on 01-26-2018 5:59 AM
Hi experts,
I would like to know the best practice on re-provision user access to a specific repository for all existing users.
A SAP connected system might be refreshed and all users and their roles are lost during this process. But the privileges are in OK status in IdM. What's the best way to re-provision their access?
Thanks,
Chenyang
Hello Chenyang,
I see 2 different tasks here:
The first one is the tricky one, because for IDM they are already created, so you can't use the normal workflow to create them again. I would create a job (with the repository attached) where you search for all users with an account in that refreshed backend system (should be easy to get that user pool) and in the destination tab use the same information you find in your "CreateABAPUser" pass from the create-workflow. Since you only need IDM to create the accounts in the backend and not perform all IDM-related tasks, this should do it.
For the second task: we have created a dummy SAP role in most of our SAP systems. Of course IDM knows this as a privilege. The advantage, when provisioning to an ABAP system: ALL current privileges are provisioned down to the backend. So if you add one privilege in IDM to a user (or a whole lot of users), then IDM will take all of their privileges and push them into the backend system, deleting every SAP role that is assigned there currently. This way you have the same set of SAP roles for the users in IDM and the SAP backend.
We even created a job for this, where this dummy privilege can be assigned to all users who have an account in the repository you start the job with. The privilege will be assigned with the "valid from" and "valid to" date of the current day, so it will be automatically revoked the next day.
Maybe this could be a way to go for you, too. 🙂
Regards,
Steffi.
Thank you Steffi for your solution.
I understand task 2. If the target is a Business Suite ABAP system, it automatically creates the user account as well as refreshes the role assignment. Everything is done in one step. However, we are using a standalone ABAP system.
For task 1, I understand you want to create a job to manually create the user accounts. It could be a tedious job to do all the attribute mapping manually, I believe. If that's the way, I can also add the role assignment to the same job. I think it is better to combine the two tasks into one job. Next time all you need to do is execute one job and let IdM do the job for you.
Thanks again,
Chenyang
Hello Chenyang,
For task 2: It's two steps/workflows for us, too. That's why I wrote about two tasks to perform: creation of accounts first and then assignment of privileges after that with a second job.
For task 1: It's not really manual mapping. You can just copy&paste the destination info of the "create abap user" pass already used in your normal abap account creation workflow. 😉
And I would definitely separate the two jobs. But that's your choice. I just shared how we do it. 🙂
Regards,
Steffi.
Hello Chenyang,
In this case, you need to manually call the create user and Assign membership task for the particular repository for the required users.
Before starting to call the task for all users, please test it with one user first, and if everything is fine then proceed for all users. Please mention the SAP IDM version for a more helpful answer, as there is a slight difference between IDM 7.2 and 8.0.
Note - Based on my experience, I will suggest calling these 2 tasks/plugins during non-business hours.
Regards,
C Kumar
Hi C Kumar,
I tried your approach before posting. It doesn't work. It gives a warning something like "the user creation is already in progress", and then it stops successfully. But it doesn't touch the backend record. I also tried to manually mark the assignment as failed and use the function retryPrivilegeAdd, which also does not work.
Thanks,
Chenyang