
Identity Management 8 (SP5): User on ABAP deleted while still roles left.

Hey community,

I have two quick questions. Hope you are able to help.

I'm running the latest SP5 for IDM 8.

Issue 1: I have a user that is assigned to two (context-enabled) business roles targeting the same ABAP-system. Both business roles have the master privileges in them (PRIV:XXXXX:ONLY).

Once one(!) business role runs out of validity, the IDM system deletes the ABAP user (runs deprovision) and leaves the identity with a valid role in the store without ever touching it. Seems like IDM is ignoring the role that is still there. Now IDM and ABAP systems are inconsistent.

Issue 2: This might be connected to issue 1. When I assign business roles using context, the provisioned ABAP roles do not have the correct validity assigned to them. In ABAP, every role is from 1900 -> 9999. Is that an ongoing issue? I do not have this issue when I provision without context. (Also, is there no standard modify event task delivered for when I modify a role's validity? IDM does trigger provisioning when I do that and there is no task to choose from.)

Help is much appreciated. If you need more specific information I'll gladly provide it.

Tobi


2 Answers

  • Aug 14, 2017 at 12:46 PM

    Hi Tobias,

    For the second issue, please check the AssignAllABAPPrivileges task under the ABAP connector package and check the script linked to the setABAPRoleforuser pass. In that, please check whether a true value is being passed as a parameter for that script.

    In the script sap_abap_getNameOfAssignedPendingPrivileges, check how dates are being calculated under the if (addValidityProperty) loop.

    If the below is maintained, then please convert it

    var validfrom = columnArray[1];

    var validto = columnArray[2];

    convert to

    var validfrom = columnArray[1].substring(0, 4) + "-" + columnArray[1].substring(5, 7) + "-" + columnArray[1].substring(8, 10);

    var validto = columnArray[2].substring(0, 4) + "-" + columnArray[2].substring(5, 7) + "-" + columnArray[2].substring(8, 10);

    Regards,

    Deva
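
A defensive variant of the conversion in the answer above, as an added example that is not part of the original thread or of SAP's delivered script: it checks each validity value before slicing it, so a malformed or empty column is rejected instead of being passed on as a date string. The function names and sample rows are hypothetical, and the fixed-offset date layout is an assumption taken from the substring() calls.

```javascript
// Added example, not SAP's delivered script. Assumption: each validity column
// holds year, month and day at offsets 0-4, 5-7 and 8-10, as the substring()
// calls in the answer imply, optionally followed by a time part.

// Returns "YYYY-MM-DD", or null when the value cannot be a calendar date.
function normalizeValidityDate(raw) {
  if (typeof raw !== "string" || raw.length < 10) {
    return null; // plain substring() would yield fragments such as "--"
  }
  var year = raw.substring(0, 4);
  var month = raw.substring(5, 7);
  var day = raw.substring(8, 10);
  if (!/^\d{4}$/.test(year) || !/^\d{2}$/.test(month) || !/^\d{2}$/.test(day)) {
    return null;
  }
  // Round-trip through Date to reject impossible dates such as 2017-02-30.
  var y = Number(year), m = Number(month), d = Number(day);
  var probe = new Date(Date.UTC(y, m - 1, d));
  if (probe.getUTCFullYear() !== y || probe.getUTCMonth() !== m - 1 ||
      probe.getUTCDate() !== d) {
    return null;
  }
  return year + "-" + month + "-" + day;
}

// Normalizes both columns of one row. Returns null if either date is bad or
// the window is inverted, so the caller can skip setting a validity at all.
function normalizeValidityWindow(columnArray) {
  var validfrom = normalizeValidityDate(columnArray[1]);
  var validto = normalizeValidityDate(columnArray[2]);
  if (validfrom === null || validto === null || validfrom > validto) {
    return null;
  }
  return { validfrom: validfrom, validto: validto };
}

// Constructed sample rows (hypothetical privilege names and dates).
var rows = [
  ["PRIV:EXAMPLE:ROLE:A", "2017-08-14 00:00:00", "2018-08-13 00:00:00"],
  ["PRIV:EXAMPLE:ROLE:B", "2017.08.14", "9999.12.31"],
  ["PRIV:EXAMPLE:ROLE:C", "", "2018-08-13"],
  ["PRIV:EXAMPLE:ROLE:D", "2017-02-30", "2018-08-13"]
];
rows.forEach(function (row) {
  console.log(row[0], JSON.stringify(normalizeValidityWindow(row)));
});
```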


  • Sep 20 at 04:35 PM

    Hi Tobias,

    I'm dealing with the same issue as you described in your issue number 1. Did you find a solution for this?

    Best Regards,

    Felix


    • Hi Felix,

      I wouldn't include the Master Privilege within the business roles, instead having it assigned to the user separately via a No Master Process.

      Regards,
      Adam