Validity for portal roles

Former Member
0 Kudos

Hi Experts,

Normally in SAP ABAP systems we can mention the validity for roles in user master data. In our client we have a Netweaver 7.3 system. We have developed some portal roles for user access. Sometimes we are requested to add a specific role for just 2 days. I cannot see any validity from and validity to while adding roles to the users. Can you please help me with how to maintain validity for roles in the portal system?

Thanks in advance,

Regards,

Krish

Accepted Solutions (1)

Former Member
0 Kudos

I think that functionality doesn't exist, maybe can confirm and comment whether it will be supported in the future. A possible workaround would be to bind the portal roles to a group that supports validity (ABAP, LDAP).

martin_voros
Active Contributor
0 Kudos

Hi,

it does not exist and I doubt it will be introduced. Honestly, you don't want to do a role assignment in Portal. You want to do it automatically with UME pointing to LDAP or ABAP, or in a more complex landscape to use IdM for role provisioning. Both these solutions allow you to restrict role assignment.

Martin

Former Member
0 Kudos

Exactly.

I noticed that the tag IDM 7.2 was added.

Provisioning should be done from IDM tasks and not locally.

If ABAP is user store then you can use PFCG_COMPRESS_TIMES to remove invalid roles (with all consequences for Java stack).

But the best solution is to have the whole identity pot and assignments centrally in an IDM and manage it there without local interference, even if it is technically possible.

Cheers,

Julius7

Former Member
0 Kudos

Thank you Julius ..

At the moment this UME is not connected to any back end ABAP system. We are currently doing user admin and role admin activities in identity management. But I can't find any validity option for roles.

In recent audits our auditors were asking for the system evidences for temporary role assignments and deletion of user accounts. Unfortunately I cannot find any change documents or logs in this portal system.

Kindly advise how to get this information in a portal system which is not connected to a back end ABAP system.

Kind Regards,

Krish.

martin_voros
Active Contributor
0 Kudos

Hi,

as it was already mentioned, SAP portal does not support expiry date on role assignments. All roles are assigned from today till they are manually removed from user/group. So if you need some control you have to build it outside of SAP portal. The best solution is that it allows automatic de-provisioning of roles after expiry day. We already mentioned pointing UME to ABAP/LDAP or implementing some kind of identity management solution. These solutions require some investment. So temporarily you could implement a periodic manual process (e.g. weekly) that will remove roles that are not required anymore.

Cheers

Former Member
0 Kudos

It is still not clear to me whether you are doing this in the Netweaver Administrator (NWA, formerly labelled Identity Management) or you have an IDM there (assignments via the Identity Center)?

As mentioned by Martin, you will need to externally provision and record validities, as natively within the NWA itself it is not available so nothing can remove the roles again except you.

For change documents you can use the Java Security Log. Did you try that?

Cheers,

Julius
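An added example, not part of the original thread: one way to keep the externally recorded validities and the periodic removal run described in the two replies above. The register layout, column names, users, roles and ticket ids are constructed assumptions; the script calls no SAP interface and only produces the list of assignments an administrator would remove, plus the entries that need correcting.

```python
import csv
import io
from datetime import date

# Constructed sample register of temporary portal role assignments.
# Column names and all values are assumptions made for this example.
SAMPLE_REGISTER = """user,role,valid_from,valid_to,ticket
jdoe,portal_role_a,2024-03-01,2024-03-02,REQ-0001
asmith,portal_role_b,2024-03-04,2024-03-10,REQ-0002
bking,portal_role_a,2024-03-05,,REQ-0003
cwong,portal_role_c,2024-03-09,2024-03-08,REQ-0004
dlee,portal_role_b,2024-03-20,2024-03-21,REQ-0005
"""


def review_register(text, today):
    """Classify every recorded assignment as of `today`.

    Returns a dict with four lists of (user, role, ticket, reason) tuples:
    remove  - validity has ended, role is due for manual removal
    active  - inside the validity period
    pending - validity has not started yet
    invalid - no usable end date or inconsistent dates; these would
              otherwise stay assigned forever, so they are reported
    """
    result = {"remove": [], "active": [], "pending": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["user"], row["role"], row["ticket"])
        try:
            start = date.fromisoformat(row["valid_from"])
            end = date.fromisoformat(row["valid_to"])
        except ValueError:
            result["invalid"].append(key + ("missing or malformed date",))
            continue
        if end < start:
            result["invalid"].append(key + ("valid_to before valid_from",))
        elif today > end:
            result["remove"].append(key + (f"expired {end.isoformat()}",))
        elif today < start:
            result["pending"].append(key + (f"starts {start.isoformat()}",))
        else:
            result["active"].append(key + (f"until {end.isoformat()}",))
    return result


if __name__ == "__main__":
    report = review_register(SAMPLE_REGISTER, date(2024, 3, 8))
    for status, rows in report.items():
        for entry in rows:
            print(status, *entry, sep="\t")
```

Keeping each run's output alongside the request tickets gives a dated record of when a temporary assignment was due for removal.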

AviadRivlin
Employee
0 Kudos

Indeed this functionality does not exist in the SAP Portal. Few options that I can think about are:

  • A custom portal component that un-assigns a portal role from the group/user (with a very simple admin UI)
  • Some workaround from the LDAP side
  • - does IdM provide such a capability?


Aviad

0 Kudos

Hi Aviad,

Yes, SAP NW IdM does support assignments with validity. IdM takes care to provision/deprovision the role as soon as you step into/out of the validity period.

I think this is exactly what krish panch needs.




Cheers,

Kristiyan

NW IdM Dev/Architect

Former Member
0 Kudos

Hi Marinov,

thank you so much. Could you please share some documents related to IDM implementation and security perspective in IDM?

thanks in advance for your help.

regards,

krishna

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

There is plenty of documentation, wikis and blogs on IDM.

I suggest that you inform yourself first, then ask detailed questions.

Cheers,

Julius

0 Kudos

As Julius said, there's plenty of documentation to help you get a grip on IdM. You can find 7.2 docs linked here - http://scn.sap.com/docs/DOC-8397

Cheers,

Kristiyan

Answers (0)