on 03-10-2013 9:36 PM
Hi, all
I am new to IDM and struggling to set up a task to provision an ABAP role to the users via IDM.
I have copied the task "Assign User Membership to ABAP" from the plugins folder of the provisioning framework. The source is "MX_PERSON". The assignment of the role actually works, but the problem is that it wipes out all the existing roles from the user, even though these roles (or privileges in the identity store) are supposed to be there. What is wrong? I thought this is supposed to be "easy" but I don't know why IDM makes everything so hard.
Please help. Is there any step by step guide for ABAP provisioning? What is the technique to synchronize the privilege in the identity store with the su01 in the ABAP system? I can see this is going to be a major risk.
Thanks,
Jonathan.
IDM does a replace on the current roles. This means that all the roles in the target system need to exist as privileges and be assigned to the user. Otherwise it will remove those that don't exist.
Peter
I too wish there were a guide on ABAP Provisioning. Just letting you know (in case you are not aware of it) that IdM would overwrite whatever roles are in SU01 with the existing assignments in the Identity Store. If, in IdM, you have assigned one privilege in addition to the already existing 3 privileges for the user, you should find 4 technical roles assigned to this user in ABAP.
Note 1626816 ABAP Connector Delta Handling for Role Profile Assignments
I am also keen to hear from others on the best approach.
Cheers
Murali
Hi, Murali
Thank you for your advice. But my situation is a little different. In IDM, the user has 9 different ABAP roles assigned. However, in SU01, there is only one role. I am not sure how those roles were removed in SU01, but I am trying to figure out how to sync the privileges between IDM and SU01. So far, I cannot do so by either adding a new role or removing an existing role in IDM. When I add a privilege, I only see the one I added in SU01. Would you have any input on how to fix the user (aside from assigning the missing roles in SU01)?
Note that my version is IDM 7.2 patch 07. I am thinking of using the job SetABAPRole&ProfileForUser. But I have not figured out how to build the SQL to just pass the privilege of one user from the identity store to the function sap_abap_getNameOfAssignedPendingPrivledges.
Please advise.
Thanks,
Jonathan.
I am not sure why things are going so wrong. I also don't have much of an idea about the SetABAPRole&ProfileForUser job.
I have done the following and seen things working.
In the ABAP system repository > Event Task tab > provision > I maintain the task "ProvisionABAP" (This is available in the framework).
See how it goes.
Cheers,
Murali.
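An added example, not part of any post in this thread and not SAP's code: a pre-provisioning check that compares each user's role privileges in the identity store with the roles in SU01, listing what a replace-style write would remove and what IdM holds that SU01 lacks. The sample data, the repository name E01, and the PRIV:ROLE:<repository>:<role> privilege naming are assumptions.

```python
from collections import defaultdict

REPO = "E01"  # hypothetical repository name

# Constructed sample data. The PRIV:ROLE:<repository>:<role> naming is an assumption.
IDM_ASSIGNMENTS = [
    ("jdoe", "PRIV:ROLE:E01:Z_FI_DISPLAY"),
    ("jdoe", "PRIV:ROLE:E01:Z_NEW_ROLE"),
    ("jdoe", "PRIV:ROLE:Q01:Z_OTHER_SYSTEM"),  # other repository, ignored
    ("asmith", "PRIV:ROLE:E01:Z_SD_CLERK"),
    ("asmith", "PRIV:ROLE:E01:Z_SD_REPORTS"),
    ("asmith", "PRIV:ROLE:E01:Z_BASIC_USER"),
]
# Constructed SU01 role list as (user, role) pairs.
ABAP_ROLES = [
    ("JDOE", "Z_FI_DISPLAY"),
    ("JDOE", "Z_MM_BUYER"),
    ("JDOE", "Z_HR_VIEW"),
    ("ASMITH", "Z_BASIC_USER"),
]

def idm_roles(assignments, repo):
    """Map user -> ABAP role names held as privileges for one repository."""
    prefix = f"PRIV:ROLE:{repo}:"
    roles = defaultdict(set)
    for user, priv in assignments:
        if priv.startswith(prefix):
            roles[user.upper()].add(priv[len(prefix):])
    return roles

def abap_roles(rows):
    """Map user -> role names currently assigned in the target system."""
    roles = defaultdict(set)
    for user, role in rows:
        roles[user.upper()].add(role)
    return roles

def drift_report(idm, abap):
    """Per user: roles a replace would remove, and roles IdM holds that SU01 lacks."""
    report = {}
    for user in sorted(set(idm) | set(abap)):
        in_idm, in_abap = idm.get(user, set()), abap.get(user, set())
        report[user] = {
            "removed_by_replace": sorted(in_abap - in_idm),
            "missing_in_su01": sorted(in_idm - in_abap),
        }
    return report

def users_at_risk(report):
    """Users who would lose at least one SU01 role on a replace-style write."""
    return [u for u, r in report.items() if r["removed_by_replace"]]
```

A non-empty `removed_by_replace` list means those roles need to exist as privileges and be assigned in the identity store before the provisioning task runs; a non-empty `missing_in_su01` list is the situation described in the follow-up post, where IdM holds more roles than SU01.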