
SAP IDM 8.0.5 : AUTOASSIGN of business roles is not working with DYN groups

Sep 07, 2017 at 02:01 PM



Hello experts,

I'm on the following platform :

- SAP IDM 8.0.5 SL3

- MS SQL 2012

- MS Windows 2012 R2

- RT Engine 8.0.5 too

For some time I have been working on a (manual) migration of an IDM 7.1 system to this platform.

From the previous system, we want to keep the segregation of access on the Web UI using dynamic groups and attendant business roles.

For cosmetic reasons, we use an intermediate attribute on MX_PERSON named POM_ACCESS_GROUPS which serves to resolve the dynamic group name.

Here is our process (from 7.1) :

- We assign 'aaaaaaaa' to POM_ACCESS_GROUPS on an MX_PERSON

- Our script resolves 'aaaaaaaa' to 'ABCDEFG' (dynamic group) by uIS_ResolveDynamicGroup (stored procedure : mxi_Get_Rule_Members )

- The MX_PERSON is added to the Dyn group 'ABCDEFG'

- The POM_ACCESS_GROUPS is updated as well on the user with 'aaaaaaaa' value

- We have the corresponding roles 'R' with MX_ROLE_AUTOASSIGN_TO = 'ABCDEFG'

In the end, the user does not get the role 'R' and so cannot access the Web UI.

I reverse-engineered nearly all the SQL requests and nothing seems wrong.

What has been changed from 7.1 to 8 that may need to be added for this process to work again?

Thanks for your help


4 Answers

Best Answer
Benoit Cappez Oct 06, 2017 at 12:46 PM

Hello all,

This issue has been solved, at last.

The main Business Role wasn't clean (it was linked to a repository for example). We dropped it, recreated it and the IDM triggers do the job wonderfully afterwards.

Thanks for your help.

C Kumar Sep 11, 2017 at 04:20 PM

Hello Benoit,

Please check my blog on dynamic group in SAP IDM 8.0 and compare with your configuration. Hope it will help to find the issue and fix it.


C Kumar


Hello kumar,

Thanks for your blog, quite useful and well done. Just 1 typo here is the script name (Z_Resolve... Z-Calculate...) from your screenshots and your text. Nothing huge, as you can see.

My issue is not that the users are not added to the Dynamic Group, this is working just fine.

It's just that each one of them must get a BUSINESS ROLE from being added to the DYN GRP, which is not working, even with the 'MX_ROLE_AUTOASSIGN_TO' set to the DYN GROUP name (MSKEYVALUE) in the BUSINESS ROLE attributes.

I'm still trying to figure out why.

[edit] I followed your process and in fact it works, and it shows me that the error isn't in the dynamic group resolution but in the AUTOASSIGN of the BR to the DG members.

Chenyang Xiong Sep 11, 2017 at 03:46 AM

Hi Benoit,

I implemented the dynamic group for a customer using a very similar configuration, and it works. The customer was using IDM 8.0 sp4.

I feel that you did nothing wrong, and there should not be any change of the dynamic group concept in 8.05. I guess you should check if all the housekeeping activities are working properly or not.




Hello Chenyang,

Seems like you're right. I'll check further on because the configuration I set up is fairly standard. Thank you for your advice.


Benoit Cappez Sep 14, 2017 at 04:03 PM

Hi experts,

Exploring in depth the IDM Schema, I follow the link here :

It is said that :

..."Whenever a dynamic group is resolved (when the filter determining its members is resolved), the MXREF_MX_DYNAMIC_GROUP attribute is set on all the group members."

But, when I check this attribute in my DB :

select searchvalue from idmv_value_ext_active where attrname='MXREF_MX_DYNAMIC_GROUP'

... Nothing is returned.

So, for some still obscure reason, the MXREF_MX_DYNAMIC_GROUP is not updated after the Dyn Groups are resolved.


hi Benoit,

you should check idmv_link_ext table because it is a link attribute.

select * from idmv_link_ext where mcThisMSKEYVALUE = 'aaaaaa' and mcOtherOcName = 'MX_DYNAMIC_GROUP'



thanks for your hint.

I made this request (to provide MSKEY from my dynamic group) to see the role and the MXREF_ attributes :

select mcUniqueID as UnID, mcLinkState as LkS, mcLinkType as LkT, mcOtherMSKEYVALUE as OValue, mcOtherEntryType as OEnTy, mcDirty as Dirt, mcAttrName as Attrname, mcThisOcName as AttrTy, mcThisMSKEYVALUE as MSKEYVALUE
from idmv_link_ext
where mcOtherMSKEY in (select mcMSKEY from idmv_entry_simple where mcEntryType='MX_DYNAMIC_GROUP')

And it returns this :

UnID LkS LkT OValue OEnTy Dirt Attrname AttrTy MSKEYVALUE


And for a user it looks like this :


So all seems to be fine. The roles are linked to the BR and the MXREF_MX_DYNAMIC_GROUP is provisioned for each user with the correct Dyn group...

I hope my OSS message will get an answer because all seems fine but nothing works.


So you are saying the user - role mapping can be found in this table, but the roles are not assigned to the backend? Did you check the role assignment status, are they pending for the master privileges?
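
A query for the check asked about in the last comment, added here as an example and not taken from the thread: for each member of the dynamic group it shows whether a link to the business role exists and in which link state. 'ABCDEFG' and 'R' are the placeholder names from the question; that role links appear in idmv_link_ext under the attribute name MXREF_MX_ROLE is an assumption, and the join on MSKEYVALUE assumes a single identity store.

```sql
-- Added example, not from the thread.
-- 'ABCDEFG' = dynamic group MSKEYVALUE, 'R' = business role MSKEYVALUE
-- (placeholders taken from the question).
-- Assumption: a person's role assignments are links with mcAttrName = 'MXREF_MX_ROLE'.
SELECT g.mcThisMSKEYVALUE AS person,
       g.mcLinkState      AS group_link_state,
       g.mcDirty          AS group_link_dirty,
       r.mcLinkState      AS role_link_state,
       r.mcLinkType       AS role_link_type,
       CASE WHEN r.mcUniqueID IS NULL
            THEN 'no role link'
            ELSE 'role link present'
       END                AS autoassign_result
FROM idmv_link_ext g
LEFT JOIN idmv_link_ext r
       ON r.mcThisMSKEYVALUE  = g.mcThisMSKEYVALUE
      AND r.mcAttrName        = 'MXREF_MX_ROLE'
      AND r.mcOtherMSKEYVALUE = 'R'
WHERE g.mcAttrName        = 'MXREF_MX_DYNAMIC_GROUP'
  AND g.mcOtherMSKEYVALUE = 'ABCDEFG'
ORDER BY autoassign_result, person;
```

Rows reporting 'no role link' are group members the auto-assignment never reached; rows with a role link carry the link state that the last comment asks about.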