Identity Center LDAP view through VDS, how to show assignments validity

clotilde_martinez
Participant
0 Kudos

Hello everyone,

we are running idm 7.2 sp8 and we are trying to provide an LDAP view of our productive identity store through the VDS so that a third party product can read our data (especially assignments data).

We also want the third party product to be able to send data to our staging area, so we first used the standard VDS Template HCM LDAP EXTRACT for IDM 72 and then completed it (creating another datasource and another "branch" in our virtual tree) to reach our productive area.

We are now able to see every attribute of the user, but we still have one problem. As you can see, we put a validity date on one assignment:

In my LDAP view, I am not able to retrieve it:

Do you know if it is possible to do so or not?

Thanks a lot,

BR,

Clotilde Martinez

Accepted Solutions (1)

ivan_petrov
Active Participant
0 Kudos

Hi Clotilde,

Well, pulling data out of IDM is possible not only via VDS.

You can access IDM views directly using, for example, SAP JPA and Java code.

Storing data in IDM is also possible not only via VDS.

You can use either the IDM REST API, or you can again use SAP JPA and Java code to store data in the IDM workspace in a custom table under the RT user; then you can set up an external trigger on this table and, on the "on change" event, trigger IDM tasks.

Best regards,

Ivan

clotilde_martinez
Participant
0 Kudos

Thanks a lot to both of you,

I don't think I will be going for the specific Java code to retrieve this data, but I will see if I can, for example, maintain another custom attribute that will contain what I need, or maybe not go through VDS but use a CSV file.

I'll try a little more to see what's possible with the current framework and then open an OSS message if I don't find anything that helps.

Best regards,

Clotilde

former_member2987
Active Contributor
0 Kudos

Ok, so I thought that this was not possible and I've been thinking about it for the past couple of weeks.  I think I have created a VDS configuration that does what you are looking for.  I've got it working in my test environment and will document it in a blog entry.  I'm going to start writing it now, and hopefully it will be done soon.

, if you need this quicker, drop me an email and I will send you the configuration directly.

Matt

clotilde_martinez
Participant
0 Kudos

Hi Matt,

thanks for working on my issue. In the end, I created a custom attribute z_ref_privileges that I feed with an SQL query every time something is provisioned.

Since my client is in its test phase, I don't think I would use your configuration right now, but I would surely like to see it work.

Best regards,

Clotilde

former_member2987
Active Contributor
0 Kudos

Clotilde,

No worries, I figured you had moved on with this, but it had been gnawing at me and I needed to resolve it.

It was good to stretch the VDS muscles again, and we need more VDS content here anyway.

Good luck with the rest of your project!

Matt

Former Member
0 Kudos

You could also try to create a custom attribute with a SQL query that dynamically looks up the current assignments, using something like this as the query (and you can add whatever is needed from the view, like assignment type, inherited or direct, context ...):

select mcOtherMskeyValue
       + '[' + isnull(cast(mcValidFrom as varchar), 'The big bang')
       + ':' + isnull(cast(mcValidTo as varchar), 'End of time') + ']' as Assignment
from idmv_link_ext_active with(nolock)
where mcThismskey = %MSKEY%

(On Oracle use || instead of +, NVL instead of isnull, and no with(nolock).)

Then you don't need to feed the custom attribute by provisioning triggers.

Br,

Per Christian

Answers (2)

bastian_hickl
Explorer
0 Kudos

Hello Clotilde,

how did you manage to get your VDS to return your privileges like shown in your screenshot above?

This is exactly the scenario I am currently trying to achieve.

I've configured our VDS with the standard IDM Identity Center template, where I receive all data of the entries, but only MXREF_MX_PRIVILEGE and the MSKEY of the privilege are shown.

I want to see the MSKEYVALUE of the privilege instead of the MSKEY in the reference attribute when I search for objectClass MX_PERSON in my attribute list.

I am also not able to search for the attribute MSKEY within my LDAP client and I don't know why...

It would be great if you could help me with the privilege problem I have.

Thanks a lot.

Kind regards,

Bastian

former_member2987
Active Contributor
0 Kudos

Bastian, that's a view from an LDAP browser.  Apache and Softerra both make good browsers.

Matt

bastian_hickl
Explorer
0 Kudos

Hi Matt,

maybe I was misunderstood.

I get the attribute MXREF_MX_PRIVILEGE with the corresponding MSKEY, but what I want is the MSKEYVALUE of the privilege instead.

How do I have to configure the VDS to achieve this while I am using the Identity Store as data source?

Thanks.

Regards,

Bastian

clotilde_martinez
Participant
0 Kudos

Hi Bastian,

Matt did a blog about this configuration, did you check it? You can find it there :

If this doesn't help, I'll try to get access to my old config, as I don't really recall how I did it in the first place.

Regards,

Clotilde

bastian_hickl
Explorer
0 Kudos

Hi Clotilde,

thank you for the link to Matt's blog.

Unfortunately it didn't really help me find a solution for what I am looking for.

I think it would help me if you could show me your old config file, if this is possible.

It would also help me if you, or anyone else, could tell me how to set a filter for a specific EntryType (e.g. MX_PERSON) in either a configuration done with the IDM Identity Center template or one done like in the blog with the databases template (e.g. idmv_link_ext). The latter configuration even shows all entries...

I've also configured the VDS with the IDM Identity Center template and connected via a LDAP browser where I set the filter objectClass = MX_PERSON which has shown me only entries of this EntryType. This also works for other EntryTypes, if I filter in the browser.

I tried to do this inside the VDS but didn't get it so far.

My setup was done with two branches, one for MX_PERSON and one for another EntryType, but I wasn't able to set the previously described filter inside the VDS.

I really want to filter inside the VDS, not later via LDAP.

Many thanks.

Kind regards,

Bastian

0 Kudos

Hi Bastian,

I am trying to achieve exactly the same thing. Did you make any progress in producing a filter inside of the VDS so it only shows a subset of ID Store entries (MX_PERSON, as you suggested)?

If you didn't, maybe someone would be kind enough to point us in the right direction?

Thanks,

Ian

former_member2987
Active Contributor
0 Kudos

Hi Ian,

For the most part, when using VDS with IDM, Entrytype is mapped to objectClass.  So set the filter to ENTRYTYPE=MX_PERSON and you should be good to go.

Matt

0 Kudos

Hi Matt,

That's the question, where in the VDS config do you add the filter, I couldn't work that bit out.

Thanks,

Ian

former_member2987
Active Contributor
0 Kudos

Hi Ian,

Can you start this as a separate thread? Also what's the complete scenario?  What's querying VDS? That could make the difference how we approach this.

In the meantime, I'll start looking into it.

Matt

bastian_hickl
Explorer
0 Kudos

Hello Ian,

no, I am sorry, I didn't make any progress with this configuration.

We are now running two database data sources (one is connected to a view of the companies and another is connected to a view of our employees). Our privileges and roles are separated by ;, which helps us to achieve a multivalued attribute in LDAP (using OpenLDAP, which reads the data from our VDS, so that the VDS is just middleware). This means we have an LDAP attribute privilege like this:

OpenLDAP: (one attribute for each privilege)

privilege - MX_PRIV:WD:TAB_TODO

privilege - MX_PRIV:WD:TAB_TRACE

privilege - MX_PRIV:WD:TAB_MANAGE

...

VDS: (all privileges in one attribute)

privilege - MX_PRIV:WD:TAB_TODO;MX_PRIV:WD:TAB_TRACE;MX_PRIV:WD:TAB_MANAGE;...

This is what we wanted (and what I asked for in this thread) and what we've got. Not directly inside VDS, but with the help of OpenLDAP.
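
Two shapes of assignment data come up in this thread: Per Christian's query above emits one value per assignment as NAME[FROM:TO], with 'The big bang' and 'End of time' standing in for an open start or end, and Bastian's VDS branch joins several privileges into one attribute value with ';'. The following Python parser is an added example, not code from the thread or from SAP IDM/VDS. It splits the ';'-joined value, parses each validity window (trying every ':' as the separator, because a datetime rendered with a time of day also contains colons) and reports which assignments are valid on a given day. The sample value, the ISO date renderings it accepts and the inclusive bounds are assumptions; a plain cast(datetime as varchar) on SQL Server renders dates differently, so the accepted formats would need adjusting to match the real query output.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Union

# Sentinels used by the query in the thread for an open-ended validity window.
OPEN_START = "The big bang"
OPEN_END = "End of time"

# Date renderings accepted for the FROM/TO bounds (assumption: ISO-style dates).
_DATE_FORMATS = ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S.%f")


@dataclass(frozen=True)
class Assignment:
    name: str
    valid_from: Optional[date]  # None: no start restriction
    valid_to: Optional[date]    # None: no end restriction

    def is_active_on(self, day: date) -> bool:
        """Assumption: both bounds are inclusive calendar days."""
        if self.valid_from is not None and day < self.valid_from:
            return False
        if self.valid_to is not None and day > self.valid_to:
            return False
        return True


def _parse_bound(text: str, sentinel: str) -> Optional[date]:
    """Return None for the open-ended sentinel, the date otherwise; raise if neither."""
    text = text.strip()
    if text == sentinel:
        return None
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised validity bound: {text!r}")


def _split_window(inner: str):
    """Split 'FROM:TO' when either side may itself contain ':' (a time of day):
    try every ':' as the separator and keep the first split where both halves parse."""
    for i, ch in enumerate(inner):
        if ch != ":":
            continue
        try:
            return (_parse_bound(inner[:i], OPEN_START),
                    _parse_bound(inner[i + 1:], OPEN_END))
        except ValueError:
            continue
    raise ValueError(f"cannot split validity window: {inner!r}")


def parse_assignment(text: str) -> Assignment:
    """Parse 'NAME' or 'NAME[FROM:TO]' into an Assignment."""
    text = text.strip()
    if text.endswith("]") and "[" in text:
        name, _, inner = text[:-1].partition("[")
        valid_from, valid_to = _split_window(inner)
        return Assignment(name, valid_from, valid_to)
    if "[" in text or "]" in text:
        raise ValueError(f"malformed assignment: {text!r}")
    return Assignment(text, None, None)


def split_vds_values(raw: str) -> List[str]:
    """Turn the ';'-joined single VDS attribute value into one string per
    privilege, dropping empty segments such as the one left by a trailing ';'."""
    return [part.strip() for part in raw.split(";") if part.strip()]


def parse_vds_attribute(raw: str) -> List[Assignment]:
    return [parse_assignment(part) for part in split_vds_values(raw)]


def active_names(raw: str, day: Union[date, str]) -> List[str]:
    """Names of the assignments in `raw` that are valid on `day` (date or ISO string)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    return [a.name for a in parse_vds_attribute(raw) if a.is_active_on(day)]


# Constructed sample in the shape the two posts describe (not real IDM data).
SAMPLE = (
    "MX_PRIV:WD:TAB_TODO[2019-01-01:End of time];"
    "MX_PRIV:WD:TAB_TRACE[The big bang:2020-06-30 23:59:59];"
    "MX_PRIV:WD:TAB_MANAGE;"
)

if __name__ == "__main__":
    for assignment in parse_vds_attribute(SAMPLE):
        print(assignment)
    print(active_names(SAMPLE, "2021-01-01"))
```

Whatever consumes the LDAP view should do this kind of check itself rather than trust the bare presence of a privilege value: with the query above, an expired assignment is still listed, only with a past TO date, so a consumer that ignores the window would grant on stale data.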

former_member2987
Active Contributor
0 Kudos

Clotilde,

Interesting question.  The short answer is I don't think so.

The template for representing the Identity Store is pretty rigid and does not take well to a lot of modification. I would not be surprised to find out that the assignment date is not included.

If you're not finding this information in the existing template, I'd suggest opening an OSS Note and/or adding the request to the SAP NW IDM Idea place.

Matt