery manager", assign XYZ role.

   In this UI task, you will provide a group name, group description, condition attribute name and condition attribute value.

2. ReCalculate Dynamic group members.

   In this task you just have to select the group for which you want to calculate the group members.

   The input will be just the group id from a dropdown in the IDM UI.

   When you execute this task, it will call a script sapc_rule_resolveDynamicGroups in which the internal function uIS_ResolveDynamicGroup is called. For more information on the uIS_ResolveDynamicGroup function, please refer to the following screenshot. For your reference, I have attached the script sapc_rule_resolveDynamicGroups.

Hope this is more clear. All the best.

Cheers,

Krishna.

Former Member
0 Kudos

Thanks Steffi.

What type of pass will that be? Just a ToIdentitystore pass?

Thanks,

Dhiman Paul.

Steffi_Warnecke
Active Contributor
0 Kudos

We have used a "To Generic"-pass. The source is a query looking for all dynamic groups (it's an own entry type) and in the destination we just give the found mskeys to the script, which is linked via "Next data entry" in the header of the tab.