on 09-07-2017 3:01 PM
Hello experts,
I'm on the following platform :
- SAP IDM 8.0.5 SL3
- MS SQL 2012
- MS Windows 2012 R2
- RT Engine 8.0.5 too
For some time I've been working on a migration (manual) of an IDM 7.1 system to this platform.
From the previous system, we want to keep the segregation of access on the Web UI using dynamic groups and attendant business roles.
For cosmetic reasons, we use an intermediate attribute on MX_PERSON named POM_ACCESS_GROUPS which serves to resolve the Dynamic group name.
Here is our process (from 7.1) :
- We assign 'aaaaaaaa' to POM_ACCESS_GROUPS on an MX_PERSON
- Our script resolves 'aaaaaaaa' to 'ABCDEFG' (dynamic group) by uIS_ResolveDynamicGroup (stored procedure : mxi_Get_Rule_Members )
- The MX_PERSON is added to the Dyn group 'ABCDEFG'
- The POM_ACCESS_GROUPS is updated as well on the user with 'aaaaaaaa' value
- We have the corresponding roles 'R' with MX_ROLE_AUTOASSIGN_TO = 'ABCDEFG'
In the end, the user does not get the role 'R' and so cannot access the Web UI.
I reverse-engineered nearly all the SQL requests and nothing seems wrong.
What has been changed from 7.1 to 8 that may need to be added for this process to work again?
Thanks for your help
Hello all,
This issue has been solved, at last.
The main Business Role wasn't clean (it was linked to a repository for example). We dropped it, recreated it and the IDM triggers do the job wonderfully afterwards.
Thanks for your help.
Hello Benoit,
Please check my blog on dynamic group in SAP IDM 8.0 and compare with your configuration. Hope it will help to find the issue and fix it.
Regards,
C Kumar
Hello kumar,
Thanks for your blog, quite useful and well done. Just 1 typo here, in the script name (Z_Resolve... Z-Calculate...) from your screenshots and your text. Nothing huge, as you can see.
My issue is not that the users are not added to the Dynamic Group, this is working just fine.
It's just that each one of them must get a BUSINESS ROLE from being added to the DYN GRP, which is not working, even with the 'MX_ROLE_AUTOASSIGN_TO' set to the DYN GROUP name (MSKEYVALUE) in the BUSINESS ROLE attributes.
I'm still trying to figure out why.
[edit] I followed your process and in fact it works, and it shows me that the error isn't in the dynamic group resolution but in the AUTOASSIGN of the BR to the DG members.
Hi experts,
Exploring the IDM schema in depth, I followed the link here :
It is said that :
..."Whenever a dynamic group is resolved (when the filter determining its members is resolved), the MXREF_MX_DYNAMIC_GROUP attribute is set on all the group members."
But, when I check this attribute in my DB :
select searchvalue from idmv_value_ext_active where attrname='MXREF_MX_DYNAMIC_GROUP'
... Nothing is returned.
So, for some still obscure reason, the MXREF_MX_DYNAMIC_GROUP is not updated after the Dyn Groups are resolved.
Hello,
thanks for your hint.
I made this request (to provide MSKEY from my dynamic group) to see the role and the MXREF_ attributes :
select mcUniqueID as UnID,mcLinkState as LkS,mcLinkType as LkT,mcOtherMSKEYVALUE as OValue,mcOtherEntryType as OEnTy,mcDirty as Dirt,mcAttrName as Attrname,mcThisOcName as AttrTy,mcThisMSKEYVALUE as MSKEYVALUE
from idmv_link_ext
where mcOtherMSKEY in (select mcMSKEY from idmv_entry_simple where mcEntryType='MX_DYNAMIC_GROUP')
And it returns this :
UnID | LkS | LkT | OValue | OEnTy | Dirt | Attrname | AttrTy | MSKEYVALUE |
---|---|---|---|---|---|---|---|---|
18254 | 0 | 0 | POM_GROUP_CONSULTATION | 16 | 0 | MX_ROLE_AUTOASSIGN_TO | MX_ROLE | ROLE:SAP_IDM:CONSULTATION |
And for a user it looks like this :
UnID | LkS | LkT | OValue | OEnTy | Dirt | Attrname | AttrTy | MSKEYVALUE |
---|---|---|---|---|---|---|---|---|
18714 | 0 | 2 | POM_GROUP_ADMIN_SITE | 16 | 0 | MXREF_MX_DYNAMIC_GROUP | MX_PERSON | tdungrp123 |
So all seems to be fine. The roles are linked to the BR and the MXREF_MX_DYNAMIC_GROUP is provisioned for each user with the correct Dyn group...
I hope my OSS message will get an answer because all seems fine but nothing works.
So you are saying the user - role mapping can be found in this table, but the roles are not assigned to the backend? Did you check the role assignment status, are they pending for the master privileges?
Hi Benoit,
I implemented the dynamic group for a customer using a very similar configuration, and it works. The customer was using IDM 8.0 sp4.
I feel that you did nothing wrong, and there should not be any change of the dynamic group concept in 8.05. I guess you should check if all the housekeeping activities are working properly or not.
Cheers
Chenyang