on 04-25-2013 9:31 PM
As part of our IDM implementation we executed an ABAP Initial Load to fetch data from the back-end systems. Privileges are synced back to IDM as part of this Initial Load. After this initial load, when we assign certain privileges to the same user, the roles that were added to the user as part of the ABAP Initial Load or back-end sync are wiped out from the back-end system. Can you explain why this is happening and how we can fix this issue?
Example below:
1) ABAP Initial Load executed for system GTS.
2) User A's roles (Priv 1, Priv 2) in the GTS system were synced to the IDM system.
3) For approval workflow testing we initiated a PRIV 3 assignment to User A.
4) The IDM provisioning workflow provisions only PRIV 3 to the user in the back-end system and removes PRIV 1 and PRIV 2 from the user in the back-end system.
Can anyone explain why this is happening?
Yes we also have the same issue on SP7.
Roles imported during Initial Load are being deleted from the user in the backend when we modify the user in IDM, and IDM still shows the deleted roles as available.
One would assume that core functionality like this would be subject to regression testing by SAP before releasing SPs. It does not appear to be the case.
Waiting for SP 8 as well.
Pete & Murali,
I believe our issue is based on the SQL logic encoded in the script "sap_abap_getNameOfAssignedPendingPrivileges". The script logic as defined by SAP is reproduced below:
- get only assignments (mcLinkType = 2)
- get all assignments of current entry X (mcLinkState = 0 & mcExecState = 1)
- and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513)
- assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed assignment gets retried, the state changes immediately to pending.
- for specified repository Y
- and privilege type Z
- add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
  -> no future assignments
  -> no assignments for which an approval will be done but the approval task is not yet running
- no privileges for which an approval is needed/running
  mcValidateAddAudit < mcAddAudit <- approval is already done
  or mcValidateAddAudit IS NULL <- if no approval is necessary
In the case of privileges uploaded as part of the Initial Load, mcAddAudit is NULL. Due to this, when the SAP provisioning script calculates privileges, it skips entries that were loaded as part of the Initial Load. I am not sure how to get this corrected without breaking the integrity of the system.
Can you please review and provide your feedback?
Jerry,
Jonathan got an update from SAP that this is a bug in SP7. Are you also on the same version?
Cheers
Murali.
Hi Murali,
You seem up to date with all the updates about IDM.
I tried to find out when SP8 will come out to fix that bug, but I can't find the information.
Do you have an idea, or a place where I could ask the question?
Do you think there is an update (not a Service Pack) which solves that?
If it's a very long time away, I'll try to understand and implement Ivan's solution.
Hi Murali,
Did you write an OSS ticket for that bug?
I wrote to an IDM developer concerning this issue; here is his answer:
"I am not able to confirm that this is a bug. I have not had the same experience with SP7. Also, I do not know of any automatic provisioning after the initial load of an ABAP system.
I recommend creating an OSS ticket if you are still uncertain."
I've seen a note, but it's not exactly the same problem we have here, and I would like to be sure that our problem will be solved in SP8, and very soon.
Does anyone have any updates on this topic?
Hi Nicolas,
SP8 should be available in calendar week 20 of 2013. It should be out very soon.
https://websmp208.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700001425702010E
Are you on SP7 and experiencing the same issue Jerry reported? I have not raised an OSS message (and I'm not sure if SAP has an option to apply only a correction) as I am on SP6.
Cheers,
Murali
You can fix this by changing the SQL to
mcAddAudit >= mcValidateAddAudit
or by checking for
mcValidateAddAudit = '-1' as well as NULL
in sap_abap_getNameOfAssignedPendingPrivileges.
When loaded as part of the initial load, the audit values for some are set to -1 for both. This causes the issue where they're then removed if the user is updated.
Hopefully it'll be fixed in SP8.
Peter
Hi Peter,
I'm still stuck with this issue, which I thought would be solved by SP7 Upgrade 2.
I did an initial load after upgrading to test whether the problem was solved, but it was not. I don't want to install SP8 right now; I prefer to wait for the first upgrade.
So my question: I don't see where to make the replacement you describe in your answer.
Is it somewhere in this part of the code?
Thanks for your support.
Nicolas.
Hello Nicolas,
I'm not Peter, but I looked anyway. ^^
I found this in your code:
I'd say you have to change it there. If I read and understand it right, your part of the code should look something like this with the changes:
(assignment.mcAddAudit >= assignment.mcValidateAddAudit or assignment.mcValidateAddAudit IS NULL or assignment.mcValidateAddAudit = '-1')
Regards,
Steffi.
Yeah, still here (my timezone means things happen a little slowly sometimes). I haven't tested SP8 yet, so I'm disappointed to hear that this is still a problem.
Nicolas, can I get you to do the initial load and then run
SELECT * FROM mxi_link WHERE mcOtherMskey = <mskey of a known imported privilege>
You should see mcAddAudit = -1 and mcValidateAddAudit = -1.
Your script change looked OK (changing 1 back to -1).
It's possible that additional processing is happening and that's changing the audit values, so the first step is to verify the data.
You can run the SQL directly to confirm you've got it right:
SELECT * FROM mxi_link WHERE mcLinkType = 2 AND mcLinkState IN (0, 1) AND mcExecState IN (1, 512, 513) AND mcAddAudit IS NOT NULL AND (mcAddAudit >= mcValidateAddAudit OR mcValidateAddAudit IS NULL)
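An added example, not code from the thread, from SAP's connector or from any of the posters above: it puts Jerry's reading of the script's comment block, Peter's two fixes and Peter's verification query side by side against a constructed in-memory stand-in for mxi_link (sqlite3). Only the columns the thread names are modelled and every row is made up; the "original" predicate is reconstructed from the comment block (mcValidateAddAudit < mcAddAudit OR mcValidateAddAudit IS NULL), and the '-1' the thread quotes is written as the integer -1 here because the stand-in column is numeric.

```python
"""Compare the assigned/pending-privilege filter discussed in the thread against
a constructed stand-in for mxi_link. Added example; not SAP or poster code."""
import sqlite3

# Constructed sample rows (not real IdM data). Only the columns the thread names
# are modelled; the real mxi_link has many more and real audit ids are arbitrary.
# (label, mcLinkType, mcLinkState, mcExecState, mcAddAudit, mcValidateAddAudit)
SAMPLE_LINKS = [
    ("PRIV1", 2, 0, 1, -1, -1),       # imported by initial load: both audits -1
    ("PRIV2", 2, 0, 1, -1, -1),       # imported by initial load: both audits -1
    ("PRIV3", 2, 1, 512, 200, 150),   # pending add, approval done (validate < add)
    ("PRIV4", 2, 0, 1, 120, None),    # provisioned, no approval was needed
    ("PRIV5", 2, 1, 512, 130, 140),   # approval still running (assumed: validate newer than add)
    ("PRIV6", 2, 1, 512, None, None), # add-member task never ran (future assignment)
    ("PRIV7", 2, 1, 4, 100, None),    # failed assignment, mcExecState 4
    ("PRIV8", 2, 0, 1, 100, 100),     # constructed edge case: equal, non-negative audits
    ("ROLE1", 1, 0, 1, 100, None),    # not a privilege assignment (mcLinkType 1)
]

# Common part of the filter, as in Peter's verification query.
BASE_WHERE = """
    mcLinkType = 2
    AND mcLinkState IN (0, 1)
    AND mcExecState IN (1, 512, 513)
    AND mcAddAudit IS NOT NULL
"""

# The audit predicate is where the three variants differ.
PREDICATES = {
    # Reconstructed from the script's comment block: approval done, or none needed.
    "original": "(mcAddAudit > mcValidateAddAudit OR mcValidateAddAudit IS NULL)",
    # Peter's first suggestion: turn the strict comparison into >=.
    "fix_ge": "(mcAddAudit >= mcValidateAddAudit OR mcValidateAddAudit IS NULL)",
    # Peter's second suggestion (Steffi's snippet): also accept the -1 marker.
    "fix_minus1": "(mcAddAudit > mcValidateAddAudit OR mcValidateAddAudit IS NULL"
                  " OR mcValidateAddAudit = -1)",
}


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for mxi_link loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mxi_link (label TEXT, mcLinkType INTEGER, mcLinkState INTEGER,"
        " mcExecState INTEGER, mcAddAudit INTEGER, mcValidateAddAudit INTEGER)"
    )
    conn.executemany("INSERT INTO mxi_link VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_LINKS)
    return conn


def assigned_pending(conn: sqlite3.Connection, variant: str) -> list[str]:
    """Labels the provisioning step would treat as assigned or pending add."""
    sql = (f"SELECT label FROM mxi_link WHERE {BASE_WHERE} AND {PREDICATES[variant]}"
           " ORDER BY label")
    return [row[0] for row in conn.execute(sql)]


def compare_variants() -> dict[str, list[str]]:
    """Run every predicate variant over the same rows."""
    conn = build_db()
    try:
        return {name: assigned_pending(conn, name) for name in PREDICATES}
    finally:
        conn.close()


def dropped_by_original() -> list[str]:
    """Privileges the backend loses on the next user update: kept by the -1 fix,
    skipped by the original filter. These are exactly the initial-load rows."""
    results = compare_variants()
    return sorted(set(results["fix_minus1"]) - set(results["original"]))


if __name__ == "__main__":
    for name, labels in compare_variants().items():
        print(f"{name:11s} -> {labels}")
    print("lost on user update with original filter:", dropped_by_original())
```

The original predicate skips PRIV1 and PRIV2 because -1 > -1 is false and -1 is not NULL, which is the removal the thread describes. Both fixes bring them back and neither admits PRIV5 (approval still running) or PRIV6 (add task never ran). They differ only on a row like PRIV8, where both audits are equal and non-negative: >= includes it, the explicit = -1 check does not. Whether such rows occur in a real IdM database is not settled by the thread, so that is the case to check (with the mcOtherMskey query above) before choosing between the two.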
Peter,
- Do you want me to rerun all the tasks in the initial load? As it's a sandbox system with a lot of users/roles/..., it takes more than 5 hours.
I don't understand where I have to run this:
SELECT * FROM mxi_link WHERE mcOtherMskey = <mskey of a known imported privilege>
From where can I run SQL? (Sorry if my question is stupid.)
When I changed the JScript and saved, I got the message in the screenshot.
I don't think the issue is linked to the other JScript, but you never know.
Thanks.
PS: Did you upgrade to SP8, and do you advise doing it?
Hi Nicolas
Run that SQL in your favourite SQL tool. I never build an IDM system without direct database access, so I just assume everyone else has it too.
If the initial load takes that long, no, probably not. You can just rerun the tasks which actually do the assignment (disable the rest, or make a new job and copy in the ones you want to run).
Peter
For those who would like a quick link: http://scn.sap.com/community/netweaver-idm/blog/2013/07/30/preventing-privileges-being-removed-after...
My reply is the same as Peter's.
This note explains why your roles get overwritten:
Note 1626816 - ABAP Connector: Delta Handling for Role/Profile Assignments
I'm not exactly sure why Priv1 & Priv2 are missing for the user in your backend system GTS at the end. Can you check the dates for these two? If they are either in the past or in the future, IdM will not push them down to GTS.
Cheers,
Murali
When IDM syncs to ABAP, it overwrites the roles that currently exist rather than updating them. It sounds like you don't have the privileges assigned to the user in IDM, so it's only writing priv 3 back to the user in GTS.
Check that privs 1 & 2 are assigned properly to the user after the initial load.
Peter