cancel
Showing results for 
Search instead for 
Did you mean: 

Two validity ranges - race condition?

0 Kudos
212

Hi experts,

in IdM 8 if a role is assigned to a user with two validity ranges that are next to each other, e.g.

01.01.2018 - 20.01.2018 and then

21.01.2018 - 28.01.2018

what happens is that at midnight on the 20.01.2018 the role will be removed and immediately after it, it will be assigned to the user again. Depending on the order how the deprovisioning / provisioning tasks are triggered and executed it can happen that first the new assignment gets provisioned to the backend system and a couple of seconds later comes the de-provisioning. Which means that the employee at the end does not have the permissions in the backend, however IdM "thinks" everything is OK and shows the role in assigned state.

Any ideas how to solve this? I tried to change the validity range in the background by adding one hour to the "valid from" date to have it like: 21.01.2018 01:00:00 which would give the automatic process running at midnight one hour to finish with the deprovisioning, but IdM does not accept time in the validity range (only full days as far as I can see).

Thanks,

zkormany

View Entire Topic
devaprakash_b
Active Contributor
0 Kudos

Hi Zoltan,

Can you please specify your support pack and let me know whether you are using provisioning framework version 2.

If you are using provisioning framework version 2, then just extend the validity end date or else you can update validity using {A}{linkid=<mcuniqueid from idmv_link_ext2>!!validfrom=new valid from date!!validto=new valid to date!!reason=provide reason}<privilege/role mskeyvalue>

Regards,

Deva