
On removal of all business roles and privileges for an identity in Identity Management, there are still some privileges showing for the identity and they are showing as inherited

Dear Community Members,

I have come across an issue in SAP IDM: on removal of all business roles and privileges for an identity in Identity Management through the user interface, there are still some privileges showing for the user and they are appearing as inherited, however there is no position based assignment for that identity.

I don't understand from where all those inherited privileges are getting read for that identity while all assignments are removed for that identity in IDM.

Please share your thoughts regarding this issue.

Regards

Girish Almiya


2 Answers

  • Posted on Dec 11, 2014 at 02:31 PM

    Hi Girish,

    Can you please check in the database for any direct assignment? Maybe you are not allowed to view the role?

    select * from idmv_link_ext with (NOLOCK) where mcThisMSKEY = <mskey of the user>

    and check for mcAssignedDirect = 1 entries. Column mcOtherMSKEYVALUE shows the role/priv names assigned to the user.

    Kind regards,

    Jaisuryan
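    As an added example (not part of the thread), a T-SQL variant of the query above that separates direct from inherited assignments and shows which roles are still linked to the identity. It assumes SQL Server (matching the NOLOCK hint) and that idmv_link_ext also carries the columns mcAssignedInherited, mcLinkType and mcLinkState with the link-type values MXREF_MX_ROLE and MXREF_MX_PRIVILEGE; none of those are named in the thread. The mskey is a placeholder.

```sql
-- Added example, not from the thread. Assumed: SQL Server, and the columns
-- mcAssignedInherited / mcLinkType / mcLinkState in idmv_link_ext in addition
-- to the ones named in the answer above. 12345 is a placeholder mskey.
DECLARE @mskey INT = 12345;

-- 1) Every role and privilege link on the identity, direct ones first.
SELECT
    mcOtherMSKEYVALUE   AS assignment,
    mcLinkType,                       -- assumed values: MXREF_MX_ROLE / MXREF_MX_PRIVILEGE
    mcAssignedDirect,                 -- 1 = assigned directly to the identity
    mcAssignedInherited,              -- 1 = derived from a role still held by the identity
    mcLinkState                       -- processing state of the link (pending vs. completed)
FROM idmv_link_ext WITH (NOLOCK)
WHERE mcThisMSKEY = @mskey
  AND mcLinkType IN ('MXREF_MX_ROLE', 'MXREF_MX_PRIVILEGE')
ORDER BY mcAssignedDirect DESC, mcLinkType, assignment;

-- 2) Privileges that are only inherited: these have no direct counterpart and
--    must come from a role link that is still present.
SELECT mcOtherMSKEYVALUE AS inherited_priv
FROM idmv_link_ext WITH (NOLOCK)
WHERE mcThisMSKEY = @mskey
  AND mcLinkType = 'MXREF_MX_PRIVILEGE'
  AND mcAssignedInherited = 1
  AND mcAssignedDirect = 0;

-- 3) Roles still linked to the identity (direct or inherited). Any row here is
--    the candidate source of the inherited privileges from query 2.
SELECT mcOtherMSKEYVALUE AS remaining_role, mcAssignedDirect, mcAssignedInherited, mcLinkState
FROM idmv_link_ext WITH (NOLOCK)
WHERE mcThisMSKEY = @mskey
  AND mcLinkType = 'MXREF_MX_ROLE';
```

    If query 2 returns rows while query 3 is empty, the inherited links are stale rather than derived from a current role, which points at a provisioning or cleanup issue instead of a hidden assignment.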


  • Posted on Dec 11, 2014 at 03:10 PM

    Girish,

    Dropping the system privilege in IDM (PRIV:ECCCLNT100:ONLY as an example) will drop all roles for that system. The typical use case is either terminations or when a user changes a role in a company.

    If you just need to drop a single role, just drop the role name via the privilege tab (which works for the ONLY privilege as well).

    Note that you might not be able to see the ONLY privilege from the UI; if you can't, it can be managed by changing the visibility setting on the privilege via the MMC console.

    Matt


    • Hi Matt,

      The system privilege in IDM (PRIV:ECCCLNT100:ONLY) is already made visible from the console (MMC) to appear in the UI, and in order to place provisioning, a master task is created for system privileges for all existing repositories. So whenever business roles are assigned to a user, the master task executes itself for all required repositories (decided on the basis of the business roles assigned) and adds the system privilege (PRIV:ECCCLNT100:ONLY) for all concerned repositories for provisioning to the backend system.

      Here my issue is that after deleting all business roles and manually assigned privileges for an identity in IDM, when I save the task and then recheck the identity's BR and privilege assignments, I see some privileges are still there and their status shows inherited. I'm wondering from where these privileges are being read, as there is no position based assignment to that identity.

      Regards

      Girish Almiya
