
Multiple Data Sources unavailability in CUP 5.3

Former Member
0 Kudos

Greetings All,

Our Organization has acquired another organization and wants to bring them on board in GRC CUP for user provisioning process.

The complexity here is they have a separate active directory and the merger of their active directory into the corporate AD is not slated for the next 6-8 months.

The GRC CUP version 5.3 comes with a single data source and multiple details data sources. I now have my CUP pointing to LDAP1 (MS Active Directory) and I am not able to see any users from LDAP2 (Acquired MS Active Directory), which is expected.

The AD team suggested LDAP Referral Chasing functionality that works well within MS Windows or any other tools in the LDAP world.

I did not see any other facility or option to use LDAP chasing in CUP.

Any suggestions as to how to connect to both LDAPs simultaneously without asking for another instance of CUP will be appreciated.

Best regards,

Angara

Accepted Solutions (1)

Former Member
0 Kudos

Hello Angara

I don't think it is possible to connect two ADs with one GRC CUP.

You have the option to add multiple data sources like SAP, LDAP, AD etc., but if you want to use the same data type, like system and AD in your case, it's not possible.

For that purpose you have NW IDM, where you can pull user IDs from multiple data sources.

Thanks & Regards

Asheesh

Former Member
0 Kudos

Asheesh,

When you're stating NW IDM, are you stating in this case UME of the GRC system to pull multiple data sources, in this case multiple LDAPs? Is there any documentation on how to connect multiple LDAPs for data source to UME? Because I didn't see the option on the UME setting, which it does state is IDM for GRC 5.3 NW front end.

Angara,

We had the same issues, as different locations for our client had different LDAPs, and so SAP told us to use the SAP backend production system as the main user data source to pick up userid and email info from SU01, and then set up the LDAPs as the user detail info source to pick up manager info and other details from. But you'll have to make sure you do the LDAP fields mapping correctly to bring the user detail info fields into CUP correctly during request processing.

For user authentication for requestors who aren't created in UME, you should be able to add multiple LDAPs if you want to verify the requestors from LDAPs instead of the SAP backend system. Configuration>authentication>Multiple LDAPs. But this only checks to make sure the users requesting the request exist in the authentication system, and that's what they use for their userid and password to log in to create requests in GRC. This is for those who are not in the GRC UME system and do not have approver access.

I think SAP fixed this issue in GRC 10.0 from the ABAP end, giving the option to connect to multiple LDAPs for the main user data source. It is an issue. I'm not sure why they limit it to only one system, knowing that so many companies have more than one main user data source.

Hope this helps.

Thanks,

A.

Answers (1)

Former Member
0 Kudos

Greetings Ashish & Alley,

Thanks for the information and help. The situation here is, we do not have NW IDM and I wish we had it implemented; it would have solved many of our issues.

We are looking into AD as the primary source collecting the information and creating the user in 2 places (Backend & Portal). In backend we have almost all applications (HCM/ECC/CRM/BI/XI/SRM/MDM/BPC…etc).

There are about 10,000 users in one LDAP and about 4000 in another LDAP. When the request is for an existing user, I can map the data source to the most available ABAP Stack (best would be HCM, as most users (excluding contractors/consultants) would have ESS) and pull the user info and get the remaining information from Details data source in sequential order.

The Issue we have is with the New User creation, as the new user might be in LDAP1/LDAP2 based on the hiring organization and none of their information exists anywhere in the backend or in the portal - since we are using CUP to create even ESS accounts.

We are currently evaluating one among the below three things:

1. Purchase NWIDM (not sure about the cost of the tool - possibly 100 g's)

2. Upgrade GRC from 5.3 to 10 (To determine the timeline & cost)

3. Purchase a third party tool like an open data source or Sonatype (This tool can virtually connect multiple MS ADs into one AD tree and point CUP to this tool – may cost about 10g or so)

If any one of you has any other information, please let us know. Thanks for all your advice and help.

Best Regards,

Angara Rao