Interesting bug in Microsoft BHOLD Suite concerning permission deprovisioning

While working on a BHOLD implementation, I found an interesting bug:

If you’re getting to know BHOLD, you’ll soon find out that it consists of (among others) these object types:

  • User: An employee in your organization, mostly imported to BHOLD by the FIM Synchronization engine through the ‘FIMEmployees’ table.
  • Org.Unit: An organizational unit. Your BHOLD environment will probably contain an entire tree structure of org.units. An employee should have a reference to an Org.Unit object.
  • Role: A role that can be assigned to an employee. It can be assigned to an employee based on his/her position in the Org.Unit structure, or based on an attribute of the user (basically, the assignment of roles is one of the main features of BHOLD).
  • Permission: A role consists of 1 or more permissions. Linked to Active Directory, this would be the same as a ‘Group’. Other applications might have different names for this.

Basically, through his/her role membership, an employee is entitled to a set of permissions. To export these permissions to your target system, you will need to synchronize them using the FIM Synchronization service. FIM Sync imports the permissions and memberships through the ‘tblObjects’ and ‘tblReferences’ tables, where ‘tblObjects’ contains the users and permission objects and ‘tblReferences’ contains the link between the two objects.

That’s it for the technical explanation; let’s continue to the details of the bug. The ‘tblReferences’ table is filled by a BHOLD service (the ‘BFPC’) once a user is entitled to a certain permission, which works as intended. Apparently, however, it doesn’t do a good job of deleting the record once the user is no longer entitled to that permission.
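A reconciliation check for this failure mode, as an added example that is not part of the original post or of BHOLD: it expands role assignments into the permissions each user should hold and compares them with the exported user-to-permission links. The data shapes, function names and sample values are assumptions made for illustration and do not reflect the real ‘tblReferences’ schema.

```python
# Added example: data shapes are assumptions, not the real BHOLD schema.
from collections import defaultdict


def effective_permissions(user_roles, role_permissions):
    """Expand each user's roles into the permissions they are entitled to."""
    entitled = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            entitled[user] |= role_permissions.get(role, set())
    return entitled


def reconcile(user_roles, role_permissions, reference_rows):
    """Compare exported (user, permission) links with current entitlements.

    Returns (stale, missing):
      stale   - links still exported although the user is no longer entitled
      missing - entitlements that have no exported link
    """
    entitled = effective_permissions(user_roles, role_permissions)
    expected = {(u, p) for u, perms in entitled.items() for p in perms}
    exported = set(reference_rows)
    return sorted(exported - expected), sorted(expected - exported)


# Constructed sample: alice lost the 'Finance' role, but the link to the
# permission it granted is still present in the exported reference rows.
ROLE_PERMISSIONS = {
    "Finance": {"GRP-Finance-Share"},
    "Staff": {"GRP-Intranet"},
    "HR": {"GRP-HR-Share", "GRP-Intranet"},
}
USER_ROLES = {"alice": {"Staff"}, "bob": {"Staff", "HR"}}
REFERENCE_ROWS = [
    ("alice", "GRP-Intranet"),
    ("alice", "GRP-Finance-Share"),  # should have been deleted
    ("bob", "GRP-Intranet"),
    ("bob", "GRP-HR-Share"),
]

if __name__ == "__main__":
    stale, missing = reconcile(USER_ROLES, ROLE_PERMISSIONS, REFERENCE_ROWS)
    for user, perm in stale:
        print(f"STALE   {user} -> {perm}")
    for user, perm in missing:
        print(f"MISSING {user} -> {perm}")
```

A permission that is still granted through another role (bob's intranet group above) is not reported as stale, so only links with no remaining entitlement are flagged.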

I’ve contacted someone from BHOLD, who says this is a known bug. He tells me there is a patch available to fix this issue, but this patch is not generally available. You can, however, request the patch by creating a service call at Microsoft. Service Pack 1 of the BHOLD suite will contain a fix for the issue, but this service pack is not yet released for production environments.

If you’re experiencing the issue, or if you want to know more technical details about it, let me know. Hang in there: a production-suitable fix is on the way!!
