cancel
Showing results for 
Search instead for 
Did you mean: 

Source for MX_ADMIN_UNIT

former_member91276
Active Participant
0 Kudos

Hi All,

IDM 7.2 sp8

I need to know the source of attribute MX_ADMIN_UNIT which is used for populating the user group.

I understand that it is populated during user creation. So, i have 2 sources of user creation: HR for Permanent and a form(on a server) itself for Contractors.

Let us consider only permanent users. I do not find any field in HR source tables, which serves as a source for MX_ADMIN_UNIT

I hope this inf. is sufficient enough.

Regards

Plaban

Accepted Solutions (1)

Accepted Solutions (1)

devaprakash_b
Active Contributor
0 Kudos

Hi Plaban,

As per my understanding, you would like to know how the user group (MX_ADMIN_UNIT) field is maintained for users at the time of creation in IDM. Usually, the user groups wouldn't be sent from HR system, but it would be maintained in IDM based on the certain attributes or some default values. As you have stated users are being created from HR system, I would suggest you check using the reverse engineering approach.

  1. If you are using a staging area, entries will be first created under MX_HCM_EMPLOYEE entry Type and later would be created in the main identity store.
  2. So check if any attribute is maintained in the ToIdentityStore Pass under the task WriteHCMEmployeeUserInToIDM during user creation or modification process or workflow.
  3. If MX_ADMIN_UNIT attribute is maintained then you would get to what value is being maintained and based on which criteria.

FYI.. IF you would like to check the list of user groups maintained in IDM, then Navigate to Identity Store Schema -> select MX_ADMIN_UNIT Attribute -> Attribute Values Tab -> Here you can kind find the list of values maintained to be maintained for the attribute. Usually, the user groups would be maintained in mxi_attrValueHelp table.

Regards,

Deva

Answers (4)

Answers (4)

lambert-giese
Active Participant

MX_ADMIN_UNIT corresponds to the so-called "User Group for Authorization Check" in the AS ABAP user administration. This is a technical concept for delegated administration, i.e. one admin is reponsible for user group A, another admin is responsible for user group B. More details about this concept can be found in SAP note 2658656 - How to control user administration by user group and authorization object S_USER_....

As far as I know, there is no source information in HR that could be used to meaningfully fill the User Group for Authorization Check in AS ABAP by default. It's typically populated using customer-specific logic, or not at all.

former_member91276
Active Participant
0 Kudos

Hi All,

Thank you very very much, for your time and efforts in explaining in detail. I found that the user group is taken from a Country field(applicable for both permanent and temporary) and also via a script.

I have taken note of the valuable alternate approaches that have been suggested here.

Regards

Plaban

former_member201064
Active Participant
0 Kudos

As your source for the internals is the HR I assume you have a limited range of values for function / departments. You could set up a matching table which then automatically assigns the wanted user group for that. Or maybe deduct it from the manager additionally.

Well, there are downsides, of course. Every time a new function / department appears you would have to set the user group for them. Could be managed via an own entry type and an approval on it, where you chose the user group and then write that to your matching table. Or use an own entry type instead of a database table. Could do such thingys within half a day I guess.

I wish I could do such a matching, but without a worldwide HR and the functions / departments as free texts it's just a dream. We're updating the user groups within excel when we role out our Global Template for another company code. Then we put them into a new format (<Company code>_<SAP modules, IT and TEC for special users>). Then I import them and clean up the remaining users / user groups after provisioning inside our CUA. Step by step we get better user groups, but it takes its time.

former_member91276
Active Participant
0 Kudos

Hi Lambert,

I am pretty well aware about user group in ABAP. i only need the source field from IDM, which populates this value.

Regards

Plaban

Steffi_Warnecke
Active Contributor
0 Kudos

If you are aware, then you should know, that there is no "source field" in IDM. The user group is saved in MX_ADMIN_UNIT for the identity. The source is the user group in the ABAP backend. And it can pretty much be anything the people responsible for creating and using them in the backend want it to be.

We have a custom entrytype to hold the data and a custom connector in IDM that can create and delete user groups. It just needs the name and description for creation and that's it.

.

Regards,

Steffi.