Department Change in SAP IDM 8.1

Hello Community,

I'm currently implementing SAP IDM 8.1 for a small customer here in Germany. The main processes are on-/offboarding and the department change. The first two were no problem and are working really fine. The last one gives me some headache.

Starting Situation

We've built up a test environment with an ERP ABAP system, the IDM Java system itself and an Active Directory. There is currently no HR system and it is also not planned to implement one in the near future. So we decided to define our own value for MSKEYVALUE (e.g. RoFiebig in my case). Because it's a small company we don't see any issues with this naming convention.

All employees are organized in five departments (e.g. IT) and, for example, apprentices switch between these departments very often. In the Active Directory each department has its own OU to manage access rights to different network shares. A department change could take place immediately or in the future and must be approved by the HR department.

My approach

These are the facts:

  • Change could be immediate and in the future
  • should be approved by HR
  • Attribute must be changed in IDM
  • OU must be changed in Active Directory
  • All old relevant roles must be revoked after a change

The immediate change of attribute MX_DEPARTMENT is no problem, even with approval. But I've designed a different approach and am wondering if this could be done much more easily.

  1. Principal of the apprentice / employee is requesting the department change
  2. HR approves this
  3. New Department and Change Date will be written in two custom attributes (future_department and department_change_date)
  4. Each night a job should run which does the following:
       • find all persons with a future_department and write them to a temporary table
       • check if a date is set and if it is the current date or in the past
       • if yes, the future_department will be copied to MX_DEPARTMENT and a change of the OU will take place via modRDN
       • if no, nothing will happen

My open questions

  • How to set the valid_to date to all relevant department roles?
  • Isn't there an easier and faster way to implement this?
  • Is there any complete and valid IDM 8.x documentation by SAP? There are so many whitepapers, examples etc. for 7.x but nearly nothing for 8.x
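
The nightly job from the steps above, together with end-dating the old department roles, modelled in plain JavaScript as an added example that is not part of the original post and is not SAP IDM API code. Only MSKEYVALUE, MX_DEPARTMENT, future_department and department_change_date come from the post; `OU_BASE`, the role records and the sample people are constructed assumptions.

```javascript
// Plain-JavaScript model of the nightly job; no SAP IDM functions are used.
// OU_BASE, the role records and the sample people are constructed for illustration.
const OU_BASE = "DC=example,DC=test"; // hypothetical AD base DN

function samplePeople() {
  return [
    { MSKEYVALUE: "RoFiebig", MX_DEPARTMENT: "IT", future_department: "HR",
      department_change_date: "2017-01-20",
      roles: [{ name: "ROLE_IT_SHARE", department: "IT", valid_to: null },
              { name: "ROLE_EMPLOYEE", department: null, valid_to: null }] },
    { MSKEYVALUE: "AnMuster", MX_DEPARTMENT: "Sales", future_department: "IT",
      department_change_date: "2017-03-01",
      roles: [{ name: "ROLE_SALES_SHARE", department: "Sales", valid_to: null }] },
    { MSKEYVALUE: "NoDate", MX_DEPARTMENT: "IT", future_department: "Sales",
      department_change_date: null, roles: [] },
  ];
}

// today and all dates are ISO strings (YYYY-MM-DD), which sort chronologically.
function runDepartmentChangeJob(people, today) {
  const changes = [];
  for (const p of people) {
    const due = p.department_change_date;
    if (!p.future_department || !due || due > today) continue; // not due: do nothing
    const oldDept = p.MX_DEPARTMENT;
    // End-date every role tied to the old department so access does not linger.
    const revoked = p.roles
      .filter(r => r.department === oldDept && (!r.valid_to || r.valid_to > due))
      .map(r => { r.valid_to = due; return r.name; });
    p.MX_DEPARTMENT = p.future_department;
    // New DN for the OU move (the modRDN step); assumes no DN special characters.
    p.dn = `CN=${p.MSKEYVALUE},OU=${p.MX_DEPARTMENT},${OU_BASE}`;
    // Clear the pending request so a second run is a no-op.
    p.future_department = null;
    p.department_change_date = null;
    changes.push({ user: p.MSKEYVALUE, from: oldDept, to: p.MX_DEPARTMENT, revoked });
  }
  return changes;
}

const people = samplePeople();
console.log(JSON.stringify(runDepartmentChangeJob(people, "2017-01-24"), null, 2));
```

Roles that are not tied to a department (ROLE_EMPLOYEE in the sample) are left untouched, and a request without a date is skipped rather than applied.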

2 Answers

  • Jan 24, 2017 at 02:59 PM

    Hello Ronny,

    Your approach seems fine; however, just to add, SAP IDM has a provision to provide assignment validity for SAP IDM attributes too. If you assign a validity to the attribute, then the attribute automatically gets assigned to the user, and after the validity expires it automatically gets removed from the user.

    Similarly, assignment validity can be provided while assigning the role to the user, which could be the new designation start date and end date in your case. Basically you need to play with the roles' validity in this case using the MXREF_MX_ROLE attribute.


    C Kumar


  • Apr 11 at 01:09 PM

    I am back in the SAP IDM community.
    Use ValidFrom and ValidTo when you set the attributes.


    Here are the attribute operators you can use:
