One of the benefits of SAP NetWeaver IDM is how it embraces not only SAP Systems, but other systems that can be found in the typical enterprise IT department. In a previous post, I described how one can use the embedded IDM scripting functions to search for an entry in the LDAP. However there is more that you can do with LDAP besides searching. Probably one of the LDAP functions I use the most is called modRDN (Some detailed definitions and examples can be found here and here). In a nutshell, executing a modRDN operation allows for changes to be made in the Relative Domain Name. This is always a unique value in the DIT structure; and usually one that changes during the Stages of Identity. These changes usually take one of two forms which I have specified below:
It’s not too hard to see why this would be an important operation during IDM related operations. People change names with some frequency and will change departments, locations and other defining components with greater frequency. So let’s take a moment and describe how this happens in IDM:
This screenshot comes from the IDM Job Wizard, which can be accessed after creating a new active task under any workflow task node (New->Job Wizard->Identity Center->Jobs->Active Directory->Modify RDN Active Directory.
You’ll notice that this is a pretty generic setup as with most of the included IDM templates. Before using the modRDN enabled task for the first time, make sure you set the correct repository (It is supposed to be set during the Wizard, but did not for me in a To LDAP pass using SAP IDM 7.2, SP4) and that your starting point is correct as the Wizard takes a slight Active Directory bias by defaulting to cn=users.
Then all that needs to be done is setting up for your use case, name change or organizational change. Let’s take a look at the name change scenario setup:
So what do we have?
This brings up a couple of other points that we should make about the modRDN function as it pertains to the Directory Service and to SAP IDM in general. First off, this process will not change the MSKEYVALUE or any other IDM attribute in your Identity Store. If you want that done, it will have to happen in subsequent passes / tasks. Nor will this process change other Directory Service attributes such as the Active Directory sAMAccountName. If there is a need to change the MSKEYVALUE, information can be found here; similarly if the sAMAccountName needs to be changed, that information can be found here. Also it’s a good idea to make sure that you update your IDM attribute that holds the dn with the new value (ACCOUNT$rep.$NAME).
Now if you need to make an organizational change, it would look like this:
Everything is pretty much the same here except for the newsuperior value which now reflects Will Riker’s transfer. Incidentally, I guess standards are different on the new ship since he also has a changed cn as well. This also shows that we can change multiple parts of the RDN in the same modRDN operation.
I hope that during this article I’ve been able to shed a little light on some things that you can do with your IDM and a connected Directory Service.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
11 | |
9 | |
7 | |
6 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 |