Two validity ranges - race condition?

Hi experts,

in IdM 8 if a role is assigned to a user with two validity ranges that are next to each other, e.g.

01.01.2018 - 20.01.2018 and then

21.01.2018 - 28.01.2018

what happens is that at midnight on the 20.01.2018 the role will be removed and immediately after it, it will be assigned to the user again. Depending on the order in which the deprovisioning / provisioning tasks are triggered and executed, it can happen that first the new assignment gets provisioned to the backend system and a couple of seconds later comes the de-provisioning. This means that the employee in the end does not have the permissions in the backend, however IdM "thinks" everything is OK and shows the role in assigned state.

Any ideas how to solve this? I tried to change the validity range in the background by adding one hour to the "valid from" date to have it like: 21.01.2018 01:00:00 which would give the automatic process running at midnight one hour to finish with the deprovisioning, but IdM does not accept time in the validity range (only full days as far as I can see).

Thanks,

zkormany

2 Answers

  • Best Answer
    Dec 12, 2017 at 03:41 AM

    Hi,

    Date and time are supported.

    Please use the format like {A}{VALIDFROM=2018-01-01T01:00:00}<your privilege ID>


  • Dec 13, 2017 at 07:46 AM

    Hi Zoltan,

    Can you please specify your support pack and let me know whether you are using provisioning framework version 2?

    If you are using provisioning framework version 2, then just extend the validity end date or else you can update validity using {A}{linkid=<mcuniqueid from idmv_link_ext2>!!validfrom=new valid from date!!validto=new valid to date!!reason=provide reason}<privilege/role mskeyvalue>

    Regards,

    Deva
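
An added example, not part of the original thread and not SAP code: a pre-check that finds back-to-back full-day validity ranges for the same user and role (the case in the question) and computes the single extended range suggested in the second answer, so no removal and re-assignment are triggered at the same midnight. The tuple layout, user name and role names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: (user, role, valid_from, valid_to) with full-day
# ranges as described in the question. User and role names are hypothetical.
ASSIGNMENTS = [
    ("jdoe", "ROLE_FINANCE", date(2018, 1, 1), date(2018, 1, 20)),
    ("jdoe", "ROLE_FINANCE", date(2018, 1, 21), date(2018, 1, 28)),
    ("jdoe", "ROLE_HR", date(2018, 1, 1), date(2018, 1, 10)),
    ("jdoe", "ROLE_HR", date(2018, 1, 15), date(2018, 1, 20)),  # real gap, keep
]

ONE_DAY = timedelta(days=1)


def merge_back_to_back(assignments):
    """Consolidate ranges of the same user/role that touch or overlap.

    Returns (merged, handovers):
      merged    - consolidated (user, role, valid_from, valid_to) tuples
      handovers - (user, role, day) for each midnight at which the original
                  data would have caused a removal and a re-assignment of
                  the same role at the same time (the race in the question)
    """
    merged, handovers = [], []
    for user, role, start, end in sorted(assignments):
        last = merged[-1] if merged else None
        same_link = last is not None and last[:2] == (user, role)
        if same_link and start <= last[3] + ONE_DAY:
            if start == last[3] + ONE_DAY:
                handovers.append((user, role, start))
            # Extend the earlier range instead of keeping two assignments.
            merged[-1] = (user, role, last[2], max(last[3], end))
        else:
            merged.append((user, role, start, end))
    return merged, handovers


if __name__ == "__main__":
    merged, handovers = merge_back_to_back(ASSIGNMENTS)
    for user, role, day in handovers:
        print(f"race risk: {user} {role} removed and re-assigned at {day} 00:00")
    for user, role, start, end in merged:
        print(f"assign {role} to {user}: {start} .. {end}")
```

Ranges separated by a real gap, like the ROLE_HR pair above, are left as two assignments because the role is meant to be absent in between.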
