
SAP IDM 7.2 multiple accounts

May 05, 2017 at 02:36 PM


Hello!

We are running SAP IDM 7.2 SP10 and have a conceptual question.

For the SAP application I understand we have the MX_PERSON and we assign some business role which grants the priv:only:XXXX which creates the account in the backend and some other privileges which grant roles in the backend. There is no concept of multiple accounts.

For other non-SAP applications, I have the requirement:

1) I can have one, two, three.. accounts on the same system with a different login

2) One identity (MX_PERSON) per user

How can I manage the creation through SAP IDM? Has someone already faced this conceptual issue?

Thanks


2 Answers

Best Answer
Dominik Trui May 07, 2017 at 11:34 AM
1

Hello Nicolas,

Yes, that's possible. It also depends on whether you can import all accounts at once or each account individually, with the latter also having two different variations.

First option would be to use several repositories. So each repository would handle one account. Then you would have to maintain only the assignment of the Only privs. All repositories can use the same hook tasks then.

If you don't want to use more than one repository, you would have to do it like this. All below variations have in common that you use more ACCOUNT attributes which have the repository name in them but some suffix, too. E.g. I have ACCOUNTXYZ_P10, ACCOUNTXYZ_P20, ACCOUNTXYZ_P30 for a purchase ordering system which then has three backends in the SAP system. An employee can have users in all of them.

This uses only one Only / System priv.

On to the variations:

All accounts at once:

For each ACCOUNT attribute I just add a line to the file. SQL-based ones work similarly, just add more rows. Actually I calculate the SQL insert / update queries in the Source tab and use only something like %SQL_QUERY_1% in the destination tab for some other 3rd party system. Other connection types should work similarly.

Each account individually, fixed maximum number of accounts:

If you have a maximum number of possible accounts, you could just set up the hook tasks with conditional tasks and then the create / modify / delete tasks linked below.

I do this e.g. for the password setting of the users which are in both AD domains.

Each account individually, variable maximum number of accounts:

I would only use a ToGeneric in the hook tasks and not link the tasks which create / update the users. Then execute them several times. TBH I haven't done this so far. You would have to note somewhere on the person which account to create / add and then re-call the same task after one account is done. Be careful, this could end in an infinite loop if not done correctly.

I'd actually try to use the variation above and expand it if needed. Could be messy though.

Best regards

Dominik

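Added example, not part of the answer above and not SAP IDM code: a sketch of the single-repository "all accounts at once" variation, turning each ACCOUNT<repository>_<suffix> attribute into one SQL statement with quoted values and a fixed upper bound on the number of accounts. The person entry as a plain object, the table `app_accounts`, its columns, the allowlist patterns and the `maxAccounts` cap are assumptions for illustration.

```javascript
// Added example: names marked "hypothetical" are not defined by SAP IDM or the thread.
const SUFFIX_RE = /^[A-Z0-9]{1,10}$/;       // e.g. P10, P20, P30 (assumed format)
const LOGIN_RE = /^[A-Za-z0-9._-]{1,40}$/;  // allowlist for login names (assumption)

// Quote a value as a SQL string literal by doubling single quotes.
function sqlLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Collect ACCOUNT<repository>_<suffix> attributes from a person entry (plain object).
function collectAccounts(person, repository) {
  const prefix = "ACCOUNT" + repository + "_";
  const accounts = [];
  for (const name of Object.keys(person).sort()) {
    if (!name.startsWith(prefix)) continue;  // other repositories are ignored
    const suffix = name.slice(prefix.length);
    const login = person[name];
    if (!SUFFIX_RE.test(suffix)) throw new Error("bad suffix in " + name);
    if (!LOGIN_RE.test(login)) throw new Error("bad login in " + name);
    accounts.push({ suffix, login });
  }
  return accounts;
}

// Build one statement per account; table and columns are hypothetical.
// The cap keeps a mis-maintained entry from producing an unbounded batch.
function buildStatements(person, repository, maxAccounts) {
  const accounts = collectAccounts(person, repository);
  if (accounts.length > maxAccounts) {
    throw new Error("too many accounts: " + accounts.length);
  }
  return accounts.map(a =>
    "INSERT INTO app_accounts (person_id, backend, login) VALUES (" +
    [person.MSKEYVALUE, a.suffix, a.login].map(sqlLiteral).join(", ") + ")");
}

// Constructed sample entry (not real data).
const samplePerson = {
  MSKEYVALUE: "O'NEIL01",
  ACCOUNTXYZ_P10: "noneil",
  ACCOUNTXYZ_P20: "noneil.adm",
  ACCOUNTABC_P10: "other",
};
console.log(buildStatements(samplePerson, "XYZ", 3).join("\n"));
```
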
Nicolas NAPOLEONI May 18, 2017 at 07:42 PM
0

Hello Dominik,

Sorry for the late reply, thanks for your help, I'll try with this.
