Mass User Creation and Role Assignments in IdM 8.0

Apr 07, 2017 at 03:48 PM

Hello IdM Community,

We are currently involved in the development, configuration and implementation of IdM 8.0. Our landscape consists of a Java Portal and 3 ABAP systems on the backend and a file interface (in this scenario) to import records into the Identity Store. We've been successful in writing IDs to the ID Store via the file repository interface, but not in assigning roles/privileges and thereby triggering the provisioning of the IDs to the backend systems. I've seen some info out there suggesting that user account attributes should be imported separately from role/privilege assignments, but I haven't seen anything specifically for IdM 8.

My Questions are as follows:

1) How can I add fields to the "General Attributes" tab in the IdM UI, fields like fax, address, etc?

2) How can I create mass users with role/privilege assignments in the same load?

3) If I can't create users and role mappings in the same load, please advise the file format and job passes required to mass assign roles and privileges.

Thank you for your help.

Hello Casey,

Are those 3 ABAP systems new, too? So no user accounts and role assignments yet? Or do you want to import the information (users, roles, assignments) from those systems into IDM? There are initial load jobs coming with the IDM for this kind of work.

Regards,

Steffi.


5 Answers

C Kumar Apr 08, 2017 at 01:25 AM

Hello Casey,

Please find answer to your questions below-

1) How can I add fields to the "General Attributes" tab in the IdM UI, fields like fax, address, etc?

Adding fields to the UI tasks (Forms) can be done from the Form package, which contains all the Forms. Check out the package, modify the existing task or create a copy of the task, and add the field as allowed, mandatory or read-only as per the requirement. Please note that you will be able to select the attribute only if it is allowed for the entry type mapped in the Forms.

2) How can I create mass users with role/privilege assignments in the same load?

This can be achieved by writing a job with

  • 3 From Ascii passes, which will read data (Users, Roles/Privileges, Assignment) from the Ascii file to the Temp DB
  • 3 To Identity Store passes, which will write the Users, Roles, and Assignment to the Identity Center Database.

3) If I can't create users and role mappings in the same load, please advise the file format and job passes required to mass assign roles and privileges.

If you can't create users and role mappings in the same load, then you can write a new job with 1 From Ascii file to load Assignment and 1 To Identity Store pass to write the assignment in the Identity Store. Please note that this would work only if Users and Roles have already been loaded to IDM.

Please note that there could be several ways to do this and this is one which I could think of after going through your question.

Regards,

C Kumar


Hello C Kumar and Steffi,

Thanks for the responses. The ABAP systems are not new and the initial load jobs have run successfully, with manual provisioning tested successfully as well. Provisioning will be triggered via job and file interface. We will also use a file interface for test IDs, training IDs, and a conversion of 10,000 users from the client's legacy SRM system. This is why I am interested in the file formatting and limitations as it pertains to user and role provisioning. I wonder if there is a best-practices way of doing this?

1) I found the forms to add the missing fields. Thanks a lot.

2) I'm going to give this a shot but first I'm going to try #3

3) I think this may be the way to go with 10,000 users. I'll let you know how it works in the sandbox.

Thank you very much for your help.

Casey Callahan-Hean Apr 21, 2017 at 08:17 PM

Hi C Kumar,

Thanks for the help. I am able to get the to and from passes to run, but the MXREF_MX_ROLE assignment doesn't trigger provisioning. Do I need to create a separate provisioning job?

Thanks!

Casey Callahan-Hean Apr 24, 2017 at 02:01 PM

Hello Community,

It seems as though an assignment pass is required in addition. Is there documentation on the functionality and requirements for IdM jobs and tasks? I can't find anything on this assignment pass or how to create it.

Thanks very much for the help.

Hendrik Winkler May 04, 2017 at 07:54 AM

Dear Casey,

Usually, provisioning should be done automatically when there is a new entry for MXREF_MX_ROLE. Please go through some basics:

1) Please check whether your dispatcher is running?

2) Do the connectors work? Does the Initial load Job work? Do you have a connecting user on the target system with write-privileges?

3) Please understand that MXREF_MX_ROLE is a "business role" solely known to IDM. If you need roles provisioned to a backend System, the role needs to have valid system privileges assigned (MXREF_MX_PRIVILEGE) to it. There are also issues with provisioning when there is a single non-working privilege entry within the role so please check if all entries are valid.


Hello Hendrik,

To clarify: manual provisioning to backend systems, via the IdM admin UI, works as expected. It is only when attempting to use the custom repository/job that we created with 1 from pass (file) and 1 to pass (ID store) that we don't see the business role assigned to the Identity in the ID store, and therefore provisioning to backend systems doesn't trigger.

This interface is required to test as the provisioning interface that will receive the provisioning actions from the client's legacy access approval system.

Perhaps it is related to the final point you made pertaining to a "single non working entry". I'll investigate.

v/r

Casey

JON PRYOR May 05, 2017 at 06:31 PM

1. The connector packages can help and it's a pretty good starting point. There's an initial load job that you can copy and then configure/test as you please to fit your needs.

2. These may help depending on how far along you are with development and what's all configured/set-up for provisioning access. These are helpful when updating MXREF/MXMEMBER attributes.

BYPASS_VALIDATE_TASK=1 can be utilized to bypass approvals as part of the initial set-up or mass loads.

DIRECT_REFERENCE=1 can be utilized to make the assignment/removal within IdM, but not to the back-end system.

There are several others that can be found in the SAP documentation, but this is a good start. We have found it's better to load user information separately from assignments. For user information you will have one record to load, whereas user assignments can be many. For performance reasons, we split them up into separate jobs when doing mass changes outside of the initial set-up of a repository utilizing the connector initial load job.

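An added example, not from the thread or from SAP: a pre-load check that splits one combined file into user records and assignment records, as the answers recommend, and reports the conditions raised above (roles not yet loaded, roles carrying no privileges, and rows that use the approval-bypass or direct-reference flags). The file layout, the role and privilege names, the `KNOWN_ROLES` lookup and the way flags are embedded in a value are all assumptions made for the sample.

```python
import csv
import io

# Constructed sample: one row per user, roles separated by "|" (assumed layout).
COMBINED = """MSKEYVALUE;MX_LASTNAME;ROLES
TRAIN001;Lopez;ROLE:SRM_BUYER|ROLE:SRM_VIEWER
TRAIN002;Okoro;{BYPASS_VALIDATE_TASK=1}ROLE:SRM_BUYER
TRAIN003;Ward;ROLE:UNKNOWN
TRAIN001;Lopez;ROLE:SRM_VIEWER
"""
# Constructed stand-in for roles already in the Identity Store and the
# privileges each one carries (an empty list means nothing to provision).
KNOWN_ROLES = {"ROLE:SRM_BUYER": ["PRIV:ABAP1:Z_BUYER"], "ROLE:SRM_VIEWER": []}
# Flag strings as quoted in the thread; matched as plain substrings.
FLAGS = ("BYPASS_VALIDATE_TASK=1", "DIRECT_REFERENCE=1")


def split_load(text, known_roles):
    """Return (users, assignments, findings) for a combined load file."""
    users, assignments, findings = {}, [], []
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    for line_no, row in enumerate(reader, start=2):
        key = row["MSKEYVALUE"].strip()
        if not key:
            findings.append((line_no, "missing MSKEYVALUE"))
            continue
        # One attribute record per user, however many rows mention them.
        users.setdefault(key, {"MSKEYVALUE": key, "MX_LASTNAME": row["MX_LASTNAME"]})
        for raw in filter(None, row["ROLES"].split("|")):
            # Assumed sample syntax: flags sit in {...} before the role name.
            role = raw.rsplit("}", 1)[-1].strip()
            for flag in FLAGS:
                if flag in raw:
                    findings.append((line_no, f"{key}: {flag} on {role}"))
            if role not in known_roles:
                findings.append((line_no, f"{key}: unknown role {role}"))
                continue
            if not known_roles[role]:
                findings.append((line_no, f"{key}: {role} has no privileges"))
            if (key, raw) not in assignments:
                assignments.append((key, raw))
    return list(users.values()), assignments, findings


if __name__ == "__main__":
    users, assignments, findings = split_load(COMBINED, KNOWN_ROLES)
    print(len(users), "users;", len(assignments), "assignments")
    for line_no, message in findings:
        print(f"line {line_no}: {message}")
```

The two returned lists map to the two separate load files; reviewing the findings before the assignment job runs keeps any approval bypass in a mass load a deliberate decision.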