
Assign users to an Active Directory group thru LDAP

Former Member
0 Kudos

Hi,

We are trying to assign users to an AD group for users who have been assigned to specific roles in CUA. Just wondering if anyone has configured LDAP for this scenario.

I would appreciate your help on this.

Thanks,

Jp

7 REPLIES 7

Former Member
0 Kudos

Perhaps looking into an Identity Management System (IdM) is an option for you?

That way you do not need to maintain all the groups in the AD, but rather provide the users from the AD and tap into the "business events" in the component systems (typically HR) to drive the system and role access.

This would be a closer "knit" to event driven user management.

Cheers,

Julius

0 Kudos

So you were saying there is no other option for this scenario other than going with IDM?

Thanks,

JP

0 Kudos

> So you were saying there is no other option for this scenario other than going with IDM.

No, I am just saying that it will be a pain to maintain the data in the AD groups, instead of tapping in directly to the business events in the source systems.

Typically, HR knows about such events before any manager checks their roles or IT cleans up before an audit...

The bugger with AD groups and CUA driven by the AD is that you need to map the lot. Perhaps you should show this thread to your AD folks, who typically have little understanding for the intimate workings of SAP systems and technical application specific role names and their attributes.......

Cheers,

Julius

Edited by: Julius Bussche on Jul 7, 2009 10:56 PM

0 Kudos

ps: Are you trying to use an ABAP CUA master to maintain AD groups which are not SAP (CUA child) related?

Perhaps I misread your question?

Cheers,

Julius

0 Kudos

No,

Let's say we have a pre-existing AD group (XXX_AC_YYY). Now I want to add users which are maintained in AD, and these users have a CUA role (Z:SAP_XXX_abc). Now all those users which have this CUA role need to be added to that AD group. Right now those users within AD do not belong to that AD group. Just wondering if I can do this with the LDAP connector. If so, is there any specific LDAP mapping that I need to look into?

Thanks,

JP

0 Kudos

To my knowledge, only a user sync is possible.

For a given AD group, you will need to constantly read the CUA role information and map their names, either technically or via attributes.

How scalable does this solution need to be?

Cheers,

Julius
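The role-to-group mapping described in the reply above, as an added example that is not part of the original thread and not SAP's LDAP connector: it compares the users holding a CUA role against the current AD group members and emits the LDIF changes, removals included. The DN layout, the `example.com` domain, the user names and all function names are assumptions; only the role and group names come from the thread.

```python
# Constructed sample data. DN layout and domain are assumptions, not from the thread.
GROUP = "CN=XXX_AC_YYY,OU=Groups,DC=example,DC=com"
ROLE_TO_GROUP = {"Z:SAP_XXX_abc": GROUP}            # CUA role -> AD group DN
ROLE_USERS = {"Z:SAP_XXX_abc": ["JDOE", "ASMITH", "NOADUSER"]}  # read from CUA
USER_DN = {                                          # SAP user ID -> AD user DN
    "JDOE": "CN=John Doe,OU=Users,DC=example,DC=com",
    "ASMITH": "CN=Anna Smith,OU=Users,DC=example,DC=com",
}
GROUP_MEMBERS = {GROUP: ["cn=john doe,ou=users,dc=example,dc=com",
                         "CN=Old Member,OU=Users,DC=example,DC=com"]}

def plan_changes(role_users, group_members, user_dn):
    """Return ({group_dn: (to_add, to_remove)}, unmapped role holders).

    Assumes each group is managed only through this mapping: any member
    without the role is scheduled for removal, so access is revoked when
    the role is. DNs are compared case-insensitively, as AD does.
    """
    plan, unmapped = {}, []
    for role, group_dn in ROLE_TO_GROUP.items():
        wanted = {}
        for sap_user in role_users.get(role, ()):
            dn = user_dn.get(sap_user)
            if dn is None:
                unmapped.append((role, sap_user))   # role holder with no AD account
            else:
                wanted[dn.lower()] = dn
        current = {dn.lower(): dn for dn in group_members.get(group_dn, ())}
        to_add = sorted(wanted[k] for k in wanted.keys() - current.keys())
        to_remove = sorted(current[k] for k in current.keys() - wanted.keys())
        plan[group_dn] = (to_add, to_remove)
    return plan, unmapped

def to_ldif(plan):
    """Render the plan as LDIF modify records (plain-ASCII DNs assumed)."""
    out = []
    for group_dn, (to_add, to_remove) in plan.items():
        for op, dns in (("add", to_add), ("delete", to_remove)):
            if dns:
                out += [f"dn: {group_dn}", "changetype: modify", f"{op}: member"]
                out += [f"member: {dn}" for dn in dns] + ["-", ""]
    return "\n".join(out)

if __name__ == "__main__":
    changes, missing = plan_changes(ROLE_USERS, GROUP_MEMBERS, USER_DN)
    print(to_ldif(changes))
    print("No AD account for:", missing)
```

Reviewing the generated LDIF and the unmapped list before applying it keeps each run auditable while the mapping is maintained by hand.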

0 Kudos

I know this is not a scalable solution, but until we have a long-term solution (going with IDM) we need to have a short-term solution.

Can't we use LDAP connector attributes for this kind of configuration? What do you mean by attribute settings?

Thanks,

JP