
How to modify an attribute value without any impact on other attributes reading and writing in IC from a source file?

Former Member
0 Kudos

Hello,

I am currently implementing SAP IDM 7.2 SP4 and in particular working on my provisioning processes.

My IDM datasource is a csv file in which are transcribed various users’ information both from HCM and other sources.

In addition, we created roles that are specified in the csv file to be assigned to the user. I am creating my jobs in order to read in this file and write the information in the Identity Center. In order to ensure that the role is replaced in the Identity Center and thus in the backends, I assigned a prefix {M} (I also tried with {E} and {R}) before the MXREF_MX_ROLE attribute value.

The objective is:

-     To be able to assign in the UI  additional roles in complement of the one assigned through my csv file

-     To delete all the assigned roles (including the ones added in UI) when the role is modified in the file

-     Not to perform any modification on roles when another attribute from the file is modified (MX_MAIL_PRIMARY for example)

As of today, the first 2 points are working but I face a problem with the last one. Indeed, when I modify the email address, it also modifies the MXREF_MX_ROLE attribute and removes all the roles added in the UI.

How can I manage to be able to only modify in the Identity Center the attribute modified in the source file?

Thank you in advance for your help.

Very best regards,

Estelle

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Estelle,

If you separate the role update out from the other attributes into a separate "to IDS" pass, and then put a delta on it, the roles will only be updated when the roles are changed.

Hope that helps?

Thanks,

Ian

Former Member
0 Kudos

Hello Ian,

Thank you for your answer.

Creating a new pass and a delta was also my first thought, which I hoped would solve the issue, but that created a new problem.

I created a new path in my job but then, after some tests, I observed that my job is only going through the first pass and not through the second.

Thus when I modified a role in my file, nothing happened as it is not launching the pass if the first pass “modify Identity Data” is not launched.

I tried to modify the order of passes but then role modifications are provisioned but not identity modifications.

The way I made things work is to separate not into different passes but into different jobs, and I now have to create an event so that the “role” job will start after the “identity” job.

However, I would prefer to use passes.

Have I missed something?

I am new to SAP IDM and thus really appreciate your help.

Thank you for your help.

Best regards,
Estelle

Former Member
0 Kudos

Hi,

Is there any way you can put in a screenshot of your 2 passes in the job and the job log? My guesses would be:

  1. Does the source on the Roles pass contain the correct SQL to find the data?
  2. Are you using a dot (.) on any of the passes for the roles or the other attributes?

Hope that helps?

Ian

Former Member
0 Kudos

Hello,

Please find attached screenshots of the passes I implemented.

I verified and there is no dot in any pass.

Thank you in advance for your help

Best regards,
Estelle



Former Member
0 Kudos

Hi,

Can you also post your job log when you try to execute the job which includes two passes?

Thanks.

Former Member
0 Kudos

Hello,

Thank you for your feedback.

Job logs do not report any errors, it appears to be working fine and even to identify new entries or modified entries:

But then it does not launch the job to implement those modifications in the Identity Center and thus in the SAP Backends.

Do you know what could be the issue?

In addition, I chose random names for my delta Identifiers and marked only “Skip unchanged entries”. Could it have an impact?

Thank you in advance for your help.

Very best regards,

Estelle

Former Member
0 Kudos

Hi,

The passes are running, but they don't have anything to process.  Your select statements in the source must be returning 0 entries.  Try running them against the database so you can determine how exactly you want to write them.  They seem more complicated than they need to be as well.

You might want to try putting a delta only on the "To IDStore" passes. And when you read in the files, write to a temporary table in the identity center database. Verify that the temp table is being written. Then for the write passes, do a very basic select statement out of the temp table, and let the delta handle if it should process it or not. Do it just like the import jobs are written.

Regards,

Chris

Former Member
0 Kudos

Hi,

It's quite hard to see from the screenshots, but the deltas in each pass must have a different name - is that the case?

Cheers,

Ian
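
A conceptual model of the approach suggested in the replies above (a separate role pass with its own, distinctly named delta), added here as an example; it is not SAP IDM code and does not come from any poster. The pass layout, delta names and sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import io

# Constructed sample data; column names are the attributes named in the thread.
RUN_1 = """MSKEYVALUE,MX_LASTNAME,MX_MAIL_PRIMARY,MXREF_MX_ROLE
JDOE,Doe,jdoe@example.com,ROLE:FINANCE_USER
ASMITH,Smith,asmith@example.com,ROLE:HR_USER
"""
# Second file: JDOE's mail changed, ASMITH's role changed.
RUN_2 = """MSKEYVALUE,MX_LASTNAME,MX_MAIL_PRIMARY,MXREF_MX_ROLE
JDOE,Doe,john.doe@example.com,ROLE:FINANCE_USER
ASMITH,Smith,asmith@example.com,ROLE:HR_ADMIN
"""

# Hypothetical pass layout: (delta name, columns that pass writes).
SPLIT_PASSES = [
    ("delta_identity", ["MX_LASTNAME", "MX_MAIL_PRIMARY"]),
    ("delta_roles", ["MXREF_MX_ROLE"]),
]


class DeltaStore:
    """Model of a delta table: one fingerprint per (delta name, entry key)."""

    def __init__(self):
        self._seen = {}

    def changed(self, delta_name, key, values):
        digest = hashlib.sha256("\x1f".join(values).encode()).hexdigest()
        if self._seen.get((delta_name, key)) == digest:
            return False  # "skip unchanged entries"
        self._seen[(delta_name, key)] = digest
        return True


def run_job(csv_text, store, passes=SPLIT_PASSES):
    """Run every pass over the file; return the keys each pass would write."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    written = [[] for _ in passes]
    for i, (delta_name, columns) in enumerate(passes):
        for row in rows:
            values = [row[c] for c in columns]
            if store.changed(delta_name, row["MSKEYVALUE"], values):
                written[i].append(row["MSKEYVALUE"])
    return written
```

In this model, giving both passes the same delta name makes them overwrite each other's fingerprints, so every run rewrites every entry, roles included.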

Former Member
0 Kudos

Hi

I am not working on IdM 7.2 yet, but in your second role pass you set the mskeyvalue on the destination tab to %%. Should that not be the current mskeyvalue instead? Like you do it in the identity passes.

Kind regards

Heidi Kronvold

Former Member
0 Kudos

Also you could consider not using the delta functionality and instead design your SQL on the source tab so that it only finds entries that have been changed and need to be updated. Then on the source tab only these entries are affected and that should solve your problem?

Kind regards

Heidi Kronvold

Former Member
0 Kudos

Hello,

Indeed I inactivated the delta and it appears to work better but one issue remains:

  • In the first case: when I perform a modification on a user, for example on validity dates or last name, it also performs modifications on roles
  • In the second case (I selected “write only when adding entry” in front of the attribute MXREF_MX_ROLE in the first pass), the role is not written to the user at creation.

I also tried to add the changetype “Add” in the first pass but then nothing is working anymore and the modifications in the users are not detected.

Thank you very much for your help.

Former Member
0 Kudos

Hi

The first case: You probably need to set the global constant MX_PRIV_MODIFY_POLICY. Whenever modifications are done on a user, provisioning of assigned roles will be started depending on what MX_PRIV_MODIFY_POLICY is set to.

Take a look at this from the documentation:

The global constant MX_PRIV_MODIFY_POLICY specifies how to handle modify events on privileges. Modify events on all other entry types are not affected.

The default behavior is that the modify event task is executed for all attributes of the privilege. You can also select a number of attributes that should trigger the modify event task.

With the global constant MX_PRIV_MODIFY_POLICY you can specify the following behavior:

  •   0 (or missing)
    Use the default behavior (the modify event task is executed for all attributes or for the attributes specified with MX_MODIFYTASK_ATTR).
  •   1
    Do not execute the modify task for privileges. This will improve performance, as all checking for modify events are skipped, and can be used if you do not rely on modify events.
  •   3
    Modify event tasks are only triggered if the attribute is listed by MX_MODIFYTASK_ATTR. 

    If there is no MX_MODIFYTASK_ATTR, the modify task will not be started.

    Note: This behavior is the reverse of MX_PRIV_MODIFY_POLICY=0, where the lack of MX_MODIFYTASK_ATTR means that every attribute will trigger the modify task.

    Using this strategy will also improve performance, compared to 0.

Kind regards

Heidi Kronvold