Filter SAP Roles To import in One Identity.

Hi, 

I'm using One Identity Manager 9.1. 

I'm going to synchronize SAP Roles memeberships but i want to filter memeberships to insert. I want to Insert only SAP Role memeberships of user Accounts linked to an employee ed exclude all the other memeberships. 

I tried Creating a virtual property on UserInRole Mapping on One Idenitty Manager side. The virtual property returns true or false if the user in the membership is linked to an Identity or Not. 

Unfortunately it doesn't work if i try to create a condition on the Workflow, during the insert operation, because the object it's not on One Identity Database yet. So the only possible filter i can create should be based on a left Sided property (Other.Property) . 

I tried also with the creation of a Virtual property on the Right Side of the mapping. This virtual property reads another virtual property (tipe script) on the user object. This virtual property contains the info of the Employee identifier that we use as matching info.  If I check with a browse on SAP Roles Memeberships, i can see that the  role membership has this virtual property correctly populated with the identifier of the employee. 

If I create a filter on Scope or a condition in Worklfow's insert operation it really slows down end makes quite impossible to browse the target system or create a simulation. This happens obviusly depending on the amount of user account and memeberships on target system 

Did anyone ever tried to implement a filter like this? Is there any way I can set a condition to check objects in One Identity before importing another related object from Target System?

Thank You, 

Enrico. 

Parents
  • Hi Enrico,

    to run a script on every membership object will be horrible slow as you mentioned. If there is a better solution it would base on a property of SAP accounts in target system side. Most effective filtering is described in One IM administration guide for SAP, ref. "Restricting synchronization objects using user permissions" (https://support.oneidentity.com/technical-documents/identity-manager/9.1.1/administration-guide-for-connecting-to-sap-r3/7#TOPIC-1993288)

    If you can find a set of user groups that have assigned SAP accounts relevant for synchronization, then you can use filtering by means of authorization object S_USER_GRP. This way the irrelevant SAP accounts will not be imported to One Identity at all.
    This filtering is very fast because it is executed directly when accessing the SAP accounts as ABAP code.

    regards,

       Tino

  • Hi Tino, 

    Thank You.

    Right now I'm Synchronizing SAP Users filtering By SAPUserType to insert only Dialog Accounts.

    Most of them are Orphaned and disabled accounts but I had to import them.

    I don't want to import the role memberships for this orphaned Accounts. But i can't create an efficent filter on UserInRole to do this. Using a User Group would not be so useful. 

    Possible Solution:

    I was thinking about setting up a scope on One Identity Manager Side: TABLE is SAPUSER and CONDITION IS UID_PErson NOT NULL (or something similar).

    This means that when I Sync, only users with linked Identity can be seen as already in One Identity. 

    So, to avoid errors during the sync, I have to filter the User objects to insert with a similar condition. This way, the syncronization does't try to insert objects already in One ID but not visible due to the scope. Only new Dialog accounts that respect the condition would be inserted. 

    For SAPUserINSAPRole, only Memeberships with a user account in One Idenitty Would be inserted and the other ones would generate a warning in Logs

    What Do you think about this solution?

    Enrico

Reply
  • Hi Tino, 

    Thank You.

    Right now I'm Synchronizing SAP Users filtering By SAPUserType to insert only Dialog Accounts.

    Most of them are Orphaned and disabled accounts but I had to import them.

    I don't want to import the role memberships for this orphaned Accounts. But i can't create an efficent filter on UserInRole to do this. Using a User Group would not be so useful. 

    Possible Solution:

    I was thinking about setting up a scope on One Identity Manager Side: TABLE is SAPUSER and CONDITION IS UID_PErson NOT NULL (or something similar).

    This means that when I Sync, only users with linked Identity can be seen as already in One Identity. 

    So, to avoid errors during the sync, I have to filter the User objects to insert with a similar condition. This way, the syncronization does't try to insert objects already in One ID but not visible due to the scope. Only new Dialog accounts that respect the condition would be inserted. 

    For SAPUserINSAPRole, only Memeberships with a user account in One Idenitty Would be inserted and the other ones would generate a warning in Logs

    What Do you think about this solution?

    Enrico

Children
No Data