
SAP IDM 8.0.5 : AUTOASSIGN of business roles is not working with DYN groups

Hello experts,

I'm on the following platform:

- SAP IDM 8.0.5 SL3

- MS SQL 2012

- MS Windows 2012 R2

- RT Engine 8.0.5 too

For some time I've been working on a manual migration of an IDM 7.1 system to this platform.

From the previous system, we want to keep the segregation of access on the Web UI using dynamic groups and attendant business roles.

For cosmetic reasons, we use an intermediate attribute on MX_PERSON named POM_ACCESS_GROUPS which serves to resolve the Dynamic group name.

Here is our process (from 7.1):

- We assign 'aaaaaaaa' to POM_ACCESS_GROUPS on an MX_PERSON

- Our script resolves 'aaaaaaaa' to 'ABCDEFG' (dynamic group) by uIS_ResolveDynamicGroup (stored procedure: mxi_Get_Rule_Members)

- The MX_PERSON is added to the Dyn group 'ABCDEFG'

- The POM_ACCESS_GROUPS is updated as well on the user with 'aaaaaaaa' value

- We have the corresponding roles 'R' with MX_ROLE_AUTOASSIGN_TO = 'ABCDEFG'

In the end, the user does not get the role 'R' and so cannot access the Web UI.

I reverse-engineered nearly all the SQL requests and nothing seems wrong.

What has been changed from 7.1 to 8 that may need to be added for this process to work again?

Thanks for your help


4 Answers

  • Best Answer
    Oct 06, 2017 at 12:46 PM

    Hello all,

    This issue has been solved, at last.

    The main Business Role wasn't clean (it was linked to a repository for example). We dropped it, recreated it and the IDM triggers do the job wonderfully afterwards.

    Thanks for your help.


  • Sep 11, 2017 at 04:20 PM

    Hello Benoit,

    Please check my blog on dynamic group in SAP IDM 8.0 and compare with your configuration. Hope it will help to find the issue and fix it.

    Regards,

    C Kumar


    • Hello kumar,

      Thanks for your blog, quite useful and well done. Just 1 typo here in the script name (Z_Resolve... Z-Calculate...) from your screenshots and your text. Nothing huge, as you can see.

      My issue is not that the users are not added to the Dynamic Group, this is working just fine.

      It's just that each one of them must get a BUSINESS ROLE from being added to the DYN GRP, which is not working, even with the 'MX_ROLE_AUTOASSIGN_TO' set to the DYN GROUP name (MSKEYVALUE) in the BUSINESS ROLE attributes.

      I'm still trying to figure out why.

      [edit] I followed your process and, in fact, it works and shows me that the error isn't in the dynamic group resolution but in the AUTOASSIGN of the BR to the DG members.

  • Sep 11, 2017 at 03:46 AM

    Hi Benoit,

    I implemented the dynamic group for a customer using a very similar configuration, and it works. The customer was using IDM 8.0 sp4.

    I feel that you did nothing wrong, and there should not be any change of the dynamic group concept in 8.05. I guess you should check if all the housekeeping activities are working properly or not.

    Cheers

    Chenyang


  • Sep 14, 2017 at 04:03 PM

    Hi experts,

    Exploring the IDM schema in depth, I followed the link here:

    https://help.sap.com/doc/b4c9306d80a3471aa0ae48511e725b43/8.0/en-US/5a62edd3332f4462bcddc3cc396051dc.html

    It says that:

    ..."Whenever a dynamic group is resolved (when the filter determining its members is resolved), the MXREF_MX_DYNAMIC_GROUP attribute is set on all the group members."

    But, when I check this attribute in my DB :

    select searchvalue from idmv_value_ext_active where attrname='MXREF_MX_DYNAMIC_GROUP'

    ... Nothing is returned.

    So, for some still obscure reason, the MXREF_MX_DYNAMIC_GROUP is not updated after the Dyn Groups are resolved.
