Simona Lincheva

SAP IdM 8.0 no master process (good practices)

Hi guys,

Here is one good tip I wanted to share with you 🙂

Each time I start a new project, I have to create the process responsible for creating the user accounts in the back-end systems. To save some work/time, I have created a custom package responsible for the No Master Process:

  1. Create a new custom package (….masterprocess)
  2. In this package, create the process responsible for assigning the ONLY privilege
  3. Link this process in each repository type; automatic provisioning will then be triggered on assignment when the ONLY privilege is missing:


Hope you like it?

Simona Lincheva

      Chenyang Xiong

      Hi Simona,

      That's good practice. I also use a similar/same way to handle master privilege.


      BTW, how do you handle the termination scenario? Do you remove all direct role/privilege assignments when an identity is terminated? Some customers prefer to keep the account locked in the system.


      I would like to understand how you do it and the rationale behind it.





      Simona Lincheva
      Blog Post Author

      Hi  Chenyang,


      Thanks for the comment 🙂

      As for your question, it depends on the customer (...and on the back-end licensing policy, as for the ABAP systems the only thing you need is to set validity and lock the user 🙂 ).

      Possible scenarios:

      1. lock the account and set validity (in this case you won't pay for licensing and if the account is activated you have the old access ... if needed, in case the old access is not needed you have to remove the old and provide the new one)
      2. remove all access, then lock the account and set validity (again no licensing and in case the account is activated you should assign the new access, but you skip the removal of the old access)

      Note: in case the back-end system is AD, some customers want to move the user accounts into an inactive OU (again keep or remove the access).

      In addition, now we should think about the GDPR :))), here again depending on the company policy we have to maintain the inactive accounts -




      Felix Hahn

      Hi Simona,


      thanks for sharing this practice 🙂

      In our current Business-Role-Design every Business Role has every ONLY-Privilege included. The problem is that sometimes the IDM tries to delete the user when a business role expires, although there are existing business roles with ONLY-Privileges.

      So I'm thinking of switching to your presented practice. Do you think it is possible to remove all ONLY-Privileges from the business roles without IDM deleting all users from the backend systems? Will the IDM trigger the no-master-process when there are no ONLY-Privileges left?

      Hope you can answer my questions 🙂



      Best Regards,