
Questions about the initial load on AS ABAP

Former Member
0 Kudos

Hello,

I've just completed preparing for and running an initial load on one AS ABAP system. Prior to running the initial load I did clean up this DEV system, which is not in CUA so that it had a small number of users. I also followed instructions in the configuration guide and worked through errors I received regarding 'value help' attributes.

The result of the initial load is that all users were loaded into the Identity Store. Privileges were also loaded but none of the privileges users had assigned to them in the AS ABAP system were assigned in the Identity Store, with the exception of one. Only one privilege was assigned to all the users and it's one that isn't a technical ABAP role.

So, there's a few gaps in my understanding here and I'm hoping you might be able to help me fill them.

Here are a few questions/expectations I had from the initial load.

1) As per the configuration guide, I set a period for attributes in non-leading systems. Since the AS ABAP system is non leading most attributes had a period. So I expected the initial load to read the privileges assigned to users and write them into the Identity Store.

Question: shouldn't the privileges that were assigned to users be written to the Identity Store? The only privilege that was written was PRIV:R3D100:ONLY, and this is not a technical ABAP role.

2) Prior to performing the initial load, I did setup a role model. This included the role names as well as which privileges were assigned to each role.

Question: I was expecting that by creating the role model first that after the initial load was completed users would show as members of these roles since they had the corresponding privilege associated with the role. Is this not how it works? *Since the privileges each user had assigned weren't written to the Identity Store I can understand why they don't show up as members of roles, if that's how it's supposed to work.

3) The privileges that were loaded also include all delivered SAP ABAP roles, which I don't want.

Question: is there an easy way to delete these SAP delivered privileges in mass instead of one at a time?

My approach with implementing Identity Management has been to go slowly by using one AS ABAP system at first until everything was working as expected. Then I'd add additional AS ABAP systems. Your help in helping me better understand the initial load and role model is much appreciated.

Also, any links to any documentation to support answers to the above is also appreciated.

Thanks, Paul

Accepted Solutions (1)

Former Member
0 Kudos

Thanks Murali, Nicolas,

Both of your responses helped me to consider and review what I've done so far.

What I found was that when running the initial load, I set all attributes in the 'write' jobs with a (.) since my ABAP system was not considered a leading system. However, when it comes to write ABAP user profile privilege assignments it was.

So, I removed the (.) from both the 'changetype' and 'MXREF_MX_PRIVILEGE' attributes on the two jobs:

writeABAPUsersProfilePrivilegeAssigments, and

writeABAPUsersRolePrivilegeAssignments

After making this change and re-running the initial load the roles were assigned to users as I had expected.

So you know, prior to running the initial load I also did run the 'read help values' but not the 'read company address'.

Again, thanks for your comments and assistance, much appreciated.

Cheers, Paul

Answers (2)

Former Member
0 Kudos

Hi Paul,

I just have a small remark about your initial load: prior to it, did you run "ABAP Read Help Values" and "Provision Company Addresses to ABAP Repositories"?

It's advised in SAP NetWeaver IDM for SAP System Landscapes: Configuration Guide 31.01.2013, page 17, 3.1.5 "Job Templates".

For the initial load I would advise not modifying the attributes.

If you still have the problem, you can work on that job only and not start the initial load from the beginning, so you can analyse the problem better. If you still have problems, could you please post print screens and the error messages you have?

For mass changes I think it's not done via the IDM GUI but with a job in Identity Center.

Nicolas.

Murali_Shanmu
Active Contributor
0 Kudos

Hi Paul,

1) My understanding is that, after an initial load, you will be able to see in IdM only privileges which are present in the AS ABAP system. When you investigate the passes in the initial load, you will be able to see "WriteABAPUsers", where the system by default assigns two privileges to each user in AS ABAP.

The following system-specific privileges are created by the initial load

PRIV:SYSTEM:<Repository>: This is a system privilege that is used internally by the SAP provisioning framework. It is not visible in any user interfaces. Never manually assign (or unassign) it to any users.
PRIV:<Repository>:ONLY: This is a system account privilege used for users or company addresses:

Hence you are able to see the privilege PRIV:R3D100:ONLY.

2) Wonder how you managed to assign privileges to newly created business roles before an initial load is performed. I thought that these privileges will only appear in IdM after an initial load. I believe the correct way of doing this is

(A) Perform the Initial Load

(B) Create Business Roles via IdM UI

(C) Assign AS ABAP Privileges to the newly created Business Roles via IdM UI.

(D) Assign the Business Role to user. (This should trigger a Provisioning task to AS ABAP)

Note, you can automate (B) (C) (D) by creating your own job and uploading data from a flat file.

After you assign the Business Roles to users in IdM, the system will wipe out all our existing assignments in SU01 and replace them with the fresh assignments. In the future, even if you add another role to the same user, the system will remove all assignments from SU01, compute all the role assignments from IdM and add them to SU01.

3) Use this Note 1398976 - SAP IdM: Filter definition for initial load of ABAP entities to filter roles which you do not want.

Hope this helps.

Cheers,

Murali.