Dynamic Group in SAP IDM 8.0
I have seen several threads related to Dynamic Group creation and resolve issues, so I thought to jot down the steps here to create and resolve a Dynamic Group in SAP IDM 8.0.
To create Dynamic group in SAP IDM 8.0
- Login to SAP IDM UI
- Manage -> Dynamic group
- Hit the Create… button
- Select the Create Dynamic Group task
- Hit Choose Task
A new tab/window Create Dynamic Group will open
- Enter Dynamic Group Unique ID, Display Name and Description (Optional) under General tab
- Select the Attribute Name and Attribute value in Target Definition tab
Note – Alternatively, you can select advanced mode and write the SQL query yourself. When writing the SQL query, ensure that it returns MSKEY.
- Hit Save
Dynamic Group has been created now.
- To view the newly created dynamic group, go to Manage tab and search for the Dynamic Group.
- Select the newly created Dynamic Group DGROUP_IDM_TEST1 to view the details
In Target Definition tab, you can see that IDM automatically created a SQL query based on the attribute name and value selected.
Visibility tab is blank as we didn’t define anything here while creating Dynamic Group.
Assigned Users tab is also Blank.
Now to get the users in the Assigned Users tab, we need to resolve the newly created Dynamic Group.
To Resolve the Dynamic Group
- Login to IdM Developer Studio Eclipse Plugins
- Create a New Job with a To Generic Pass under any existing/new package.
- Create a New Script under Scripts tab with following code
- In the Source tab of To Generic Pass “Calculate Dynamic Group”, enter the SQL which returns the MSKEY of the newly created dynamic group.
- In the Destination tab of To Generic Pass, select the Z_CalculateDynamicGroup script in the Next Data Entry and enter the attribute and value.
- Save the changes and run the job
- After the successful execution of job, go to Manage tab of IDM UI and search the Assigned users under Assigned Users tab
It will show all the users assigned to the Dynamic group.
As per business requirement, the Calculate Dynamic Group job can be scheduled at periodic intervals to calculate the Assigned users automatically.
Note – My Database is MS SQL so I have used with(nolock) in my query. I have used SAP IDM 8.0 SP4 for this blog.
Regards,
C Kumar
Thanks, this is well done! 5 stars! *****
Thanks Matt
Hey there,
I remember from training with the no-no 8.0 SP 0 version, that the target filter with the SQL query was read-only (even in Advanced mode). Do you know which SP changed that? On which SP did you create this docu? Maybe you could add that to the blog, too, since I've seen several people still using the 8.0 version without any service packs.
Regards,
Steffi.
Thanks Steffi!
I have used SAP IDM 8.0 SP4 on Windows machine. The same has been updated in the blog now.
Hi kumar,
Nice post!! I have one question. Suppose I have created a dynamic group to filter identities based on the location.
Whenever any new identity is created, how is the system automatically assigning the dynamic group to the user, where recalculate dg groups is not scheduled?
If the location of the user is changed, why is the existing dg group not being removed until recalculate is done?
We are using dg groups based on location, where it gets assigned for new identities, but when modified it doesn't get assigned with new dg or remove existing dg.
Regards DP
Hello DP,
SAP IDM always assigns the entries to the Dynamic group after resolving the dynamic group. uISResolveDynamicGroup is the internal function which is finally responsible for resolving the Dynamic group.
Q) Whenever any new identity is created, how is the system automatically assigning the dynamic group to the user, where recalculate dg groups is not scheduled?
Ans - If in your IdM landscape the system is automatically assigning the dynamic group to the new user even though recalculate dg groups is not scheduled, then there is a high probability that they must be running the uISResolveDynamicGroup function on the MX_PERSON ADD event task.
Q) If the location of the user is changed, why is the existing dg group not being removed until recalculate is done?
Ans - Until the uISResolveDynamicGroup function runs, there will not be any changes in the Dynamic group members.
Q) We are using dg groups based on location, where it gets assigned for new identities, but when modified it doesn't get assigned with new dg or remove existing dg.
Ans - Please clarify what is getting modified - User or Dynamic Group and what data get modified.
Regards,
C Kumar
Hello Kumar,
Thank you for the steps, which are really helpful. We tried to implement the same and we were able to successfully create and resolve one dg.
But if we wanted to resolve multiple dynamic groups, can we use the same job? Or should we create different jobs for different dg? We tried to resolve multiple groups with the same job but it does not work. Can you please give your feedback?
Thanks
Hello Rajendra,
Ideally, to resolve the multiple dynamic groups, you need to write the new Query in the source tab of the Calculate Dynamic Group pass. The query must return all the Mskeys of the DG which you want to resolve.
As you said - "we tried to resolve multiple groups with the same job but it does not work." Could you please share how you tried to resolve multiple DGs and what issues/errors you got?
Regards,
C Kumar
Dear Kumar,
Yes, we tried to use a query that returns all the Mskeys of the DG, Please see the screenshot below
The job runs successfully with all entries but the users are not populated in the dynamic groups, and it works only when we try to resolve each group individually (as per your steps). Should we change the script or any other settings to resolve multiple dynamic groups in a single job?
Thank you.
Hi Rajendra,
There are 2 Jobs coming with the BES (https://github.com/SAP-samples/idm-business-extensions-service) package named com.sap.rds.idm.rule.engine.v2.2 as below:
Both help to execute calculation for all available DGs.
Regards