Maintaining Role End Dates for end users

  • Question

  • We are maintaining SAP Roles read from an SAP Portal as Security groups in the FIM Portal (FIM 2010 R2). The members of the roles are maintained as members of these security groups and all the members are also users on the Portal.

    Now we have a requirement where we also need to read the date the role expires for a user (end date) from the SAP Portal and show it to the user in the "My Security Groups" page against every role that he may have.

    The major problem here is how do we maintain this many-to-many (many users have many different roles with different end dates) relationship in an attribute? Since each user will have multiple roles, and for each of these roles his membership will have a different expiration date, how do we capture this in FIM? The current setup does not provide any attribute which will help us to maintain this information for every role for a user.

    Any suggestions on what kind of custom attributes we can use or is there any other workaround to this problem?

    The next step is to also display that end date information for each role of every user in the My Security Groups page. I tried to test it by adding a dummy attribute in the configuration file but it is not showing up in that page. What could I be missing here?

    Tuesday, October 20, 2015 11:50 AM

All replies

  • 1. User View.

    Where is the data available? What are you to do with this data, simply show it?

    You need an attribute that has both Role and Date, either a multivalued string attribute or a simple String with a delimiter. To populate it, use an Action WF.

    2. Group View

    The next step is to also display that end date information for each role of every user in the My Security Groups page. I tried to test it by adding a dummy attribute in the configuration file but it is not showing up in that page. What could I be missing here?

    This is a little more involved. You will need to write a custom WF.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, October 20, 2015 5:19 PM
  • There isn't any native way in the FIM Portal to store metadata (like an end date) alongside someone's group membership.

    In the past, I've built solutions for this where we create a new object type in the Portal to track Group Memberships. This way, there's a way to attach metadata to the membership. You could then build a Search Scope to show these membership objects in lieu of the native My Security Groups interface. The downside is the Join/Leave buttons won't be there anymore on that screen.


    Thanks,
    Brian

    Tuesday, October 20, 2015 9:15 PM
    Moderator
  • User View:

    The data is available in a SAP Portal. Right now we only have to store it in FIM and display the role name and end date for that user for that role in the "My Security Groups" page. We are reading the data through a webservice which connects to the SAP Portal and fetches the data from there.

    If I store it in a string delimiter, how do I show it in the portal on the page I mentioned above against each role?

    Group View:

    What kind of custom WF would that entail? I had modified the User Viewing config file similarly but I didn't require any custom WF to get that change reflected.

    • Marked as answer by nikhil23 Wednesday, October 21, 2015 7:15 AM
    • Unmarked as answer by nikhil23 Wednesday, October 21, 2015 4:03 PM
    Wednesday, October 21, 2015 7:15 AM
  • 1. I am not sure why you marked your own post as ANSWER, and still have questions.

    2. If I store it in a string delimiter, how do I show it in the portal on the page I mentioned above against each role?

    As I mentioned before, what are you going to do with this data besides showing it? If it is for showing only, a string attribute like this would do.

    Role1, 1-1-2015

    Role2, 2,3,2015

    3. What kind of custom WF would that entail? I had modified the User Viewing config file similarly but I didn't require any custom WF to get that change reflected.

    You need to understand the relationship between USER and GROUP. EndDate is a user attribute, so a property of user. Group is a consumer of that data.

    The workflow should look at the group, read each member, and investigate the User object to get the end date.

    .....

    Nosh Mernacaj, Identity Management Specialist


    Wednesday, October 21, 2015 1:53 PM
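
The delimited role/end-date attribute suggested in the replies above, sketched in PowerShell as an added example (not code from any poster, and not FIM's own). The `|` delimiter, the `yyyy-MM-dd` date format, the sample role names and all function names are assumptions; the code only handles strings and calls no FIM API.

```powershell
# Added example. Assumptions (not from the thread): '|' delimiter, yyyy-MM-dd dates,
# and all function names. Pure string handling; no FIM API is called.
$Delimiter  = '|'
$DateFormat = 'yyyy-MM-dd'
$Invariant  = [System.Globalization.CultureInfo]::InvariantCulture

function ConvertTo-RoleEndDateValue {
    param([Parameter(Mandatory)][string]$Role, [Parameter(Mandatory)][datetime]$EndDate)
    # Reject role names that would make the stored value ambiguous to split.
    if ($Role.Contains($Delimiter)) { throw "Role name '$Role' contains '$Delimiter'." }
    '{0}{1}{2}' -f $Role, $Delimiter, $EndDate.ToString($DateFormat, $Invariant)
}

function ConvertFrom-RoleEndDateValue {
    param([Parameter(Mandatory)][string]$Value)
    $idx = $Value.LastIndexOf($Delimiter)
    if ($idx -lt 1) { throw "Malformed value '$Value'." }
    $parsed = [datetime]::MinValue
    # Exact, culture-invariant parse: a value like 1-2-2015 is refused, not guessed.
    $ok = [datetime]::TryParseExact($Value.Substring($idx + 1), $DateFormat, $Invariant,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { throw "Bad end date in '$Value'; expected $DateFormat." }
    [pscustomobject]@{ Role = $Value.Substring(0, $idx); EndDate = $parsed }
}

function Get-RoleExpiryView {
    # Joins a user's stored role/end-date values against the groups they are a member of.
    param([string[]]$Values, [string[]]$MemberOf, [datetime]$AsOf = (Get-Date))
    $dates = @{}
    foreach ($v in $Values) {
        $e = ConvertFrom-RoleEndDateValue -Value $v
        $dates[$e.Role] = $e.EndDate
    }
    foreach ($g in $MemberOf) {
        $end = $dates[$g]
        $status = if ($null -eq $end) { 'NoEndDate' } elseif ($end -lt $AsOf.Date) { 'Expired' } else { 'Active' }
        [pscustomobject]@{ Role = $g; EndDate = $end; Status = $status }
    }
}

# Constructed sample data; the second role name shows why ',' is a poor delimiter.
$values = @(
    (ConvertTo-RoleEndDateValue -Role 'SAP_FI_Display'  -EndDate '2015-12-31'),
    (ConvertTo-RoleEndDateValue -Role 'SAP_HR, Payroll' -EndDate '2015-09-30')
)
Get-RoleExpiryView -Values $values -MemberOf 'SAP_FI_Display', 'SAP_HR, Payroll', 'SAP_MM_Buyer' -AsOf '2015-10-20'
```

The `Expired` and `NoEndDate` rows are the ones worth reviewing: a membership that is still present after its end date, or one with no recorded expiry at all.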