
sap identity management Remove Business Role when Dynamic Group is removed

gowri_rabendran
Explorer
0 Kudos

Hi All,

I am wondering if there is a way to remove business roles when the linked dynamic group is removed manually or via a task?

I have tried to remove dynamic groups directly off the user record, but it does not trigger any reconciliation to remove the business roles it is linked to. I cannot modify the DG's filter, as we are trying to modify the assignments during provisioning, where we have users moving job contract types and therefore certain linked accounts are moved across.

Has anyone found a way to trigger assignment provisioning or deprovisioning without needing to run the uIS_ResolveDynamicGroup function, as I don't want it processing it for all the 1000's of users during a provisioning task?

Accepted Solutions (1)

5302925
Explorer
0 Kudos

Hi Gowri,

Maybe you need uResolveDGMembership function.

You can find more information here

Regards,

Kaloyan

gowri_rabendran
Explorer
0 Kudos

Thanks Kaloyan, this is exactly what I was after.

Answers (2)

former_member431321
Participant
0 Kudos

Hi Gowri,

The DG membership is not updated automatically and you have to update the membership.

And the uIS_ResolveDynamicGroup is the function for this job.

To prevent your performance issue, I would suggest making one task that only updates a single or few Dynamic Groups involved.

Below is what I use.

You can modify the SQL query in the source tab of the pass below.

In my example, I only update the Dynamic Groups which start with "DG:HR:".

#1. job for DG update

#2. pass in the job

#3. source tab of the pass

#4. destination tab of the pass

#5. the script.

I hope it helps.

dongsu

gowri_rabendran
Explorer
0 Kudos

Thanks Dongsu, however I wanted a solution which I could implement as part of a provisioning process for individual users to remove their membership. The uResolveDGMembership function does this for me.

alexanderbrietz
Active Contributor
0 Kudos

Hi Gowri,

AFAIK DGs are assigned and unassigned by SQL statement. So a user is either an element of the result of the query or not. According to that, the assigned roles or privileges of the DG are assigned or unassigned to the user. That's what you use the recalculate DG for.

Maybe I did not understand your problem description...

Regards,

Alex

gowri_rabendran
Explorer
0 Kudos

Hi Alex,

The problem I have is that when a person goes from an external user to permanent, we transfer all accounts linked over to the new identity store record. I want to understand if there is a way I can trigger role removal when we remove the user from the DG without needing to run the Resolve Dynamic function, as that re-evaluates it for the full list, and I can't do that as part of a provisioning task as that would have a performance impact.

alexanderbrietz
Active Contributor
0 Kudos

I don't see a decent way to do that.

As a workaround you could get the roles for that user and trigger the unassign membership tasks of the according backend system using uProvision.