Re-provision privileges with OK status

Jan 26 at 05:59 AM


Hi experts,

I would like to know the best practice on re-provision user access to a specific repository for all existing users.

A connected SAP system might be refreshed, and all users and their roles are lost during this process. But the privileges are still in OK status in IdM. What's the best way to re-provision their access?

Thanks,

Chenyang


2 Answers

Best Answer
Steffi Warnecke
Feb 01 at 10:21 AM

Hello Chenyang,

I see 2 different tasks here:

  • create the accounts

  • provision the currently assigned privileges to the backend

The first one is the tricky one, because for IDM they are already created, so you can't use the normal workflow to create them again. I would create a job (with the repository attached) where you search for all users with an account in that refreshed backend system (should be easy to get that user pool) and in the destination tab use the same information you find in your "CreateABAPUser" pass from the create-workflow. Since you only need IDM to create the accounts in the backend and not perform all IDM-related tasks, this should do it.

For the second task: we have created a dummy SAP role in most of our SAP systems. Of course IDM knows this as a privilege. The advantage, when provisioning to an ABAP system: ALL current privileges are provisioned down to the backend. So if you add one privilege in IDM to a user (or a whole lot of users), then IDM will take all of their privileges and push them into the backend system, deleting every SAP role that is assigned there currently. This way you have the same set of SAP roles for the users in IDM and the SAP backend.

We even created a job for this, where this dummy privilege can be assigned to all users who have an account in the repository you start the job with. The privilege will be assigned with the "valid from" and "valid to" date of the current day, so it will be automatically revoked the next day.

Maybe this could be a way to go for you, too. :)


Regards,

Steffi.

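To make the two tasks in the answer above concrete, here is an added example that is not part of the thread and does not use SAP IdM's own API: a plain Node.js simulation of the reconciliation. It takes a constructed in-memory view of the IdM privilege assignments (only OK-status role privileges for the refreshed repository count), compares it with a constructed view of the backend after the refresh, and splits the work into task 1 (accounts to recreate) and task 2 (the role set to push, with full-push semantics replacing whatever stale roles survived the refresh). It also builds the dummy trigger privilege with "valid from" and "valid to" set to the same day. The privilege naming pattern PRIV:ROLE:<repository>:<role>, the repository name, user ids, roles and the date are all assumptions for the sample; nothing here calls uProvision or any other IdM internal function.

```javascript
"use strict";

// Constructed sample data (not from the thread, not SAP IdM's API).
// Privilege names are assumed to follow PRIV:ROLE:<repository>:<role>.
const REPO = "ABAP_DEV";

// IdM view: what the identity store believes is assigned, with its status.
const idmAssignments = [
  { mskey: 1001, userId: "JDOE",   privilege: "PRIV:ROLE:ABAP_DEV:Z_FI_DISPLAY", status: "OK" },
  { mskey: 1001, userId: "JDOE",   privilege: "PRIV:ROLE:ABAP_DEV:Z_MM_BUYER",   status: "OK" },
  { mskey: 1002, userId: "ASMITH", privilege: "PRIV:ROLE:ABAP_DEV:Z_FI_DISPLAY", status: "OK" },
  { mskey: 1003, userId: "BLEE",   privilege: "PRIV:ROLE:ABAP_DEV:Z_HR_ADMIN",   status: "FAILED" },
  { mskey: 1004, userId: "CWONG",  privilege: "PRIV:ROLE:OTHER_SYS:Z_BASIS",     status: "OK" },
];

// Backend view after the refresh: JDOE's account survived with a stale role,
// ASMITH's account is gone entirely.
const backendAfterRefresh = {
  JDOE: ["Z_OLD_ROLE"],
};

// Split an assumed PRIV:ROLE:<repo>:<role> name; null for anything else.
function parsePrivilege(name) {
  const parts = name.split(":");
  if (parts.length !== 4 || parts[0] !== "PRIV" || parts[1] !== "ROLE") return null;
  return { repo: parts[2], role: parts[3] };
}

// Desired per-user role set for one repository. Only OK-status role
// privileges of that repository are considered; FAILED ones and other
// repositories are ignored.
function desiredState(assignments, repo) {
  const desired = {};
  for (const a of assignments) {
    if (a.status !== "OK") continue;
    const p = parsePrivilege(a.privilege);
    if (!p || p.repo !== repo) continue;
    if (!desired[a.userId]) desired[a.userId] = { mskey: a.mskey, roles: [] };
    if (!desired[a.userId].roles.includes(p.role)) desired[a.userId].roles.push(p.role);
  }
  return desired;
}

// Task 1: accounts missing in the backend must be recreated.
// Task 2: the full IdM role set is pushed and replaces the backend list,
// so any role not known to IdM (e.g. a leftover after the refresh) is removed.
function planReconciliation(desired, backend) {
  const plan = { createAccounts: [], pushRoles: {}, staleRolesRemoved: {} };
  for (const userId of Object.keys(desired).sort()) {
    const current = backend[userId];
    if (!current) plan.createAccounts.push(userId);
    const wanted = desired[userId].roles.slice().sort();
    plan.pushRoles[userId] = wanted;
    plan.staleRolesRemoved[userId] = (current || []).filter((r) => !wanted.includes(r));
  }
  return plan;
}

// The dummy trigger privilege: valid from and valid to are the same day
// (ISO date string), so it is revoked again the next day.
function dummyTriggerAssignment(mskey, repo, isoDay) {
  return { mskey, privilege: "PRIV:ROLE:" + repo + ":Z_IDM_DUMMY", validFrom: isoDay, validTo: isoDay };
}

// Lexicographic comparison works for ISO yyyy-mm-dd strings.
function isActiveOn(assignment, isoDay) {
  return assignment.validFrom <= isoDay && isoDay <= assignment.validTo;
}

// Run the simulation on the constructed data (the date is a placeholder).
const plan = planReconciliation(desiredState(idmAssignments, REPO), backendAfterRefresh);
console.log(JSON.stringify(plan, null, 2));
console.log(JSON.stringify(dummyTriggerAssignment(1001, REPO, "2024-01-26")));
```

Running it prints a plan that recreates only ASMITH's account, pushes JDOE's two OK-status roles while listing Z_OLD_ROLE as removed by the full push, and leaves BLEE (FAILED) and CWONG (other repository) untouched; testing on one user first, as suggested elsewhere in this thread, is a matter of filtering `idmAssignments` before calling `desiredState`.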

Thank you Steffi for your solution.

I understand task 2. If the target is a Business Suite ABAP system, it automatically creates the user account as well as refreshing the role assignment. Everything is done in one step. However, we are using a standalone ABAP system.

For task 1, I understand you want to create a job to manually create the user accounts. It could be a tedious job to do all the attribute mapping manually, I believe. If that's the way, I can also add the role assignment to the same job. I think it is better to combine the two tasks into one job. Next time all you need to do is execute one job and let IdM do the job for you.

Thanks again,

Chenyang


Hello Chenyang,

For task 2: It's two steps/workflows for us, too. That's why I wrote about two tasks to perform: creation of accounts first and then assignment of privileges after that with a second job.

For task 1: It's not really manual mapping. You can just copy & paste the destination info of the "create abap user" pass already used in your normal ABAP account creation workflow. ;)

And I would definitely separate the two jobs. But that's your choice. I just shared how we do it. :)

Regards,

Steffi.

C Kumar Jan 26 at 07:47 AM

Hello Chenyang,

In this case, you need to manually call the create user and Assign membership task for the particular repository for the required users.

Before calling the task for all users, please test it with one user first, and if everything is fine then proceed for all users. Please mention the SAP IDM version for a more helpful answer, as there is a slight difference between IDM 7.2 and 8.0.

Note - Based on my experience, I will suggest calling these 2 tasks/plugins during non-business hours.

Regards,

C Kumar


Hi C Kumar,

I tried your approach before posting. It doesn't work. It gives a warning something like "the user creation is already in progress", and then it stops successfully. But it doesn't touch the backend record. I also tried manually marking the assignment as failed and using the function retryPrivilegeAdd, which also does not work.

Thanks,

Chenyang


Hello Chenyang,

Strange! It always worked for me.

For more insight into the issue could you please post the job logs when you manually call the create user and Assign membership task.

Regards,

C Kumar


Hi C Kumar,

You can try this function on a user and an account privilege with OK status. You will see the error, I believe.

uProvision(Int MSKey, Int TaskID, Int RefAudit, Int Repository, String UserID, Int Delay[, Int Standalone]);

Thanks,

Chenyang


Hello Chenyang,

I asked for the error log because I have used the uProvision internal function to call the PlugIns task manually several times for such cases, and it always worked for me.

Regards,

C Kumar
