
self registration for idm usage

richard_pietsch
Active Contributor
0 Kudos

Hi folks!
I want to set up a self-registration service for IDM, following the default NetWeaver self-register service, to allow new IDM users to register themselves, but access to the IDM self-services should be approved by an administrator user (in our system we basically use self-services that allow IDM users to request privileges for connected backend systems; the availability of these services is granted via an IDM role).

Now, using the self-register option for NetWeaver, a new user account will be generated in UME only. To use my workflow, e.g. for approval of the IDM self-service role, I need the MX_PERSON first. But it is not directly created during the self-registration...

So, what are suitable options here? Create a job that regularly checks for new UME users and assigns the IDM self-service role to them, which must then be approved by an administrator?

Regards, Richard

Accepted Solutions (0)

Answers (1)

todor_petrov
Contributor
0 Kudos

Hi Richard,

I read somewhere that this is actually possible, but I am struggling to find the link. If I do, I will share it with you.

Until then, I found something else which might be interesting - https://assets.cdn.sap.com/sapcom/docs/2015/07/52e9e755-5a7c-0010-82c7-eda71af511fa.pdf

The document explains how to actually connect IdM data to the NetWeaver UME. As far as I see, it supports two-way writing of data, so if you use the UME API for self-registration then maybe those users can be directly created in IdM.

Let me know if this one helps.

BR,

Todor

richard_pietsch
Active Contributor
0 Kudos

Hi Todor,

Thanks for your input. I checked the document, also played around with the VDS configuration and... failed 😞

Maybe I was missing something here. But that's ok. I decided to use my "quick and dirty" approach, which is working fine.
I set up a repository job that reads the new UME users created via self-registration. The new users are then created in the ID store - here I assign the ACCOUNT* attribute and the PRIV*ONLY privilege with the BYPASS operation (as the user is already created) and delete the PRIV*ONLY privilege again. This triggers the deletion in UME (but the IDM entry remains). Finally, I assign the self-service IDM role to the new MSKEYVALUE, which must be approved by an administrator. Only after approval will the user be created in UME (again) with the required privileges.

Not the smartest solution, but it was necessary as there's post-processing within the CreateUser task which will not execute if the creation itself fails (as the UME entry already exists). In addition, there's no UME user in case the administrator declines the IDM role request, and all notifications are triggered out of the regular approval process.

Regards, Richard