SAP NW IdM - Terminate Identity

Former Member
Hello Gurus,

We are implementing a process for identity termination. The SAP security team wants the Id to be deleted from the system as part of the process, whereas other applications have requested removal of groups, a change in status, etc. The Id termination should be approved by the line manager as first-level approver.

We are using an action task with "To Identity Store" pass to remove the PRIV:<REPOSITORY>:ONLY privilege for the SAP Id to delete the account from SAP repository.

We need your advice for:

- Is the implementation approach for deletion of SAP ids correct?

- How do we configure the approval task for this process? It seems that it cannot be an assignment approval task in this case.

- There is a task "SetABAPRole&ProfileforUser" in the SAP provisioning framework which is executed following the user deletion. This task fails because it is not able to locate the MSKEY after the user has been deleted. How do we control this task?

Your help in this regard is much appreciated.

Regards,

Subramaniam Iyer

Accepted Solutions (1)

ChrisPS
Contributor
Hello Subramaniam,

One way to terminate an identity would be to set the MX_INACTIVE attribute to 1 on the identity. This will then trigger removal of all privileges assigned to the identity.

For setting up approvals see the IdM Documentation area

http://scn.sap.com/docs/DOC-8397 -> SAP NetWeaver Identity Management - Creating Role Approvals

Thanks

Chris

Former Member
Thanks Christopher for your reply.

Will the MX_INACTIVE not delete the identity from IdM? We wanted to retain the identity information in IdM and only delete/deactivate users from the connected systems.

We found a way out by removing the role assignments (authorization privileges) from the user first which triggered manager approvals as per the validation event task for assignment removals.
Using BYPASS_MEMBER_TASK in a script we are ensuring that the privileges only get removed from IdM and not from SAP after approval. The next step is to remove the SAP account privilege (rep ONLY priv) which deletes the account from SAP.

Regards,

Subramaniam Iyer

terovirta
Active Contributor
The identity remains hidden in the IdM DB, and to reuse the same record you must remove the mx_inactive flag.

regards, Tero

Former Member
Thanks Tero for your inputs. Although it does not help us in this case, it is something I was not aware of before.

IdM is connected to multiple systems, SAP and non-SAP, and each has its own policies for termination. For example, the SAP team wants the ids to be deleted immediately, and the AD team would like to retain the account as disabled for 90 days before deletion. Hence, we could not set the flag in IdM.

Regards,

Subbu

terovirta
Active Contributor
That requirement sounds pretty normal. Just define the grace period / period when the user entry remains disabled in IdM, after which the user can be inactivated.

What is your leading identity system? SAP HCM? You could hook up the disabling, SAP deprovisioning and start of the grace period to the "withdrawn" employment status.

I think you're just missing some work on the requirements side and some configuration/testing effort.

regards, Tero

former_member2987
Active Contributor
Tero,

What about the fact that using MX_INACTIVE starts immediate deprovisioning on all systems? Wouldn't dropping the ACCOUNT[SYSTEM] attribute for the user along with the ONLY priv make more sense?

Matt

jonathon_sells3
Participant
Hi Chris,

Setting the MX_INACTIVE attribute on a user is something we are trying to do. However, we are getting errors that seem to imply the user is not an MX_PERSON entry type. Please refer to the new thread I created.

Thanks

Jon

former_member198652
Active Participant
Hi Subbu,

One more option, as far as I know, is that we can keep a lock on the users who are supposed to be deleted (90 days in your case), so that these identities lose access but are still present in the IDM; if needed we can enable them again. For this, you use the mx_disable attribute instead of mx_inactive, as the latter removes all the privileges/roles immediately.

Regards,

Jaya
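As an added illustration of the scheduling the thread converges on (a per-repository grace period, with MX_INACTIVE set on the IdM identity only after the longest grace period has ended, since it deprovisions every repository at once), here is constructed Python that is not SAP IdM script or API code: the repository names SAP_ABAP and AD and the immediate / 90-day policies are assumptions taken from the posts above.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RepoPolicy:
    """Termination policy of one connected repository.

    grace_days == 0: delete the account on the termination date.
    grace_days  > 0: disable first, delete when the grace period ends.
    """
    name: str
    grace_days: int


# Constructed policies mirroring the thread: the SAP team wants accounts
# deleted immediately, the AD team wants them disabled for 90 days first.
POLICIES = (RepoPolicy("SAP_ABAP", 0), RepoPolicy("AD", 90))


def termination_schedule(terminated_on, policies=POLICIES):
    """Build the per-repository deprovisioning schedule for one identity.

    terminated_on is an ISO date string. Returns (steps, inactive_on): steps
    is a date-sorted list of (date, repository, action); inactive_on is the
    earliest date on which MX_INACTIVE may be set on the IdM identity. It is
    deferred until the longest grace period has ended, because MX_INACTIVE
    removes all privileges in every repository at once.
    """
    start = date.fromisoformat(terminated_on)
    steps = []
    for p in policies:
        if p.grace_days > 0:
            steps.append((start, p.name, "disable account"))
        # Removing the repository ONLY privilege deletes the account there.
        delete_on = start + timedelta(days=p.grace_days)
        steps.append((delete_on, p.name, f"remove PRIV:{p.name}:ONLY"))
    steps.sort()
    inactive_on = start + timedelta(days=max(p.grace_days for p in policies))
    return steps, inactive_on


def actions_due(steps, today):
    """(repository, action) pairs scheduled for the given ISO date."""
    day = date.fromisoformat(today)
    return [(repo, action) for d, repo, action in steps if d == day]


if __name__ == "__main__":
    steps, inactive_on = termination_schedule("2024-01-01")
    for d, repo, action in steps:
        print(d, repo, action)
    print("MX_INACTIVE may be set on", inactive_on)
```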