on 02-11-2013 6:43 AM
Dear Experts,
We are in the middle of an upgrade from SAP 5.3 (SP 18) to SAP 10 (SP 10) and we are facing an issue which has practically halted our next steps.
In 5.3 we had a standard functionality (using SAP_User_ID) wherein we can map SAP User ID to an LDAP ID, so that the user can be logged in to CUP with the LDAP ID but will be provisioned to the backend as an SAP ID in GRC 10.
We have mapped our SAP user ID in field "L", i.e. location. The functionality works fine in GRC 5.3.
However, the same functionality is missing in GRC 10. On further investigation, we found that the SAP_User_ID field itself is missing from GRC 10. But then we found an SAP note 1724954 - UAM Unable to reset password for SAP User Id using LDAP for the missing SAP_User_ID field.
On application of the above-mentioned note, we were successful in bringing back the SAP_User_Id field, but somehow the standard functionality which is present in 5.3 is still not working in GRC 10.
Is any one of you facing a similar issue? Please advise.
Regards,
Sahil.
Hi Sahil
I have the same scenario in my company. The SAP_user_ID is missing and I can't provision to users with different LDAP ID and SAP ID. How did you get this to work?
We are on GRC 10 SP13. Appreciate your response.
Thanks
Kee
Hi Sahil
I checked the SAP note 1724954 mentioned in your original email. Though we are on SP13, I did not see the SAP_USER_ID in the AC field while doing field mapping. The entry was missing in the view GRACV_ACFIELD. So I added a row with the following data (4, user details, sap_user_id, sap_user_id, , ADDRESS). I have not applied the note 1834706 as we are already on SP13.
Now I see the SAP_USER_ID show up in field mapping. I mapped SAP_USER_ID to SAPACCOUNTNAME (SAP backend ID). I have the USERALIAS field mapped to the LDAP ID and the user ID is also mapping to the LDAP ID, which is the authentication ID and used for user search lookup. So when I create a request for another user and try to look up the user, the search is by the LDAP ID and it returns the right values, but as soon as I click OK, the LDAP ID is populated in the User ID field of the Access request. But I want the SAPAccountName populated in there.
Can you share how the field mapping is done in your scenario?
Thanks in advance
Kee
Hi Sahil,
I am in a similar situation where the LDAP SAMACCOUNTNAME attribute is different to the SAP ID and at the same time the portal uses the mentioned attribute for SSO. So I have the scenario where LDAP and portal have long IDs and SAP ABAP systems will have short IDs (<= 12 characters). Can you please share the solution for how GRC can provision different IDs in different systems?
Thanks & Regards,
Prasad
Hi Kee,
Thanks for your reply. I am on SP13 and so the note should already be applied, but I added the SAP_USER_ID similar to what you did. But if at all this works then it only gives part of the solution, as I will still have to auto provision portal IDs which are different to SAP ABAP IDs. But please post me any updates.
Thanks & Regards,
Prasad
Hello Kee
I am also on SP13 and had to add SAP_USER_ID manually.
But my requirement is:
LDAP ID: abc and SAP ID is employee number 123
But a few users have the SAP ID and LDAP ID the same.
So the requirement is if user can log in to the end-user screen using LDAP authentication but user field if be of SAP
Regards,
Prasant
Hi,
The mapping works for me if the SAP_USER_ID is mapped with the relevant LDAP attribute under the config 'Maintain Mapping for actions and connector groups', but my issue is to auto provision portal and ABAP IDs where the portal has the LDAP IDs (long IDs >12 characters) which are different to the ABAP IDs (short IDs < 12 characters). Please update on any solution for this scenario. Thanks.
Regards,
Prasad
Hi Kee/Vallamsetty/Prasant,
In my scenario LDAP ID and SAP_USER_ID are the same. In this case do I need to do any additional settings apart from creating the connector, maintaining the mapping between LDAP and SAP attributes and using LDAP as the authentication, search and user details data source?
If I complete all the above-mentioned things, will all my users be able to log in to NWBC through LDAP authentication?
Just wanted to know as we are planning to do the same, but still LDAP access has not been provided.
Regards,
Madhu.
I have not seen this before. Are you able to see the other fields and just not some specific ones? You may need to check if you can see these fields being rendered in the LDAP tcode when you do find for the LDAP server results.
Also, the issue with provisioning with multiple IDs (ABAP vs Portal) is resolved now. SAP recommended using the Logonname field in portal for the field mapping,
i.e. the AC field that stores the EP/LDAP ID is mapped to logonname.
This is in conjunction with the below notes
1872047
1977915
Now, in a single request I can provision to ABAP systems using the User Id field in AC and Portal system using the User Alias field in AC which is mapped to the logonname field in portal (in field mapping).
Hope this helps.
Thanks
Kee
Hi Kee,
Thanks for your response. In my case, I have the SAP standard AC field SAP_USER_ID to store the SAP ID (short ID) in the GRC system and created a custom attribute sapUsername in LDAP Active Directory which will store the SAP ID (short ID). Below is a screenshot of the LDAP Connector group mapping. Portal is using LDAP for single sign-on and so the portal has the long IDs. With this configuration I can look up the long ID from the LDAP data source in the access request, and when I select the user I get the SAP user ID (short ID) in the user ID field of the access request form. At this point I am able to provision the ABAP systems which are using the short IDs but not the portal which is using the long ID. Can you please elaborate with screenshots how you achieved provisioning both short and long IDs (ABAP vs Portal) in a single request? Thanks in advance for your help.
Regards,
Prasad
Hi Prasad
I don't believe you need to do any further updates with the LDAP field mapping. You have to adjust the portal field mapping. In my case, I mapped the first name, last name, email, Id and logonname fields in portal to the AC fields.
You must have the Portal ID field mapped to the AC field that stores the long ID, and the logonname field should be mapped to the USERID field in AC.
If you complete this config and apply 1872047 and 1977915, your problem should be solved.
I won't be able to send screenshots but am happy to chat if you mail me at keezone01@gmail.com
Thanks
Kee