
How to provision account definitions dynamically depending on assigned permissions of target system?

Hi

We have some target systems, mainly LDAP based and SAP, where an account shall only be provisioned if an entitlement is assigned to the identity.

This is how it's supposed to work:
User orders a business role or gets a business role dynamically assigned.
Business roles contain one or more system roles.
System roles contain one or more entitlements of a target system System X.

The idea would be
Create a separate role class "Account Assignments"
Create a business role "Account Definitions System X"
Assign the Account Definition for System X to the Business role.
Create dynamic Role for the Business role.
In the dynamic Role:

-> Evaluate all Identities with any entitlements for System X.

so all Identities with any entitlement would get an account.

Does someone have an idea how to
-> Evaluate all Identities with any entitlements for System X.

Is this a good approach, or are there better methods?

Any help or comments are greatly appreciated.

Very kind regards,

Edi.

  • Hello Tarigh

    Unfortunately, after looking into this in more depth, I've found that the solution won't work.
    The table PersonHasObject will only have the entries for LDAP groups *after* the account definition is assigned to the Person.
    If no account definition is assigned to the identity yet, there won't be any LDAP groups assigned in this table for that identity.
    So it's like the hen and egg problem.

    Sorry, the approach was really promising.
    If you or someone has another approach, it's really appreciated.

    Best regards,
    Edi