
How to provision the abap roles properly

Former Member
0 Kudos

Hi, all

I am new to IDM and struggling to set up a task to provision an ABAP role to the users via IDM.

I have copied the task "Assign User Membership to ABAP" from the plugins folder of the provisioning framework. The source is "MX_PERSON". The assignment of the role actually works, but the problem is that it wipes out all the existing roles from the user, even though these roles (or privileges in the identity store) are supposed to be there. What is wrong? I thought this was supposed to be "easy", but I don't know why IDM makes everything so hard.

Please help. Is there any step-by-step guide for ABAP provisioning? What is the technique to synchronize the privileges in the identity store with SU01 in the ABAP system? I can see this is going to be a major risk.

Thanks,

Jonathan.

Accepted Solutions (1)


Former Member
0 Kudos

IDM does a replace on the current roles.  This means that all the roles in the target system need to exist as privileges and be assigned to the user.  Otherwise it will remove those that don't exist.

Peter

Answers (2)


ivan_petrov
Active Participant
0 Kudos

Hi,

Please check the link below. I've tried to cover some of the issues you might have.

If you have questions, don't hesitate to contact me.

Best Regards,

Ivan

Murali_Shanmu
Active Contributor
0 Kudos

I too wish there were a guide on ABAP provisioning. Just letting you know (in case you are not aware of it) that IdM would overwrite whatever roles are in SU01 with the existing assignments in the Identity Store. If, in IdM, you have assigned one privilege to the already existing 3 privileges for the user, you should find 4 technical roles assigned to this user in ABAP.

Note 1626816: ABAP Connector Delta Handling for Role Profile Assignments

I am also keen to hear from others on the best approach.

Cheers

Murali

Former Member
0 Kudos

Hi, Murali

Thank you for your advice. But my situation is a little different. In IDM, the user has 9 different ABAP roles assigned. However, in SU01, there is only one role. I am not sure how those roles were removed in SU01, but I am trying to figure out how to sync the privileges between IDM and SU01. So far, I cannot do so by either adding a new role or removing an existing role in IDM. When I add a privilege, I only see the one I added in SU01. Would you have any input on how to fix the user (aside from assigning the missing roles in SU01)?

Note that my version is IDM 7.2 patch 07. I am thinking of using the job SetABAPRole&ProfileForUser. But I have not figured out how to build the SQL to just pass the privilege of one user from the identity store to the function sap_abap_getNameOfAssignedPendingPrivledges.

Please advise.

Thanks,

Jonathan.

Murali_Shanmu
Active Contributor
0 Kudos

I am not sure why things are going so wrong. I also don't have much of an idea about the SetABAPRole&ProfileForUser job.

I have done the following and seen things working.

In the ABAP system repository > Event Task tab > provision > I maintain the task "ProvisionABAP" (This is available in the framework).

See how it goes.

Cheers,

Murali.