Skip to Content
Sep 07, 2017 at 02:01 PM

SAP IDM 8.0.5 : AUTOASSIGN of business roles is not working with DYN groups


Hello experts,

I'm on the following platform :

- SAP IDM 8.0.5 SL3

- MS SQL 2012

- MS Windows 2012 R2

- RT Engine 8.0.5 too

For some time I'm working on a migration (manual) of an IDM 7.1 system to this platform.

From the previous system, we want to keep the segregation of access on the Web UI using dynamic groups and attenant business roles.

For cosmetic reason, we usee and intermediate attribute on MX_PERSON named POM_ACCESS_GROUPS which serves to resolve the Dynamic group name.

Here is our process (from 7.1) :

- We affect 'aaaaaaaa' to POM_ACCESS_GROUPS to an MX_PERSON

- Our script resolves 'aaaaaaaa' to 'ABCDEFG' (dynamic group) by uIS_ResolveDynamicGroup (stored procedure : mxi_Get_Rule_Members )

- The MX_PERSON is added to the Dyn group 'ABCDEFG'

- The POM_ACCESS_GROUPS is updated as well on the user with 'aaaaaaaa' value

- We have the corresponding roles 'R' with MX_ROLE_AUTOASSIGN_TO = 'ABCDEFG'

In the end, the user do not get the role 'R' and so cannot access the Web UI

I retro-engineered nearly all the SQL requests and nothing seems wrong.

What have been changed from 7.1 to 8 that may need to be added for this process to work again ?

Thanks for your help