Former Member

NW IDM Role based Provisioning to AD

Hi there!

I'm seeing an interesting issue occurring with IDM SP2 (6753-SQL-04.2008) on a SQL Server 2000 (SP) database. (Schema update: 198)

I have a job feeding new entries to the Identity Store database. The To IdentityStore pass works perfectly except for role assignment.

I pass the MSKEY of the Role using the MXREF_MX_ROLE attribute which has a privilege attached to a provisioning task that creates the user in AD. When the job is run, the users are created in the Identity Store, but not in AD. The task creating the AD user is never called and there is no entry in the job log.

I know that the AD task is ok since I disabled the MXREF_MX_ROLE attribute and attached the provisioning task to the entry type (MX_PERSON) which worked fine.

Is there something I'm missing in attaching the privilege to the role? Or could this be a bug?

Thanks,

Matt


2 Answers

  • Best Answer
    Former Member
    Oct 10, 2008 at 07:22 AM

    Hi Matt,

    1. Have you configured the constants MX_PROVISIONTASK etc. for your AD repository? You can set up your scenario like in the document about the SAP Provisioning Framework.

    2. For what entry / attribute exactly have you set the Provisioningtask, which isn't called? Try to call it from MXREF_MX_ROLE if you haven't done this already.

    3. Your created entries in the ToIdentityStore pass - are they persons or privileges?

    4. If you assign roles to privileges: Have you assigned the roles also to persons so that the privileges can be provisioned based on the provisiontask of your repository?

    5. Can you see in the monitoring component that your assignments between your entry types are correct? E.g. Priv -> Roles via MXREF_MX_ROLE. Roles -> Priv via MXMEMBER_MX_PRIVILEGE.

    Best regards,

    Nils


    • Former Member Former Member

      Thomas,

      Yes, the auto attribute is populated.

      I can see that possible solution as working. Not sure why, but it certainly feels right. I'll let you know what happens.

  • Former Member
    Oct 13, 2008 at 01:47 PM

    Nils,

    Checked those out, thanks.


    • Former Member Former Member

      I did eventually get this working, but I actually don't recall how I fixed it. I know I tweaked something in the relationship between the role and the privilege, but I do not recall what...