What is for what? Locked, Disabled, Inactive

former_member431321
Participant
0 Kudos

Hi all,

I am looking for a best practice for Locked, Disabled and Inactive attribute for IDM User.

I just configured HCM-IDM integration.

IDM finds all retired employees by checking the P000-STAT2 value, and when it is not '3', it marks the ID as Locked (MX_LOCKED = true).

But the locked user can log in to IDM if the password is properly set.

And there is another similar attribute, ACCOUNT IS DISABLED (MX_DISABLED).

When MX_DISABLED = 1, the user cannot log in to IDM.

Can anyone tell me what is for what?

regards,

dongsu

former_member2987
Active Contributor
0 Kudos

No worries Dongsu, I get hung up on it all the time 🙂

Accepted Solutions (1)

former_member2987
Active Contributor
0 Kudos

Hi Dongsu, I took this directly from the IDM Schema document, hope it helps.

MX_DISABLED

The main purpose of MX_DISABLED (on MX_PERSON entry type) is to enable/disable logon in general.

Therefore setting this attribute should usually trigger a lock-account-task to all target systems of the identity - at least to the AS Java which is used for the SAP NetWeaver IdM User Interface.

MX_INACTIVE

The main purpose of the MX_INACTIVE attribute is to define identity entries (entries with the entry type MX_PERSON or a custom entry type defined as an "Identity" entry type) as inactive. This can be done in a User Interface task or in a pass which uses the identity store as the source.

Setting an entry to inactive has the same effect as deleting it, that is the attribute triggers the de-provisioning task for all target systems of the identity. Depending on the type of a specific target system, the de-provisioning task deletes or locks the user account.

An inactive entry will be invisible, except when explicitly asked for otherwise (for example through tasks implemented for managing the inactive entries).

Note: You cannot login to User Interface with an inactive identity entry.

Note: Inactive entries may have roles and privileges.

As of SAP NetWeaver Identity Management 7.2 SP9 inactive entries may be updated, for instance to maintain information while an employee is on leave of absence. The following rules apply when updating inactive entries:

  • No event tasks (attributes/entry types/member event handling) are executed as a result of the updates until the entry is reactivated.
  • When maintaining assignments, the role is assigned to the user, but no further processing is done until the entry is reactivated.

When the entry is reactivated, the assignments are recalculated based on the role hierarchy at the time of reactivation.

To restore an entry, remove the MX_INACTIVE attribute, either by updating the entry with a task in the Identity Management User Interface or by setting the value to an empty string in a To identity store pass.

When running a job where the identity store is the source, you must specify whether you want inactive entries included or not. This regards the User Interface tasks as well.

former_member431321
Participant

Thank you Matt. It is very helpful.
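
The gap raised in the question (a non-active employee who is only marked MX_LOCKED can still log in) can be checked by reconciling HR status against the three attributes as the answer describes them. This is an added example, not part of the original thread and not SAP code; the export shape, the user IDs, the STAT2 values other than '3', and the rule that any non-empty MX_INACTIVE value counts as set are assumptions.

```python
from collections import defaultdict

HR_ACTIVE = "3"  # P000-STAT2 value the thread treats as an active employee

# Constructed sample data (assumed export shape, not an SAP format):
# HR employment status per user, and identity-store rows (user, attribute, value).
HR_STAT2 = {"U1001": "3", "U1002": "0", "U1003": "0", "U1004": "0", "U1005": "1"}
ATTR_ROWS = [
    ("U1001", "MX_LOCKED", "false"),
    ("U1002", "MX_LOCKED", "true"),                                # locked only
    ("U1003", "MX_LOCKED", "true"), ("U1003", "MX_DISABLED", "1"),
    ("U1004", "MX_INACTIVE", "1"),
    ("U1005", "MX_DISABLED", "0"), ("U1005", "MX_INACTIVE", ""),   # restored entry
]

def logon_state(attrs):
    """Classify one identity using the semantics quoted in the thread."""
    if attrs.get("MX_INACTIVE", "").strip():          # assumption: non-empty = inactive
        return "inactive"                             # no UI logon, de-provisioned
    if attrs.get("MX_DISABLED", "").strip() == "1":
        return "disabled"                             # logon disabled in general
    if attrs.get("MX_LOCKED", "").strip().lower() == "true":
        return "locked-only"                          # poster observed logon still works
    return "open"

def audit(hr_stat2, attr_rows):
    """Return (user, stat2, state) for non-active employees whose logon is not blocked."""
    by_user = defaultdict(dict)
    for user, attr, value in attr_rows:
        by_user[user][attr] = value
    findings = []
    for user, stat2 in sorted(hr_stat2.items()):
        state = logon_state(by_user.get(user, {}))
        if stat2 != HR_ACTIVE and state in ("locked-only", "open"):
            findings.append((user, stat2, state))
    return findings

if __name__ == "__main__":
    for user, stat2, state in audit(HR_STAT2, ATTR_ROWS):
        print(f"{user}: STAT2={stat2} state={state} -> UI logon not blocked")
```
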

Answers (0)