on 03-13-2009 3:13 PM
In the CUP interface, under Configuration->Workflow->Auto Provisioning->By System, one configures the autoprovisioning for the IDM system.
There is an option labeled "Create If User Does Not Exist". When this option is set to "Yes" and I approve a user account modification request, GRC does not send the searchRequest; it simply sends an addRequest for the already-existing user (which fails in eDirectory, since the user does exist).
When the option is set to "No" GRC does send the searchRequest (malformed).
Perhaps the UI wording is incorrect, or perhaps I misunderstand what this option is supposed to control, but it seems to me that the boolean sense of the option is reversed. I would expect "Yes" to cause the searchRequest to be sent. (It doesn't seem to be a problem in translation...auf Deutsch: "Anlegen, falls Benutzer nich vorliegt")
Is there somebody who can explain that to me?
- Holger
I am afraid not. There is very little documentation available around IDM integration. You can send feedback to the author of this document to include more info in the doc itself.
Regards
Harleen
SAP GRC RIG
Hi Holger,
The issue might have been in the Search Criteria or other Search parameters defined in the Connector of CUP. It could be that the search request was failing earlier due to incorrect parameters set in the connector. But this option (if set to YES) searches for the user first, and only if the user does not exist does it create the user.
Hope this helps
Regards
Harleen
Harleen,
'search_criteria' is the right track. Meanwhile we figured out that we missed the SEARCH:_CRITERIA in the IDM connector definition. After adding it, the SOAP request does look much better.
We used the 'GRC-AC-IDM Web Service.pdf' document for the configuration. But this document is missing some parameters, as they are described in https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e....
Some of the parameters described there are specific to NetWeaver IDM integration, but some aren't described very well.
Do you have a better source for the parameter description?
Thanks
Holger
Hi Holger,
Can you make sure that your "Change Account" request type does not have the CREATE_USER action assigned to it?
It should have only the CHANGE_USER and ASSIGN_ROLES actions assigned.
This should resolve the issue.
Regards
Harleen
Holger,
Your understanding is correct and that is how this option works for SAP systems. I have not tried it for IDM, and as IDM is the latest addition, there might be some issue with it.
Did you open a message with SAP and see what the response is?
Regards,
Alpesh