Skip to Content
0
Jul 18, 2018 at 02:37 PM

system specific attribute handling vs. system privilege

134 Views

Hi all,
could someone plz explain the correct handling of system specifi attributes in IDM?
In our demo system I have imported the RDS package which allows system specific attributes (e.g. for validity) beside the global attribute. The system specific attributes are also assigned to the PRIV:SYSTEM:repo privilege.

Now, there's the ModifyUser plugin to handle the changes for the connected backend. There I have to steps, the regular ToSAP pass (in which already the value e.g. for validity is set based on the system specific value) and a second ToIdentityStore pass which sets the system specific attributes with respect to the global attribute, e.g.

SAPC_IDEN_REP_VALIDTO_%$rep.$NAME% = $FUNCTION.sapc_checkGlobalAttributeValue(VALIDTO!!%SAPC_IDEN_REP_VALIDTO_%$rep.$NAME%%!!%MX_VALIDTO%)$$

I do not understand this... when the system specific attribute is changed via job or UI task, the provision is handled via the system privilege. Doesn't the assignment trigger the provision again that should lead to infinite loops? We had a similar problem in another system where the SAP support advised either to deactivate the system specific handling pass or to deactivate the system specific attributes in the system privilege...

So, why's that setting delivered by default in the RDS package? I don't get the point...

Regards, Richard