• State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 94 subscribers
  • Views 6827 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Converting directly assigned resources to indirectly assigned resources

robin.stone
over 6 years ago

We have a class of Employee that is assigned a business role that has no resources allocated but on occasion this Employee requests and is granted through an Exception policy access to our systems. Currently we have been manually assigning these necessary resources to this person via Manager. When their business role changes from one that must be manually assigned the resource to one that causes an indirect resource assignment D1IM handles this by making the resource both direct and indirectly assigned.

Q: How can I remove the directly assigned aspect so that my security trimming processes clean up the Employee appropriately? Can I set viInherite in PersonHasResourceTotal table to an appropriate value or is there a better way?

Parents
  • 0 over 6 years ago

    Hi Robin

    The TOTAL tables gives you an overview about how a role or resource is assigned to an account or a person. So, if you change the value viInherite it will only take effect that the overview does contains direct assigned roles and resources any more. But with the next automatic re-calculation (DBScheduler) viInherit will be set to its old value based on the real data in the System.

    So, you have to delete the data sets in the tables where the direct assignments will be stored. For each TOTAL table you will find a corresponding table for direct assignments (e.g.):

    PersonHasResourceTotal (TOTAL-Table)
    PersonHasResource (Direct Assignments)

    ADSAccountInADSGroupTotal (TOTAL-Table)
    ADSAccountInAdsGroup (Direct Assignments)

     

    The best way to make a cleanup is to do this via SQL (Note: In D1IM 7.x and higher it is no longer be possible to delete entries via SQL on assigment tables.) by using the following code:

    --Ressourcen Bereinigung
BEGIN TRANSACTION
DELETE PersonHasRessource WHERE EXISTS
(
	SELECT 1 FROM PersonHasRessourceTotal prt
	    WHERE
	        viInherite = 3
	        AND
	        prt.UID_Person = PersonHasRessource.UID_Person
	        and
	        prt.UID_Ressource = PersonHasRessource.UID_Ressource
)
--COMMIT TRANSACTION
ROLLBACK TRANSACTION

    The example given will delete all direct assignments where also the resource will be inherited. If you have another Scenario have a look at the following table, it shows you the possible assignment state in the TOTAL table.

    viInherit

    1 = Direct Assignment
    2 = Inherited
    3 = Direct Assignment + Inherited
    4 = Dynamic Group
    5 = Direct Assignment + Dynamic Group
    6 = Inherited + Dynamic Group
    7 = Direct Assignment + Inherited + Dynamic Group

     

    -
    Regards
    Sven

    P.S. For all 7.x and higher users we are talking about the technical solution in Q1IM 6.1.4 and lower. In 7.x we do not have any TOTAL tables and the column viInherit have been replaced by the column XOrigin and you have more than seven assignment state.

Reply
  • 0 over 6 years ago

    Hi Robin

    The TOTAL tables gives you an overview about how a role or resource is assigned to an account or a person. So, if you change the value viInherite it will only take effect that the overview does contains direct assigned roles and resources any more. But with the next automatic re-calculation (DBScheduler) viInherit will be set to its old value based on the real data in the System.

    So, you have to delete the data sets in the tables where the direct assignments will be stored. For each TOTAL table you will find a corresponding table for direct assignments (e.g.):

    PersonHasResourceTotal (TOTAL-Table)
    PersonHasResource (Direct Assignments)

    ADSAccountInADSGroupTotal (TOTAL-Table)
    ADSAccountInAdsGroup (Direct Assignments)

     

    The best way to make a cleanup is to do this via SQL (Note: In D1IM 7.x and higher it is no longer be possible to delete entries via SQL on assigment tables.) by using the following code:

    --Ressourcen Bereinigung
BEGIN TRANSACTION
DELETE PersonHasRessource WHERE EXISTS
(
	SELECT 1 FROM PersonHasRessourceTotal prt
	    WHERE
	        viInherite = 3
	        AND
	        prt.UID_Person = PersonHasRessource.UID_Person
	        and
	        prt.UID_Ressource = PersonHasRessource.UID_Ressource
)
--COMMIT TRANSACTION
ROLLBACK TRANSACTION

    The example given will delete all direct assignments where also the resource will be inherited. If you have another Scenario have a look at the following table, it shows you the possible assignment state in the TOTAL table.

    viInherit

    1 = Direct Assignment
    2 = Inherited
    3 = Direct Assignment + Inherited
    4 = Dynamic Group
    5 = Direct Assignment + Dynamic Group
    6 = Inherited + Dynamic Group
    7 = Direct Assignment + Inherited + Dynamic Group

     

    -
    Regards
    Sven

    P.S. For all 7.x and higher users we are talking about the technical solution in Q1IM 6.1.4 and lower. In 7.x we do not have any TOTAL tables and the column viInherit have been replaced by the column XOrigin and you have more than seven assignment state.

Children
No Data