Hi gurus,
I'm trying to change the validity of a role (or privilege) assignment on a "to identity store"-pass using the {M}-operator. It's not working because I always get the infamous "Overlapping assignment validity" error. (IDM 7.2 SP9, patch level 11, running on a DB2)
Here's what I do:
According to the SAP IDM Help, I'm trying to change the validity of roles which are already assigned to the user. The string I'm trying to write into the MXREF_MX_ROLE attribute looks like this:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {M}{VALIDTO=2015-05-08}93735|{VALIDTO=2015-05-08}93731| |
The user already has the prevailing roles 93735 and 93731 assigned, and I only want to change the Valid to-date. According to the SAP documentation, this should work. After executing the pass, both roles should have Valid to-date = 2015-05-08. However, it's not working, due to the "Overlapping assignment validity" error.
I also tried this:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {M}{VALIDTO=2015-05-08}93735|{M}{VALIDTO=2015-05-08}93731| |
and this:
Attribute | Value |
---|---|
MSKEYVALUE | %MSKEYVALUE% |
MXREF_MX_ROLE | {R}{VALIDTO=2015-05-08}93735|VALIDTO=2015-05-08}93731| |
None of the options above work. I know there's been an issue with the {M}-operator, described in SAP note 2008106, but it refers to another kind of error and to patch level 2. I suppose that this issue should be sorted out with patch 11.
We have now implemented a work-around, which is working fine, but due to using several jobs and delays, it is very time-consuming. This is why these questions popped up in my mind:
Does anyone else have problems working with the {M}-operator?
Do I have a wrong understanding of what the {M}-operator is actually doing?
Are the strings I'm trying to write into the MXREF_MX_ROLE attribute correct?
Would be nice to get some feedback or suggestions on that issue.
Best,
Steffen