
Remove directly assigned privileges whenever user attributes like cost center and position change?

Apr 10 at 12:09 PM


Dear Experts,

Currently, roles are being assigned to users via dynamic groups, and DGs have been created on filters like cost center, employee type and position. Whenever any of these attributes changes, the previous roles are removed and new roles are assigned. During the initial load, a few privileges are assigned to users as direct assignments, and IdM business roles are assigned via dynamic groups.

Issue: Now, whenever a user's position or cost center changes, roles are removed by recalculating dynamic groups once a day, but how can the directly assigned privileges be removed, rather than by a manual clean-up?

Available solutions:

Solution 1:

Create a process and link it as a modify event to the cost center and position attributes, which calculates the directly assigned privileges and removes them. If I link the same process as an event task for the position and cost center attributes, and both attributes get modified, then the same task would be triggered twice.

Is there any possibility to trigger this task once?


Solution 2:

Mass clean-up of the directly assigned privileges, which is going to consume a lot of time, and the customer doesn't want this solution as there would be a delay in creating the roles.


If there is any other solution, please do let me know.

Thanks in advance


Regards,

Deva


Hello Deva,

are those directly assigned privileges always the same for all the users? A specific set of privileges, or can they vary (one user gets those 10, another gets those 4)?


Regards,

Steffi.


Hi Steffi,

It varies from user to user

Regards,

Deva


3 Answers

Steffi Warnecke
Apr 11 at 07:55 AM

Hello Deva,

normally costcenter and position are linked as far as I know, aren't they?

I think position would be the content that is changed more often. So maybe just link the delete task to the position attribute and after that trigger another task that calculates the new direct assignments? You just remove all direct assignments and after that assign them again on the basis of the new costcenter/position.


Regards,

Steffi.

Matt Pollicove
Apr 10 at 12:50 PM

Option 1 makes the most sense to me, Deva. I prefer that model to Dynamic Groups. I don't care for DGs and the performance hits that they create.


Yes Matt, but I am just thinking that the same task would be run twice if cost center and position are both changed at once.

Thomas Golaszewski 6 days ago

A third option would be a maintenance job that is triggered periodically (every hour/day...).

There you could check, for example, the modifytime of both user attributes (costcenter/position) and react to it by deprovisioning the directly assigned privileges. Checking the old values would also be possible.

This solution has the disadvantage that deprovisioning the directly assigned privileges would not trigger live, as is done with event tasks.

I was once searching for the same solution you need at the moment: an individual configuration of the event tasks.

Event tasks are really a great tool, but you have to use them carefully, otherwise your job log could explode in the future because every attribute modification triggers a process. Like a domino effect, one trigger will trigger another one. We had this case once.

If there is a possibility to configure event tasks more specifically, I would be very interested in it.

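As an added illustration (not part of any post above, and not SAP IdM code), the periodic check from the third answer can be sketched in plain JavaScript; it also shows why a user whose cost center and position both changed is cleaned up only once per run. The record shapes, field names and privilege names are assumptions constructed for the example.

```javascript
// Added example: plain JavaScript, not SAP IdM API calls.
// All records below are constructed; field and privilege names are assumptions.
const WATCHED = new Set(["costcenter", "position"]);
const LAST_RUN = "2024-04-10T00:00:00Z"; // constructed timestamp of the previous job run

const changes = [
  { user: "U1001", attr: "costcenter", oldValue: "CC10", newValue: "CC20", modifiedAt: "2024-04-10T08:00:00Z" },
  { user: "U1001", attr: "position", oldValue: "P-7", newValue: "P-9", modifiedAt: "2024-04-10T08:00:05Z" },
  { user: "U1002", attr: "position", oldValue: "P-3", newValue: "P-3", modifiedAt: "2024-04-10T09:00:00Z" },
  { user: "U1003", attr: "costcenter", oldValue: "CC10", newValue: "CC30", modifiedAt: "2024-04-09T07:00:00Z" },
  { user: "U1004", attr: "telephone", oldValue: "111", newValue: "222", modifiedAt: "2024-04-10T10:00:00Z" },
];

const links = [
  { user: "U1001", privilege: "PRIV:SAP:FI_DISPLAY", direct: true },
  { user: "U1001", privilege: "PRIV:AD:FINANCE_SHARE", direct: true },
  { user: "U1001", privilege: "PRIV:AD:ALL_STAFF", direct: false }, // inherited via a role
  { user: "U1002", privilege: "PRIV:AD:HR_SHARE", direct: true },
  { user: "U1003", privilege: "PRIV:AD:FINANCE_SHARE", direct: true },
];

// Users whose watched attribute really changed since the last run, each listed once.
function usersToCleanUp(changeLog, lastRunIso) {
  const lastRun = Date.parse(lastRunIso);
  const users = new Set(); // the Set collapses "costcenter + position" into one entry
  for (const c of changeLog) {
    if (!WATCHED.has(c.attr)) continue;                 // unrelated attribute
    if (Date.parse(c.modifiedAt) <= lastRun) continue;  // handled by an earlier run
    if (c.oldValue === c.newValue) continue;            // touched, but value unchanged
    users.add(c.user);
  }
  return [...users].sort();
}

// For each such user, list only the direct assignments; inherited ones are left
// to the role / dynamic group recalculation.
function planRemovals(changeLog, assignments, lastRunIso) {
  const plan = {};
  for (const user of usersToCleanUp(changeLog, lastRunIso)) {
    plan[user] = assignments
      .filter((a) => a.user === user && a.direct)
      .map((a) => a.privilege)
      .sort();
  }
  return plan;
}

console.log(planRemovals(changes, links, LAST_RUN));
```
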