
How to provision account definitions dynamically depending on assigned permissions of Targetsystem?

Hi

We have some target systems, mainly LDAP based and SAP, where an account shall only be provisioned if an entitlement is assigned to the identity.

This is how it is supposed to work:
User orders a business role or gets a business role dynamically assigned.
Business roles contain one or more system roles.
System roles contain one or more entitlements of a target system (System X).

The idea would be
Create a separate role class "Account Assignments"
Create a business role "Account Definitions System X"
Assign the Account Definition for System X to the Business role.
Create dynamic Role for the Business role.
In the dynamic Role:

-> Evaluate all Identities with any entitlements for System X.

so all Identities with any entitlement would get an account.

Does anyone have an idea how to
-> Evaluate all Identities with any entitlements for System X.

Is this a good approach, or are there better methods?

Any help or comments are greatly appreciated.

Very kind regards,

Edi.

  • Hello Edi,

    I suggest the following approach:

    - Create a new business role (Org) that is assigned to your Account Definition
    - Create a new dynamic rule (DynamicGroup) that is assigned to your newly created business role
    - Define in the dynamic rule, based on the Person table, all persons that have a role including an entitlement of your target system
    - Example for LDAP:
    select * from Person where
    exists (select 1 from PersonHasESet phe join ESet e on phe.UID_ESet = e.UID_ESet
    join ESetHasEntitlement ehe on e.UID_ESet = ehe.UID_ESet
    join LDAPGroup l on ehe.Entitlement = l.XObjectKey
    -- correlate the subquery to the outer Person row; without this the EXISTS is true for every person as soon as any person holds such a role
    where phe.UID_Person = Person.UID_Person)

    This SQL determines all persons that have a role (PersonHasESet) that is associated with an LDAP entitlement (ESetHasEntitlement).

    HTH Fatih
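The dynamic-rule condition from this answer, replayed as an added example (not part of the thread) in Python with SQLite over constructed sample tables. It assumes the table and column names exactly as posted and shows why the EXISTS subquery must be correlated to the outer Person row: uncorrelated, every identity matches and would receive an account, whether or not it holds an entitlement.

```python
"""Added example (not from the forum thread): replay the dynamic-group condition
against constructed One Identity Manager-style tables in SQLite to show that an
uncorrelated EXISTS matches every person, while the correlated form matches only
persons whose own system role carries an LDAP group."""
import sqlite3

# Constructed sample data; table and column names follow the thread's SQL.
SCHEMA = """
CREATE TABLE Person (UID_Person TEXT PRIMARY KEY, CentralAccount TEXT);
CREATE TABLE ESet (UID_ESet TEXT PRIMARY KEY, Ident_ESet TEXT);
CREATE TABLE PersonHasESet (UID_Person TEXT, UID_ESet TEXT);
CREATE TABLE ESetHasEntitlement (UID_ESet TEXT, Entitlement TEXT);
CREATE TABLE LDAPGroup (UID_LDAPGroup TEXT PRIMARY KEY, XObjectKey TEXT);
"""
ROWS = {
    "Person": [("P1", "alice"), ("P2", "bob"), ("P3", "carol")],
    "ESet": [("E1", "LDAP Readers"), ("E2", "SAP Finance")],
    "PersonHasESet": [("P1", "E1"), ("P2", "E2")],   # carol holds no role at all
    "ESetHasEntitlement": [("E1", "<Key><T>LDAPGroup</T><P>G1</P></Key>"),
                           ("E2", "<Key><T>SAPGroup</T><P>S1</P></Key>")],
    "LDAPGroup": [("G1", "<Key><T>LDAPGroup</T><P>G1</P></Key>")],
}

# Uncorrelated EXISTS as posted: true for everyone once any matching row exists.
UNCORRELATED = """SELECT CentralAccount FROM Person WHERE EXISTS (
  SELECT 1 FROM PersonHasESet phe JOIN ESet e ON phe.UID_ESet = e.UID_ESet
  JOIN ESetHasEntitlement ehe ON e.UID_ESet = ehe.UID_ESet
  JOIN LDAPGroup l ON ehe.Entitlement = l.XObjectKey)"""
# Correlated on UID_Person: only persons whose own role maps to an LDAP group.
CORRELATED = """SELECT CentralAccount FROM Person WHERE EXISTS (
  SELECT 1 FROM PersonHasESet phe JOIN ESet e ON phe.UID_ESet = e.UID_ESet
  JOIN ESetHasEntitlement ehe ON e.UID_ESet = ehe.UID_ESet
  JOIN LDAPGroup l ON ehe.Entitlement = l.XObjectKey
  WHERE phe.UID_Person = Person.UID_Person)"""

def evaluate(condition: str) -> list[str]:
    """Run a dynamic-group style condition and return the matching accounts, sorted."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return sorted(r[0] for r in con.execute(condition))

if __name__ == "__main__":
    print("as posted :", evaluate(UNCORRELATED))   # every person, carol included
    print("correlated:", evaluate(CORRELATED))     # only alice
```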