on 12-03-2012 8:43 PM
Hello experts:
I'm working on setting passwords in some connected systems. I'm seeing a couple of interesting things though:
1. Even though the repository definitions specify ABAP, the Java password change is being executed (the systems are ECC and SRM if it matters) -- Any thoughts?
2. When I go to set the password I am setting PasswordChangeRequired to FALSE and I get the following message:
putNextEntry failed storingSPML.SAPUSER.MPOLLICOVE
Exception from Modify operation:com.sap.idm.ic.ToPassException: Could not update user Productive Passwords can only be set via secure transport layers - What do I need to tell BASIS to do?
Thanks,
Matt
Hi Matt
1. Not off the top of my head - that's a little strange.
2. I've encountered this before. SNC needs to be enabled on the ABAP system and the correct constants need to be set up on your repository to enable it to use SNC when doing the change.
You also need to ensure that you update the rights on your user. From SAP Note 1287410:
"To set passwords as productive, the communication user needs the authorization for object S_USER_GRP with activity 'PP'. This authorization is not included in the IDM role SAP_BC_SEC_IDM_COMMUNICATION"
Note that SAP Note 1602902 talks specifically about creation, not modification, as it goes through BAPI_USER_CREATE1. Not sure if this'll work with modify - let me know how it goes.
Peter
Hi Matt
I'm not sure - I've only ever done it with ABAP. However, I seem to recall that the SPML implementation has an attribute 'passwordchangerequired' which is set to true by default on the To Custom job for setting the password.
If you set that to false it should work (logically - I make no guarantees)
Peter
Hi Matt
1. Doesn't sound right, would check the mx_hook8 for password change (if the operation is just that of a password change) - it's not dual stack?
2. Keep in mind that connections need to be encrypted to set a password as productive
So RFC-SNC for ABAP and HTTPS-SSL for JAVA
This error would indicate that connection from IDM is only http
Could not update user Productive Passwords can only be set via secure transport layers
Cheers
Craig
Craig,
I mentioned in my post that the attributes would need to be encrypted. I'd recommend not using the framework in this case to prevent synchronization from taking place. Directly referencing a framework task could start synchronization which is specifically not called for in Deepak's scenario. A copy of the task executed outside of the framework would be best IMO.
You could also look to 's post (and thread) above which references how to do this over multiple repositories. And yes, you would need to hard code the repository.
You do have a valid point in that SSL is required for handling the setting of Productive passwords in SAP. It also makes AD password setting much easier.
Regards,
Matt
Hi Matt
As we know, password management for IDM only manages one password for all target applications. Correct!
I have a question: how will IDM manage passwords for the already existing users in target systems having different user IDs (with different passwords)?
Like in my case, we are using SAP and AD as target systems. One user has different user IDs in SAP and AD (different passwords).
Looking forward for your reply soon.
Best Regards
Deepak
Deepak,
This should probably be its own thread since it's really a different question, but I've put you through enough hoops already.
First off, this is not really the way SAP wants things done. As I've said elsewhere, the goal is password synchronization. The product is not really designed to be a password manager.
However, the product is extremely flexible and the framework is meant to be extended, so here's how I would do it. (Note I'm not sitting in front of IDM as I am typing this so it's really a rough framework)
I would set up a "PW Management Task" with the following attributes:
ADPWD
MX_PASSWORD
These attributes should be encrypted with confirmation turned on to comply with best practices
Then in your workflow attached to this UI task you can set the passwords as needed by creating jobs to accomplish this (AD needs a to LDAP, use the framework passes for SAP)
This would then set your unique passwords as you need.
Good luck!
Matt
Hi Matt
Thanks for your reply.
I understand and agree with you that things should not be intended to divert the actual objective of the product, but it is a key requirement of the client and they want to manage passwords.
I am more worried about the ALREADY EXISTING USERS and THEIR PASSWORDS.
Will these attributes you mentioned above be able to handle their passwords?
Is SNC the key requirement for those SAP passwords to be handled through IDM (for existing users)? If enabling SNC is not possible, then what would be the impacts and how could this requirement be achieved?
Thanks
Deepak
Hello Deepak,
We have created repository-specific attributes not only for the password, but also for validity, locked values and many others. In addition, one has to copy and change the Hook tasks.
If SNC is not an option you have to make an RFC call yourself. In this document the procedure is mentioned:
"Set a productive password: The user is created with an initial password that needs to be changed the first time the user logs on. However, there may be cases where you want to set up a user that initially has a productive password. Technically this is not possible, therefore in this case, you have to create the user with an initial password and then change it using the function module SUSR_USER_CHANGE_PASSWORD_RFC."
Edit: Almost forgot to mention this thread: http://scn.sap.com/thread/3418477
It isn't standard, that is true, but asking provokingly and rhetorically: who uses an unchanged SAP IdM anyway?! I always liked the flexibility of SAP IdM, and a lot of processes wouldn't work without changing it.
Best regards
Dominik
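The two-step procedure Dominik quotes (create the user with an initial password, then change it with SUSR_USER_CHANGE_PASSWORD_RFC so it becomes productive), as an added example that is not from the thread, SAP or SAP IdM. It is written against the `call(name, **params)` shape of pyrfc's `Connection.call`, so a real connection or a test double can be injected; the `snc_enabled` flag and the guard it drives are assumptions made here to mirror the "secure transport layers" error from the first post, and the parameter names for the two function modules are those documented for them but should be checked against your system.

```python
# Added example, not SAP IdM code: create a user with an initial password and
# immediately change it, which is what makes the password productive.
from typing import Any, Callable


def bapi_errors(result: dict) -> list:
    """Collect error (E) and abort (A) rows from a BAPI RETURN table."""
    ret = result.get("RETURN", [])
    if isinstance(ret, dict):  # some BAPIs return RETURN as a single structure
        ret = [ret]
    return [m for m in ret if m.get("TYPE") in ("E", "A")]


def set_productive_password(call: Callable[..., Any], username: str,
                            initial_pwd: str, productive_pwd: str,
                            lastname: str, snc_enabled: bool) -> list:
    """Create `username` with `initial_pwd`, then change it to `productive_pwd`.

    `call` has the signature of pyrfc's Connection.call(name, **params).
    `snc_enabled` is assumed to come from the destination's SNC settings; the
    guard refuses to push a productive password over an unprotected RFC link,
    matching the backend's own "secure transport layers" restriction.
    Returns the ordered list of function modules that were invoked.
    """
    if not snc_enabled:
        raise PermissionError("refusing plain RFC for a productive password; enable SNC")
    invoked = []
    # Step 1: create the user. The password set here is an initial one that the
    # backend forces to be changed at first logon.
    res = call("BAPI_USER_CREATE1",
               USERNAME=username,
               PASSWORD={"BAPIPWD": initial_pwd},
               ADDRESS={"LASTNAME": lastname})
    invoked.append("BAPI_USER_CREATE1")
    errs = bapi_errors(res)
    if errs:
        raise RuntimeError(f"user creation failed: {errs[0].get('MESSAGE')}")
    # Step 2: perform the "first logon" password change on the user's behalf.
    # Failures here surface as RFC exceptions raised by `call`, not via RETURN.
    call("SUSR_USER_CHANGE_PASSWORD_RFC",
         BNAME=username, PASSWORD=initial_pwd, NEW_PASSWORD=productive_pwd)
    invoked.append("SUSR_USER_CHANGE_PASSWORD_RFC")
    return invoked
```

The initial password is only ever used for that single change call, so it should be generated randomly and discarded rather than derived from the productive one.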
Hi Dominik
Thanks for your prompt reply.
From a fresh start, I want to just simply manage the users and their passwords already in SAP ECC through IDM.
I know about the new users during provisioning but not much clear about the existing users.
Could you please give your views in detail?
Regards
Deepak
Deepak,
There's no real difference. If you want to prevent a password that's already in the system from being overwritten, you can use the "." prefix in the destination tab of the pass to prevent overwriting the attribute or use a script to process the value.
If you need to do something different, please put the details in a new thread.
Matt