Identity Center
Tutorial - Working with roles and privileges
Preface
The product
SAP NetWeaver Identity Center is a high-end identity management solution, capable of
handling a large amount of repositories containing an unlimited amount of information. The
Identity Center offers a robust, flexible and scalable high-availability solution for workflow,
provisioning, data synchronization and joining for a large number of data repositories. The
Identity Center provides a framework for a number of jobs.
The reader
This manual is written for people who need an introduction to the SAP NetWeaver Identity
Management User Interface and the managing of roles and privileges.
Prerequisites
To get the most benefit from this manual, you should have the following knowledge:
General knowledge about the Identity Center and job definitions for instance as described in
SAP NetWeaver Identity Management Identity Center Initial Configuration and SAP
NetWeaver Identity Management Identity Center Tutorial: Basic Synchronization.
General knowledge about provisioning and task definitions as described in SAP NetWeaver
Identity Management Identity Center Tutorial Provisioning.
Knowledge of Microsoft SQL Server or Oracle.
The following software is required:
SAP NetWeaver Identity Management Identity Center version 7.2 or newer must be
correctly installed and licensed.
SAP NetWeaver Identity Management User Interface must be installed and configured for
this Identity Center and identity store (according to SAP NetWeaver Identity Management
Identity Center: Installing the Identity Management User Interface).
An Identity Center where at least one dispatcher has been configured and is running.
The data source used in this tutorial (hr.csv) is stored together with this document on the
SAP Developer Network, SDN (https://www.sdn.sap.com/).
The manual
The manual is a tutorial giving an introduction to the privileges, roles and workflow functions of
the Identity Center.
This tutorial is not a substitution for training.
Person names used in this tutorial are fictional.
Related documents
You can find useful information in the following documents:
SAP NetWeaver Identity Management Identity Center: Installation overview
SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft
SQL Server/Oracle)
SAP NetWeaver Identity Management Identity Center: Installing the Identity Management
User Interface
SAP NetWeaver Identity Management Identity Center Initial Configuration
SAP NetWeaver Identity Management Identity Center Tutorial: Basic Synchronization
SAP NetWeaver Identity Management Identity Center Tutorial Provisioning
For information on SAP NetWeaver see http://help.sap.com.
Table of contents
Introduction
Roles and role-based provisioning
The identity store
Identity Management User Interface
Access control on tasks
Use case
Tasks, roles and privileges
The data source
The data flow and the task structure
Preparations
Section overview
SAP NetWeaver Identity Management Identity Center Tutorial - Working with roles and privileges
Introduction
The purpose of this tutorial is to give an introduction to managing and assigning roles and
privileges, and the SAP NetWeaver Identity Management User Interface. The tutorial shows
how to create roles and privileges, and how to define mechanisms for assigning these to identity
store entries using the User Interface. We create User Interface tasks to create roles and manage
the roles and privileges. The privileges and provisioning tasks are created directly in the Identity
Center Management Console.
The use of temporary roles is also supported for cases where a role should be assigned for a
limited time. A role can be defined with a time limit, and when this time limit is reached, the
account is automatically de-provisioned.
This entry type is used to hold a value which may be added to the entry in
the future, either as part of an approval process at a given time, or by a
manual operation.
MX_PERSON
A person entry with attributes describing a person, such as first name, last
name, telephone number, e-mail address etc. In addition, it can be assigned
to any number of roles and privileges.
MX_PRIVILEGE
MX_ROLE
The SAP NetWeaver Identity Management User Interface is configured from the Management
Console. A workflow is started every time a provisioning request is initiated. The User Interface
can be used to:
Collect identity information from the specific individuals.
Enforce single- or multi-stage approvals from authorized personnel.
Generate notifications to designated users when manual actions need to be performed, or
report the outcome of completed tasks.
Execute new workflow tasks (such as notifications and escalation) when pre-defined timeouts are reached.
Referral, where the access is given through a referral via an attribute specified with the
"Referral attribute" field. The task is available to all users who are referred to by the given
referral attribute.
The MSKEYVALUE attribute of the entry is used for identification. Also note that multiple
access control rules can be defined in each task.
When defining on which (on behalf of which) entries a task can be executed, the following
options can be used:
Everybody.
Logged-in user or identity store entry/self service: a given user, privilege or role, meaning
that the task can be executed on the given user, on all users with the given privilege or on all
users with the given role.
Relational access control, where subject-object relations determine the access rights the
subject has on the object. The subject is always a person, namely the logged-in user (Self,
Manager, Owner, Role Manager, Group Manager, Dynamic Group Manager, Privilege
Manager, Role Member, Dynamic Group Member, Privilege Member, Group Member,
Member of same role/privilege/group/dynamic group, Anonymous).
Filter: a filter (typically an SQL statement) can be used to define the set of entries on behalf
of which the task can be executed. Complex access control (filters) should be avoided
because it is very costly at runtime; relational access control is preferred whenever
possible.
Use case
The use case in this tutorial models physical access control in a building (workplace).
This task is used to create roles in the identity store. The attribute
MSKEYVALUE is used to identify the roles and the typical value could be
ROLE:Employee.
Delete role
This task is used to manage the roles to modify some information about
the role. Here we can build the hierarchy by adding child roles and we
can connect privileges to the role.
Assign role
This task is used to assign a role to a user. You can add new or remove
existing role members.
Edit user
This task is used to edit information about users, e.g. phone number,
email, privileges and roles.
Two provisioning tasks are also created, one for provisioning and one for de-provisioning of
users for the repository definition BUILDING. Every time a user is given a particular privilege,
a file will be created (containing the timestamp of when the privilege was assigned to the user)
and provisioned to the respective folder:
#Building_AddEntry
#Building_RemoveEntry
ROLE:IT
ROLE:Adm
ROLE:Manager
This role has two child roles ROLE:IT and ROLE:Adm, and thus
inherits the privileges PRIV:MainEntrance, PRIV:ServerRoom and
PRIV:ArchiveRoom.
This privilege gives the users the right to access the building (main
entrance).
PRIV:ServerRoom
The privilege gives the user access to the server room. Often given to
IT personnel.
PRIV:ArchiveRoom
The privilege gives the user access to the archive. Often given to the
administration staff.
There is a job (Employees to identity store) that reads the data from the source file hr.csv and
updates the entries in the identity store. The entry type for these entries is MX_PERSON.
We create three privileges (PRIV:MainEntrance, PRIV:ServerRoom and PRIV:ArchiveRoom)
that we can assign to the entries. The privileges contain links to the repository definitions which
again contain links to the tasks that are executed when the privilege is assigned or removed.
The task structure is shown in the illustration above.
Preparations
Before you proceed with the tutorial, there are a couple of things that must be specified:
We create a global constant containing the path to the directory where the data source file
hr.csv (downloaded together with this tutorial) is to be stored.
To be able to reference the files created in this tutorial in a uniform way, we create a global
constant containing the path to the directory where the target repository for the files (folder
building) is to be placed.
To be able to view the log information shown in this tutorial, you must make sure that the
log level for the system log is set to "Info".
When a user is given a particular privilege, a file is created (containing the timestamp of
when the privilege was assigned to the user) and provisioned to the respective folder. The
file name follows the naming convention <MSKEYVALUE of the provisioned user>-<cleaned
MSKEYVALUE of the privilege>.txt, e.g. 3001-PRIV_MainEntrance.txt. The cleaned
MSKEYVALUE of the privilege is the MSKEYVALUE with the colon (":") replaced by an
underscore ("_"): for the MSKEYVALUE "PRIV:MainEntrance" the cleaned MSKEYVALUE
is "PRIV_MainEntrance". The reason is that a colon (":") cannot be used in a file name. Two
JavaScript scripts are used for this purpose: SavePrivilegeMSKEYtoContextVar and
GetPrivilegeMSKEYVALUEclean.
Specify the name of the constant and the directory where the file is to be stored. Make sure
that the directory actually exists (create the folders Tutorial and Source).
2. Choose "OK" to close the dialog box and add the constant.
Specify the name of the constant and the directory where the folders are to be stored. Make
sure that the directory actually exists (create the folder Target).
2. Choose "OK" to close the dialog box and add the constant.
3. Choose "OK".
Define the following script (you can copy and paste the script defined under and replace the
template definition):
// Main function: SavePrivilegeMSKEYtoContextVar
// Called from the "To Generic" pass of the Get privilege MSKEY task with the
// MSKEY of the assigned privilege (MX_ATTRIBUTE_VALUE of the pending value) as Par.
function SavePrivilegeMSKEYtoContextVar(Par){
    //--- Save the assigned privilege (MSKEY) to the context variable "AssignedPrivilege"
    var OutString = uSetContextVar("AssignedPrivilege", Par);
    //--- Return the MSKEY unchanged so the pass definition keeps its value
    return Par;
}
3. Choose "OK".
Define the following script (you can copy and paste the script defined under and replace the
template definition):
// Main function: GetPrivilegeMSKEYVALUEclean
// Called from the Shell execute pass of the Add/Delete file tasks; Par is not used.
function GetPrivilegeMSKEYVALUEclean(Par){
    //--- Got MSKEY of the assigned privilege (stored in the context
    //    variable "AssignedPrivilege"), now get the MSKEYVALUE
    var PrivilegeMSKEY = uGetContextVar("AssignedPrivilege");
    var PrivMSKEYVALUE = uIS_GetValue(PrivilegeMSKEY, 0, "MSKEYVALUE");
    //--- Replace : with _ in MSKEYVALUE, to make it more "file name friendly"
    var PrivMSKEYVALUEclean = uReplaceString(PrivMSKEYVALUE, ":", "_");
    return PrivMSKEYVALUEclean;
}
Section overview
The tutorial consists of the following sections:
Section 1: Building the identity store
Fill in the file name. Use the context menu to insert the global constant
TUTORIAL_SOURCE created earlier.
5. Choose "Next >", and then "Finish" to insert the new repository definition.
Modify the name of the job in the console tree (to Employees to identity store).
Enable the job and select a dispatcher.
3. Choose "Apply".
This job will contain two passes; one to read the source (ASCII) file hr.csv into the temporary
table (tutorial_employees), and another to read from this table into the identity store. This must
be done in a single job. The reason is that the first pass will delete the temporary table every
time it executes, and then fill it with the data from the hr.csv file. If the second pass was a
separate job (which could then be run asynchronously from the first), it could start just when the
table was deleted or just partly filled, and then remove the missing people from the identity
store.
Enter Read employees as the name of the pass in the console tree.
Repository
Select the "EMPLOYEES" in the "Repository" list.
File name
Use the context menu to insert the repository constant %$rep.FILENAME% that refers to
the file name.
Field separator
Enter a comma sign (,) as the field separator.
Header line
Make sure that "Header line" is selected.
Database
Use the context menu to insert the system parameter %$ddm.identitycenter%.
SQL statement
Enter the SQL statement to select all rows from the table created in the previous pass
(SELECT * FROM tutorial_employees).
Identity store
Make sure that the identity store "Enterprise People" is selected.
Entry type
Select the entry type "MX_PERSON".
Definitions
Choose "Insert template" and select "Data source template" to insert the definitions for the
pass.
Modify the definition to use the attributes from the entry type. You can use the context
menu to find the destination attributes. Give the attribute MSKEYVALUE the EmployeeID
values, and add the attribute DISPLAYNAME constructed of employee's first and last name
(as shown above).
3. Choose "Apply".
Provide the credentials in the log-in window (of the user with access to "Manage" tab in the
User Interface).
2. Choose "Log on".
Make sure that the "Person" is selected in the "Show" field and choose "Go".
4. Verify that the entries are present in the identity store.
Run the job a couple of times and view the job log. You can observe that the first time the job is
run after the delta is enabled, 50 entries are modified, while the next time, the job detects that
the entries are unmodified.
Note:
The count is the total for the job, including the entries handled by the "Read employees" pass.
These entries are always included in the "Add" column, as no delta has been defined for this
pass.
Specify the name of the constant (PATH) and the directory where the target files are to be
stored. Use the context menu to insert the constant %$glb.TUTORIAL_TARGET%.
6. Choose "OK" to close the dialog box and insert the constant.
Name
Enter the name of the privilege.
Repository
Select the correct repository definition for this privilege. By adding the repository reference
to the privilege, you could re-use the tasks for other privileges controlling other folders.
2. Choose "OK" to close the dialog box and insert the new privilege.
3. Repeat the process for privileges PRIV:ServerRoom and PRIV:ArchiveRoom.
Modify the task name in the console tree (to Create role) and enable the "UI task" option.
Select "Logged-in user or identity store entry" in the "Allow access for" list.
Enter the name of the identity store user with the access to the "Manage" tab in the User
Interface (here Administrator). You might use "Check name" to ensure that the name you
entered is correct and exists. This allows the administrator user to create new roles.
5. Choose "OK".
6. Choose "Apply".
Modify the task name in the console tree (to Edit role properties) and enable the "UI task"
option.
Modify the task name in the console tree (to Assign role).
Modify the task name in the console tree (to Delete role) and enable the "UI task" option.
Select "MX_ROLE" as entry type. If necessary, use "Up" or "Down" buttons to arrange the
attributes as shown above.
3. Choose "Apply".
4. Select the "Access control" tab and define access for the administrator user as done for the
previous tasks.
5. Choose "Apply".
To be able to actually delete a role, it is necessary to create a separate action task and job for
doing this.
6. Select the task and choose New/Action task/Empty job from the context menu.
The task and the job are inserted in the console tree.
7. Select the job in the console tree:
8. Enable the job, select the dispatcher to run the job, and choose "Apply".
Copyright 2011 SAP AG. All rights reserved.
9. Select the job in the console tree and choose New/To Identity store from the context menu.
Modify the task name in the console tree (to Edit user) and enable the "UI task" option.
Creating roles
Use the User Interface task Create role to create the following roles:
ROLE:Employee
ROLE:IT
ROLE:Adm
ROLE:Manager
To create the roles in the User Interface do the following:
1. Access the User Interface (enter http://<host>:<port>/idm in your browser, provide the
credentials and log in).
2. Select the "Manage" tab.
Make sure that the "Role" is selected in the "Show" field and choose "Go". Since we have
no roles in the identity store yet, an empty list will be returned.
3. Choose "Create" or "Choose Task" (both will display the same in this case).
Tasks available for the entry type MX_ROLE will be displayed in the "User Interface tasks"
folder. Expand the folder and select the task "Create role".
Note:
By choosing "Add to Favorites" you can add a task button for easier access to the task:
4. Choose "Choose Task" and the Create role task will open in a new window:
Fill in the fields "Unique ID" and "Display name" as shown above. Optionally, a short
description of the role can be given.
5. Choose "Save" and then close the task.
6. Repeat this until all four (4) roles are created.
Note:
You may have to choose the "Refresh" button to update the User Interface. After refreshing,
choose the "Manage" tab, make sure that the "Role" is selected in the "Show" field and choose
"Go".
Tasks available for the chosen entry will be displayed. Expand the folder "User Interface
tasks" to see the tasks available.
3. Select the task "Edit role properties".
Note:
You can add a shortcut button for the task Edit role properties by adding the task to
favorites as done for the task Create role in the previous section.
4. Choose "Choose Task" and the task Edit role properties will open in a new window.
In the left pane (Available) in the "Child Roles" section, choose "Search". This lists all
available roles.
5. Select the role "ROLE:Employee" and choose "Add" to add it as the child role.
6. Choose "Save" and then close the task. The role ROLE:Employee is now added as the child
role of the role ROLE:IT.
7. Repeat the steps for other roles to complete the hierarchy:
Role name       Child role(s)
ROLE:Adm        ROLE:Employee
ROLE:Manager    ROLE:Adm, ROLE:IT
In the Identity Center Management Console (Identity store metadata\Roles), you can
observe the role hierarchy you just built:
In the left pane (Available) in the "Assigned privileges" section choose "Search" to list all
privileges available.
3. Select the privilege "PRIV:MainEntrance" and choose "Add".
4. Choose "Save" and then close the task.
5. Repeat the steps for other roles:
To the ROLE:IT role, add the privilege PRIV:ServerRoom
To the ROLE:Adm role, add the privilege PRIV:ArchiveRoom
Deselect "Show folder in User Interface" as the tasks in this folder should not be displayed
in the User Interface.
3. Choose "Apply".
The ordered task group #BUILDING_AddEntry will create a file in the building folder. The
contents of the file are date and time when the user was provisioned.
The task group contains two tasks:
The task Get privilege MSKEY: the task operates on the pending value object (entry type
MX_PENDING_VALUE) to retrieve the MSKEY of the assigned privilege and save it to a
context variable by calling a script SavePrivilegeMSKEYtoContextVar. A "To Generic" pass
(rather than a "To Custom" pass) is used, which provides a simple way of implementing
this. Information provided by the Get privilege MSKEY task is used to create the filename,
by the next task Add file to building folder.
The task Add file to building folder: the task operates on the entry type MX_PERSON and
adds a file named <MSKEYVALUE of the provisioned user>-<cleaned MSKEYVALUE of the
privilege>.txt to the specified directory.
Note:
This is given as an example only; there are no checks for illegal characters in the file
name.
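As an added example (not part of the tutorial and not SAP code), a stand-alone JavaScript version of the file-name step that supplies the checks the note says are missing: it extends the tutorial's ":" to "_" replacement to every character Windows rejects in a file name, accepts only a conservative character set for the user's MSKEYVALUE because that value is pasted verbatim into the cmd /c line, and assembles the same echo command the Shell execute pass runs. The function names, the regular expressions, the 64-character limit and the sample values are my own; the Identity Center helpers (uReplaceString etc.) are replaced by plain Node.js code.

```javascript
// Added example, not from the tutorial: builds and checks the file name
// <MSKEYVALUE of user>-<cleaned MSKEYVALUE of privilege>.txt in plain JavaScript
// (Node.js), without the Identity Center helper functions such as uReplaceString.

// Characters that are not allowed in a Windows file name, plus control characters.
const WINDOWS_ILLEGAL_CHARS = /[<>:"\/\\|?*\x00-\x1f]/g;
// Device names Windows reserves, with or without an extension (CON.txt is still CON).
const WINDOWS_RESERVED_NAMES = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;
// The user's MSKEYVALUE goes unchanged into the file name and into the
// "cmd /c echo ... > ..." line, so only a conservative character set is accepted
// (assumed limit of 64 characters; adjust to your MSKEYVALUE convention).
const USER_MSKEYVALUE_PATTERN = /^[A-Za-z0-9._-]{1,64}$/;

// Same operation as the tutorial's GetPrivilegeMSKEYVALUEclean (":" -> "_"),
// extended to every illegal character. "PRIV:MainEntrance" -> "PRIV_MainEntrance".
function cleanPrivilegeMskeyvalue(privMskeyvalue) {
  return String(privMskeyvalue).replace(WINDOWS_ILLEGAL_CHARS, "_");
}

// File name for one (user, privilege) assignment, e.g. "3001-PRIV_MainEntrance.txt".
// Throws instead of producing a name that cmd.exe or NTFS would interpret differently.
function buildProvisionFileName(userMskeyvalue, privMskeyvalue) {
  if (!USER_MSKEYVALUE_PATTERN.test(String(userMskeyvalue))) {
    throw new Error("user MSKEYVALUE rejected: " + JSON.stringify(userMskeyvalue));
  }
  const cleaned = cleanPrivilegeMskeyvalue(privMskeyvalue);
  if (cleaned.length === 0 || /^[_.]+$/.test(cleaned) || WINDOWS_RESERVED_NAMES.test(cleaned)) {
    throw new Error("privilege MSKEYVALUE yields no usable file name: " + JSON.stringify(privMskeyvalue));
  }
  return userMskeyvalue + "-" + cleaned + ".txt";
}

// The command the "Add file to building folder" Shell execute pass runs, with
// %$rep.PATH%, %MSKEYVALUE%, %$ddm.date% and %$ddm.time% already substituted.
// targetFolder is the PATH repository constant, i.e. trusted configuration.
function buildAddEntryCommand(targetFolder, userMskeyvalue, privMskeyvalue, dateTime) {
  const fileName = buildProvisionFileName(userMskeyvalue, privMskeyvalue);
  return 'cmd /c echo Privilege assigned ' + dateTime + ' > "' + targetFolder + '\\' + fileName + '"';
}

// Constructed sample input: one user from hr.csv with the three tutorial privileges,
// followed by a privilege value that a colon-only replacement would have let through.
const SAMPLE_ASSIGNMENTS = [
  ["3001", "PRIV:MainEntrance"],
  ["3001", "PRIV:ServerRoom"],
  ["3001", "PRIV:ArchiveRoom"],
  ["3001", "PRIV:Archive*Room|2"],
];

function demo() {
  for (const [user, priv] of SAMPLE_ASSIGNMENTS) {
    console.log(buildAddEntryCommand("C:\\Tutorial\\Target\\building", user, priv, "2011-05-10 09:00:00"));
  }
}
demo();
```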
To create the ordered task group "#BUILDING_AddEntry":
1. Select the folder you just created and choose New/Ordered task group from the context
menu.
Select "Wait for event tasks". This specifies that the result handling should wait for all
related event tasks to be completed before any result handling is performed.
3. Choose "Apply".
The ordered task group is now created and the two tasks can be added.
Modify the task name in the console tree (to Get privilege MSKEY).
Modify the job name (Get privilege MSKEY) and the properties:
Enabled
Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers
Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".
5. Select "Scripts" in the console tree (under the job), then choose New/Link global script and
select "SavePrivilegeMSKEYtoContextVar" to establish the link to the global script
SavePrivilegeMSKEYtoContextVar:
6. Create a new script (select New/Script from context menu) called "Dummy", which
returns no values (will be used by the pass created below):
7. Select the job and choose New/To Generic to create a pass in the console tree.
In the "Source" tab, make sure that the "Retrieve attributes from pending value" option is
enabled.
In a "To Generic" pass, for each entry in the temporary database the script specified in the
"Next data entry" field is run and the destination is updated using the contents of the
"Definitions" field. In this example, the script "Dummy" is not returning any values and an
attribute is defined in the definitions storing the privilege MSKEY by calling the global
script SavePrivilegeMSKEYtoContextVar:
In the "Next data entry" field, enter the script "Dummy" created previously.
In the definitions, add the attribute "PrivilegeMSKEY" and as the value define
$FUNCTION.SavePrivilegeMSKEYtoContextVar(%MX_ATTRIBUTE_VALUE%)$$. Use the context menu to
insert the script call and the attribute MX_ATTRIBUTE_VALUE.
9. Choose "Apply".
Modify the task name in the console tree (to Add file to building folder).
Modify the job name (Add file to building folder) and properties:
Enabled
Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers
Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".
5. Select "Scripts" in the console tree (under the job), then choose New/Link global script and
select "GetPrivilegeMSKEYVALUEclean" to establish the link to the global script
GetPrivilegeMSKEYVALUEclean:
6. Select the job and choose New/Shell execute to create a pass in the console tree. Select the
"Source" tab:
Select "MX_PERSON" in the "Source entry type" field and make sure that "Retrieve
attributes from pending value" is deselected.
7. Select the "Destination" tab:
Add the following line to the definitions (you can use the context menu to insert the
constants/attributes/scripts or copy and paste the lines below):
cmd /c echo Privilege assigned %$ddm.date% %$ddm.time% >
"%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetPrivilegeMSKEYVALUEclean(???)$$.txt"
8. Choose "Apply".
Choose "" to the right of the "Add task" field to browse for the correct add member task
(#BUILDING_AddEntry).
2. Choose "Apply".
Now the link is defined on the BUILDING repository definition.
Running #BUILDING_AddEntry
To run the ordered task group "#BUILDING_AddEntry", use the task "Assign role" in the User
Interface to assign a role to an entry:
1. In the User Interface, select "Manage" tab:
2. Make sure that the "Person" is selected in the "Show" field and choose "Go".
Tasks available for the entry type MX_PERSON will be displayed in the "User Interface
tasks" folder. Expand the folder and select the task "Assign role".
Note:
By choosing "Add to Favorites" you can add a task button for easier access to the task:
4. Choose "Choose Task". The "Assign role" task opens in a new window.
Note:
Multiselect of the roles is enabled.
6. Choose "Next". As the next step, you are asked to enter details for the assignment.
9. Repeat the process for the other roles provisioning to the building folder:
Entry          Role
Entry "3002"   ROLE:IT
Entry "3003"   ROLE:Adm
Entry "3004"   ROLE:Manager
Troubleshooting
If any problems should occur during the execution, you can check some of the following:
Verify that the dispatcher is running and that it is enabled for provisioning jobs.
Verify that all tasks and jobs are enabled.
Verify that the job has been defined for the given dispatcher.
View the logs.
System log
Verify that the dispatcher has requested the given job.
Job log
View any error messages in the job log to see if you can find the cause of the problem.
If you need to investigate a job more thoroughly, you can specify a different log file name
for the job in the "Logging" tab of the job properties. You can also deselect the check box
"Reset log file" to avoid overwriting the log file each time the job is run. This can be useful
when debugging a provisioning job that may be run several times in sequence.
If you need more logging info from a specific job, you can create a specific dispatcher and
increase the log level in the dispatcher's .prop file. Specify that the job is to be run by this
specific dispatcher. Make sure that the dispatcher is not running. To run the job, start the
dispatcher from the command line with the following command:
dispatcher_service_<dispatcher name> test runonce
The job will then be run once and a detailed log file will be created.
Modify the task name in the console tree (to Delete file from building folder).
Modify the job name (Delete file from building folder) and the properties:
Enabled
Select this check box to enable the job to be run by a dispatcher.
Run by dispatchers
Select a dispatcher that should be responsible for running this job.
4. Choose "Apply".
5. Select "Scripts" in the console tree (under the job), then choose New/Link global script and
select "GetPrivilegeMSKEYVALUEclean" to establish the link to the global script
GetPrivilegeMSKEYVALUEclean:
6. Select the job and choose New/Shell execute to create a pass in the console tree. Select the
"Source" tab:
Select "MX_PERSON" in the "Source entry type" field and make sure that "Retrieve
attributes from pending value" is deselected.
7. Select the "Destination" tab:
Add the following line to the definitions (you can use the context menu to insert the
constants/attributes/scripts or copy and paste the lines below):
cmd /c Del "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetPrivilegeMSKEYVALUEclean(???)$$.txt"
8. Choose "Apply".
Now #BUILDING_RemoveEntry can be defined on the repository definition BUILDING as the
remove member task:
Running #BUILDING_RemoveEntry
To run the ordered task group "#BUILDING_RemoveEntry", use the task "Edit user" in the
User Interface to remove a role from an entry:
1. Remove "ROLE:Employee" from entry "3001":
Under "Member of Role", in the right pane (Assigned) the roles assigned to the entry are
displayed. Select the assigned "ROLE:Employee".
2. Choose "Delete".
Expand the "User Interface tasks" folder and select the task "Delete role" in the list of the
available tasks.
Provisioning and de-provisioning tasks for entries defined on the repository definition AD.
Master privilege
Here the master privilege is defined. Choose "" to open the "Add entry" dialog box. Search
for and select the master privilege, then choose "OK" to close the dialog box.
Missing
This policy setting is used when assigning a privilege and the master privilege is not (yet)
assigned. The only privilege policy setting option available is "Wait". This means that the
pending value object for the privilege is created and the task is in the "Wait" mode, waiting for
the master privilege to be assigned. The execution of the pending value object task is started as
soon as the master privilege is assigned. If the master privilege is already defined, the execution
continues immediately.
Pending
This policy setting is used when the status of the master privilege is "pending", i.e. the add
member event task is still executed. The only privilege policy setting option available is "Wait".
This means that the pending value object for the privilege is created and the task is in the "Wait"
mode, waiting for the master privilege to be assigned. The execution of the pending value object
task is started as soon as the master privilege is assigned. If the master privilege is already
defined, the execution continues immediately.
Removing
This policy setting is used when the status of the master privilege is "removing", i.e. the
privilege has been removed and the removal task (remove member event task) is still executing
(pending remove). The only privilege policy setting option available is "Wait". This means that
the pending value object for the privilege is created and the task is in the "Wait" mode, waiting
for the master privilege to be assigned. The execution of the pending value object task is started
as soon as the master privilege is assigned. If the master privilege is already defined, the
execution continues immediately.
Timeout
The timeout (MX_PRIV_REQ_TIMEOUT) indicates how long the task should wait for the
missing, pending or removing master privilege. Default value is two weeks. If the value is "0"
(zero) or missing, it means no timeout. When the time expires, the task will enter error state, and
the error processing will be executed. The task may then assign/not assign the privilege.
No master task
Here a task is defined, which is executed if the master privilege is missing and the policy is
"Wait". This task is executed when a privilege that requires the presence of the master privilege
is assigned. The "No master" task is typically used to assign the master privilege by assigning
the privilege directly or by assigning a role that references the privilege. When the master
privilege is assigned, any assignments waiting for the master privilege will also be assigned.
Choose "" to open the "Select task" dialog box, then browse and select the task. Choose "OK"
to close the dialog box.
Note:
There is no automatic removal of a master privilege assigned with the "No master" task if all
depending privileges are removed from an entry.
Check interval
This attribute is used to define the check interval when waiting for the master privilege to be
assigned. Default check interval value is 30 seconds.
Choose "Apply" to save the configuration on the repository definition.
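As an added example (not SAP code), a JavaScript model of the "Wait" behaviour described above: the dependent privilege checks the master privilege once per check interval, executes as soon as the master is assigned, keeps waiting while the master is missing, pending or removing, and enters the error state when the timeout elapses, with 0 or a missing timeout meaning no timeout. The status names, option names, timeline helpers and the maxChecks guard are my own; the two-week timeout and the 30-second check interval are the defaults stated on the page.

```javascript
// Added example, not from the tutorial: simulates a pending value object that
// waits for its master privilege under the "Wait" policy described above.
const DEFAULT_TIMEOUT_SECONDS = 14 * 24 * 60 * 60; // MX_PRIV_REQ_TIMEOUT default: two weeks
const DEFAULT_CHECK_INTERVAL_SECONDS = 30;          // default check interval
const WAIT_STATUSES = new Set(["missing", "pending", "removing"]);

// masterStatusAt(seconds) reports the master privilege's status `seconds` after the
// dependent privilege was requested: "missing", "pending", "removing" or "assigned".
// options.timeoutSeconds: 0, null or undefined means no timeout (as on the page);
// pass DEFAULT_TIMEOUT_SECONDS for the default. options.checkIntervalSeconds defaults
// to 30. options.maxChecks (my own guard) stops a no-timeout simulation from running forever.
function simulatePendingValue(masterStatusAt, options = {}) {
  const timeout = options.timeoutSeconds;
  const noTimeout = timeout === undefined || timeout === null || timeout <= 0;
  const interval = options.checkIntervalSeconds || DEFAULT_CHECK_INTERVAL_SECONDS;
  const maxChecks = options.maxChecks || 100000;
  let waited = 0;
  for (let checks = 1; ; checks += 1) {
    const status = masterStatusAt(waited);
    // Master present: the pending value object task executes right away.
    if (status === "assigned") return { outcome: "executed", waitedSeconds: waited, checks };
    if (!WAIT_STATUSES.has(status)) throw new Error("unknown master privilege status: " + status);
    // Timeout reached: the task enters the error state and error processing decides.
    if (!noTimeout && waited >= timeout) return { outcome: "error", waitedSeconds: waited, checks };
    if (checks >= maxChecks) return { outcome: "waiting", waitedSeconds: waited, checks };
    waited += interval; // sleep for one check interval, then look again
  }
}

// Constructed timelines for the cases on the page.
function masterAlreadyAssigned() { return "assigned"; }
function masterAssignedAfter(seconds) { return (t) => (t >= seconds ? "assigned" : "pending"); }
function masterNeverAssigned() { return "missing"; }

function demo() {
  console.log(simulatePendingValue(masterAlreadyAssigned));
  console.log(simulatePendingValue(masterAssignedAfter(95), { timeoutSeconds: DEFAULT_TIMEOUT_SECONDS }));
  console.log(simulatePendingValue(masterNeverAssigned, { timeoutSeconds: DEFAULT_TIMEOUT_SECONDS }));
  console.log(simulatePendingValue(masterNeverAssigned, { timeoutSeconds: 0, maxChecks: 100 }));
}
demo();
```

With the default timeout a never-assigned master produces an error after 40321 checks (two weeks at 30 seconds), while timeout 0 waits until the guard stops the simulation.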