
Provisioning Existing AD Groups

Former Member

Experts

I was wondering if you might be able to shed a little light on an issue I'm having...

I've been able to get provisioning to Enterprise Portal Groups and Roles working. But now we have a requirement to provision users to existing AD groups. I have never done this and am wondering if anyone out there has. I have configured the system based on the configuration guide, page 174, "Configuring Provisioning for LDAP User Groups to Users". But my initial thought is that we are definitely missing some information here to get it working. For example, the IDs communicating with the AD from CUP and from the Portal are read-only. I would imagine that these would need to be read/write. I've researched the SAP forums but right now I am not finding anything. I could really use some additional information on the requirements for this to work. Any help would be appreciated.

Note: the LDAP where our AD groups reside exists in our portal. We also have direct connections to LDAP from CUP.

A few small questions:

1) Would I pull in AD user groups from the EP portal connection or would you pull in AD groups directly from the LDAP connection within CUP?

2) Are you doing the assignment of AD group through the portal connection or directly to the AD?

I'm having trouble understanding how this LDAP EP connector works to pull roles into CUP and provision existing AD groups.

Thanks again,

Kyle

Answers (1)

frank_bannert

Hi Kyle,

In AC 5.3 you cannot provision directly into LDAP, so you have to use the workaround of an LDAP connected to a portal UME.

This document should help you:

http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0...

There is also some explanation in the config guide.

Best,

Frank

Former Member

Frank,

Thanks for the update... Here is another conversation I am having. Maybe you can shed some additional light on this.

Provisioning user groups requires RAR LDAP connector:

1472228 - "Error creating request" when trying to provision LDAP group

It seems that all your questions can be answered by the Configuration Guide - SAP GRC Access Control 5.3 starting on page 181.

1) Does the LDAP ID for each LDAP connection need to be read/write? Yes. Communication user needs read/write.

Thanks!

2) When pulling LDAP groups into CUP which connector would you pull from? (See Guide: Import the user groups via template.)

I would like to pull directly from the backend LDAP (we can do this because I can search for a particular naming convention). My guess is I would import using the EP LDAP connection I created (and this connection is linked to a particular LDAP), since the guide indicates this is the system you need to choose when requesting this access. If I use the template I am guessing I would need to use the specific LDAP as the system? That doesn't make sense to me since it would then be associated with that connector in CUP.

3) Where does the mapping of LDAP groups to Enterprise Portal roles take place? LDAP? CUP? EP? (See guide) You cannot directly provision to LDAP. EP has to connect to LDAP. See Configuration Guide 5.3 page 181 under heading "Configuring Provisioning for LDAP User Groups to Users".

I must have an old config guide because there is no mention of this within mine. Version 3.00. Maybe I need to clarify. I understand we don't write directly to LDAP. What I am asking is how do we associate portal roles with LDAP groups? So if we provision a user to an existing LDAP group, how will they get the portal role associated with it? Sounds like what you are saying is that this is done via EP.

Let me know if this sounds correct.

1) EP is connected to LDAP and can pull in LDAP groups

2) CUP pulls these in via EP LDAP connector

3) Within EP you would associate LDAP groups with portal groups (see above)

4) When you select EP LDAP within a request you see all roles for EP LDAP. You select this for assignment

5) This LDAP group is then assigned to the user ID in EP

6) When creating a request to assign a user a LDAP group do you use this connection or the direct AD connection? (See Guide) You can provision existing LDAP user groups to existing users. You do this by creating a standard LDAP connector and linking the LDAP connector to the SAP EP LDAP connector.

Says EP LDAP connector

7) Does CUP assign users to existing groups through LDAP directly or does it do this through EP? (See Guide)

How will this work if we have 3 LDAP connectors? (See Guide) You can configure the LDAP mapping in the connector to link it to the SAP EP LDAP connector.

Sounds like it does this assignment through EP which brings in AD groups?
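The point in the exchange above that matters most from a security standpoint is item 1: whichever account ends up writing group membership (the portal UME's LDAP data-source user when you go through the SAPEP connector, or the CUP LDAP connector's bind user when you assign directly) needs write access, and the usual temptation is to grant it far more than it needs. The following is an added PowerShell example, not part of the original thread and not SAP's or anyone's posted code. It checks, on the AD side, whether an assumed bind account (CONTOSO\svc-grc-prov) holds WriteProperty on the `member` attribute of the groups under an assumed OU (OU=App Groups,DC=contoso,DC=com), and shows the dsacls delegation that grants exactly that and nothing else. The two schemaIDGUID values are the fixed AD schema GUIDs for the `member` attribute and the `group` class; the account and OU names are illustrative assumptions.

```powershell
# Added example (not from the thread): verify that the bind account that
# actually writes group membership has WriteProperty on 'member' for the
# target groups, and delegate only that right if it does not.
# CONTOSO\svc-grc-prov and the OU are assumptions for illustration.
Import-Module ActiveDirectory

$svc = 'CONTOSO\svc-grc-prov'              # assumed communication / bind user
$ou  = 'OU=App Groups,DC=contoso,DC=com'   # assumed container holding the AD groups

# schemaIDGUID of the 'member' attribute and of the 'group' object class.
# These are fixed values in the AD schema, not site-specific.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupGuid  = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

function Test-GroupMemberWrite {
    param([string]$Identity, [string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # An ACE qualifies if it is an Allow for this identity that carries the
    # WriteProperty bit (GenericAll includes it) and is scoped either to all
    # properties (empty ObjectType GUID) or specifically to 'member'.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $memberGuid)
    }
}

# Check the container and every group beneath it. A group reported as RO is
# one the connector can read for import but cannot assign users into, which
# is exactly the read-only symptom described in the thread.
$targets = @($ou) + (Get-ADGroup -SearchBase $ou -Filter * |
                     Select-Object -ExpandProperty DistinguishedName)
foreach ($dn in $targets) {
    $ok = [bool](Test-GroupMemberWrite -Identity $svc -DistinguishedName $dn)
    '{0,-5} {1}' -f ($(if ($ok) { 'WRITE' } else { 'RO' }), $dn)
}

# Least-privilege fix for RO results: grant Write Property on 'member' only,
# inherited to group objects ($groupGuid class) under the OU. Run once as a
# domain admin; do not put the service account in Account Operators or give
# it Full Control on the OU.
#   dsacls "$ou" /I:S /G "${svc}:WP;member;group"
```

Run the check as any user with read access to the OU's security descriptor; only the dsacls line needs elevated rights. Scoping the grant to `member` on `group` objects means a compromised connector credential can alter membership of groups in that OU but cannot create, delete or rename objects, reset passwords, or touch groups elsewhere in the forest, which is the blast radius you want for a provisioning account.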

Former Member

Hi Kyle

I am not able to understand all of your conversation but please find my answers below.

2) When pulling LDAP groups into CUP which connector would you pull from? (See Guide: Import the user groups via template.)

I would like to pull directly from the backend LDAP (we can do this because I can search for a particular naming convention). My guess is I would import using the EP LDAP connection I created (and this connection is linked to a particular LDAP), since the guide indicates this is the system you need to choose when requesting this access. If I use the template I am guessing I would need to use the specific LDAP as the system? That doesn't make sense to me since it would then be associated with that connector in CUP.

*AA: Make a SAPEPLDAP connector in case you want to just provision LDAP groups to the users, as the SAPEPLDAP connector gives you the flexibility to assign groups to users directly. If you want to connect LDAP with UME then you have to use the SAPEP connector.*

3) Where does the mapping of LDAP groups to Enterprise Portal roles take place? LDAP? CUP? EP? (See guide) You cannot directly provision to LDAP. EP has to connect to LDAP. See Configuration Guide 5.3 page 181 under heading "Configuring Provisioning for LDAP User Groups to Users".

I must have an old config guide because there is no mention of this within mine. Version 3.00. Maybe I need to clarify. I understand we don't write directly to LDAP. What I am asking is how do we associate portal roles with LDAP groups? So if we provision a user to an existing LDAP group, how will they get the portal role associated with it? Sounds like what you are saying is that this is done via EP.

Let me know if this sounds correct.

1) EP is connected to LDAP and can pull in LDAP groups

2) CUP pulls these in via EP LDAP connector

3) Within EP you would associate LDAP groups with portal groups (see above)

4) When you select EP LDAP within a request you see all roles for EP LDAP. You select this for assignment

5) This LDAP group is then assigned to the user ID in EP

*AA: Yes you are right.*

6) When creating a request to assign a user a LDAP group do you use this connection or the direct AD connection? (See Guide) You can provision existing LDAP user groups to existing users. You do this by creating a standard LDAP connector and linking the LDAP connector to the SAP EP LDAP connector.

Says EP LDAP connector

*AA: When LDAP is connected to UME, if you provision an LDAP group to a user at that time, then you have to use the EP connector. The EP connector will assign the group to the user. It can be done as UME is connected to LDAP. Thus no external or direct call to the LDAP connector is made.*

7) Does CUP assign users to existing groups through LDAP directly or does it do this through EP? (See Guide)

How will this work if we have 3 LDAP connectors? (See Guide) You can configure the LDAP mapping in the connector to link it to the SAP EP LDAP connector.

Sounds like it does this assignment through EP which brings in AD groups?

*AA: Can be achieved both ways. Use a SAPEPLDAP connector to assign directly. Use the SAPEP connector to provision to UME, which will internally provision to LDAP as LDAP will be connected to UME.*