SAP IDM 8.0 – How to handle active users in the target system when all roles/privileges (other than master & system privilege) for a particular system are revoked in IDM?
After working with multiple customers/clients, I implemented the following solution based upon their requests and thought it would be a good idea to share it with you all.
Depending upon the client's license policy for each individual system, this can be handled in different ways:
- Delete the user (by removing the master privilege).
- Otherwise, lock the user and set the account validity end date to a previous date or today's date in that particular system (as per SAP best practices).
How do we usually assign the Master Privilege (PRIV:%$rep.$NAME%:ONLY) to users?
- As a direct assignment, by assigning it manually.
- As an inherited assignment via IDM roles.
- As a direct assignment, by assigning it automatically via the No Master process linked in the Privilege Policy settings under the Privileges tab for each repository type.
When all privileges are removed for a particular system, what happens to the Master Privilege?
- When it was assigned as an inherited assignment through roles, the master privilege is removed and the user is deleted in that particular system.
- When it was assigned manually or via the No Master process, the master privilege remains assigned to the user as a direct assignment in IDM. This means the user still exists in the target system without any roles/privileges assigned for that particular system, though the user might still have access to other systems.
In this blog I would like to share with you all how to delete users automatically in the target system when all other privileges (except the system and master privilege) are removed from the user in IDM.
IDM Version – SAP IDM 8.0 (SP4)
Target System – SAP ABAP Application Server
- The user is assigned three privileges (one role-type privilege, the master privilege and the system privilege) as direct assignments; the master privilege was assigned to the user automatically via the No Master process.
- A request is placed from the IDM UI to remove the role-type privilege from the user. IDM executes the Deprovision member event task, which triggers the Revoke User Membership plugin task and deletes the requested privilege in the target system.
- After removing the privilege in the target system, IDM checks whether any other privileges, other than the master and system privileges, are still assigned to the user for that particular system.
- If so, IDM does not perform any action.
- Otherwise, IDM deletes the master privilege, which in turn triggers the Delete ABAP User task and deletes the user in the target system.
- Finally, the master privilege for that particular system is removed and the user is deleted in the target system.
- Create a new repository type constant as below for the ABAPSpecificApplicationServer and ABAPLoadBalancedConnection repository types available under the SAP standard ABAP connector package. If the constant is enabled for a particular repository, IDM removes the master privilege; otherwise it performs no action.
- Create the new process tasks described below and link them to the existing RemoveUserMembership process task.
- All action tasks whose names start with Log: are created only for logging purposes; they just write to the log file and are helpful when debugging.
Task – Check Whether Repository Flag is Set?
Task Type – Switch Task
- Checks whether the repository constant flag to delete users when no other privileges are assigned is enabled.
- If the return value is 1, it then checks whether any other privileges (other than the master and system privilege) are assigned to the user for that particular system.
Task – Delete User?
Task Type – Switch Task
- This task checks whether any other privileges are assigned to the user other than the following:
- Privileges pending removal (state 513/1536)
- Master/ONLY privilege
- System privilege
- If the count is zero (0), the user is deleted; otherwise IDM does not perform any action.
Task – Delete User Master Priv
Task Type – Action Task
Pass Type – To Identity Store
- A request is placed to remove the master privilege from the user, which later triggers the Delete User plugin task and deletes the user in the respective target system.
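To make the decision logic of the two switch tasks ("Check Whether Repository Flag is Set?" and "Delete User?") concrete, here is an added example in plain JavaScript. It is not code from the original blog and does not use the IDM runtime API (no uSelect or identity store queries); the repository constant name DELETE_USER_WHEN_NO_PRIVS, the system privilege naming PRIV:SYSTEM:<rep>, the role privilege names and the assignment list are all constructed for this example. The master privilege name follows the page's own pattern PRIV:%$rep.$NAME%:ONLY, and the pending-removal states are the 513/1536 given above.

```javascript
// Added example, not from the original blog: the decision logic of the
// "Check Whether Repository Flag is Set?" and "Delete User?" switch tasks,
// written over an in-memory list of privilege assignments instead of the
// identity store. All inputs below are constructed.

// Link states the blog treats as "pending for removal".
var PENDING_REMOVAL_STATES = [513, 1536];

// Master privilege name per the page's pattern PRIV:%$rep.$NAME%:ONLY.
function masterPrivName(repName) {
  return "PRIV:" + repName + ":ONLY";
}

// Constructed repository constants. The constant name
// DELETE_USER_WHEN_NO_PRIVS is an assumption for this example; in IDM it
// would be a repository type constant as described above.
var REPOSITORIES = {
  ABAP_DEV: { DELETE_USER_WHEN_NO_PRIVS: "1" },
  ABAP_PRD: { DELETE_USER_WHEN_NO_PRIVS: "0" }
};

// Switch task 1: return 1 when the repository flag is enabled, else 0.
// An unknown repository is treated as "flag not set" (no action), which is
// the safe default: nothing gets deleted by accident.
function repositoryFlagIsSet(repName) {
  var rep = REPOSITORIES[repName];
  return rep && rep.DELETE_USER_WHEN_NO_PRIVS === "1" ? 1 : 0;
}

// Switch task 2: count the user's privileges for this repository that are
// neither pending removal, nor the master privilege, nor the system privilege.
// systemPrivName is passed in because its naming is not given on the page.
function countRemainingPrivs(links, repName, systemPrivName) {
  var master = masterPrivName(repName);
  var count = 0;
  for (var i = 0; i < links.length; i++) {
    var l = links[i];
    if (l.repository !== repName) continue;                       // other systems are irrelevant
    if (PENDING_REMOVAL_STATES.indexOf(l.state) !== -1) continue; // already being removed
    if (l.privilege === master || l.privilege === systemPrivName) continue;
    count++;
  }
  return count;
}

// Combined decision: "DELETE_MASTER" means the action task would remove the
// master privilege (which then triggers Delete ABAP User); "NO_ACTION" otherwise.
function decide(links, repName, systemPrivName) {
  if (repositoryFlagIsSet(repName) !== 1) return "NO_ACTION";
  return countRemainingPrivs(links, repName, systemPrivName) === 0 ? "DELETE_MASTER" : "NO_ACTION";
}

// Constructed sample: the blog's scenario after RemoveUserMembership has
// marked the role-type privilege for removal (state 513).
var SAMPLE_LINKS = [
  { repository: "ABAP_DEV", privilege: "PRIV:ABAP_DEV:ONLY",            state: 0 },
  { repository: "ABAP_DEV", privilege: "PRIV:SYSTEM:ABAP_DEV",          state: 0 },
  { repository: "ABAP_DEV", privilege: "PRIV:ROLE:ABAP_DEV:Z_EXAMPLE",  state: 513 },
  { repository: "ABAP_PRD", privilege: "PRIV:ABAP_PRD:ONLY",            state: 0 }
];

// Walk through the sample for ABAP_DEV: flag is set and nothing but
// master/system/pending privileges remain, so the master privilege goes.
var SAMPLE_DECISION = decide(SAMPLE_LINKS, "ABAP_DEV", "PRIV:SYSTEM:ABAP_DEV");
```

Note that the pending-removal filter matters: at the moment the switch task runs, the role privilege being revoked may still be linked with state 513/1536, and without excluding those states the count would never reach zero. If the license policy calls for the lock variant mentioned at the top of the post instead of deletion, only the action taken on "DELETE_MASTER" changes (lock the account and set the validity end date rather than remove the master privilege); the counting logic stays the same.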
Kindly provide your feedback regarding this blog and let me know if you have any suggestions or further improvements.
Do let us know how you would handle active users when all other privileges are removed.
Thanks for this interesting explanation.
One thing is still important to mention: because of audit and compliance requirements it is not always allowed to also "delete" the user in a target system when the user does not have any access rights anymore.
Instead of deleting the user, the user record needs to be "locked" in the particular system. With this, any audit report will still be able to find user information, but the user himself will not be able to log on anymore.
SAP IDM can also be configured to handle these types of "user lock mechanisms". You may want to dive deeper into this subject and maybe explain this in a separate blog?
Excellent Post !! Thanks for sharing.
Nice post! I have implemented IDM 8.0 and I'm able to sync an ABAP system; however, I want the users to be able to reset their password with the reset password form (http://host:50000/idm/pwdreset)... I'm unable to find documentation for this... any hint? Is it possible? Must the ABAP users of the remote system exist in the UME database of the Java instance to be able to change the password through pwdreset?
Thanks a lot!