on 11-12-2010 12:37 PM
Hi,
I just wanted to know, based on what primary key, CUP will pull the user details from the User Detail Source.
Suppose If I kept my User Data Source as SAP R3 System, User Detail Source as LDAP and if the user IDs are not same for users in R3 system & LDAP, in that case CUP will be able to pull the user details?
Regards
Dasarad
Hi Dasrad,
I believe you will also have to do a user mapping for the users that are not in sync.
Thanks,
Chinmaya
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
To continue beating a dead horse:
- the request in CUP needs to start with some kind of user ID. As you do need that to be the SAP user ID for provisioning purposes, you'll be netering the SAP user ID in CUP
- for authentication purposes (logging in) you can either map the UME to ActiveDirectory, mapping the SAP user name to an AD field other than sapAccountName, or configure a similar LDAP connector in CUP using the same mapping
In any case, for this to work you need to maintain an extra field in ActiveDirectory where you maintain the SAP user ID for each user with SAP access (for mass maintenance purposes you could populate it with the samAccountName initially to also make it work for non-SAP users as approvers).
This also allows you to start a migration process to harmonize user IDs without having to change the configuration over time.
Frank.
Hi Everyone,
Sorry for the delay in my response.
@frank:
As you suggested:
"The only way to make this setting work is if you have a field in LDAP that has the SAP user ID - then you can map this in CUP to tell CUP to use it as the search key"
In our case, we are maintaining the SAP user ID in one of the LDAP field called "pager". Actually this helps for change requests in CUP if we map it with CUP user ID field. but I just wanted to know the following question based on this scenario:
1) How the data will be pulled by CUP from LDAP for the new users in SAP whose profiles are already there in LDAP. I mean for New account requests in CUP?
My 2nd question is related to manager details from LDAP
My LDAP team has mentioned that there is only one field called "manager" in a user profile in LDAP corresponding to manager details. Also This single field contans full name of the manager like first name, last name.
When I checked in CUP request, I found that it is having 3 fields corresponding to manager i.e Manager first name, Manager Last name, Manager Email.
Now my 2nd question is
2) How should I map these three fields (corresponding to manager) in CUP to LDAP field so that these three CUP fields will be automatically populated from LDAP?
Looking for sugessions to these problems.
Hi,
you will want to make sure that the new SAP user ID also ends up in ActiveDirectory. You can either make the existing SAP ID a prerequisite (i.e. if you have a new hire, make the Windows user ID the SAP user ID immediately in AD), or you can make the field editable, which creates two issues: you need to make sure someone (...) thinks of putting the SAP user ID into AD later, and people may enter bogus IDs.
Usually creating the User ID involves stuff like rule conformance and checking for duplicates, so you can't just have people coming up with one. As your Windows ID is different than the SAP user ID you also can't take the Windows ID for new users, as it might conflict with an existing SAP ID.
Technically you can just make the field editable, but I would suggest you come up with a medium term strategy of how you get away from having multiple user IDs for the same person, it's going to come back to bite you time after time. Then make sure that whoever creates the Windows user also sets the SAP user ID, and you're fine.
Second question: if you only have the manager's name, but not a user ID it's going to be difficult. Normally you'll identify the manager user ID field and configure it in LDAP mapping, and CUP would pull that ID's data from ActiveDirectory and populate the other fields.
Again, as a workaround: maybe it's possible to run a script that resolves the managers name (what do you do now if you have people with the same name??) into their user ID and stores it in yet another AD field which you then can use.
Frank.
CUP will always use whatever user ID you gice it.
If you enter JSCHMOE as your user ID, but in LDAP it's j.schmoe at company.com, it will OF COURSE not find the user in the data source.
The only way to make this setting work is if you have a field in LDAP that has the SAP user ID - then you can map this in CUP to tell CUP to use it as the search key.
Frank.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.