
Re-provision privileges with OK status

Hi experts,

I would like to know the best practice on re-provision user access to a specific repository for all existing users.

A SAP connected system might be refreshed and all users and their roles are lost during this process. But the privileges are in OK status in IdM. What's the best way to re-provision their access?

Thanks,

Chenyang


2 Answers

  • Best Answer
    Feb 01 at 10:21 AM

    Hello Chenyang,

    I see 2 different tasks here:

    • create the accounts

    • provision the currently assigned privileges to the backend


    The first one is the tricky one, because for IDM they are already created so you can't use the normal workflow to create them again. I would create a job (with the repository attached) where you search for all users with an account in that refreshed backend system (should be easy to get that user pool) and in the destination tab use the same information you find in your "CreateABAPUser" pass from the create-workflow. Since you only need IDM to create the accounts in the backend and not perform all IDM-related tasks, this should do it.


    For the second task: we have created a dummy SAP role in most of our SAP systems. Of course IDM knows this as a privilege. The advantage, when provisioning to an ABAP system: ALL current privileges are provisioned down to the backend. So if you add one privilege in IDM to a user (or a whole lot of users), then IDM will take all of their privileges and push them into the backend system, deleting every SAP role that is assigned there currently. This way you have the same set of SAP roles for the users in IDM and the SAP backend.

    We even created a job for this, where this dummy privilege can be assigned to all users who have an account in the repository you start the job with. The privilege will be assigned with the "valid from" and "valid to" date of the current day, so it will be automatically revoked the next day.

    Maybe this could be a way to go for you, too. :)


    Regards,

    Steffi.


    • Hello Chenyang,

      For task 2: It's two steps/workflows for us, too. That's why I wrote about two tasks to perform: creation of accounts first and then assignment of privileges after that with a second job.

      For task 1: It's not really manual mapping. You can just copy&paste the destination info of the "create abap user" pass already used in your normal abap account creation workflow. ;)


      And I would definitely separate the two jobs. But that's your choice. I just shared how we do it. :)


      Regards,

      Steffi.
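    A dry run of the dummy-privilege approach from Steffi's answer, added here as an illustration and not code from the thread or from SAP IdM: for each user with an account in the refreshed repository it lists which roles the full push would add, which backend-only roles it would delete (the part worth checking before the job runs), and the one-day validity of the dummy assignment. Repository, privilege and user names are constructed, and the privilege-to-role naming convention is an assumption.

```javascript
// Added example, not code from the thread or from SAP IdM: a dry run of the
// "dummy privilege" full push. Names below are constructed placeholders.
const REPOSITORY = "ABC_100";
const DUMMY_PRIVILEGE = "PRIV:" + REPOSITORY + ":Z_IDM_DUMMY";

// Constructed: privileges in OK status in IdM, per user with an account in REPOSITORY.
const idmPrivileges = {
  jdoe:   ["PRIV:ABC_100:Z_FI_DISPLAY", "PRIV:ABC_100:Z_MM_BUYER"],
  asmith: ["PRIV:ABC_100:Z_FI_DISPLAY"],
  bwong:  [],
};
// Constructed: roles currently in the refreshed backend. Mostly empty after the
// refresh; asmith has a role granted directly in SAP that IdM does not know about.
const backendRoles = {
  jdoe:   [],
  asmith: ["Z_FI_DISPLAY", "Z_LOCAL_ADMIN"],
  bwong:  [],
};

// Assumed naming convention: the SAP role name is the last segment of the privilege name.
function roleFromPrivilege(priv) { return priv.split(":").pop(); }

// For each user, compute what pushing ALL IdM privileges would change in the backend.
// The dummy privilege is dated valid-from = valid-to = today so IdM revokes it tomorrow.
function planReprovision(idm, backend, today) {
  return Object.keys(idm).map(function (user) {
    const want = new Set(idm[user].map(roleFromPrivilege));
    const have = new Set(backend[user] || []);
    const toAdd = Array.from(want).filter(function (r) { return !have.has(r); });
    const toRemove = Array.from(have).filter(function (r) { return !want.has(r); });
    return {
      user: user,
      toAdd: toAdd,
      toRemove: toRemove,            // backend-only roles the push would delete
      review: toRemove.length > 0,   // check these before running the job
      dummy: { privilege: DUMMY_PRIVILEGE, validFrom: today, validTo: today },
    };
  });
}

// Users whose backend roles would be removed; review them before the full push.
function usersNeedingReview(plan) {
  return plan.filter(function (p) { return p.review; }).map(function (p) { return p.user; });
}

const today = new Date().toISOString().slice(0, 10);
const plan = planReprovision(idmPrivileges, backendRoles, today);
console.log(JSON.stringify(plan, null, 2));
console.log("review before push:", usersNeedingReview(plan));
```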

  • Jan 26 at 07:47 AM

    Hello Chenyang,

    In this case, you need to manually call the Create User and Assign Membership tasks for the particular repository for the required users.

    Before calling the task for all users, please test it with one user first, and if everything is fine, then proceed for all users. Please mention the SAP IDM version for a more helpful answer, as there is a slight difference between IDM 7.2 and 8.0.

    Note - Based on my experience, I would suggest calling these 2 tasks/plugins during non-business hours.

    Regards,

    C Kumar


    • C Kumar Chenyang Xiong

      Hello Chenyang,

      I asked for the error log as I used the uProvision internal function to call the PlugIns task several times manually for such cases and it always worked for me.

      Regards,

      C Kumar