
IdM 7.2 - prevent mass operation

Hello together,

we have scheduled daily jobs to synchronize our IdM data with the satellite systems. It is possible that a lot of data will be modified through these jobs. Therefore we want to build a functionality which checks how much data will be changed.

For example:

One pass creates a table "A" with all roles/profile from ABAP system.
Another pass creates a table "B" with all roles/profiles from this ABAP system stored in IdM.
The third task compares table "A" with table "B" and synchronizes the data.

At the moment we have two scripts configured in the third task:

Initialization script: define global var counter
Entry script: check counter and stop job if the counter has a specific value; otherwise counter ++

Is it possible to check how much data will be changed through a pass? Something like a count of rows/entries of the SQL statement in the source tab.

How do you protect your landscape/system against undesired mass operations?

Thanks in advance



1 Answer

  • Dec 14, 2016 at 08:25 PM

    Hello Michael,

    that should be possible. I don't think the B pass is needed, I'd replace the table select by a larger query in the C pass or something like that. If you don't have too many users the performance in the end should be quite good.

    I did something similar without a counter. I set up a reprovisioning of not changed extensionAttributes in the AD compared to the IdM values every hour. If I'd wanted to use a counter I would do some precheck with a count(*) in the query I use. I guess giving an example is better than blank theory. Add with (nolock) when you have an MSSQL, Oracle syntax may be a bit different though (been almost two years since I last did something in an Oracle system...):

    Example for changes on firstname. I assume MSKEYVALUE = logonuid. If not, you would have to add a join which then compares ACCOUNT<repName> and logonuid. Hm, might be useful anyway, or joining on the system priv or something.

    select count(*) from (
    select e.mcmskey, e.mcmskeyvalue,
    (select avalue from idmv_value_ext where mskey = mcmskey and attrname = 'MX_FIRSTNAME') firstnameIdM,
    (select firstname from sap<repName>user where logonuid = mcmskeyvalue) firstnameSAP  
    from idmv_entry_simple e where mcEntryType = 'MX_PERSON'
    ) allrows
    where not firstnameSAP = firstnameIdM

    Should be quite fast. Do this for all wanted attributes. Sum them up either via SQL (it has to be some union stuff, but I would have to google it, too) or, more simply, inside the init script of the last pass.

    Maybe you can even set up an SQL function which contains that code and takes attrname and table name as value. The column name has to be given, too. Does it work? I don't know by hand, but somehow it should be possible. A function saves no execution time whatsoever, but increases the code's readability to the max. I did this e.g. for switch tasks, which not only reduced each of the queries in length, but also unified the queries for 150+ tasks (a no to the query builder!).

    I actually neither have a real prevention of mass changes, nor do I want this. Sometimes I even trigger mass changes like correcting telephone numbers, locking of users or other stuff. The only thing I do is delaying some actions by 5 minutes per 50 entries. I even have a calculation script which does this :)

    Using the Delta mechanism? I say no thanks.

    Best regards
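
The precheck described in the answer, carried through for several attributes and summed with UNION ALL, as an added example (not code from the thread or from SAP). It runs against constructed SQLite stand-ins for `idmv_entry_simple`, `idmv_value_ext` and the repository table (`sapREPuser`, a placeholder for `sap<repName>user`); the attribute-to-column mapping, the function names and the limit are assumptions.

```python
import sqlite3

# Assumed mapping: IdM attribute name -> column in the repository user table.
ATTR_TO_COLUMN = {"MX_FIRSTNAME": "firstname", "MX_LASTNAME": "lastname"}
REPO_TABLE = "sapREPuser"  # constructed stand-in for sap<repName>user

def build_precheck_sql(attr_to_column, repo_table):
    """One count(*) per attribute (the thread's query), summed via UNION ALL."""
    parts = []
    for column in attr_to_column.values():
        # Table and column names cannot be bound as parameters, so only
        # plain identifiers are allowed into the statement text.
        if not (column.isidentifier() and repo_table.isidentifier()):
            raise ValueError("unexpected identifier")
        parts.append(
            "select count(*) as n from ("
            " select (select avalue from idmv_value_ext"
            "          where mskey = e.mcmskey and attrname = ?) idm,"
            f"        (select {column} from {repo_table}"
            "          where logonuid = e.mcmskeyvalue) sap"
            " from idmv_entry_simple e where e.mcEntryType = 'MX_PERSON'"
            ") r where not sap = idm")
    return "select sum(n) from (" + " union all ".join(parts) + ") t"

def pending_changes(conn):
    """Number of attribute values the sync pass would overwrite."""
    sql = build_precheck_sql(ATTR_TO_COLUMN, REPO_TABLE)
    return conn.execute(sql, list(ATTR_TO_COLUMN)).fetchone()[0]

def sync_allowed(conn, limit):
    """Gate for the sync pass: refuse to run above the agreed change limit."""
    return pending_changes(conn) <= limit

def constructed_db():
    """In-memory sample data (constructed, not from a real IdM system)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      create table idmv_entry_simple (mcmskey integer, mcmskeyvalue text, mcEntryType text);
      create table idmv_value_ext (mskey integer, attrname text, avalue text);
      create table sapREPuser (logonuid text, firstname text, lastname text);
      insert into idmv_entry_simple values
        (1,'ALICE','MX_PERSON'), (2,'BOB','MX_PERSON'), (3,'GRP','MX_GROUP');
      insert into idmv_value_ext values
        (1,'MX_FIRSTNAME','Alice'), (1,'MX_LASTNAME','Smith'),
        (2,'MX_FIRSTNAME','Bob'),   (2,'MX_LASTNAME','Jones');
      insert into sapREPuser values
        ('ALICE','Alicia','Smith'), ('BOB','Robert','Johnson');
    """)
    return conn
```

As in the original query, rows where either side is NULL are not counted, so entries missing in one system need a separate check.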

