
How to map SAP User Id to an LDAP ID in GRC 10

Former Member
0 Kudos

Dear Experts,

We are in the middle of an upgrade from SAP 5.3 (SP 18) to SAP 10 (SP 10) and we are facing an issue which has practically halted our next steps.

In 5.3 we had a standard functionality (using SAP_User_ID) wherein we can map an SAP User ID to an LDAP ID, so that the user can be logged in to CUP with the LDAP ID but will be provisioned to the backend as an SAP ID in GRC 10.

We have mapped our SAP user ID in field "L", i.e. location. The functionality works fine in GRC 5.3.

However, the same functionality is missing in GRC 10. On further investigation, we found that the SAP_User_ID field itself is missing from GRC 10. But then we found an SAP note 1724954 - UAM Unable to reset password for SAP User Id using LDAP for the missing SAP_User_ID field.

After applying the above-mentioned note, we were able to bring back the SAP_User_Id field, but somehow the standard functionality which is present in 5.3 is still not working in GRC 10.

Is any one of you facing a similar issue? Please advise.

Regards,

Sahil.

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hi Sahil

I have the same scenario in my company. The SAP_user_ID is missing and I can't provision to users with different LDAP ID and SAP ID. How did you get this to work?

We are on GRC 10 SP13. Appreciate your response.

Thanks

Kee

Former Member
0 Kudos

Hi Kee,

Please implement SAP note 1834706 and your problem will be solved.

Regards,

Sahil.

Former Member
0 Kudos

Hi Sahil

I checked the SAP note 1724954 mentioned in your original email. Though we are on SP13, I did not see the SAP_USER_ID in the AC field while doing field mapping. The entry was missing in the view GRACV_ACFIELD. So I added a row with the following data (4, user details, sap_user_id, sap_user_id, , ADDRESS). I have not applied the note 1834706 as we are already on SP13.

Now I see the SAP_USER_ID show up in field mapping. I mapped SAP_USER_ID to SAPACCOUNTNAME (SAP backend ID). I have USERALIAS field mapped to the LDAP ID and the user ID is also mapping to the LDAP ID which is the authentication ID and used for user search lookup. So when I create a request for another user and try to look up the user, the search is by the LDAP ID and it returns right values but as soon as I click OK, the LDAP ID is populated in the User ID field of the Access request. But I want the SAPAccountName populated in there.

Can you share how the field mapping is done in your scenario?

Thanks in advance

Kee

Former Member
0 Kudos

Sahil

FYI, I just checked the correction instructions for 184706. The code is in place. I have LDAP as the user search source and detail source as well.

Former Member
0 Kudos

Hi Sahil,

I am in a similar situation where the LDAP SAMACCOUNTNAME attribute is different from the SAP ID and at the same time the portal uses the mentioned attribute for SSO. So I have the scenario where LDAP and portal have long IDs and SAP ABAP systems will have short IDs (<= 12 characters). Can you please share the solution for how GRC can provision different IDs in different systems?

Thanks & Regards,

Prasad


Former Member
0 Kudos

Hi Prasad

The notes mentioned by Sahil should be the starting point in case you cannot find the SAP_USER_ID to do the mapping.

Also, what is your SP level?

I have a high priority ticket with SAP on this and working with them to get the issue resolved. I will keep you posted.

Thanks

Kee

Former Member
0 Kudos

Hi Kee,

Thanks for your reply. I am on SP13 and so the note should already be applied, but I added the SAP_USER_ID similar to what you did. But if at all this works then it only gives part of the solution, as I will still have to auto provision portal IDs which are different from SAP ABAP IDs. But please post me any updates.

Thanks & Regards,

Prasad

former_member193066
Active Contributor
0 Kudos

Hello Kee

I am also on SP13 and had to add SAP_USER_ID manually.

But my requirement is:

LDAP ID: abc and SAP ID is employee number 123

But a few users have SAP ID and LDAP ID the same.

So the requirement is if user can log in to the end-user screen using LDAP authentication but user field if be of SAP

Regards,

Prasant

Former Member
0 Kudos

Hi,

The mapping works for me if the SAP_USER_ID is mapped with the relevant LDAP attribute under the config 'Maintain Mapping for actions and connector groups', but my issue is to auto provision portal and ABAP IDs where the portal has the LDAP IDs (long IDs > 12 characters) which are different from the ABAP IDs (short IDs < 12 characters). Please update if there is any solution for this scenario. Thanks.

Regards,

Prasad


madhusap
Active Contributor
0 Kudos

Hi Kee/Vallamsetty/Prasant,

In my scenario LDAP ID and SAP_USER_ID are the same. In this case do I need to do any additional settings apart from creating the connector, maintaining the mapping between LDAP and SAP attributes, and using LDAP as the authentication, search and user details data source?

If I complete all the above-mentioned things, will all my users be able to log in to NWBC through LDAP authentication?

Just wanted to know as we are planning to do the same, but still LDAP access has not been provided.

Regards,

Madhu.

Former Member
0 Kudos

Hi,

In the LDAP group field mapping I can't find all the LDAP attributes (e.g. postofficebox) in the drop-down list of 'system field name'. Basically I am trying to map the AC field 'SAP_USER_ID' with the LDAP attribute 'postofficebox'. Am I missing any configuration?

Thanks & Regards,

Prasad

Former Member
0 Kudos

I have not seen this before. Are you able to see the other fields and just not some specific ones? You may need to check if you can see these fields being rendered in the LDAP tcode when you do find for the LDAP server results.

Also, the issue with provisioning with multiple IDs (ABAP vs Portal) is resolved now. SAP recommended using the Logonname field in portal for the field mapping,

i.e. the AC field that stores the EP/ LDAP id is mapped to logonname

This is in conjunction with the below notes

1872047

1977915

Now, in a single request I can provision to ABAP systems using the User Id field in AC and Portal system using the User Alias field in AC which is mapped to the logonname field in portal (in field mapping).

Hope this helps.

Thanks

Kee

Former Member
0 Kudos

Hi Kee,

Thanks for your response. In my case, I have the SAP standard AC field SAP_USER_ID to store the SAP ID (short ID) in the GRC system and created a custom attribute sapUsername in LDAP Active Directory which will store the SAP ID (short ID). Below screenshot of LDAP Connector group mapping. Portal is using LDAP for single sign-on and so the portal has the long IDs. With this configuration I can look up the long ID from the LDAP data source in the access request, and when I select the user I get the SAP user ID (short ID) in the user ID field of the access request form. At this point I am able to provision the ABAP systems which are using the short IDs but not the portal which is using the long ID. Can you please elaborate with screenshots how you achieved provisioning both short and long IDs (ABAP vs Portal) in a single request? Thanks in advance for your help.

Regards,

Prasad

Former Member
0 Kudos

Hi Kee,

I can only find a few fields in the LDAP tcode when I search for users with the 'find' option in the LDAP server results. Can you please help if I am missing any configuration to view the other missing LDAP attributes?

Thanks,

Prasad

Former Member
0 Kudos

Hi Prasad

I don't believe you need to do any further updates with the LDAP field mapping. You have to adjust the portal field mapping. In my case, I mapped the first name, last name, email, Id and logonname fields in portal to the AC fields.

You must have Portal ID field mapped to the AC field that stores the long ID and the logonname field should be mapped to the USERID field in AC.

If you complete this config and apply 1872047 and 1977915, your problem should be solved.

I won't be able to send screenshots but happy to chat if you mail me at keezone01@gmail.com

Thanks

Kee