GRC 5.3 CUP SP16 - User info not loading from LDAP into CUP

Former Member

Hello,

We have multiple LDAPs that we needed to connect to our CUP system to authenticate the userids before a request can be created for them, and also to bring in the Manager ID and manager email from LDAP as the first-level approver for requests.

My client hasn't maintained the actual LDAP userid, Manager and manager email fields correctly, so we utilized three other custom fields in LDAP and then did field mapping in CUP for those fields. But even when the connection to all the LDAPs is successful, there's no user information being pulled in from LDAP into CUP. I noticed that when I use our backend SAP QA system as 'User Data Source' while using multiple LDAPs for 'User Detail Source Data', it only reads data from the SAP QA system SU01 area, and even when I'm trying to create requests, no Manager info is being pulled from the LDAPs for that user id.

SAP does not allow the use of multiple LDAPs for the Configuration --> User Data Source top option. So, if a client has userids in multiple systems, it can only read from one data source. But even when I temporarily assigned one Active Directory LDAP to the 'User Data Source' option, it stated "no records found". So, something is up that no data is being pulled from the LDAPs even when the connection to those systems is successful. I just asked our AD guy to temporarily assign domain admin rights to that LDAP connection ID to see if it's an access issue, and still I am not getting any LDAP data to read into GRC CUP.

Has anyone else had this issue? Is there special access that the LDAP connection id needs in LDAP to be able to retrieve data into GRC? Are there any jobs that need to be run to read LDAP data? I thought it should be live as the system is connected to the LDAPs. I don't understand why, if the connection is successful, the user info is not being pulled from there, and why, even after the LDAP custom field mapping is done, those field values are not showing up on requests.

We need the following to happen:

1). Authenticate the custom userid field in the LDAPs to ensure this user exists as an employee before a request can be created for the user. For this I have configured the multiple LDAPs for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.

2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User Owner approvers per user group are. So, we added custom fields for Manager id and Manager Email into LDAP to be read automatically into the request when reading the user id while creating a request.

I will greatly appreciate anyone's help on how they got the LDAP field values to be read into GRC CUP for request processing and what type of encrypted access an LDAP connection id can have without assigning it complete domain admin rights on an open port 389 for the LDAP and GRC CUP connection.

Thanks and Regards,

Alley

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member

Hi Alley,

1). Authenticate the custom userid field in the LDAPs to ensure this user exists as an employee before a request can be created for the user. For this I have configured the multiple LDAPs for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.

This is not possible. You can have only 1 LDAP. Why do you want to authenticate the user in different sources? CUP looks at only one user source, not many. The wiki below explains the configuration part:

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b...

2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User Owner approvers per user group are. So, we added custom fields for Manager id and Manager Email into LDAP to be read automatically into the request when reading the user id while creating a request.

Routing based on user group is not possible. However, if you wish to maintain the Manager field, ensure that the CUP mapping is done correctly under Configuration, Field Mapping, LDAP Mapping.

While defining the workflow, take the approver determinator as Manager. This will route the request to the user's manager. Also, ensure that LDAP is the source in all the configuration areas in CUP.

Check note 1228996 for more information.

Hope this helps!!

Regards,

Raghu

Former Member

Thanks Raghu for your help.

I was able to get the manager info to show up from the user detail info of LDAP while having to point to the main SAP backend system as the main user data source, but GRC 5.3 has limitations because it doesn't let you use multiple systems as the user data source in order to make sure a user exists in a particular LDAP before a request can be created for that user, for customers who have more than one LDAP in which to locate the user.

Also, the user authentication configuration only applies to users logging in to create requests, to ensure they exist in the configured authentication systems. But that doesn't help where many companies have only managers or certain folks limited to creating requests, not all end users. So, this doesn't help to verify that the actual userids in the requests exist in the authentication system.

Is there any documentation available on how to connect multiple LDAPs to UME or how to create a visual LDAP pointing to multiple LDAPs to then use that one UME System or Visual LDAP system in CUP Configuration of USER DATA SOURCE system?

Will greatly appreciate your feedback.

Thanks for all your help.

Alley

Former Member

Is there any documentation available on how to connect multiple LDAPs to UME or how to create a visual LDAP pointing to multiple LDAPs to then use that one UME System or Visual LDAP system in CUP Configuration of USER DATA SOURCE system?

I didn't come across any documentation, but will update you in case I find any.

Regards,

Raghu