
SAP IdM 7.2 SP9 - role assignment/removal issue in ABAP system

Hi experts..... my client is using SAP IdM 7.2 SP9, SQL DB.

I have an issue where when a business role is assigned with a future valid from date in IdM it does the assignment in IdM but does not make the assignment in the backend ABAP system.

When the business role assignment has a valid to date defined, the role assignment is removed in IdM when the date passes but the privilege does not get removed in the backend ABAP system.

Please could you let me know how to investigate this and fix.

Thanks

Ranjit


3 Answers

  • Feb 09 at 04:42 AM

    Hi Ranjit,

    1) I have an issue where when a business role is assigned with a future valid from date in IdM it does the assignment in IdM but does not make the assignment in the back-end ABAP system.

    If any privilege is assigned to a user with a future validity date, then IdM would provision the respective privilege to the backend system once it reaches the valid from date. Usually this setting is maintained at the repository level - go to repositories -> event tasks tab and check the execute list under the respective member event tasks.

    For more information kindly check the below links

    https://help.sap.com/viewer/4773a9ae1296411a9d5c24873a8d418c/8.0/en-US/8ced739a6a3e4f6b9dd9017ebaa4756e.html

    https://help.sap.com/viewer/4773a9ae1296411a9d5c24873a8d418c/8.0/en-US/790b46587d3c498bb33a265a5950edaf.html

    2) When the business role assignment has a valid to date defined, the role assignment is removed in IdM when the date passes but the privilege does not get removed in the backend ABAP system.

    Check if there are any orphan privileges assigned to the user by using the below query:

    Select * from idmv_link_ext2 with (nolock) where mcthismskey = <give user mskey without angular brackets> and mcorphan = 1.

    If this query returns any results, then compare the privileges returned in the mcOthermskeyvalue column with the roles still not removed from the backend system. If they match, please check the below post on how to clean up the orphan assignments.

    https://answers.sap.com/questions/388185/orphaned-privilege-removal-in-sap-idm-7280.html?childToView=387568#answer-387568

    Regards,

    Deva
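
The two symptoms discussed in this thread (a role still present in the backend after its valid to date, and a role missing after its valid from date) can be surfaced by comparing the IdM validity windows with a snapshot of backend assignments. The following is an added example, not part of the original posts and not SAP IdM code; the data layout, user IDs, role names and finding labels are assumptions, and both inputs are constructed samples standing in for exports from IdM and the ABAP system.

```python
from datetime import date

# Constructed sample data: users, roles and dates are made up for illustration.
# Each IdM row is (user, role, valid_from, valid_to); valid_to=None is open-ended.
IDM_ASSIGNMENTS = [
    ("JDOE", "Z_FI_CLERK", date(2024, 1, 10), date(2024, 2, 1)),
    ("JDOE", "Z_HR_VIEW", date(2024, 2, 1), None),
    ("ASMITH", "Z_MM_BUYER", date(2024, 2, 5), date(2024, 3, 1)),
    ("ASMITH", "Z_SD_SALES", date(2024, 4, 1), date(2024, 5, 1)),
]
# Snapshot of (user, role) pairs currently assigned in the backend (constructed).
BACKEND_ROLES = {
    ("JDOE", "Z_FI_CLERK"),   # still present although the IdM window has ended
    ("JDOE", "Z_HR_VIEW"),
    ("BLEE", "Z_BASIS_ADM"),  # no matching IdM assignment at all
}

def is_active(valid_from, valid_to, today):
    """Assumption: both validity dates are inclusive."""
    return valid_from <= today and (valid_to is None or today <= valid_to)

def reconcile(idm_rows, backend_pairs, today):
    """Return sorted (finding, user, role) tuples for every mismatch."""
    windows = {}
    for user, role, valid_from, valid_to in idm_rows:
        windows.setdefault((user, role), []).append((valid_from, valid_to))
    # A pair is expected in the backend if any of its windows covers today.
    expected = {pair for pair, wins in windows.items()
                if any(is_active(vf, vt, today) for vf, vt in wins)}
    findings = []
    for pair in backend_pairs - expected:
        if pair not in windows:
            kind = "UNMANAGED_IN_BACKEND"
        elif all(vt is not None and vt < today for _, vt in windows[pair]):
            kind = "EXPIRED_NOT_REMOVED"
        else:
            kind = "PRESENT_BEFORE_VALID_FROM"
        findings.append((kind, *pair))
    for pair in expected - backend_pairs:
        findings.append(("ACTIVE_NOT_PROVISIONED", *pair))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(IDM_ASSIGNMENTS, BACKEND_ROLES, date(2024, 2, 10)):
        print(*finding)
```

Running the comparison on a schedule and alerting on `EXPIRED_NOT_REMOVED` gives a record of which assignments outlived their end date, which helps when the failure is intermittent.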


  • Feb 25 at 07:59 PM

    Hi All.... just an update, I restarted the dispatchers and have completed a test. It seems to be doing the assignments and removals as expected. I will need to complete a few more tests to confirm that this is working as expected. Will let you know how I get on in the next few days.

    Thanks

    Ranjit


  • Feb 13 at 02:11 AM

    Hi Deva

    Thanks for your response and apologies for my late response. I checked the repository and these are the member event tasks defined. Question is, do I need to add validate tasks to resolve the issue I'm facing? Customer is not using GRC and there is no approval required for role/priv assignments and removals.

    I also checked the query you provided to check for orphan privileges and found none.

    Please advise

    Ranjit


    • Hi Steffi .... Sorry for my delayed response as I was running some more tests. It is inconsistent, one test I did with future dated role assignments worked as expected i.e. assigned and got de-assigned at the expected times. But the same test for another future date for the same role assigned at the right time but did not get removed when the assignment ended. The assignment in IdM works correctly, it's just in the backend SAP system the role assignments & removals don't work most of the time for future dated assignments when they have start and end dates defined.

      To answer your questions, it can't be a timezone issue as all systems are in the NZ time zone.

      I think I have answered your other question as well above.

      Is there anything else that I can check? I have already started the below at the dispatcher level.