SAP IDM – How to handle SAP roles
I’m working on an IDM project and like many of you I had to solve the issue with SAP roles.
What were the issues in my case:
- If you attach a role to a person in SAP, the next role just replaces it.
- If you have to first remove and then add the same role in SAP, in some cases the add action runs before the deletion, and the person ends up with no roles attached in SAP.
The first issue was easy to solve. My solution includes some JavaScript scripting, but in simple cases it can be handled with several tasks arranged in an ordered task group, or even with only one task. The idea is as follows:
- Get currently attached privileges for SAP
- Get pending privileges for adding in SAP
- Merge two lists
- Set the result list of privileges in SAP
In order to speed things up I'm grouping SAP privileges by "operation" and getting the pending values in a group script. This way I can handle all privileges of one operation at once.
There are two ways to get the currently attached privileges for a person in IDM.
- The first one is a custom SQL select on IDMV_LINK_EXT2. I'm using this one because it contains the MSKEYs and MSKEYVALUEs of person, privileges and contexts together in one place.
- The second one is to use the standard "TO IDENTITY STORE" pass functionality to "get" instead of "set" values from the MXREF_MX_PRIVILEGE attribute. Something like the following:
This will return VALIDTO, VALIDFROM, MSKEYVALUE and MSKEY of all privileges attached to the person. Of course a different set of parameters is possible; for more information please check the IDM help, which has a very good explanation.
The second issue looks hard to implement at first glance, but in the end my solution is as follows:
- In the provisioning task that attaches privileges to SAP I've just added a check whether there are pending values for deletion for the current person.
- If there are, just call uSkip(1,1). This skips all following tasks in the ordered task group for this person, and with them the attachment of privileges, until all privileges queued for removal are processed, so you won't see any red lines in the log file.
- When there are no more pending privileges for removal, the attachment of new privileges is executed as usual.
- In order to loop, I've configured the task, in case of failure, to be retried 20 times at an interval of 5 minutes. Of course you should experiment with these values to find the right ones for your scenario.
As a conclusion, in my scenario there are two steps: first delete the old privileges, then add the new ones. In simple cases it is possible to merge these two steps into one. In this case the privileges are grouped not by "action" but by "application", and each pending value is then analyzed: if it is for deletion, remove it from the list of already attached privileges; if it is for addition, add it to that list. At the end of the analysis just set the resulting list in SAP and that is it.
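As an added example (not code from the original post or from SAP IDM itself), the following plain JavaScript models the three pieces of logic described above: the gate that checks for pending deletions before attaching (where the post calls uSkip(1,1)), the "merge currently attached with pending adds" step of the two-step variant, and the combined delete-then-add reconciliation of the one-step variant. SAP IDM 7.2 runs task scripts in a JavaScript engine, so the functions port to an IDM script, but the IDM-specific calls (uSkip, the pass that reads MXREF_MX_PRIVILEGE) are only mentioned in comments because they do not exist outside IDM. The privilege names, the pending-value structure and the "!!" multi-value separator are assumptions made for the example.

```javascript
// Added example, not part of the original post or of SAP IDM.
// Constructed sample: privileges currently linked to the person in the
// identity store, as the MSKEYVALUEs returned by a select on IDMV_LINK_EXT2
// or by a "get" pass on MXREF_MX_PRIVILEGE would look. Names are invented.
var currentPrivileges = [
  "PRIV:SAP_ROLE:Z_FI_DISPLAY",
  "PRIV:SAP_ROLE:Z_MM_DISPLAY"
];

// Constructed sample of pending values for the same person, each tagged with
// its operation, as a group script working on grouped pending values sees them.
var pendingValues = [
  { privilege: "PRIV:SAP_ROLE:Z_MM_DISPLAY", operation: "delete" },
  { privilege: "PRIV:SAP_ROLE:Z_MM_DISPLAY", operation: "add" },    // remove-then-re-add case from the post
  { privilege: "PRIV:SAP_ROLE:Z_SD_CHANGE",  operation: "add" },
  { privilege: "PRIV:SAP_ROLE:Z_FI_DISPLAY", operation: "add" }     // already attached: must not be duplicated
];

// Select the pending entries of one operation ("add" or "delete").
function byOperation(pending, operation) {
  return pending.filter(function (p) { return p.operation === operation; });
}

// Gate for the two-step variant: true while the person still has pending
// deletions. In the IDM attach task this is the point where the post calls
// uSkip(1,1) so that the ordered task group is retried later.
function hasPendingDeletions(pending) {
  return byOperation(pending, "delete").length > 0;
}

// Two-step variant, add side: union of the attached privileges and the
// pending adds, without duplicates and preserving the existing order, so
// setting the result in SAP never drops a role that was already there.
function mergePrivileges(current, pending) {
  var result = current.slice();
  byOperation(pending, "add").forEach(function (p) {
    if (result.indexOf(p.privilege) === -1) {
      result.push(p.privilege);
    }
  });
  return result;
}

// One-step variant (grouping by application): apply every deletion first and
// every addition afterwards, so a privilege removed and re-added in the same
// run ends up attached instead of being lost to the ordering race the post
// describes. A deletion of a privilege that is not attached is a no-op.
function reconcilePrivileges(current, pending) {
  var toDelete = byOperation(pending, "delete").map(function (p) { return p.privilege; });
  var remaining = current.filter(function (priv) {
    return toDelete.indexOf(priv) === -1;
  });
  return mergePrivileges(remaining, pending);
}

// Serialise the list for a pass destination. "!!" as multi-value separator
// is an assumption of this example; check the separator configured in your pass.
function toMultiValue(list) {
  return list.join("!!");
}

// Stand-alone run: shows the two strategies on the constructed sample.
console.log("pending deletions:", hasPendingDeletions(pendingValues));
console.log("two-step add list:", toMultiValue(mergePrivileges(currentPrivileges, pendingValues)));
console.log("one-step result:  ", toMultiValue(reconcilePrivileges(currentPrivileges, pendingValues)));
```

In the two-step setup, hasPendingDeletions() is what decides between skipping and attaching; the merge only runs once the delete task has drained the pending deletions. In the one-step setup reconcilePrivileges() replaces both tasks, and the order inside it (deletes before adds) is what makes the remove-and-re-add case safe.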
I hope that everything is clear, but if it is not and you want help or you’ve got any remarks or additional questions, don’t hesitate to contact me.