Ivan Petrov

SAP IDM – How to handle SAP roles

I’m working on an IDM project and, like many of you, I had to solve the issue with SAP roles.

What were the issues in my case:

  • If you attach a role to a person in SAP, the next role you attach simply replaces it.
  • If you have to first remove and then re-add the same role in SAP, in some cases the add action runs before the deletion, and the person ends up with no roles attached in SAP.

The first issue was easy to solve. My solution includes some Java scripting, but in simple cases it can be handled with several tasks arranged in an ordered task group, or even with only one task. The idea is as follows:

  • Get the currently attached privileges for SAP
  • Get the pending privileges to be added in SAP
  • Merge the two lists
  • Set the resulting list of privileges in SAP

In order to speed things up I’m grouping the SAP privileges by “operation” and getting the pending values in the group script. This way I can handle all privileges of one operation at once.

There are two ways to get the currently attached privileges for a person in IDM.

  • The first one is a custom SQL select on IDMV_LINK_EXT2. I’m using this one, because it contains the MSKEYs and MSKEYVALUEs of the person, the privileges and the contexts together in one place.
  • The second one is to use the standard “TO IDENTITY STORE” pass functionality to “get” instead of “set” the values of the MXREF_MX_PRIVILEGE attribute. Something like the following:


This will return VALIDTO, VALIDFROM, MSKEYVALUE and MSKEY of all privileges attached to the person. Of course a different set of parameters is possible; for more information please check the IDM help, which has a very good explanation.

The second issue looks hard to implement at first glance, but in the end my solution is as follows:

  • In the “attach privileges to SAP” provisioning task I’ve just added a check whether there are pending values for deletion for the current person.
  • If there are, just call uSkip(1,1). This skips all following tasks in the ordered task group for this person, and with them the attachment of privileges, until all privilege removals are done, and you won’t see any red lines in the log file.
  • When there are no more pending privileges to remove, the attachment of new privileges is executed as usual.
  • In order to loop, I’ve set the task to be retried on failure 20 times at an interval of 5 minutes. Of course you should experiment with these values to find the right ones for your scenario.

As a conclusion, in my scenario there are two steps: first delete the old privileges, then add the new ones. In simple cases, however, it is possible to merge these two steps into one. In that case the privileges are grouped not by “action” but by “application”, and each pending value is analyzed: if it is for deletion, remove it from the list of already attached privileges; if it is for add, just add it to this list. At the end of the analysis set the resulting list in SAP and that is it.
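As an added example (not the author's script), here is the skip check and the merge logic described above in plain JavaScript, so it runs outside IDM. The pending-value record shape `{privilege, op}` and the sample privilege names are constructed for this example; the IDM-specific parts (the SQL select on IDMV_LINK_EXT2, uSkip and the SAP pass) are only referenced in comments, since they exist only inside an IDM task.

```javascript
// Currently attached SAP privileges for one person (constructed sample; in IDM
// this list would come from the IDMV_LINK_EXT2 select or the "get" pass).
const attached = ['PRIV:SAP:ROLE_A', 'PRIV:SAP:ROLE_B'];

// Pending values for the same person, already grouped by application
// (constructed sample; the {privilege, op} shape is an assumption of this example).
const pending = [
  { privilege: 'PRIV:SAP:ROLE_B', op: 'del' },
  { privilege: 'PRIV:SAP:ROLE_C', op: 'add' },
  { privilege: 'PRIV:SAP:ROLE_A', op: 'add' }, // already attached: kept once, never duplicated
];

// Two-step variant (the post's main scenario): the attach task must wait until
// every pending deletion has been processed, otherwise an add can overtake a
// delete and the person ends up with no roles. This is the check before uSkip(1,1).
function hasPendingDeletions(pendingValues) {
  return pendingValues.some(p => p.op === 'del');
}

// Merge for the attach step: attached privileges plus pending adds, without
// duplicates, so that setting the result does not drop roles already assigned.
function mergeAdds(attachedPrivs, pendingValues) {
  const result = new Set(attachedPrivs);
  pendingValues.filter(p => p.op === 'add').forEach(p => result.add(p.privilege));
  return [...result].sort();
}

// One-step variant (end of the post): walk every pending value, apply deletions
// and additions against the attached list, and set the result to SAP once.
function applyPending(attachedPrivs, pendingValues) {
  const result = new Set(attachedPrivs);
  for (const p of pendingValues) {
    if (p.op === 'del') result.delete(p.privilege);
    else if (p.op === 'add') result.add(p.privilege);
    else throw new Error('unknown pending operation: ' + p.op);
  }
  return [...result].sort();
}

// Inside the IDM attach task the decision would read:
//   if (hasPendingDeletions(pending)) { uSkip(1, 1); } else { /* set mergeAdds(...) to SAP */ }
console.log('skip attach this run:', hasPendingDeletions(pending));   // true
console.log('one-step result:', applyPending(attached, pending));     // ROLE_A, ROLE_C
```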

I hope everything is clear, but if it is not and you want help, or if you have any remarks or additional questions, don’t hesitate to contact me.

Best Regards,


      Osvaldo Lopez

      Great post Ivan, thank you very much.

      Keep posting 😉


      Murali Shanmugham


      Thanks for sharing your experience. Could you please post your scripts with some screenshots?



      Ivan Petrov
      Blog Post Author

      I don't think my scripts will be helpful for you, because my scenario is much more complex than the one I gave as example. Still if you want I can share a simple JavaScript example. So post an answer here if you need it.