IDM role provisioning through TO CUSTOM pass

Mar 04 at 06:34 PM

Hello All,

Please let me know if there is a way to provision roles through IDM to users in ABAP using a To Custom pass without touching the identity store. We have tried it, but this removes the existing roles and assigns only the roles which were passed.

We want to add these roles along with the existing roles which were already present. Please let me know if anyone has answers for this.

Regards

Vinay

Hello Vinay,

Why would you want to bypass the identity store? That would mean you have a different set of roles assigned in IDM and in the backend. If you provision this user again to the backend, only the current set of roles assigned in IDM will be written to the backend and all other roles will be deleted anyway. Or aren't you using IDM for this backend at all?

I'm a bit confused.

Regards,

Steffi.

Hello Steffi,

Actually, in our landscape the identity store is not configured properly. We were assigning roles bypassing the identity store, and the roles of the ABAP system are not in sync with IDM. Hence we wanted to know if there is any way of assigning roles bypassing the identity store.

If the above is not possible, can you suggest any links for a fresh identity store configuration for user creation, deletion and role assignment, so that we can perform a new configuration of the identity store?

Regards

Vinay

Vinay Sathyanarayana Murthy

Hello Vinay,

If the IDM is not configured properly, I guess you need to start fresh. So just follow the standard documentation for the implementation. At the moment you are not really using IDM for what it is meant for, so you make your lives a lot harder and more complicated.

Regards,

Steffi.

Vinay, I have to agree with Steffi. One of the central purposes of IDM is SAP Role Management. You are losing all of the benefits of IDM this way.

If your organization has an incomplete role model, then it makes sense to begin or finish that effort before loading things into IDM.

Matt


1 Answer

Deva Prakash B Mar 05 at 11:29 AM

Hi Vinay,

Did you create a non-provisioning job and try to push roles to the backend SAP system? If yes, then pass the values as below in the roles attribute.

Attribute   Value
logonuid    %BNAME%
roles       role1|role2|role3

Example:

  • User has 2 privileges assigned in IDM (PRIV:ROLE:REP1:ROLE_A, PRIV:ROLE:REP1:ROLE_B) and the same roles in the SAP system (ROLE_A, ROLE_B are assigned in the SAP system).
  • Need to assign ROLE_C to the user directly in the SAP system, but via IDM.

Now if you want to assign an additional role to the user in the SAP system via IDM without using the IDM provisioning framework (the privilege is not assigned in IDM but directly in the SAP system; this is not best practice, always ensure the role assignments are in sync between IDM and the target system), then pass the roles as below in the non-provisioning job.

Attribute    Value
logonuid     %BNAME% (I hope you are retrieving this value from a table using an SQL query in the source tab)
changetype   modify
roles        ROLE_A|ROLE_B|ROLE_C

Regards,

Deva
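
The overwrite behaviour discussed in this thread, as an added example that is not part of any post and is not SAP IDM code: because the pass replaces the backend role list, the `roles` value has to carry every role to keep plus the new one, and each role pushed this way shows up as drift against the IDM privileges. The function names and sample data are hypothetical; only the `PRIV:ROLE:REP1:ROLE_A` naming and the `|` delimiter come from the answer above.

```javascript
// Added example: plain JavaScript helpers with hypothetical names, no SAP IDM API calls.

// Parse a privilege name of the form PRIV:ROLE:<repository>:<role>, as quoted in the answer.
function parsePrivilege(name) {
  const parts = name.split(":");
  if (parts.length < 4 || parts[0] !== "PRIV" || parts[1] !== "ROLE") return null;
  return { repository: parts[2], role: parts.slice(3).join(":") };
}

// The pass overwrites the backend role list, so the value must contain the
// roles the user already has in the backend plus the roles being added.
function buildRolesValue(backendRoles, rolesToAdd) {
  const seen = new Set();
  const merged = [];
  for (const raw of [...backendRoles, ...rolesToAdd]) {
    const role = raw.trim();
    if (role === "") continue;
    if (role.includes("|")) throw new Error("role name contains the delimiter: " + role);
    if (!seen.has(role)) {
      seen.add(role);
      merged.push(role);
    }
  }
  return merged.join("|");
}

// Compare IDM privileges with backend roles for one repository and report
// assignments that exist on only one side (the out-of-sync state the answer warns about).
function roleDrift(idmPrivileges, backendRoles, repository) {
  const idmRoles = new Set(
    idmPrivileges.map(parsePrivilege)
      .filter((p) => p !== null && p.repository === repository)
      .map((p) => p.role)
  );
  const backend = new Set(backendRoles);
  return {
    onlyInBackend: [...backend].filter((r) => !idmRoles.has(r)).sort(),
    onlyInIdm: [...idmRoles].filter((r) => !backend.has(r)).sort(),
  };
}

// Constructed sample data mirroring the answer's example.
const idmPrivs = ["PRIV:ROLE:REP1:ROLE_A", "PRIV:ROLE:REP1:ROLE_B"];
const backendBefore = ["ROLE_A", "ROLE_B"];
const rolesValue = buildRolesValue(backendBefore, ["ROLE_C"]);
const driftAfter = roleDrift(idmPrivs, rolesValue.split("|"), "REP1");
console.log(rolesValue);                 // value for the roles attribute
console.log(JSON.stringify(driftAfter)); // what a reconciliation report would flag
```

Running the drift check after each such job gives a list of roles that a later regular IDM provisioning run would remove again, as described in the first reply.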
