
SAP Technical roles and IDM Business roles mapping

Former Member

Hi Guys

Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM, and the SAP technical roles that are related to that corresponding position into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.

Cheers

Leo

Accepted Solutions (0)

Answers (3)

Former Member

Thanks Guys,

Sorry for the late reply, just got back from Easter holidays. Yes, I get that technical roles are extracted from the initial loads or scheduled updates and through this are stored as privileges, but I was wondering if there was a way to automatically map these privileges to business roles (which somehow are automatically created) which correspond to positions in SAP (where a position can contain technical roles). So I guess that all the role assignments need to be manually mapped to the business roles, but in an organisation that has several combinations of roles for each position, that would take ages to do.

One other thing: once the technical roles are imported into privileges on IDM, do you need to configure a task for each privilege to do the provisioning of the technical role?

Regards

Leo

Former Member

Leonard,

So I guess that all the role assignments need to be manually mapped to the business roles, but in an organisation that has several combinations of roles for each position, that would take ages to do.

This is usually a manual process, although GRC might help, or you could look into other role mining / reporting products. The problem is that not every organization uses the same model, which makes it tough to make "turnkey".

One other thing: once the technical roles are imported into privileges on IDM, do you need to configure a task for each privilege to do the provisioning of the technical role?

It depends what the privilege will do. If it's just there as an indicator that you have access to something, then no. However if granting the privilege results in actions such as provisioning or account modification, then yes, tasks need to be created.

Just wondering, have you looked at the Roles/Privs tutorial that comes with IDM 7.x? It's fairly high level, but should give you an idea about how things work.

Hope this helps,

Matt

Former Member

Thanks Matt,

I think I get the picture now.

One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.

Here is what I've done so far:

1. HCM data loaded into productive identity store via vds

2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)

3. Through workflow I select a user that already has an ABAP account and assign that user some additional SAP technical roles, e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW.

4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from the SAP provisioning framework folder and set it as the add/mod/del event task for the MXREF_MX_PRIVILEGE attribute. That way, whenever a privilege is added to a user account, the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each ABAP privilege that gets loaded.

But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?

Thanks again for all your help!

Leo
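The flaw Leo describes above is that one event task hangs off MXREF_MX_PRIVILEGE and therefore fires for every privilege, ABAP or not. The following is an added illustration (not SAP code and not an IDM script; it runs stand-alone in Node) of the routing logic such an event task would need: parse the privilege name using the PRIV:<TYPE>:<REPOSITORY>:<NAME> convention visible in the thread, look up the repository's system type, and hand only ABAP role/profile changes to the ABAP provisioning task. The repository code ECX, the privileges PRIV:PROFILE:ECX:SAP_ALL / SAP_NEW and the task name SetABAPRole&ProfileForUser come from the thread; the repositories EPX and ADX, the REPOSITORY_TYPE table, the task name SetJavaRoleOrGroup and the sample events are constructed assumptions.

```javascript
// Added illustration: dispatch privilege add/remove events to the right
// provisioning task instead of running the ABAP task for every privilege.
// Not an SAP IDM script; names marked "hypothetical" are assumptions.

// Parse "PRIV:PROFILE:ECX:SAP_ALL" into { type, repository, name }.
// Returns null for values outside the convention (e.g. a business-role ref).
function parsePrivilege(value) {
  const parts = value.split(':');
  if (parts.length < 4 || parts[0] !== 'PRIV') return null;
  return { type: parts[1], repository: parts[2], name: parts.slice(3).join(':') };
}

// Hypothetical repository -> system type table. In a real landscape this
// would be derived from the repository definitions; here it is constructed.
const REPOSITORY_TYPE = { ECX: 'ABAP', EPX: 'JAVA', ADX: 'LDAP' };

// Profiles that should not be granted silently through a bulk event task.
// SAP_ALL and SAP_NEW grant sweeping authorizations, so flag them for review.
const HIGH_RISK_PROFILES = new Set(['SAP_ALL', 'SAP_NEW']);

// Decide which provisioning task (if any) a privilege change should trigger.
// Returns the task name, or null when the privilege is indicator-only.
function selectTask(privValue) {
  const p = parsePrivilege(privValue);
  if (!p) return null;
  const sysType = REPOSITORY_TYPE[p.repository];
  if (sysType === 'ABAP' && (p.type === 'ROLE' || p.type === 'PROFILE')) {
    return 'SetABAPRole&ProfileForUser';     // task named in the thread
  }
  if (sysType === 'JAVA' && (p.type === 'ROLE' || p.type === 'GROUP')) {
    return 'SetJavaRoleOrGroup';             // hypothetical task name
  }
  return null;                               // no backend action needed
}

// Group the changes from one MXREF_MX_PRIVILEGE event per task, so each
// backend task is called once with only the privileges that concern it.
// Each entry carries review=true when it touches a high-risk profile.
function dispatch(changes) {
  const plan = {};
  for (const c of changes) {
    const task = selectTask(c.privilege);
    if (!task) continue;
    const p = parsePrivilege(c.privilege);
    const review = p.type === 'PROFILE' && HIGH_RISK_PROFILES.has(p.name);
    if (!plan[task]) plan[task] = [];
    plan[task].push({ action: c.action, privilege: c.privilege, review });
  }
  return plan;
}

// Constructed sample: one user's privilege changes from a single workflow step.
const SAMPLE_EVENTS = [
  { action: 'add', privilege: 'PRIV:PROFILE:ECX:SAP_ALL' },
  { action: 'add', privilege: 'PRIV:PROFILE:ECX:SAP_NEW' },
  { action: 'del', privilege: 'PRIV:ROLE:ECX:Z_FI_DISPLAY' },
  { action: 'add', privilege: 'PRIV:GROUP:EPX:Administrators' },
  { action: 'add', privilege: 'PRIV:ROLE:ADX:Helpdesk' },
  { action: 'add', privilege: 'MX_ROLE:Finance_Clerk' },
];

// Stand-alone run: print the per-task plan for the constructed sample.
console.log(JSON.stringify(dispatch(SAMPLE_EVENTS), null, 2));
```

Run with `node dispatch.js`. Only the three ECX entries reach the ABAP task, the EPX group goes to the Java task, and the LDAP role and business-role reference trigger nothing. The review flag on SAP_ALL and SAP_NEW is the place to hook an approval step before the backend call, since a bulk event task otherwise grants those profiles with no human check.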

former_member205095
Participant

Hi Leo,

Please, where did you find the setABAPRole&ProfileForUser?

Arivind

Former Member

Hi Arivind

It should be in the SAP provisioning framework -> system type specific tasks -> AS ABAP Tasks -> SetABAPRole&ProfileForUser

Former Member

Hi Ankur

We cannot pull business roles from GRC since there are no business roles in GRC. The business roles concept is only in SAP Identity Management. The document you have specified is only talking about defining an enterprise-wide business roles concept. We have to define enterprise-wide business roles, define the owners and define the target technical roles on each target system. Then these business roles and technical roles have to be mapped in SAP IDM.

Leo, as Ankur said, all the technical roles will be pulled into SAP IDM and we have to manually map the technical roles to the business roles in SAP IDM.

Thank you.

former_member198313
Contributor

Hi Leo,

All technical roles are maintained in the target system and are uploaded/refreshed in the Identity Center regularly.

ABAP authorization roles are uploaded from ABAP-based SAP systems. Portal roles, UME roles and UME groups are uploaded from Java-based SAP systems and other access information is uploaded from non-SAP systems.

You can pull out Business Roles from GRC.

https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0c91c0c-6ada-2b10-0d9a-f6592053...

+ An

*This is NOT SAP official message