IDM 7.2 SP3 synchronizing only role assignment changes to ABAP

Former Member
0 Kudos

Hi All,

I set up a system where IDM provisions users and their role assignments into a SAP ABAP system. As I would like to keep the authority of some roles on the ABAP system side (these roles cannot be requested in IDM), my plan was to synchronize only new role assignments into the ABAP system. However, I discovered that despite setting the "changeType" to "Modify" in the "toSAP" pass, all existing roles were removed on the SAP ERP side, and only the newly assigned role was connected to the ABAP user.

How would it be possible to synchronize only changes (new values, or removed values) from IDM without removing all existing values on the ABAP side?

Any help would be greatly appreciated.

Zoltan

Accepted Solutions (1)

Former Member
0 Kudos

Hi Zoltan,

This is not possible.  Every time IdM writes to the ABAP side, it will wipe out all roles and rewrite the roles that are stored in IdM.  This is by design for reporting, auditing, and data integrity purposes.

Regards,

Chris

Former Member
0 Kudos

Hi Chris,

thank you for clarifying this. There would then be another question:

How can I guarantee that I know in IdM about all assigned ABAP roles if some ABAP roles will be assigned to users directly in the ABAP system? If I synchronize them with a job every 5 minutes into the IdM system, there would still be a chance that IdM does not know about the latest role assignments and so "deletes" them when it provisions a newly assigned role from IdM. Some kind of continuous ABAP monitoring would be needed...

Kind regards,

Zoltan

Former Member
0 Kudos

Hi,

You are correct.  This would definitely lead to problems.  The recommended approach is to not modify roles in SU01.  If a role needs to be changed on a user, it should be done in IdM.  The security team should be trained on IdM and do their assignments there.  If there is a valid business case to still do it in SU01, you will have to set up an Event Agent service to monitor the ABAP system for any changes.  This is definitely not a perfect solution though, because the event agent service will have to be set to check only so often for changes, every 30 seconds for example (if it can run that fast), and this will put quite a load on your IdM system.  There will still be a chance that you can lose roles though, just because the event agent service isn't a continuous process.  It's just a service that frequently checks.

There really isn't a great solution to your problem.  The best solution is to lock out SU01 and administer users in IdM.  Perhaps the question for me to ask is why you would like to administer roles in the ABAP end system?

Chris
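To make the race described in this answer concrete, below is an added reconciliation check. It is example code written for this page, not code from the thread, from SAP IdM or from the event agent; the user IDs, role names and the two assignment tables are constructed. It computes what a full-overwrite write from IdM would silently remove from the ABAP side, and holds the write for a user whenever the target system holds roles IdM does not know about, so an operator can import those roles into IdM (the "absorb" step) before the overwrite goes out.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical users and roles): the role sets as
# IdM has them stored, and as the ABAP system currently holds them.
# Z_ADMIN_LOCAL on JDOE stands for a role assigned directly in SU01 after
# the last synchronization run, i.e. a role IdM does not yet know about.
IDM_ASSIGNMENTS = {
    "JDOE": {"Z_BASIS_DISPLAY", "Z_FI_CLERK"},
    "ASMITH": {"Z_HR_VIEW"},
}
ABAP_ASSIGNMENTS = {
    "JDOE": {"Z_BASIS_DISPLAY", "Z_FI_CLERK", "Z_ADMIN_LOCAL"},
    "ASMITH": {"Z_HR_VIEW"},
}


@dataclass
class Drift:
    user: str
    only_in_abap: set   # roles a full overwrite from IdM would remove
    only_in_idm: set    # roles the write would add

    @property
    def would_lose_roles(self) -> bool:
        return bool(self.only_in_abap)


def reconcile(idm: dict, abap: dict) -> dict:
    """Compare both views and return a Drift entry per user whose sets differ."""
    drift = {}
    for user in set(idm) | set(abap):
        idm_roles = idm.get(user, set())
        abap_roles = abap.get(user, set())
        if idm_roles != abap_roles:
            drift[user] = Drift(user, abap_roles - idm_roles, idm_roles - abap_roles)
    return drift


def plan_write(user: str, idm: dict, abap: dict) -> dict:
    """Decide whether IdM may overwrite the user's roles right now.

    The connector semantics are the ones described in the thread: every write
    replaces the complete role list with what IdM stores. The write is therefore
    only safe when the target holds no role that IdM does not know about.
    """
    idm_roles = idm.get(user, set())
    unmanaged = abap.get(user, set()) - idm_roles
    if unmanaged:
        # Hold the write: it would silently strip the roles in `unmanaged`.
        return {"action": "hold", "roles": idm_roles, "unmanaged": unmanaged}
    return {"action": "write", "roles": idm_roles, "unmanaged": set()}


def absorb_abap_roles(user: str, idm: dict, abap: dict) -> set:
    """Import roles assigned directly in ABAP into IdM's view (the periodic
    sync job's effect), returning the user's updated IdM role set."""
    merged = idm.get(user, set()) | abap.get(user, set())
    idm[user] = merged
    return merged


if __name__ == "__main__":
    for entry in reconcile(IDM_ASSIGNMENTS, ABAP_ASSIGNMENTS).values():
        print(f"{entry.user}: would lose {sorted(entry.only_in_abap)}, "
              f"would gain {sorted(entry.only_in_idm)}")
    print(plan_write("JDOE", IDM_ASSIGNMENTS, ABAP_ASSIGNMENTS))
    absorb_abap_roles("JDOE", IDM_ASSIGNMENTS, ABAP_ASSIGNMENTS)
    print(plan_write("JDOE", IDM_ASSIGNMENTS, ABAP_ASSIGNMENTS))
```

The check narrows the window but does not close it: a role assigned in SU01 between the read of the ABAP role list and the write is still lost, which is the same gap a polling event agent has. It does turn a silent removal into a held write with the missing roles named, which is what an operator or an audit needs to see.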

Former Member
0 Kudos

Hi Chris,

Well, the reason behind administering roles in the ABAP end system is that the customer would like to roll out the IdM solution in separate phases, and in the first phase we should only deal with external employees and their roles. Anyway, thank you for your quick answers, maybe we can convince the customer to change the plans a bit.

Zoltan

Answers (0)