“No master task” setup in SAP Identity Management after upgrade from 7.1 to 7.2 for successful provisioning to connected systems
On upgrade of IDM from 7.1 to 7.2
After upgrading IDM from version 7.1 to 7.2, a mandatory system privilege “Priv:System name_Client no:only” (e.g. Priv:EB7_057:only) is required for provisioning a created user record to the backend system. There are three options for including this newly introduced mandatory privilege Priv:System name_Client no:only (e.g. Priv:EB7_057:only) in the existing data from IDM version 7.1:
- Assign the ONLY privilege to the user ALONG with the business role.
- Manually include the ONLY privilege in the business role definition.
- Set a No Master task on the repository. That task is executed every time a ROLE or GROUP privilege is assigned to a user who doesn’t have the master privilege for this repository. You just need to set the ONLY privilege for the repository as master privilege (Privilege tab in the repository properties) and select a task to execute if the master privilege is not assigned (this task can be a simple assignment of the ONLY privilege).
Here, we opt for the 3rd option and set a “No master task” for all existing repositories to save time and effort. Options 1 and 2 would introduce considerable additional work (adding the mandatory privilege to all existing business roles) and would also make the IDM provisioning queue so long that it would hinder the daily security user provisioning job.
Make Priv:System name_Client no:only (e.g. Priv:EB7_057:only) visible in the UI by selecting visibility “ALL” in the entry visibility field for every ONLY privilege (Priv:System name_Client no:only) of all defined/available repositories.
A) Select Repository –> Privilege –> click the rectangular box in “Master Privilege”. In the pop-up window, enter the ID store and the Unique ID (Privilege), search, and then select the privilege from the matching names window.
B) Create a custom Ordered task
C) Include an Empty job in the Ordered task
D) Select pass “To Identity Store”
E) Insert values in Destination field of pass
F) Click Apply after selecting and inserting the entries.
G) Go back to the repository and select the mandatory privilege for that specific repository which you selected in “Master privilege”, i.e. for repository EE1_040, select “PRIV:EE1_040:Only” in the Master privilege option; then select the rectangular (Search) box in “No Master Task”, drill down, select the created custom “Master Priv Custom” ordered task and click Apply to save the setting.
H) Now, whenever a user is assigned any business role in the User Interface, the Master privilege task created above runs to assign the mandatory ONLY privilege “Priv:System name_Client no:only” to the user, so that the technical role assignment is provisioned in the backend system.
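As an added example (not code from this post or from SAP IDM), the following script reproduces the No Master Task decision described above over an exported privilege list, so you can audit after the upgrade which users already hold a ROLE or GROUP privilege for a repository without that repository’s ONLY privilege, and see which ONLY assignments the task would create. It assumes the usual IDM naming convention PRIV:<repository>:ROLE:<name> / PRIV:<repository>:GROUP:<name> for role and group privileges and PRIV:<repository>:ONLY for the master privilege; the user data is constructed.

```python
import re
from collections import defaultdict

# Assumption: IDM privilege names follow PRIV:<repository>:<kind>[:<name>], where <kind>
# is ONLY (master privilege, e.g. Priv:EB7_057:only), ROLE, GROUP or PROFILE.
PRIV_RE = re.compile(
    r"^PRIV:(?P<repo>[^:]+):(?P<kind>ONLY|ROLE|GROUP|PROFILE)(?::(?P<name>.*))?$",
    re.IGNORECASE,
)

def parse_privilege(priv):
    """Return (repository, kind) for a privilege name, or None if it is not a repository privilege."""
    m = PRIV_RE.match(priv.strip())
    if not m:
        return None
    return m.group("repo").upper(), m.group("kind").upper()

def master_privilege(repo):
    """Name of the mandatory ONLY privilege for a repository."""
    return f"PRIV:{repo}:ONLY"

def missing_master(assignments):
    """Map user -> sorted repositories where the user holds a ROLE or GROUP privilege
    but not the repository's ONLY privilege (the condition that fires the No Master Task).
    `assignments` maps a user id to an iterable of privilege names."""
    result = {}
    for user, privs in assignments.items():
        held = defaultdict(set)
        for p in privs:
            parsed = parse_privilege(p)
            if parsed:
                repo, kind = parsed
                held[repo].add(kind)
        gaps = sorted(r for r, kinds in held.items()
                      if kinds & {"ROLE", "GROUP"} and "ONLY" not in kinds)
        if gaps:
            result[user] = gaps
    return result

def run_no_master_task(assignments):
    """Simulate the task: add the ONLY privilege for every gap. Returns a new mapping."""
    fixed = {u: {p.upper() for p in ps} for u, ps in assignments.items()}
    for user, repos in missing_master(assignments).items():
        for repo in repos:
            fixed[user].add(master_privilege(repo))
    return fixed

# Constructed sample data (not an IDM export); USER4 holds a master without any role, so nothing fires.
SAMPLE = {
    "USER1": ["PRIV:EB7_057:ROLE:Z_FI_DISPLAY", "Priv:EB7_057:only"],
    "USER2": ["PRIV:EB7_057:ROLE:Z_FI_DISPLAY"],
    "USER3": ["PRIV:EE1_040:GROUP:SAP_ALL_USERS", "PRIV:EB7_057:ONLY"],
    "USER4": ["PRIV:EE1_040:ONLY"],
}
```

Running `missing_master` over a real privilege export before switching the No Master Task on tells you how many assignments the task will generate on first use, which is the queue-length concern mentioned above.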