As many of you know, managing Business Roles (BRs) in IdM is not an easy task, especially when the client wants to update them every month or week for business reasons. In that case we have to provide an easy way for the client not only to update the BRs, but also to update the users' access accordingly and to keep a trace of the changes that were made.
The first thing that comes to mind is something like this: How to do mass population of a Business Roles with privileges using txt file. That approach is rather restricted, however: we get no real information about the changes we made and no validation of the BRs.
So we decided to extend the standard IdM functionality by creating a custom tool for managing the BRs: the Authorization Matrix.
The Authorization Matrix allows you to control the BRs within IdM. The tool provides validation rules, easy rollback to a previous version, and automatic user access updates after a BR is modified. IdM processes the submitted Matrix and updates the changed business roles; after that, the users' access is updated according to the new Matrix and the back-end systems are updated.
1. First, we separated the logic into three parts:
- SAPUI5/WD UIs with validation rules
- Back-end logic for the UI validations (access validations, custom tables for managing the data)
- SAP IdM logic (processing the submitted matrix and updating the user access, creating automatic requests for history review of the user access, with a custom Entry Type for the Matrix)
Note: more than one upload can be executed, by any number of users, because we implemented a custom queue for managing the submitted matrices.
2. SAPUI5 UI - Authorization Matrix:
- main UI:
- the rest of the UIs:
3. WD UI - Authorization Matrix:
Note: not only do we have the ability to monitor the changes directly from IdM, but we can also load a previous version of the Matrix and from there check the changes or re-submit the old version.
4. IdM customizations:
- custom Entry Type _Matrix
- custom job: managing the submitted matrix and managing the queue (more than one matrix can be submitted)
- custom IdM UI: displaying the requests created for the users (after their access is changed)
- custom JavaScripts managing the logic
- custom UI tasks for the Matrix
Hope you like it.
Simona Lincheva