on 04-04-2012 4:34 PM
Hello,
I am currently implementing SAP IDM 7.2 SP4 and in particular working on my provisioning processes.
My IDM datasource is a csv file in which are transcribed various users’ information both from HCM and other sources.
In addition, we created roles that are specified in the csv file to be assigned to the user. I am creating my jobs in order to read in this file and write the information in the Identity Center. In order to ensure that role is replaced in the Identity Center and thus in the backends, I assigned a prefix {M} (I also tried with {E} and {R}) before MXREF_MX_ROLE attribute value.
The objective is:
- To be able to assign in the UI additional roles in complement of the one assigned through my csv file
- To delete all the assigned roles (including the ones added in UI) when the role is modified in the file
- Not to perform any modification on roles when another attribute from the file is modified (MX_MAIL_PRIMARY for example)
As of today, the first 2 points are working but I face a problem with the last one. Indeed, when I modify the email address, it also modifies the MXREF_MX_ROLE attribute and removes all the roles added in the UI.
How can I manage to be able to only modify in the Identity Center the attribute modified in the source file?
Thank you in advance for your help.
Very best regards,
Estelle
Hi Estelle,
If you separate the role update out from the other attributes into a separate "to IDS" pass, and then put a delta on it, the roles will only be updated when the roles are changed.
Hope that helps?
Thanks,
Ian
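The effect of a separate, delta-controlled pass for roles can be modeled outside IDM. The following is an added example, not code from the thread and not SAP's delta implementation: the pass names, the column layout of the file and the sample rows are constructed, and the delta is modeled as one stored hash per pass and entry.

```python
import csv
import hashlib
import io

# Constructed sample data: three successive versions of the source file.
HEADER = "MSKEYVALUE;MX_MAIL_PRIMARY;MXREF_MX_ROLE\n"
CSV_V1 = HEADER + "JDOE;jdoe@example.com;ROLE_HR\n"
CSV_V2 = HEADER + "JDOE;john.doe@example.com;ROLE_HR\n"   # mail changed
CSV_V3 = HEADER + "JDOE;john.doe@example.com;ROLE_FIN\n"  # role changed

# Hypothetical pass definitions: each pass has its own delta identifier
# and fingerprints only the columns it writes.
PASSES = {
    "identity": ["MX_MAIL_PRIMARY"],
    "roles": ["MXREF_MX_ROLE"],
}


def fingerprint(row, columns):
    """Hash only the columns a pass is responsible for."""
    joined = "\x1f".join(row[c] for c in columns)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def run_job(csv_text, delta_store):
    """Return {pass name: [keys processed]}, skipping unchanged entries per pass."""
    processed = {name: [] for name in PASSES}
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=";"):
        for name, columns in PASSES.items():
            key = (name, row["MSKEYVALUE"])
            digest = fingerprint(row, columns)
            if delta_store.get(key) != digest:
                delta_store[key] = digest
                processed[name].append(row["MSKEYVALUE"])
    return processed


def demo():
    """Run the three file versions in order against one shared delta store."""
    store = {}
    return [run_job(text, store) for text in (CSV_V1, CSV_V2, CSV_V3)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the mail change in the second file version leaves the role pass with nothing to process, so roles assigned elsewhere are not overwritten; only the third version, where the role column changes, triggers the role pass.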
Hello Ian,
Thank you for your answer.
Creating a new pass and a delta was also my first thought, which I hoped would solve the issue, but it created a new problem.
I created a new path in my job but then after some tests, I observed that my job is only going through the first pass and not through the second.
Thus when I modified a role in my file, nothing happened as it is not launching the pass if the first pass “modify Identity Data” is not launched.
I tried to modify the order of passes but then roles modifications are provisioned but not identity modifications.
The way I made things work is to separate not into different passes but into different jobs, and I now have to create an event so that “role” job will start after “identity” job.
However, I would prefer to use passes.
Have I missed something?
I am new to SAP IDM and thus really appreciate your help.
Thank you for your help.
Best regards,
Estelle
Hello,
Thank you for your feedback.
Job logs do not report any errors, it appears to be working fine and even to identify new entries or modified entries:
But then it does not launch the job to implement those modifications in the Identity Center and thus in the SAP Backends.
Do you know what could be the issue?
In addition, I chose random names for my delta Identifiers and marked only “Skip unchanged entries”. Could it have an impact?
Thank you in advance for your help.
Very best regards,
Estelle
Hi,
The passes are running, but they don't have anything to process. Your select statements in the source must be returning 0 entries. Try running them against the database so you can determine how exactly you want to write them. They seem more complicated than they need to be as well.
You might want to try putting a delta only on the "To IDStore" passes. And when you read in the files, write to a temporary table in the identity center database. Verify that the temp table is being written. Then for the write passes, do a very basic select statement out of the temp table, and let the delta handle whether it should process it or not. Do it just like the import jobs are written.
Regards,
Chris
Also you could consider not using the delta functionality and instead design your SQL on the source tab so that it only finds entries that have been changed and need to be updated. Then on the source tab only these entries are affected and that should solve your problem?
Kind regards
Heidi Kronvold
Hello,
Indeed I inactivated the delta and it appears to work better but one issue remains:
I also tried to add the changetype “Add” in the first pass but then nothing is working anymore and the modifications in the users are not detected.
Thank you very much for your help.
Hi
The first case: You probably need to set the global constant MX_PRIV_MODIFY_POLICY. Whenever modifications are done on a user, provisioning of assigned roles will be started depending on what MX_PRIV_MODIFY_POLICY is set to.
Take a look at this from the documentation:
The global constant MX_PRIV_MODIFY_POLICY specifies how to handle modify events on privileges. Modify events on all other entry types are not affected.
The default behavior is that the modify event task is executed for all attributes of the privilege. You can also select a number of attributes that should trigger the modify event task.
With the global constant MX_PRIV_MODIFY_POLICY you can specify the following behavior:
If there is no MX_MODIFYTASK_ATTR, the modify task will not be started.
Note: This behavior is the reverse of MX_PRIV_MODIFY_POLICY=0, where the lack of MX_MODIFYTASK_ATTR means that every attribute will trigger the modify task.
Using this strategy will also improve performance, compared to 0.
Kind regards
Heidi Kronvold