
I have seen many people posting questions on how to copy user roles and privileges to a new user. In AS ABAP systems there is an option to do this using transaction SU01, and it is also available in AS Java systems. I have seen this as common practice at many clients: when a new starter joins the organization, the security team takes a reference user and creates a copy of that user. I thought I would share my experience of how I achieved this in SAP Identity Management.

Navigate to Attributes and create a new one called “Z_REFERENCE_USER”.

Maintain each of the tabs as shown below. In the “Storage” tab, set the following values:

Data type = Entry Reference

Reference Entry Type = MX_PERSON

In the “Presentation” tab, set the value for Presentation to “Referral”. This will give you two buttons, as shown below.

In the “Entry Types” tab allow it to appear for MX_PERSON.

Create a new Ordered Task Group, a task and a job, and attach a pass called “Copy Roles to a New User” of type “To Identity Store”.

Below are the settings for the Task Group. Mark it as a UI task and ensure that it is enabled.

In the Attributes, select the Entry Type as “MX_PERSON” and maintain the attributes as shown below. Notice that the new attribute “Z_REFERENCE_USER” is also selected.

Provide values for access control.

Maintain the Presentation.

Below are the settings for the Task under the Task Group.

Maintain the Entry Type as “MX_PERSON” under attributes.

Maintain the access controls.

Finally, let's look at the settings for the job under this task.

Under Scripts, create a new function called “getmskeyvalue”.

The purpose of this function is to take an MSKEY as input and return the corresponding MSKEYVALUE as output. It will be used in the pass described below.

The pass “Copy Roles to a new User” is maintained with the below settings. MX_PERSON is the source entry type.

In the Destination tab, refer to MX_PERSON as the entry type and maintain the settings below.

Apply all the changes, navigate to the IdM UI and select a user who has business roles/privileges. In my example, the user is “TEST_PORTAL”. Click on “Choose task” and in the pop-up you should be able to find the new task called “Copy Roles to New User”. After you select this task, you will see the screen below.

Notice the “Copy to User” field at the bottom. This field refers to the new attribute “Z_REFERENCE_USER” created in the steps above. Click on the “Select” button; it opens a pop-up in which you can search for all users. In my case, TEST4 is a new user without any roles or privileges, so I select user Test4.

The “Copy to User” field actually returns the MSKEY of the Test4 user, not its name. Hence I have used the custom function to obtain the MSKEYVALUE for this Test4 user.

To elaborate on the pass above: the MSKEYVALUE at runtime will be “Test4” because of the custom function. changeType is Modify, as we are modifying the existing user identity Test4. To copy the selected user's roles and privileges, use %MXREF_MX_PRIVILEGE% and %MXREF_MX_ROLE%. Use the {A} operator in front of the value to indicate that this is an addition, so existing assignments on the target user are kept rather than replaced.
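The following is an added example (not code from the original post) that models the two pieces described above in plain JavaScript: a script-side getmskeyvalue that resolves an MSKEY to its MSKEYVALUE, and the assembly of the pass's destination attributes with the {A} operator, plus a pre-check that mirrors the IDStore rule that entry-reference values must be numeric. The identity store is replaced by a constructed in-memory object so the code runs offline; in a real job the lookup would be an IdM database call (e.g. uSelect), and the {D} delete operator admitted by the check is assumed alongside the page's {A}.

```javascript
// Constructed stand-in for the identity store, keyed by MSKEY. In a real IdM
// job the lookup would be a database call (e.g. uSelect) inside the
// "getmskeyvalue" script; a plain object lets the logic run offline.
const STORE = {
  1001: { MSKEYVALUE: "TEST_PORTAL", Z_REFERENCE_USER: 1002,
          MXREF_MX_PRIVILEGE: [13200, 13201], MXREF_MX_ROLE: [500] },
  1002: { MSKEYVALUE: "TEST4", MXREF_MX_PRIVILEGE: [], MXREF_MX_ROLE: [] },
  13200: { MSKEYVALUE: "PRIV:PORTAL_USER" },
  13201: { MSKEYVALUE: "PRIV:PORTAL_REPORTS" },
  500: { MSKEYVALUE: "ROLE:PORTAL_STANDARD" }
};

// Script-side equivalent of the post's getmskeyvalue: MSKEY in, MSKEYVALUE out.
function getmskeyvalue(mskey, store) {
  const entry = store[Number(mskey)];
  if (!entry) throw new Error("No entry for MSKEY " + mskey);
  return entry.MSKEYVALUE;
}

// Assemble the destination attributes of the "Copy Roles to a New User" pass.
// sourceMskey is the user the task was started on (TEST_PORTAL); its
// Z_REFERENCE_USER holds the MSKEY picked in the "Copy to User" field.
function buildCopyPass(sourceMskey, store) {
  const src = store[sourceMskey];
  return {
    MSKEYVALUE: getmskeyvalue(src.Z_REFERENCE_USER, store),
    changeType: "Modify",
    MXREF_MX_PRIVILEGE: src.MXREF_MX_PRIVILEGE.map(m => "{A}" + m),
    MXREF_MX_ROLE: src.MXREF_MX_ROLE.map(m => "{A}" + m)
  };
}

// Mirror of the IDStore check behind "Entry reference value is not numeric":
// an entry reference is an optional {A} or {D} operator followed by a numeric
// MSKEY. "(A)13200" (round brackets) is rejected, "{A}13200" is accepted.
function isValidEntryReference(value) {
  return /^(\{[AD]\})?\d+$/.test(String(value));
}

// Pre-check the pass before it is submitted, returning the offending values.
function validatePass(pass) {
  const bad = [];
  for (const attr of ["MXREF_MX_PRIVILEGE", "MXREF_MX_ROLE"]) {
    for (const v of pass[attr]) {
      if (!isValidEntryReference(v)) bad.push(attr + "=" + v);
    }
  }
  return bad;
}
```

Running validatePass over the assembled pass before it reaches the identity store catches the round-bracket typo in the job designer rather than in the job log.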

You could add one more pass at the end to clear the value of the attribute “Z_REFERENCE_USER”, so that the previous value does not remain the next time you open the screen above.


9 Comments


  1. Carlo Mattioli

    Hi,

    Tried to get it to run after having done all the described steps. I’m able to save ok, but when I go to the job log, I see that it failed with the following error:

    IDStore returned error message: “Entry reference value is not numeric: Attribute: MXREF_MX_PRIVILEGE” when storing attribute ‘MXREF_MX_PRIVILEGE=(A)13200’

    Any idea?

    Regards,

    Carlo

    1. Tero Virta

      Carlo Mattioli wrote:


      Hi,

      Tried to get it to run after having done all the described steps. I’m able to save ok, but when I go to the job log, I see that it failed with the following error:

      IDStore returned error message: “Entry reference value is not numeric: Attribute: MXREF_MX_PRIVILEGE” when storing attribute ‘MXREF_MX_PRIVILEGE=(A)13200’

      Any idea?

      Regards,

      Carlo


      Wrong brackets, try { } instead of ( )

