on 06-15-2014 12:51 PM
Hello Gurus,
We are implementing a process for identity termination. The SAP security team wants the Id to be deleted from the system as part of the process, whereas other applications have requested removal of groups, a change of status, etc. The Id termination should be approved by the line manager as the first-level approver.
We are using an action task with "To Identity Store" pass to remove the PRIV:<REPOSITORY>:ONLY privilege for the SAP Id to delete the account from SAP repository.
We need your advice for:
- Is the implementation approach for deletion of SAP Ids correct?
- How do we configure the approval task for this process? It seems that it cannot be an assignment approval task in this case.
- There is a task "SetABAPRole&ProfileforUser" in the SAP provisioning framework which is executed following the user deletion. This task fails because it is not able to locate the MSKEY after the user has been deleted. How do we control this task?
Your help in this regard is much appreciated.
Regards,
Subramaniam Iyer
Hello Subramaniam,
One way to terminate an identity would be to set the MX_INACTIVE attribute to 1 on the identity. This will then trigger removal of all privileges assigned to the identity.
For setting up approvals see the IdM Documentation area
http://scn.sap.com/docs/DOC-8397 -> SAP NetWeaver Identity Management - Creating Role Approvals
Thanks
Chris
Thanks Christopher for your reply.
Will the MX_INACTIVE not delete the identity from IdM? We wanted to retain the identity information in IdM and only delete/deactivate users from the connected systems.
We found a way out by removing the role assignments (authorization privileges) from the user first which triggered manager approvals as per the validation event task for assignment removals.
Using BYPASS_MEMBER_TASK in a script we are ensuring that the privileges only get removed from IdM and not from SAP after approval. The next step is to remove the SAP account privilege (rep ONLY priv) which deletes the account from SAP.
Regards,
Subramaniam Iyer
Thanks Tero for your inputs. Although it does not help us in this case, it is something I was not aware of before.
IdM is connected to multiple systems (SAP and non-SAP) and each has its own policies for termination. For example, the SAP team wants the Ids to be deleted immediately, and the AD team would like to retain the account as disabled for 90 days before deletion. Hence, we could not set the flag in IdM.
Regards,
Subbu
That requirement sounds pretty normal. Just define the grace period, i.e. the period during which the user entry remains disabled in IdM, after which the user can be inactivated.
What is your leading identity system? SAP HCM? You could hook up the disabling, SAP deprovisioning and start of the grace period to the "withdrawn" employment status.
I think you're just missing some work on the requirements side and some configuration/testing effort.
regards, Tero
Hi Subbu,
One more option that I know of is that we can keep a lock on the users who are supposed to be deleted (90 days in your case), so that these identities will lose access but are still present in IdM; if needed we can enable them again. For this, use the mx_disable attribute instead of mx_inactive, as the latter removes all the privileges/roles immediately.
Regards,
Jaya
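The pattern discussed in this thread (keep the identity in IdM with MX_DISABLE rather than MX_INACTIVE, delete the SAP account at once, keep the AD account disabled for 90 days before deletion) can be modelled as a small per-repository policy check. The example below is added here and is not IdM script or anything posted in the thread; the repository names, the grace-period values and the function names are assumptions for illustration, and the real work would be done by IdM tasks driven by these decisions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed per-repository termination policies, following the thread:
# SAP wants immediate deletion, AD wants 90 days disabled before deletion.
@dataclass(frozen=True)
class TerminationPolicy:
    repository: str
    grace_days: int  # 0 = delete the account on the termination date itself

POLICIES = {
    "SAP": TerminationPolicy("SAP", grace_days=0),   # assumed repository name
    "AD": TerminationPolicy("AD", grace_days=90),    # assumed repository name
}

def identity_attributes(terminated: bool) -> dict:
    """Attributes to set on the IdM identity itself.

    MX_DISABLE locks the user while keeping the identity (and its history) in
    IdM. MX_INACTIVE is deliberately left at 0: setting it strips every
    privilege at once, which would ignore each system's grace period."""
    return {"MX_DISABLE": 1 if terminated else 0, "MX_INACTIVE": 0}

def repository_action(policy: TerminationPolicy, terminated_on: date, today: date) -> str:
    """Action due on `today` in one connected system after termination on `terminated_on`."""
    if today < terminated_on:
        return "none"
    delete_on = terminated_on + timedelta(days=policy.grace_days)
    if today >= delete_on:
        # Grace period over (or none): remove the repository account privilege
        # (the "rep ONLY" priv in the thread), which deletes the account.
        return "delete"
    # Inside the grace period: the account stays, but disabled.
    return "disable"

def termination_plan(terminated_on: str, today: str, policies=POLICIES) -> dict:
    """IdM attributes plus the per-repository action for a given day (ISO dates)."""
    t, d = date.fromisoformat(terminated_on), date.fromisoformat(today)
    return {
        "identity": identity_attributes(d >= t),
        "repositories": {name: repository_action(p, t, d) for name, p in policies.items()},
    }

if __name__ == "__main__":
    for day in ("2014-06-14", "2014-06-15", "2014-09-12", "2014-09-13"):
        print(day, termination_plan("2014-06-15", day))
```

Running the block prints the plan for the day before termination, the termination day, the last day of the AD grace period and the first day on which the AD account is deleted.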