cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Event Task

Go to solution
Former Member

on ‎03-08-2013 10:21 AM

0 Kudos

Hi,

I am trying to use the standard SAP PF to provision an ABAP system. I am able to see the below tasks delivered as part of the SAP PF which I would need to use.

(*) ProvisionABAP

(*) DeprovisionABAP

(*) ModifyABAPUser

In ABAP System Repository, under the tab "Event Task" I am able to see the  below options.

Also, in the Repository constants, I am able to set value for the below tasks.

MX_ADD_MEMBER_TASK

MX_DEL_MEMBER_TASK

MX_MODIFYTASK

MX_PROVISIONTASK

MX_DEPROVISIONTASK

1) I am confused as to where I need to set values - should it be in Event Task tab or as constants. What is the difference?

2) What is the differene between "Add Member" and "Provision Task" ? I have already done the initial load and have got the users and roles ready in IdM. The moment I assign a role to a user via IdM UI,  I need the system to provision the role in my ABAP system.

3) Assume,  I do not have any Manager/Role Owner approval process. The role should straightaway get provisioned to the user in the ABAP system. Will this still create a Pending Value Object and then provision the user and after successful provision delete the Pending Value ?

Thanks,

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎03-10-2013 7:02 AM
0 Kudos

With regard to question (1),

I have a strong feeling (after reading the documentation) that the repository constants are ONLY used to refer the values via the context menu in the passes that reference this repository. I am just looking at provisioning an AS ABAP repository. Hence, I think I should just maintain the SAP PF tasks in "Event Task" tab of the repository.

With regard to question (3),

I think I found the answer. If I do not have approvals maintained and wish the role to be assigned directly, I would need to maintain the task in the "Provision" of Event Task. This will not create a PVO and straightaway assign the role in the backend ABAP system.

With regard to question (2),

I understand that "Add Member" task will create a PVO and give an opportunity for me to play around with the objects whereas "Provision" task will not create a PVO. But in the documentation, for the "Add Member" task it says "This task will perform its operations, for example request an approval when assigning a role or create an authorization in a target application when assigning a privilege". I thought to request an approval while assigning a role, I would use the "Add Validate" task and refer it to an Approval task ? This has confused me even futher.


Please correct me if I am wrong. If I have an ABAP system to provision and if I am using the SAP PF to provision roles, I would need to do either of the following.

Option A: Role Owner needs to approve the request.

I would maintain "Add Validate" and refer to an Approval task. I would then maintain "Add Member" and refer to ProvisionABAP tasks in SAP PF.

Option B: No approval is required

I would just maintain "Provision" and refer to ProvisionABAP tasks in SAP PF.

I understand that the sequence of Event tasks is "Add Validate" > "Add Member" > "Provision".

Thanks,

Show replies
Show replies
Former Member
‎03-10-2013 7:44 PM
0 Kudos

Hi Gandalf

If you assign a task in the properties of the repository it gets added to the value in the constants.

The add/remove/modify tasks can be used to trigger approvals etc

The provisioning task is executed after the add/remove/modify task and should be used to actually do the work.

The add validate task was added more recently - I think it intended for GRC and is performed first in the task list Validate -> add -> provision.  The validate task returns true/false which is suited perfectly to the GRC framework.  It can be used for approvals as well.

Both your options a) and b) look valid.

Peter

Former Member
‎03-10-2013 10:36 PM
0 Kudos

Thank you Peter. I now get a feeling that I am in the right direction. With regard to Hook tasks, I will have a look at the system and shall repond.

Thanks.

Answers (1)

Answers (1)

Former Member
‎03-09-2013 8:38 AM
0 Kudos

Hi Gandalf,

I'm not sure of I understand your question properly so if I'm not answer, please give more explanation.

In your Identity Store - (imported) Provisioning Framework - Connectors - Abap Connectors - As Abap Task - chose what you want.

==> There you must enable "Public Task" (see print screen) and set the repository to your ABAP destination.

This should make your task visible on your IDM webui and activate the SAP provisionning (without modifying "Event Task" (as your print screen).

Keep me posted if it helped to solve your provisioning problem.

Nicolas.

Show replies
Show replies
Former Member
‎03-09-2013 10:59 AM
0 Kudos

Thanks for your response Nicolas.

My questions were around the reasoning behind

(1) When to use "Repository constants" and "Respository Event Tasks".

(2) Difference between "Add Member" and "Provision" event tasks.

(3) PVO for my scenario.

I am not convinced with your approach. The reason being, you are setting the repository at the task level. Lets say, I have two AS ABAP systems to provision for the same action I am performing in the UI (Unless you copy the same task and have the second repository in that). I doubt if your approach would work. Please correct me if I am wrong.

Thanks.

Ask a Question