Small tip: Setting the System Privilege Modify Trigger Attributes programmatically
I recently joined a nicely ongoing IdM 7.2 project, and one of my tasks is to load contact information to all existing users from a phone-book type of application that is about to be killed. This bulk load will naturally trigger a lot of update operations unless attention is paid to which attribute modifications should actually be replicated to the target system.
One of my own “rules” with SAP IdM is to avoid any unnecessary processing, and running modify tasks to repositories where those particular attributes may not even be relevant (or aren’t even mapped in the toSAP/toLDAP etc. pass) is such an action.
The standard initial load job template sets the Trigger Attributes for System Privileges via a script that I’ve found a little awkward, so I thought it best to create my own job that would also give the customer more control and an actual way to maintain the trigger attributes. The list of attributes can be maintained in MMC / Privilege Metadata, but selecting the attributes from a long list is a bit tedious.
So, as it looks like I am going to use the job again today, I thought about sharing it here in case it helps anyone else.
The job fetches all the System Privileges, gets the comma-separated list of attribute names from a repository constant (or from a global constant if the repository constant is missing or not defined for that particular repository), looks up the matching Id Store-specific attribute ids, and stores them in the System Privilege’s MX_MODIFYTASK_ATTR attribute.
The source SQL is just an example of getting the names of the System Privileges.
The target tab handles each of the System Privileges and sets the attributes.
The script “setAttrs” sets the trigger attributes. The name of the System Privilege the job is currently processing is passed in the Par parameter. The script derives the repository name from the privilege name, tries to read the repository constant (falling back to the global constant), resolves the attribute names to attribute ids in the SAP Master Id Store, and returns the ids as a pipe-separated multivalue string.
The u-function uGetRepositoryVar works in passes that run in a repository context, but for a standalone job you need to write your own script that takes the repository and variable/constant names as parameters. “NULLATTR” is a special hardcoded value in SAP IdM that acts as a “do nothing” value for an attribute, which is handy to return in an error case when you want to make sure nothing gets updated.
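The logic described for “setAttrs”, as an added JavaScript sketch that is not the original script from the job: constants and attribute ids are passed in as plain objects instead of being read through IdM u-functions, so it runs outside SAP IdM. The privilege naming pattern `PRIV:<repository>:ONLY`, the constant name `TRIGGER_ATTRS`, the attribute ids and the choice to return NULLATTR for any unknown attribute name are assumptions of this example.

```javascript
// Added illustration, not the original setAttrs script.
const NULLATTR = "NULLATTR";        // SAP IdM "do nothing" value, see text above
const CONST_NAME = "TRIGGER_ATTRS"; // hypothetical constant name

// Assumption: system privileges are named PRIV:<repository>:ONLY.
function repositoryFromPrivilege(privName) {
  const m = /^PRIV:([^:]+):ONLY$/.exec(String(privName).trim());
  return m ? m[1] : null;
}

// repoConstants:   { repository: { constantName: value } }
// globalConstants: { constantName: value }
// attrIds:         { ATTRIBUTE_NAME: id } for one Id Store
function setAttrs(privName, repoConstants, globalConstants, attrIds) {
  const repo = repositoryFromPrivilege(privName);
  if (repo === null) return NULLATTR;

  // The repository constant wins; fall back to the global constant when it
  // is missing or empty for this repository.
  const repoValue = (repoConstants[repo] || {})[CONST_NAME];
  const list = repoValue && repoValue.trim() ? repoValue : globalConstants[CONST_NAME];
  if (!list || !list.trim()) return NULLATTR;

  const ids = [];
  for (const raw of list.split(",")) {
    const name = raw.trim().toUpperCase();
    if (name === "") continue;             // tolerate "A,,B" and trailing commas
    const id = attrIds[name];
    if (id === undefined) return NULLATTR; // unknown name: update nothing
    if (!ids.includes(id)) ids.push(id);   // drop duplicates
  }
  // Pipe-separated multivalue string for MX_MODIFYTASK_ATTR
  return ids.length ? ids.join("|") : NULLATTR;
}

// Constructed sample data (repository names and ids are made up).
const repoConstants = {
  ABAP_DEV: { TRIGGER_ATTRS: "MX_FIRSTNAME, MX_LASTNAME,MX_MAIL_PRIMARY," },
  LDAP_CORP: {},                             // no repository constant defined
  ABAP_QA: { TRIGGER_ATTRS: "MX_FIRSTNAME,MX_NO_SUCH_ATTR" },
};
const globalConstants = { TRIGGER_ATTRS: "MX_PHONE_PRIMARY,MX_MAIL_PRIMARY" };
const attrIds = { MX_FIRSTNAME: 12, MX_LASTNAME: 13, MX_MAIL_PRIMARY: 27, MX_PHONE_PRIMARY: 31 };

for (const p of ["PRIV:ABAP_DEV:ONLY", "PRIV:LDAP_CORP:ONLY", "PRIV:ABAP_QA:ONLY"]) {
  console.log(p, "->", setAttrs(p, repoConstants, globalConstants, attrIds));
}
```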