
If you want to set user attributes from within your role model, attribute privileges may be what you need. For instance, you might want to set the ABAP user group automatically for all members of a role, or deactivate the password for some roles. In fact, every attribute of the MX_PERSON object can be manipulated through attribute privileges.

This tutorial shows how to implement attribute privileges. It is based on SAP Identity Management 7.2. If you need help implementing the tasks on IdM 7.1, contact me.

I assume you know how to use the Identity Center, i.e. how to create tasks and attributes, etc. Some scripting is needed as well.

The following steps give an overview of what has to be done:

  1. Create two attributes for the entry type MX_PRIVILEGE: one for the attribute name and one for the attribute value.
  2. Create an add member task, which sets the attribute for a user when the privilege is assigned, and a del member task, which removes the attribute when the user loses the privilege.
  3. Create a user interface task for creating attribute privileges in a convenient way.



1. Adding attributes to the privilege entry type

In your master identity store add a general text attribute:

  • name = Z_PRIV_AUTO_ATTRIBUTE
  • Entry types tab: link it to MX_PRIVILEGE
  • Presentation tab: use SingleSelect
  • Attribute values tab: select SQL query and enter the statement
    SELECT DISTINCT attrname FROM MXI_Attributes where is_id=1


The attribute Z_PRIV_AUTO_ATTRIBUTE will contain the name of the attribute to be manipulated. The SQL statement offers all existing attribute names of your master identity store as selectable values (check that is_id is the id of your master identity store).

Add one more general text attribute:

  • name = Z_PRIV_AUTO_VALUE
  • Entry types tab: link it to MX_PRIVILEGE
  • Presentation tab: use SingleLine

The attribute Z_PRIV_AUTO_VALUE will contain the value of the attribute to be manipulated.

If you check the entry type MX_PRIVILEGE you will find both added attributes:

2. Adding the AddMember and DelMember tasks

Now it is time for the core mechanism of the attribute privileges. Add two ordered task groups to your provisioning framework. I use my own sub folders ‘Entry Type Tasks’ -> ‘MX_PRIVILEGE’. Name them ‘Add Attribute Privilege’ and ‘Remove Attribute Privilege’. Note the task IDs, as we will need them later.

Add a ‘To Generic’ pass to both tasks.

The tasks will work on pending value objects, which hold the information about the user and the assigned attribute privilege.

On the Destination tab of the ‘To Generic’ pass enter two parameters, one for the user mskey and one for the attribute privilege mskey:

  • MSKEY = %MX_ENTRY_REFERENCE%
  • PRIV = %MX_ATTRIBUTE_VALUE%

Note: for IdM 7.1, unfortunately, you need to check whether a user has been assigned a privilege or a privilege has got a new member, as the pending value attributes are inverted.

For the Add Attribute Privilege pass now enter a new local script under ‘Next data entry’ called ‘z_setPrivilegeAttribute’ and press edit. Here is the source code:


function z_setPrivilegeAttribute(Par){
    var mskey = Par.get("MSKEY");   // mskey of the user (from %MX_ENTRY_REFERENCE%)
    var priv  = Par.get("PRIV");    // mskey of the attribute privilege (from %MX_ATTRIBUTE_VALUE%)
    var sql;
    var msg;
    // get the attribute name stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_ATTRIBUTE'";
    var attrname = uSelect(sql);
    if(attrname==null || attrname==""){
        msg = "z_setPrivilegeAttribute: Attr Z_PRIV_AUTO_ATTRIBUTE missing for priv=" + priv;
        uError(msg);
        uSkip(2, 2, msg);
        return;
    }
    // get the attribute value stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_VALUE'";
    var value = uSelect(sql);
    if(value==null || value==""){
        msg = "z_setPrivilegeAttribute: Attr Z_PRIV_AUTO_VALUE missing for priv=" + priv;
        uError(msg);
        uSkip(2, 2, msg);
        return;
    }
    // get the current value of the user (a hit only if the user already holds exactly this value)
    sql = "select aValue from idmv_value_basic_active where mskey=" + mskey
        + " and attrname='" + attrname + "' and searchvalue='" + value + "'";
    var currentValue = uSelect(sql);
    if(currentValue==null || currentValue==""){
        // set the attribute on the user (last parameter 0 = add value)
        uIS_SetValue(mskey, 1, attrname, value, "ATTRIBUTE PRIVILEGE", 0);
    }else{
        uWarning("z_setPrivilegeAttribute: nothing to be done for user " + mskey + " " + attrname + "=" + value + ".");
    }
    return;
}

The script reads the attribute name and value from the attribute privilege and compares them with the user's current value. If the user's value differs or is missing, the script sets the attribute accordingly.

For the Remove Attribute Privilege pass you do the same as above, except that the script is called ‘z_removePrivilegeAttribute’. The source code looks similar:


function z_removePrivilegeAttribute(Par){
    var mskey = Par.get("MSKEY");   // mskey of the user
    var priv  = Par.get("PRIV");    // mskey of the attribute privilege
    var sql;
    // get the attribute name stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_ATTRIBUTE'";
    var attrname = uSelect(sql);
    if(attrname==null || attrname==""){
        uError("z_removePrivilegeAttribute: Attr Z_PRIV_AUTO_ATTRIBUTE missing for priv=" + priv);
        return;
    }
    // get the attribute value stored on the privilege
    sql = "select aValue from idmv_value_basic_active where mskey=" + priv + " and attrname='Z_PRIV_AUTO_VALUE'";
    var value = uSelect(sql);
    if(value==null || value==""){
        uError("z_removePrivilegeAttribute: Attr Z_PRIV_AUTO_VALUE missing for priv=" + priv);
        return;
    }
    // get the current value of the user (a hit only if the user holds exactly this value)
    sql = "select aValue from idmv_value_basic_active where mskey=" + mskey
        + " and attrname='" + attrname + "' and searchvalue='" + value + "'";
    var currentValue = uSelect(sql);
    if(currentValue==value){
        // remove the value from the user (last parameter 2 = delete value)
        uIS_SetValue(mskey, 1, attrname, value, "", 2);
    }else{
        uWarning("z_removePrivilegeAttribute: user " + mskey + " attribute " + attrname + "=" + value + " not found.");
    }
    return;
}

The script only removes the attribute from the user if the user holds the attribute with exactly the same value as the one stored on the attribute privilege.
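To try the add and remove logic of both scripts above outside of IdM, here is an added example (not code from the original post) that rewrites them as one module with three changes: attribute values are quoted as SQL literals instead of being pasted into the query, the attribute name is checked against a safe character set, and the return code of uIS_SetValue is checked. A small stand-in for the IdM runtime (uSelect, uIS_SetValue, uError, uWarning, uSkip) backed by a constructed in-memory store makes the module runnable offline; the store contents, the assumption that uIS_SetValue returns 0 on success, and the parameter object `params` are all constructed for this example.

```javascript
// ---- stand-in for the IdM runtime (constructed for this example, not the real API) ----
var store = {                 // mskey -> attrname -> [values]
  100: { Z_PRIV_AUTO_ATTRIBUTE: ["Z_PASSWORD_ENABLED_IT0"], Z_PRIV_AUTO_VALUE: ["1"] }, // attribute privilege
  101: { Z_PRIV_AUTO_ATTRIBUTE: ["Z_PASSWORD_ENABLED_IT0"] },                            // privilege without a value
  200: {},                                                                                // user, attribute unset
  201: { Z_PASSWORD_ENABLED_IT0: ["0"] }                                                  // user, different value
};
var log = [];
function uError(msg)   { log.push("ERROR " + msg); }
function uWarning(msg) { log.push("WARN " + msg); }
function uSkip(level, type, msg) { log.push("SKIP " + msg); }

// Understands only the query shape produced by queryValue/queryExact below.
function uSelect(sql) {
  var m = /mskey=(\d+) and attrname='([^']*)'(?: and searchvalue='((?:[^']|'')*)')?$/.exec(sql);
  if (!m) throw new Error("unsupported query: " + sql);
  var vals = (store[m[1]] || {})[m[2]] || [];
  if (m[3] !== undefined) {
    var wanted = m[3].replace(/''/g, "'");            // undo the SQL literal quoting
    vals = vals.filter(function (v) { return v === wanted; });
  }
  return vals.length ? vals[0] : "";
}
// mode 0 = add value, 2 = delete value (as used in the post); assumed to return 0 on success.
function uIS_SetValue(mskey, idStore, attrname, value, changeType, mode) {
  var entry = store[mskey];
  if (!entry) return 1;
  var vals = entry[attrname] || (entry[attrname] = []);
  if (mode === 0) { if (vals.indexOf(value) < 0) vals.push(value); return 0; }
  if (mode === 2) { var i = vals.indexOf(value); if (i < 0) return 1; vals.splice(i, 1); return 0; }
  return 1;
}
// IdM passes the pass parameters as a map with get(); this mimics that for the example.
function params(mskey, priv) { return { get: function (k) { return { MSKEY: mskey, PRIV: priv }[k]; } }; }

// ---- query builders: mskeys and attribute names are validated, values are quoted ----
function sqlLiteral(s) { return "'" + String(s).replace(/'/g, "''") + "'"; }
function checkMskey(k) { if (!/^\d+$/.test(String(k))) throw new Error("unexpected mskey: " + k); return k; }
function checkAttrName(n) { if (!/^[A-Za-z0-9_]+$/.test(n)) throw new Error("unexpected attribute name: " + n); return n; }
function queryValue(mskey, attrname) {
  return "select aValue from idmv_value_basic_active where mskey=" + checkMskey(mskey) +
         " and attrname=" + sqlLiteral(checkAttrName(attrname));
}
function queryExact(mskey, attrname, value) {
  return queryValue(mskey, attrname) + " and searchvalue=" + sqlLiteral(value);
}

// Reads attribute name and value from the attribute privilege; null (and a skip) if either is missing.
function readPrivilege(priv, scriptName) {
  var attrname = uSelect(queryValue(priv, "Z_PRIV_AUTO_ATTRIBUTE"));
  var value = uSelect(queryValue(priv, "Z_PRIV_AUTO_VALUE"));
  if (!attrname || !value) {
    var msg = scriptName + ": Z_PRIV_AUTO_ATTRIBUTE or Z_PRIV_AUTO_VALUE missing for priv=" + priv;
    uError(msg);
    uSkip(2, 2, msg);
    return null;
  }
  return { attrname: attrname, value: value };
}

// Add member task: set the value unless the user already holds exactly this value.
// Returns "set", "present" or "error" so the outcome can be checked by a caller.
function z_setPrivilegeAttribute(Par) {
  var mskey = Par.get("MSKEY"), priv = Par.get("PRIV");
  var p = readPrivilege(priv, "z_setPrivilegeAttribute");
  if (!p) return "error";
  if (uSelect(queryExact(mskey, p.attrname, p.value))) {
    uWarning("z_setPrivilegeAttribute: nothing to be done for user " + mskey + " " + p.attrname + "=" + p.value);
    return "present";
  }
  var rc = uIS_SetValue(mskey, 1, p.attrname, p.value, "ATTRIBUTE PRIVILEGE", 0);
  if (rc !== 0) { uError("z_setPrivilegeAttribute: uIS_SetValue failed, rc=" + rc); return "error"; }
  return "set";
}

// Del member task: remove the value only if the user holds exactly the privilege's value.
// Returns "removed", "absent" or "error".
function z_removePrivilegeAttribute(Par) {
  var mskey = Par.get("MSKEY"), priv = Par.get("PRIV");
  var p = readPrivilege(priv, "z_removePrivilegeAttribute");
  if (!p) return "error";
  if (!uSelect(queryExact(mskey, p.attrname, p.value))) {
    uWarning("z_removePrivilegeAttribute: user " + mskey + " attribute " + p.attrname + "=" + p.value + " not found.");
    return "absent";
  }
  var rc = uIS_SetValue(mskey, 1, p.attrname, p.value, "", 2);
  if (rc !== 0) { uError("z_removePrivilegeAttribute: uIS_SetValue failed, rc=" + rc); return "error"; }
  return "removed";
}
```

Running the two functions against the constructed store shows the behaviour the post describes: a first add sets Z_PASSWORD_ENABLED_IT0=1 on user 200, a second add is a no-op, a privilege without Z_PRIV_AUTO_VALUE is skipped with an error, and a remove for user 201 (who holds the value 0, not 1) leaves that user untouched. In the real IdM runtime, drop the stand-in section and verify the actual return convention of uIS_SetValue in your release before relying on the rc check.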

3. Adding a User Interface Task for creating attribute Privileges

In your user interface folder create a new ordered task ‘new attribute privilege’. Insert a ‘To Identity Store’ pass.

The ordered task group is turned into a UI task simply by marking the ‘UI task’ check box on the Options tab.

Now, it is possible to configure the Attributes tab. Select ‘MX_PRIVILEGE’ for entry type and mark ‘This task creates a new entry’. For the visible attributes select  Z_PRIV_AUTO_ATTRIBUTE and  Z_PRIV_AUTO_VALUE and make them mandatory. Add more attributes to show, if you like.

Down in the ‘To Identity Store’ pass you configure the pass so that it automatically adds the add member and del member tasks to the new privilege. At least these lines are needed:

  • MSKEYVALUE = %MSKEYVALUE%
  • MX_ADD_MEMBER_TASK = (enter the task id of your Add Attribute Privilege task group)
  • MX_DEL_MEMBER_TASK = (enter the task id of your Remove Attribute Privilege task group)

Enter some more default settings if needed.

I do not explain how to make a fancy design or how to administer the access control list of the UI task. You already know it or you will find out. Finally, it may look like this example:

Here I use the attribute privilege to enable password access for an SAP backend IT0. Every member of this privilege gets the attribute Z_PASSWORD_ENABLED_IT0=1 set, which allows password access.

Be creative with your new possibilities in your role model!


1 Comment


  1. Norman Nürnberger

    Hi Andreas,

    this is really a great tutorial. And the idea is great as well. Really nice!

    However, I have to post one improvement proposal: you should always check the return value of uIS_SetValue, otherwise you will not recognize any errors when setting/deleting the actual attribute values.

    Regards

    Norman Nürnberger
