Simona Lincheva

SAP IdM Attestation (user access review) custom IdM processes, UI5 and reporting

Hi all,

This blog covers the options available with the SAP IdM Attestation functionality, starting from the standard IdM processes and extending them with custom developments.

First we have to decide between the attestation options IdM offers in the task setting Get Attesters from:

attest process setup

We can choose between:

  • Task: the attesters are defined in the Attester field below (that is, on the attestation task itself). Note: this gives one attester per attestation process, set in the Attester field.
  • Role/Privilege: the attesters are defined on the role or privilege with the attribute MX_ATTESTER.
  • Manager: the attester(s) will be the manager(s) defined on the user(s) with the attribute MX_MANAGER.
  • User Defined: the attesters are set as context variables in the preprocessing task.

Before starting the implementation we have to review the existing assignment structure (we use SQL queries on the IdM database to produce the report needed to choose the best option):

  • Case 1: if 1000 users are assigned to one privilege and those users have 20 different managers, one task per manager is created with around 50 users inside.
    • But if each manager has 50 users and we run the attestation for all privileges in IdM, and those 50 users hold between 200 and 2000 different roles/privileges, each manager will receive 200 to 2000 tasks or more.
  • Case 2: if 1000 users are assigned to one privilege and the attester attribute is set on that privilege (attester taken from the privilege itself), one task with 1000 users inside is created.
    • In case 2 the privilege approvers can be used as attesters, but the number of tasks created for each attester has to be validated.
    • Attesters with more than 600 privileges to attest may require splitting the tasks between several attesters.
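The sizing check described above, as an added example (not code from the blog): it takes a constructed assignment report (user, privilege, MX_MANAGER of the user, MX_ATTESTER of the privilege) and estimates the tasks and users each attester would receive under the Manager and Role/Privilege options, flagging attesters above a task limit and counting rows for which no attester can be resolved.

```javascript
// Added example (not code from the blog): estimates how many attestation
// tasks each attester would receive under the "Manager" and "Role/Privilege"
// options, from an assignment report such as the SQL query mentioned above.
// Constructed sample rows: user, privilege, the user's MX_MANAGER and the
// privilege's MX_ATTESTER (null where the attribute is not maintained).
const assignments = [
  { user: 'U1', privilege: 'PRIV_A', manager: 'M1', privAttester: 'OWNER1' },
  { user: 'U1', privilege: 'PRIV_B', manager: 'M1', privAttester: 'OWNER1' },
  { user: 'U2', privilege: 'PRIV_A', manager: 'M1', privAttester: 'OWNER1' },
  { user: 'U3', privilege: 'PRIV_A', manager: 'M2', privAttester: 'OWNER1' },
  { user: 'U3', privilege: 'PRIV_C', manager: 'M2', privAttester: 'OWNER2' },
  { user: 'U4', privilege: 'PRIV_B', manager: 'M2', privAttester: 'OWNER1' },
  { user: 'U5', privilege: 'PRIV_C', manager: null, privAttester: 'OWNER2' },
];

// Groups rows into tasks the way IdM would create them: under "Manager" one
// task per (manager, privilege) owned by the manager; under "Role/Privilege"
// one task per privilege owned by its MX_ATTESTER. Rows whose attester cannot
// be resolved are counted separately, since they would get no reviewer.
function tasksPerAttester(rows, mode) {
  const byAttester = new Map();
  let unresolved = 0;
  for (const r of rows) {
    const attester = mode === 'Manager' ? r.manager : r.privAttester;
    if (!attester) { unresolved += 1; continue; }
    const taskKey = mode === 'Manager' ? `${r.manager}|${r.privilege}` : r.privilege;
    if (!byAttester.has(attester)) byAttester.set(attester, new Map());
    const tasks = byAttester.get(attester);
    tasks.set(taskKey, (tasks.get(taskKey) || 0) + 1); // users inside that task
  }
  return { byAttester, unresolved };
}

// One report row per attester, sorted by task count, flagging attesters over
// the task limit the team is willing to accept (the blog uses about 600
// privileges as the point where tasks should be split between more attesters).
function sizingReport(rows, mode, maxTasks) {
  const { byAttester, unresolved } = tasksPerAttester(rows, mode);
  const report = [...byAttester].map(([attester, tasks]) => ({
    attester,
    tasks: tasks.size,
    users: [...tasks.values()].reduce((sum, n) => sum + n, 0),
    overloaded: tasks.size > maxTasks,
  }));
  report.sort((a, b) => b.tasks - a.tasks || a.attester.localeCompare(b.attester));
  return { mode, report, unresolved };
}

for (const mode of ['Manager', 'Role/Privilege']) {
  console.log(JSON.stringify(sizingReport(assignments, mode, 2)));
}
```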

Next step is building the custom UI supporting the attestation process (we recommend SAPUI5 consuming the standard IdM REST services generated from the attestation process):

Attestation UI home page

UI overview

UI overview option 2

In addition the UI can offer some useful functionality:

  • Additional user information
  • Role/privilege description, as the technical name might not be enough
  • For privileges, the back-end system they belong to

Additional user info

UI comment

Info on delegated tasks

Note: users delegated from a task are no longer visible in the initial attester's inbox, but we can still retrieve their number and display a warning when a delegation exists.


Here are most of the REST calls used from the SAPUI5 application (examples):

  • ToDo tab – attester overview (example):
    • /idmrestapi/v2/service/TaskCollection – GET
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments/$count – GET
  • Detail UI
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments – GET
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData – GET
  • Detail Delegate (example)
    • Get users
      • /idmrestapi/v2/service/ET_MX_PERSON?filterBasic=USER_ID – GET
    • Delegate to user
      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='DELEGATE'&DelegateId='12312'&LinkId='31231232112'&Comments='test' – POST
    • Assignments refresh after action
      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments – GET
      • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData – GET
  • Detail REST calls (overview with examples)
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/Assignments – GET
    • /idmrestapi/v2/service/TaskCollection(SAP__Origin='IDM',InstanceID='NxNN')/CustomAttributeData – GET
    • Detail Certify
      • /idmrestapi/v2/service/Decision?InstanceID='NxNN'&SAP__Origin='IDM'&DecisionKey='ATTEST'&Action='CERTIFY'&LinkId='123123123'&Comments='test' – POST
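A small request builder for the calls listed above, as an added example (not code from the blog, from SAP, or from the SAPUI5 application described): the paths and parameter names are taken from the URLs in the post; the X-CSRF-Token header on POST requests is an assumption (usual for SAP REST services), as is the token fetch with a GET carrying "X-CSRF-Token: Fetch".

```javascript
// Added example, not code from the blog or from SAP: builds the IdM REST v2
// requests listed above so the SAPUI5 controller does not concatenate raw
// strings. Paths and parameter names are taken from the URLs in the post;
// the X-CSRF-Token header on POST is an assumption (usual for SAP REST
// services) and has to be fetched first with a GET carrying "X-CSRF-Token: Fetch".
const BASE = '/idmrestapi/v2/service';

// OData-style string literal: wrapped in single quotes, embedded quotes
// doubled, then percent-encoded so a free-text comment cannot smuggle extra
// query parameters (e.g. "&Action=...") into the Decision call.
function odataString(value) {
  return "'" + encodeURIComponent(String(value).replace(/'/g, "''")) + "'";
}

function taskPath(instanceId, origin = 'IDM') {
  return `${BASE}/TaskCollection(SAP__Origin=${odataString(origin)},InstanceID=${odataString(instanceId)})`;
}

// GET requests used by the ToDo tab and the detail screen.
const requests = {
  inbox: () => ({ method: 'GET', url: `${BASE}/TaskCollection` }),
  assignmentCount: (id) => ({ method: 'GET', url: `${taskPath(id)}/Assignments/$count` }),
  assignments: (id) => ({ method: 'GET', url: `${taskPath(id)}/Assignments` }),
  customAttributes: (id) => ({ method: 'GET', url: `${taskPath(id)}/CustomAttributeData` }),
  findUser: (userId) => ({ method: 'GET', url: `${BASE}/ET_MX_PERSON?filterBasic=${encodeURIComponent(userId)}` }),
};

// POST to the Decision service. Only the two combinations shown in the post
// are allowed, so a typo in the controller cannot turn a CERTIFY into
// something else, and the required ids are checked before a URL is produced.
function decision(kind, p) {
  if (!p.instanceId || !p.linkId) throw new Error('instanceId and linkId are required');
  const q = { InstanceID: p.instanceId, SAP__Origin: 'IDM' };
  if (kind === 'certify') {
    Object.assign(q, { DecisionKey: 'ATTEST', Action: 'CERTIFY' });
  } else if (kind === 'delegate') {
    if (!p.delegateId) throw new Error('delegateId is required for DELEGATE');
    Object.assign(q, { DecisionKey: 'DELEGATE', DelegateId: p.delegateId });
  } else {
    throw new Error(`unsupported decision: ${kind}`);
  }
  Object.assign(q, { LinkId: p.linkId, Comments: p.comments || '' });
  const query = Object.entries(q).map(([k, v]) => `${k}=${odataString(v)}`).join('&');
  return { method: 'POST', url: `${BASE}/Decision?${query}`, headers: { 'X-CSRF-Token': p.csrfToken } };
}
```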


Next step is to create and manage the process triggering the attestation in IdM:

IdM UI managing attestations

An important customization here concerns the notifications: the standard functionality sends one notification per task (and in 99% of the cases one attester has 20 to 100 tasks or even more). The additional customization sends the notifications per attester, so each attester receives only one initial and one reminder notification.
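The per-attester notification described above, as an added example (not part of the blog or of the standard IdM notification task): open tasks are grouped by attester and collapsed into one initial or reminder mail each. The task list is constructed, and the field names and the UI link format are assumptions.

```javascript
// Added example, not part of the blog or of the standard IdM notification
// task: collapses the per-task notifications into a single initial or
// reminder mail per attester. The open tasks below are constructed, with the
// field names assumed for what the TaskCollection call returns.
const openTasks = [
  { instanceId: 'N1', attester: 'm.jones', privilege: 'PRIV_FI_READ', users: 40, due: '2024-03-31' },
  { instanceId: 'N2', attester: 'm.jones', privilege: 'PRIV_HR_ADMIN', users: 3, due: '2024-03-15' },
  { instanceId: 'N3', attester: 'k.lee', privilege: 'PRIV_FI_READ', users: 12, due: '2024-03-31' },
];

// alreadyNotified holds attesters who already received the initial mail
// (persisted, e.g., as a custom attribute on the attester); they get a
// reminder instead of a second "new tasks" mail. Returns one mail object per
// attester, which the sending task can hand to the mail queue.
function buildNotifications(tasks, alreadyNotified = new Set(), uiBase = '/attestation') {
  const byAttester = new Map();
  for (const t of tasks) {
    if (!byAttester.has(t.attester)) byAttester.set(t.attester, []);
    byAttester.get(t.attester).push(t);
  }
  const mails = [];
  for (const [attester, list] of byAttester) {
    const kind = alreadyNotified.has(attester) ? 'reminder' : 'initial';
    const earliestDue = list.map((t) => t.due).sort()[0]; // ISO dates sort lexically
    const lines = list
      .sort((a, b) => a.due.localeCompare(b.due))
      .map((t) => `- ${t.privilege}: ${t.users} user(s), due ${t.due}, ${uiBase}#/task/${t.instanceId}`);
    mails.push({
      to: attester,
      kind,
      tasks: list.length,
      users: list.reduce((n, t) => n + t.users, 0),
      earliestDue,
      subject: `${kind === 'initial' ? 'New' : 'Reminder:'} ${list.length} attestation task(s), first due ${earliestDue}`,
      body: lines.join('\n'),
    });
  }
  return mails;
}
```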


The final step of this implementation is the set of reports covering the attestation processes:

  1. report for active tasks – basic report
  2. report for active tasks – detail report with users inside and delegation info
  3. report for delegated tasks (admin report) – detail info with initial attester and delegated attester
  4. report for delegated tasks (self service) – executed from the attesters for themselves
  5. report of privilege/role attestation date
  6. report for expired tasks

I hope that this blog presents a few options and gives a better understanding of the functionality provided within SAP IdM Attestation. SAP IdM provides a number of possible scenarios and great flexibility in the way you decide to implement the process.

This is one possible solution to an audit observation, as the yearly access review is an important process in every company.

I hope this blog is useful; any feedback or questions are welcome 🙂


Kind Regards,

Simona Lincheva


      5 Comments
      Sivajan Kumaran

      Excellent blog Simona. Thanks for sharing!


      Simona Lincheva (Blog Post Author)

      Hi Sivajan,

      Thanks, I’m glad you like it 🙂

      BR,

      Simona

      Rahul Athwani

      Thanks for the blog...very useful.

      Ranjan Kumar Dash

      Excellent, Simona. How can we know which roles are attested and which are not? MXI_ATTESTATION shows only the active attestations.

      Simona Lincheva (Blog Post Author)

      Hi Ranjan,


      You can have a report listing the last attestation date of the role/privilege and whether the attestation is active or not. Here are the attributes you can use for your report:

      MX_ATTEST_ACTIVE

      MX_ATTEST_NEXTDATE

      MX_ATTEST_LASTDATE

      Those attributes are updated by the standard attestation procedure and you can use them to get the attestation info you need.


      BR,

      Simona