on 07-18-2013 3:41 PM
Hello everyone,
We are running IDM 7.2 SP8 and we are trying to provide an LDAP view of our productive identity store through the VDS so that a third party product can read our data (especially assignments data).
We also want the third party product to be able to send data to our staging area, so we first used the standard VDS Template HCM LDAP EXTRACT for IDM 72 and then completed it (creating another datasource and another "branch" in our virtual tree) to reach our productive area.
We are now able to see every attribute of the user but we still have one problem. As you can see, we put a validity date on one assignment:
In my LDAP view, I am not able to retrieve it:
Do you know if it is possible to do so or not?
Thanks a lot,
BR,
Clotilde Martinez
Hi Clotilde,
Well, pulling data out of IDM is possible not only via VDS.
You can access IDM views directly using, for example, SAP JPA and Java code.
Storing data in IDM is also possible not only via VDS.
You can use either the IDM REST API, or you can again use SAP JPA and Java code to store data in the IDM workspace in a custom table under the RT user. Then you can set up an external trigger on this table, and on the "on change" event you can trigger IDM tasks.
Best regards,
Ivan
Thanks a lot to both of you,
I don't think I will be going for the specific Java code to retrieve this data, but I will see if I can, for example, maintain another custom attribute that will contain what I need, or maybe not go through VDS but use a CSV file.
I'll try a little more to see what's possible with the current framework and then open an OSS message if I don't find anything that helps.
Best regards,
Clotilde
Ok, so I thought that this was not possible and I've been thinking about it for the past couple of weeks. I think I have created a VDS configuration that does what you are looking for. I've got it working in my test environment and will document it in a blog entry. I'm going to start writing it now, and hopefully it will be done soon.
If you need this quicker, drop me an email and I will send you the configuration directly.
Matt
Hi Matt,
Thanks for working on my issue. In the end, I created a custom attribute z_ref_privileges that I feed with an SQL query every time something is provisioned.
Since my client is in its test phase, I don't think I would use your configuration right now, but I would surely like to see it work.
Best regards,
Clotilde
You could also try to create a custom attribute with a SQL Query that dynamically looks up the current assignments using something like this as the query (and you can add whatever is needed from the view like assignment type, inherited or direct, context ....):
select mcOtherMskeyValue + '['+isnull(cast(mcValidFrom as varchar),'The big bang')+':'+isnull(cast(mcValidTo as varchar),'End of time')+']' as Assignment from idmv_link_ext_active with(nolock) where mcThismskey = %MSKEY%
(on Oracle use || instead of +, NVL instead of isnull and no with(nolock))
Then you don't need to feed the custom attribute by provision triggers.
Br,
Per Christian
Hello Clotilde,
How did you manage to get your VDS to return your privileges as shown in your screenshot above?
This is exactly the scenario I am actually trying to achieve.
I've configured our VDS with the standard IDM Identity Center template, where I receive all data of the entries, but there is only MXREF_MX_PRIVILEGE and the MSKEY of the privilege shown.
I want to see the MSKEYVALUE of the privilege instead of the MSKEY in the reference attribute when I search for objectClass MX_PERSON in my attribute list.
I am also not able to search for the attribute MSKEY within my LDAP client and I don't know why...
It would be great if you could help me with the privilege problem I have.
Thanks a lot.
Kind regards,
Bastian
Hi Clotilde,
thank you for the link to Matt's blog.
Unfortunately it didn't really help me finding a solution for what I am looking for.
I think it would help me if you could show me your old config file - if this is possible.
It would also help me if you - or anyone else - could tell me how to set a filter for a specific EntryType (e.g. MX_PERSON) in either a configuration done with the IDM Identity Center template or done like in the blog with the databases template (e.g. idmv_link_ext). The last configuration shows even all entries...
I've also configured the VDS with the IDM Identity Center template and connected via an LDAP browser where I set the filter objectClass = MX_PERSON, which has shown me only entries of this EntryType. This also works for other EntryTypes, if I filter in the browser.
I tried to do this inside the VDS but didn't get it so far.
My setup was done with two branches, one for MX_PERSON and one for another EntryType, but I wasn't able to set that previously described filter inside the VDS.
I really want to filter inside the VDS, not later by LDAP.
Many thanks.
Kind regards,
Bastian
Hello Ian,
no, I am sorry, I didn't get any progress with this configuration.
We are now running two database data sources (one is connected to a view of the companies and another is connected to a view of our employees). Our privileges and roles are separated by ; which helps us to achieve a multivalue attribute on LDAP (using OpenLDAP - reads the data of our VDS, so that the VDS is just a middleware). This means we have an LDAP attribute privilege like this:
OpenLDAP: (one attribute for each privilege)
privilege - MX_PRIV:WD:TAB_TODO
privilege - MX_PRIV:WD:TAB_TRACE
privilege - MX_PRIV:WD:TAB_MANAGE
...
VDS: (all privileges in one attribute)
privilege - MX_PRIV:WD:TAB_TODO;MX_PRIV:WD:TAB_TRACE;MX_PRIV:WD:TAB_MANAGE;...
This is what we wanted (and what I asked for in this thread) and what we've got. Not directly inside VDS but with the help of OpenLDAP.
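The conversion described in the post above, from one `;`-separated VDS value to one LDAP attribute value per privilege, sketched as an added example; it is not the poster's configuration. The DN and the sample value are constructed, and the output is an RFC 2849 LDIF change record that an LDAP server such as OpenLDAP can load.

```python
import base64

# Constructed sample in the VDS form shown in the post: every privilege packed
# into one ';'-separated value. The DN is a made-up placeholder.
SAMPLE_DN = "cn=jdoe,ou=people,dc=example,dc=com"
SAMPLE_VALUE = ("MX_PRIV:WD:TAB_TODO;MX_PRIV:WD:TAB_TRACE; "
                "MX_PRIV:WD:TAB_MANAGE;;MX_PRIV:WD:TAB_TODO")


def split_privileges(packed, sep=";"):
    """Split the packed value; drop empty segments and duplicates, keep order."""
    seen, out = set(), []
    for part in packed.split(sep):
        name = part.strip()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def ldif_attr(attr, value):
    """Render one attribute line, base64-encoding values RFC 2849 treats as unsafe."""
    raw = value.encode("utf-8")
    safe = (
        bool(raw)
        and raw[0] not in b" :<"          # unsafe first characters
        and raw[-1:] != b" "              # trailing space would be lost
        and all(0 < b < 128 and b not in (10, 13) for b in raw)
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def to_ldif_modify(dn, attr, packed):
    """Build a change record that replaces attr with one value per privilege."""
    lines = [ldif_attr("dn", dn), "changetype: modify", f"replace: {attr}"]
    lines += [ldif_attr(attr, p) for p in split_privileges(packed)]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ldif_modify(SAMPLE_DN, "privilege", SAMPLE_VALUE))
```

Using `replace` rather than `add` means a privilege that has disappeared from the VDS value is also removed from the directory entry on the next load, so the LDAP copy does not keep stale access data.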
Clotilde,
Interesting question. The short answer is I don't think so.
The template for representing the Identity Store is pretty rigid and does not take to a lot of modification. I would not be surprised to find out that the assignment date is not included.
If you're not finding this information in the existing template, I'd suggest opening an OSS Note and/or adding the request to the SAP NW IDM Idea place.
Matt