User Creation / Deletion AS ABAP

Former Member

Hello All,

Again thank you for the support and answers you give me.

I made good progress these last 2 days, and ABAP provisioning works almost fine.

Modifying data on user level, adding / removing roles work really as expected.

Now I'm stuck with user Creation on ABAP.

When i create a user in IDM and give him a Privilege (imported) on the targeted system, nothing happens, no jobs are created (not even warning). I guess I forgot to point a task somewhere but I don't know where.

Same thing with user Deletion (which I don't think we will use, but still I want it working).

1. Here are the Event tasks configured. It allows me to do everything explained above.

I don't know if I have to add or modify other tasks.

2. Here is my configuration of the hook tasks pointing to custom connectors.

3. Here is the way tasks are configured.

I don't know if it's correct but up to now everything works as I want (except user creation).

Nicolas.

Accepted Solutions (1)

Murali_Shanmu
Active Contributor

Did you try working with the Account Privilege PRIV:<Repository>:ONLY:

If you created a new user in IdM, assign the user this account Privilege which will be available in the Privileges. This should trigger the user creation in ABAP. If you try and assign some other ABAP privilege initially (Technical role), this will not Create and assign the role in ABAP. 

Why did you make a copy of the Hook Tasks and refer to the custom ones ? Did you have some requirement for that ?

Cheers,

Murali

Former Member

Hi Murali,

You are 100% right Murali !

Simply by adding PRIV:<Repository>:Only the user is created on the correct system !

Now I see this error message, I probably must create this privilege somewhere, if you can help me with this 🙂

I will now follow your advice and point my HOOK_TASK to the default Framework.

If I remember correctly, when I did not point to the Custom Plug-In I had error messages: "No Repository Defined".

I'll retry and keep you posted.

A big thanks for your help !

Nicolas.

Murali_Shanmu
Active Contributor

If you look at the Initial Load AS ABAP, there will be a pass "Write ABAP Users" (I think so). Over there, you can see that for every user in ABAP, IdM will be attaching this Account Privilege by default.

It depends on where your new users come into IdM from. There should be a job which would be scheduled to bring in new users. In my case, I have an LDAP Initial Load which will run every day to bring new users into IdM. I added this logic within this job to insert the account privilege for new users.

Cheers,

Former Member

Hi,

Yes, I did Initial Load as Abap and the users have been imported correctly.

Normally no users will be created in Sap System, but I'll still create a job to check.

Here is my status now:

--> I can create a user (without role)
--> I cannot give a role, even PRIV:<Repository>:ONLY, to this new user.

    It falls in failed for Priv... and pending for the back end systems.

--> I can add / remove any roles to imported users.

Any advice?

Nicolas.

Answers (10)

Former Member

Hi Nicolas/Ivan/Murali,

Thanks for the useful suggestion.

I am also facing a similar issue where I am able to create the user on the IDM UI using the standard provisioning task "create identity", however the user is not created in the backend system. Please be informed that the below scenarios are working for me:

1) Assignment/deletion of role from user loaded through initial load.

2) Change in validity and other user details for users loaded through initial load.

I understand from the above conversation that the master privilege "PRIV:<repository(corresponding to backend system)>:only" is to be assigned to the user in order to create it in the backend system. But how do I add this privilege to a user while creating it from the "Create identity" task in the IDM UI?

I maintained the account privilege as the master privilege on the repository. Also, I maintained the Account<repository> attribute for the user (please refer to the attachment for screenshots on the same). However, the user is still not created in the backend system.

Appreciate your comments on this.

Thanks and regards,

Nits

ivan_petrov
Active Participant

Hi Nits,

Please check if checkbox "Create new entry" of the UI task is checked.

If so please check the audit logs for more info or errors.

And finally please open a new topic. The issue is different.

Best regards,

Ivan

ivan_petrov
Active Participant

Hi Nicolas,

Yes you get it right.

In order to work correctly you should get all privileges from IDM and the ones that are currently pending to be attached in SAP.

Then you should check the action of the pending value if it is ADD - add the privilege to the list of already assigned in IDM.

If it is DELETE then you should remove it from the list with already attached privileges in SAP.

And at the end you should send to SAP the result list. And that is it.

Best Regards,

Ivan

ivan_petrov
Active Participant

Hi Nicolas,

This is exactly the case,

and it happened because SAP doesn't support delta.

What you should do in this case just read the BLOG

Best Regards,

Ivan

Former Member

Ivan,

I understand things better now, after some tests.

1. When I add 1 role to a user imported by initial load ==> the role added in IDM is correctly added in SAP, but the other roles are removed in SAP (but kept in IDM).

2. When I add another role to the same user : the role added in the previous step is not touched, the new role is added, and the other roles are still in IDM but not yet in SAP.

I thought that each time I modify a role, all roles in IDM are removed in SAP, then the roles in IDM are added in SAP.

So the above problem is less important than I thought, but I want to avoid that on the first modification all roles are removed (and kept in IDM).

I keep you posted about my next tests and if I succeed to apply your solution.

Nicolas.

ivan_petrov
Active Participant

Hi Nicolas,

You already explained one of the issues that are explained in my blog.

So please try to understand it. This will help me a lot.

After that if you still have questions just ask them here, and I'll try to explain it more in details.

But please try to understand at least the basics like what is happening and why it is happening. Still if you don't get the things. Ask .... I'll try to help

Best Regards,

Ivan

Former Member

Ivan,

I'll keep you posted about my understanding.

In my case it's even worse: the old roles are simply removed, and not put back afterwards. I'll try to figure this out.

Nicolas.

ivan_petrov
Active Participant

Hi Nicolas,

Now I got what is happening. Actually the problem is that the SAP system has no delta for privileges. This means that you should always do SET instead of ADD or DELETE, and if you take a look at the log, even on removal it says SetABAPRole&ProfileForUser.
I don't know what exactly this task does, but I can guess that it takes the privileges pending for removal and just sets them again in SAP. And that is why nothing happened.

Please look here how you should do it:


Best Regards,
Ivan
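
Added example (not code from this thread, from Ivan's blog, or from SAP IdM): a plain JavaScript model of the two points made above, that ABAP accepts only a full SET of roles and that a task which sends only the pending values wipes the other roles on ADD and re-sets the role on DELETE. It assumes the privilege naming `PRIV:<repository>:ROLE:<role>` for ABAP roles next to the `PRIV:<repository>:ONLY` and `PRIV:SYSTEM:<repository>` names used in the thread, and it takes IdM's assigned and pending values as arrays instead of calling any IdM API; the sample user and roles are constructed.

```javascript
// Added example, not SAP IdM code: models the "no delta" handling described above.
// SAP AS ABAP accepts only a full SET of roles per user, so the provisioning task
// must send the complete target list, not just the pending ADD/DELETE values.
// Inputs are plain arrays standing in for what IdM holds; no IdM API is called.

// Privilege name layout assumed for this example:
//   PRIV:<repository>:ROLE:<role>      an ABAP role
//   PRIV:<repository>:ONLY             the account privilege (creates the user)
//   PRIV:SYSTEM:<repository>           the system privilege (not a role)
function parsePrivilege(name) {
  const parts = name.split(":");
  if (parts.length < 3 || parts[0] !== "PRIV") {
    throw new Error("not a privilege name: " + name);
  }
  return { repository: parts[1], kind: parts[2], value: parts.slice(3).join(":") };
}

// True when the privilege is a role of the given repository (not ONLY or SYSTEM).
function isRoleOf(name, repository) {
  const p = parsePrivilege(name);
  return p.repository === repository && p.kind === "ROLE";
}

// What the misbehaving setup effectively does: SET only the pending values.
// On ADD this drops every role not in the pending list; on DELETE the role to be
// removed is set again, so nothing is removed.
function naiveSetList(repository, pendingValues) {
  return pendingValues
    .filter((pv) => isRoleOf(pv.name, repository))
    .map((pv) => pv.name)
    .sort();
}

// Correct handling: start from everything already attached in IdM for this
// repository, apply each pending ADD/DELETE, and send the resulting full list.
function buildSetList(repository, assignedInIdm, pendingValues) {
  const target = new Set(assignedInIdm.filter((n) => isRoleOf(n, repository)));
  for (const pv of pendingValues) {
    if (!isRoleOf(pv.name, repository)) continue; // other repositories, ONLY, SYSTEM
    if (pv.action === "ADD") {
      target.add(pv.name);
    } else if (pv.action === "DELETE") {
      target.delete(pv.name);
    } else {
      throw new Error("unknown pending action " + pv.action + " for " + pv.name);
    }
  }
  return [...target].sort();
}

// Constructed sample: a user from the initial load with two roles, then one role added.
const REPO = "ABAP_DEV";
const ASSIGNED = [
  "PRIV:ABAP_DEV:ONLY",
  "PRIV:SYSTEM:ABAP_DEV",
  "PRIV:ABAP_DEV:ROLE:Z_FI_DISPLAY",
  "PRIV:ABAP_DEV:ROLE:Z_MM_DISPLAY",
];
const PENDING_ADD = [{ name: "PRIV:ABAP_DEV:ROLE:Z_SD_DISPLAY", action: "ADD" }];
const PENDING_DELETE = [{ name: "PRIV:ABAP_DEV:ROLE:Z_MM_DISPLAY", action: "DELETE" }];

console.log("naive ADD    :", naiveSetList(REPO, PENDING_ADD));              // only Z_SD_DISPLAY: the other two vanish in SAP
console.log("correct ADD  :", buildSetList(REPO, ASSIGNED, PENDING_ADD));    // all three roles
console.log("naive DELETE :", naiveSetList(REPO, PENDING_DELETE));           // Z_MM_DISPLAY is set again, nothing removed
console.log("correct DELETE:", buildSetList(REPO, ASSIGNED, PENDING_DELETE)); // Z_FI_DISPLAY only
```

The ONLY and SYSTEM privileges are deliberately left out of the list sent to ABAP because they are not roles; whether that is the right filter for a given installation depends on how the repository's privileges are named, which is why the naming convention is stated as an assumption.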

Former Member

Ivan,

You are right, I haven't setup delta for SAP systems yet.

I added a role to an imported user (with Initial Load) who already had privileges and, as you expected, the role has been added in IDM and in SAP, but the old ones were removed from SAP!

I've already read your How to handle SAP Roles a few days ago but I was not yet confronted with the problem. Now that I am, I'll try to understand and apply it.

Thx,

Nicolas.

PS: Any idea why, when I delete a user, it's not done in SAP but it is in IDM?

ivan_petrov
Active Participant

Hi Nicolas,

Well, still the values should be the same. So show me how you are trying to remove privileges.

Post snapshots from the task where you are removing privileges as a start.

Best Regards,

Ivan

Former Member

Ivan,

Here is the user creation.

Despite the red and yellow lines, it worked fine.

Role deletion (it ends without Notification?!)

Delete Identity

Delete identity (user hasn't been deleted in SAP System)

Nicolas.

ivan_petrov
Active Participant

Hi Nicolas,

What bothers me here in this screenshot is that the error message says total entries 1 and only one is processed, but if you look below in the log at the row you marked with a red arrow you'll see that it says total 2 entries, processed 2 entries. Are you sure you have opened the window from this log row?

Best Regards,

Ivan

Former Member

Maybe it's because I created the user with 2 roles?!

I'm not sure.

ivan_petrov
Active Participant

Hi Nicolas,

The important information about the error is in the WARNING message.

It looks like you are searching for something that does not exist. Look in the warning .... mskey = not-existing-mskey .... and, because IDM expects a number for mskey, it raises an error in SQL.

This error fails the script: sap_core_getSkippedOK().

This is all I can understand from the exception.

Best Regards,

Ivan

Former Member

The warning message is strange: "Could not obtain repository name from pending object."

What is strange is:

I can create a user in SAP IDM, give him an ABAP role, set a password.

In the backend the user is created, the roles are correctly granted and the password also works.

The only thing which doesn't work for the moment (or maybe I haven't noticed the other ones) is deleting a user.

In the print screen the error message says "Could not obtain repository" and in the job logs it seems the opposite.

ivan_petrov
Active Participant

Hi Nicolas,

"Failed running function in string "$FUNCTION.sap_setContextVariable(NOTIFICATION_SUBJECT;Assignment failed!!<SKIPPEDOK>=$FUNCTION.sap_core_getSkippedOK()$$;<UIUSER_DISPLAYNAME>=$FUNCTION.sap_getDisplayName(manager)$$)$$". Marking entry as failed. Exceptio"

This is the error message but it is truncated at the end. Still, it says that you have problems in the following script: sap_setContextVariable

If you post the whole error I can say more.

Best Regards,

Ivan

Former Member

Thank you Ivan, I hadn't noticed that the error message was truncated.

Here is the complete one.

ivan_petrov
Active Participant

Hi Nicolas,

As Murali already explained, you should use the PRIV:<repository name>:ONLY privilege to create the user in the SAP AS system. This privilege is automatically created by the standard initial load SAP tasks, which are preferable to use and extend if you need something more, instead of writing initial load tasks from scratch. Usually you will be responsible for attaching this privilege to the user before or after other SAP privileges are attached to the user. How to check if it is attached? If the privilege was attached successfully and you are using standard SAP provisioning, the user will have an attribute named "ACCOUNT<repository name>".

Now something of big importance for you. As I saw, you've set a modify task also. This task will be triggered on change of a user attribute. If you want to execute the task on each attribute change of MX_PERSON, then you should be very careful not to change any user attributes during provisioning task execution, otherwise you can start an endless loop.

If you want to react only on changes of several user attributes, then you should add the list of these attributes in the PRIV:SYSTEM:<repository name> privilege using the multi-value privilege attribute MX_MODIFYTASK_ATTR, or using the console. When you open the privilege, go to the Tasks tab.

If the list is empty, IDM will react on all attribute changes. This privilege will be attached to the user on successful creation in SAP.

Best Regards,

Ivan

Former Member

Hi Ivan,

I have changed the HOOK_TASKS pointers to the default ones, not my custom ones, and it works great. I had no problem with the initial load, users exist correctly and roles are also correct; it's only now, when I want to provision from IDM to SAP, that I sometimes have problems.

I'm still stuck here:

--> I can create a user but roles go to pending or failed for PRIV:Repository:ONLY
--> I cannot give a role, even PRIV:<Repository>:ONLY, to a user directly created in IDM.

--> I can add / remove any roles to imported users (with Initial load)

I'm just wondering why is there a difference between assigning a role to an existing user (from initial load) and a new one created in IDM.

Another Problem, when I delete a user I get those error messages.

The user is correctly deleted in IDM but nothing happens in ABAP.

I modified one user and I have the error and warning messages in duplicate.

Nicolas.

ivan_petrov
Active Participant

Hi Nicolas,

- If the user has no PRIV:Repository:ONLY privilege, all privileges you attach to it will stay in pending state until one of the following happens:

  • PRIV:Repository:ONLY is attached to the user - then all pending values for this repository will be attached to the user.
  • The pending values expire - then they will be visible with status 4 (FAILED) and the reason for the failure will be stored in the audit log.

- I don't know what you mean by "directly created in IDM", but when you need to attach a privilege to the person you can first check if PRIV:Repository:ONLY was attached to the person by checking if the person has the ACCOUNTRepository attribute. This can be done with a simple conditional task. As I already told you, this attribute will be automatically attached if the person has been created in this Repository.

Well, there is nothing to wonder about. The difference is that all Initial Loaded users have PRIV:Repository:ONLY. The rest don't have it.

I need the exception in order to know what happened. This is only the log.

Best Regards,

Ivan

Former Member

Ivan,

When I say create directly, I mean I don't create or import the user with an import / initial load from ABAP, but I create it with "Create Identity".

Even when I give the user the PRIV:Repository:ONLY I get the error. The user is correctly created in IDM and in the backend but I get this error:

ToIDStore.modEntry failed modifying entry 'TEST_000'. IDStore returned error message: " Referenced value does not exist:Attribute: MXREF_MX_PRIVILEGE" when storing attribute 'MXREF_MX_PRIVILEGE={A}<PRIV:SYSTEM:Enterprise People>'

I don't understand what you mean by "I need the exception in ...".

Nicolas.

ivan_petrov
Active Participant

Hi Nicolas,

"PRIV:SYSTEM:Enterprise People"

This is what is important.

Do you have such privilege?

If not, you should create it.

See my previous posts about it.

And by "exception" I mean that you should click on the red lines in your screenshot and a window with the error will appear. I need the info from this new window.

Best Regards,

Ivan

Former Member

Ivan, 

You were right. "PRIV:SYSTEM:Enterprise People" did not exist.

I created it but I don't understand what it is used for and how to fill it?

I created the priv PRIV:SYSTEM:Enterprise People, and now it works, but I have errors.

I clicked on the red errors and I see this:

Failed running function in string "$FUNCTION.sap_setContextVariable(NOTIFICATION_SUBJECT;Assignment failed!!<SKIPPEDOK>=$FUNCTION.sap_core_getSkippedOK()$$;<UIUSER_DISPLAYNAME>=$FUNCTION.sap_getDisplayName(manager)$$)$$". Marking entry as failed. Exceptio

I'm already happy with the result! A big thanks for your help Ivan, I just have to fix the last errors.

Nicolas.

Murali_Shanmu
Active Contributor

Interesting. I thought Enterprise People was the name of your Identity Store. I didn't know that a System privilege has to be created for it.

I tested this in my system. I created a new person by selecting "Create Identity" in the IdM UI. After saving this person, I modified this Identity and assigned the System Account Privilege. This created the user in the ABAP system and also enabled the ACCOUNT<REPOSITORY> attribute for this user.

With regard to your error message, did you enable Notifications in the attribute MX_TRIGGER_NOTIFICATION?

Cheers,

Murali.

Former Member

Hi,

Well, I didn't know it either, but now it works 🙂

I don't know if it's normal that I have to set all that manually, but finally it works, even if I still have an error message.

Now I can tackle Password provisioning and activate user groups (that are in SAP Backend but not in IDM).

I don't understand the enabling of Notifications.

Here is a print screen of the current values.

Thx,

Nicolas.

Former Member

Never assign the privilege directly - assign a priv on the target system and have a 'no master task' which assigns 'PRIV:$rep.$Name:ONLY' when it's called. Works for all repositories.