• State Suggested Answer
  • Replies 12 replies
  • Answers 1 answer
  • Subscribers 95 subscribers
  • Views 1900 views
  • Users 0 members are here
Options
Related

SAP Role removals - XisInEffect False

Enrico Baffa
over 1 year ago

Hi forum!

I’m using One Identity Manager 9.1. At the end of the first synchronization of an SAP Environment, I can see that some SAPUSerINSAProle_Delete processes are triggered.
For this SAP Connector I used a custom template I saved from a previous SAP connector configuration. It is a customized version of the Base administration template of SAP Connector. It simply contains some mapping disabled on SAP user and some disabled workflows of synchronization and provisioning.
I checked these Processes and they have been triggered after the user ‘SAP_ZUserInSAPRole’ updated the XIsInEffect field of the objects in SAPUserInSAPRole, setting the field as False.
Only a group of roles have been updated and deleted for a group of user accounts.
I checked these memberships, and the removed ones are ‘redundant’. This happened only for some users. 


Example:
User X has 200 role memberships. 10 single roles have been updated with XIsInEffext = ‘FALSE’ after synchronization.
If I check those single roles, they are part of two different composite roles assigned to User X.
So now user has 200 role memberships in One Identity, 10 of them are ineffective and only 190 role memberships are found in target system due to delete processes.
I checked the Config Parameters:
QER\Structures\Inherite\GroupExclusion = 1. No exclusion is defined in SAP Exclusion tables.
TargetSystem\SAPR3\KeepRedundantProfiles = 1. This means that redundant roles are kept and not removed.

Does anyone ever expirenced such a problem?

Thank you, 

Enrico. 

Parents Reply
  • 0 over 1 year ago in reply to tlindner

    Hello Tino,

    following the logic of the product, such redundant memberships get cleared by OIM (also in SAP) but it makes the whole even worse as OIM will recalculate and assign the single role permissions back to the user as soon as he/she looses the corresponding composite role membership making it even less transparent of why it happens.

    Best Regards,

    Alexey

Children
  • 0 over 1 year ago in reply to alexeyf

    Hi Alexey,

    the meaning behind the reassignment is this: in SAP you can create the constellation composite role + associated single role only if you first assign the single role to the user, then save it and add the composite role afterwards. Even if the composite role has the same validity period, the editor in the SAP GUI will not remove the single role (we think this is a bug, but it is reality). If you later remove the composite role again, the membership of the single role remains. So OneIM adds the membership of the single role again if the composite role has been removed.

    Thus the result is the same as in SAP, which may well be intentional.

    Regards,

       Tino

  • 0 over 1 year ago in reply to tlindner

    Hi Tino,

    you say you assume, the redundant single role assignments (having same validity dates) must be manually added assignments in SAP.

    I do think it must be something different (may be some sort of an another bug in SAP).

    It is actually not that important how they did appear in SAP, the bottom line they are there.

    The whole point would be, the functioning of OIM in this case is not transparent and this particular behavior is not described in documentation in any way.

    I believe, it is a common understanding that when you newly connect an SAP client to OIM you clearly do not expect that OIM immediately starts to manage anything in this SAP system and deprovision assignments (even if they are somewhat redundant) and later may start provision old assignments back to SAP. This is nothing any of us expects currently from the tool (at least me not).

    It would be not that critical if it at least it would be explained, described and emphasized in detail in documentation.

    And even worse, the documentation clearly states the opposite by saying "Ist der Parameter aktiviert, bleiben Einzelrollen oder Profile des Benutzers, die bereits Bestandteil von Sammelrollen des Benutzers sind, erhalten." (you did explain what the difference in reality is between the activated and deactivated parameter but this is nothing what documentation says).

    Best Regards,

    Alexey 

  • 0 over 1 year ago in reply to alexeyf

    Hi Alexey and Tino,

    I agree with Alexey's opinion.

    Right now I cannot synch or preform any operation on these accounts to avoid the removal of SAP Roles and probably this isn't a behaviour the customer wants to be applied to SAP roles.

    This Behaviour should be at least documented or configurable and not a default behaviour.

    Is there any way to customize this behaviour and avoid this removals?

    Probably setting up a condition in delete opertion of SAPUserINSAPRole Workflow or Generatingcondition of remove process would work. Someting like XISInEffect = 1 would perform the deletetion on target system only for effective memberships that are removed in One Identity. But, at every Synchronization or provisioning operation (for example user update or role assimgent to a user) this behaviour would be triggered again. This behaviour should be stopped in DBQueue tasks and Stored Procedures.

    Regards,

    Enrico

  • 0 over 1 year ago in reply to Enrico Baffa

    Hi Enrico,

    I do not think you can easily change this behavior to what you would like it to be, i.e. by simply adding a GenCondition etc. (next sync, at least in v9.1, will very probably set it back to 1, etc.).

    XIsInEffect and the default behavior are too fundamental to do such workarounds, I could think.

    Unless it will be changed in the product (what I think will not happen as it is a product feature), I could think it is a better approach to live with it (and to communicate about the behavior at SAP colleagues before connection).

    Best Regards,

    Alexey