cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Any experience with IdM and SRM 7.0?

Go to solution
Former Member

on ‎08-31-2010 9:23 AM

0 Kudos

Hello all

We are currently testing a scenario where we need to provision users and their PFCG roles from IdM 7.1 SP05 to SRM 7.0. We have checked the information that can be found here:

http://help.sap.com/erp2005_ehp_04/helpdata/en/ed/cfd6edc19a435f9cf6bf0287cc5ce7/frameset.htm

But som unanswered questions remain.... In our scenario the users will access SRM from the portal, which means that the users password should be set to inactive. Apparently there is a setting in the profile parameters that needs to be set to the value 3 i.e. u2019login/password_change_for_SSOu2019 , but I suppose this will inactivate passwords for all users, right?

An alternative might be to provision an initial password with IdM and set the password to inactive in a BAdI on the SRM-side? I cannot find any documentation of how to handle this and I cannot find any parameters in BAPI_USER_CREATE1 that would allow me to convince the standard connector to set the user password to deactivated.

Any suggestions would be appreciated....

Best regards,

Anders

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎08-31-2010 10:21 AM
0 Kudos

Hi Anders,

the parameter u2019login/password_change_for_SSOu2019 applies only to users that are logging on using SSO.

Why don't you set this parameter to 0: in this case no password change dialog will be shown and the user is still able to logon without SSO using his password. From my understanding, setting the parameter to 3 will disable the user password, so that the user is no longer able to logon without SSO.

Best regards

Holger

Show replies
Show replies
Former Member
‎08-31-2010 10:31 AM
0 Kudos

Hello Holger

I'm afraid I have to deactivate the password on the users that I provision from IdM, as I am not allowed to change the profile parameter. The SRM system is used in an application service provider setting, so different clients on the system may have different needs.

However I researched a bit and found that the field USR02-CODVN seems to be set to 'X' once I deactivate the password in SU01. This means that I might be able to set the field usr02-codvn to 'X' using either the fm IDENTITY_MODIFY as described in the IdM developer guid or possibly by implementing an enhancement before BAPI_USER_CREATE1 or BAPI_USER_CHANGE is called on the ABAP side. Possibly a standard pass could even pass the correct parameter to the appropriate BAPI even though I cannot find it documented anywhere.

Best regards,

Anders

Former Member
‎01-19-2011 12:47 PM
0 Kudos

Everything turned out to be far less complicated than originally thought. By using the attribute MX_PASSWORD_DISABLED it is possible to provision ABAP users to SRM- and BI-systems with password deactivated which is the typical requirement when users only need to connect through the portal.

Best regards,

Anders

Answers (0)

Ask a Question