Assignment of role removed existing roles in ABAP although registered in IDM

Former Member
0 Kudos

Hi, all

I am working on another odd issue in IDM. In R/3, a userA has roleA and roleB. Now I installed IDM and ran the ABAP initial load. Therefore, in IDM, userA has roleA and roleB as privileges. Now in IDM, I assigned roleC as a privilege to userA. When looking at SU01 on the R/3 system, roleC is assigned but roleA and roleB are removed. But according to IDM, userA has all of roleA, roleB and roleC.

Is it a bug or a normal phenomenon? I am losing a lot of hair since working on IDM. Please help.

Thanks,

Jonathan.

Accepted Solutions (1)

Murali_Shanmu
Active Contributor
0 Kudos

Hi Jonathan,

This is just the same as this thread

This note explains why your roles get overwritten.

Note 1626816 - ABAP Connector: Delta Handling for Role/Profile Assignments

Generally, IdM will replace all your entries in SU01 with whatever is there in IdM. Not exactly sure why Role A & Role B are missing for the user in your R/3. Can you check the dates for these two roles? If they are either in the past or future date, IdM will not push them down to R/3.

Cheers,

Murali

Former Member
0 Kudos

Hi Jonathan,

As part of our IDM implementation, we are also facing the same issue. This is my analysis of it. In the SAP ABAP Provisioning folder, the SAP-provided ABAP script "sap_abap_getNameOfAssignedPendingPrivileges" is based on the following logic.

          * - get only assignments (mcLinkType = 2)
          * - get all assignments of current entry X (mcLinkState = 0 & mcExecState = 1)
          * - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513)
          * - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
          *          assignment gets retried, the state changes immediately to pending.
          * - for specified repository Y
          * - and privilege type Z
          * - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
          *                    -> no future assignments
          *                    -> no assignments for which an approval will be done but approval task is not yet running
          * - no privileges for which an approval is needed/running
          *                    mcValidateAddAudit < mcAddAudit <- approval is already done
          *                    or mcValidateAddAudit IS NULL <- if no approval is necessary

In the case of privileges uploaded as part of the initial load, mcAddAudit is NULL. Due to this, when the SAP provisioning script calculates privileges, it will skip entries that were loaded as part of the initial load. I am not sure how to get this corrected without breaking the integrity of the system.

I am thinking of sending this case back to SAP for suggestions. Please provide your suggestions on how to get this issue resolved!!
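
The selection rules listed in the post above, modelled in Python as an added example (it is not SAP's script and not code from this thread). The column names come from the post; the row values, the audit IDs and roleD are constructed, and the repository and privilege-type filters are left out. It shows how links with mcAddAudit NULL fall out of the computed list, which matters because the connector replaces the SU01 entries with that list, as described in the accepted reply.

```python
# Added illustration: models the selection rules quoted in the post above.
from typing import NamedTuple, Optional

class Link(NamedTuple):
    privilege: str
    mcLinkType: int
    mcLinkState: int
    mcExecState: int
    mcAddAudit: Optional[int]          # audit ID of the add-member task
    mcValidateAddAudit: Optional[int]  # audit ID of the approval task

def is_active_or_pending(l: Link) -> bool:
    """Assignment (type 2) that is assigned, or in state 'pending add'."""
    if l.mcLinkType != 2:
        return False
    assigned = l.mcLinkState == 0 and l.mcExecState == 1
    pending_add = l.mcLinkState == 1 and l.mcExecState in (512, 513)
    return assigned or pending_add

def is_selected(l: Link) -> bool:
    """All rules from the post, including the audit conditions."""
    if not is_active_or_pending(l) or l.mcAddAudit is None:
        return False
    return l.mcValidateAddAudit is None or l.mcValidateAddAudit < l.mcAddAudit

def privileges_to_push(links):
    return [l.privilege for l in links if is_selected(l)]

def dropped_for_missing_audit(links):
    """Valid assignments excluded only because mcAddAudit is NULL."""
    return [l.privilege for l in links
            if is_active_or_pending(l) and l.mcAddAudit is None]

# Constructed rows. Assumption: initial-load links are in the assigned
# state (0 / 1) with mcAddAudit NULL, as the post reports.
SAMPLE = [
    Link("roleA", 2, 0, 1, None, None),    # from initial load
    Link("roleB", 2, 0, 1, None, None),    # from initial load
    Link("roleC", 2, 1, 512, 1001, None),  # assigned in IdM, pending add
    Link("roleD", 2, 0, 2, 1002, None),    # rejected: never selected
]

if __name__ == "__main__":
    print("pushed to ABAP:", privileges_to_push(SAMPLE))
    print("missing from push:", dropped_for_missing_audit(SAMPLE))
```

Comparing the second list with a user's current SU01 roles before the first provisioning run shows which roles a full replacement would remove.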

Answers (2)

ivan_petrov
Active Participant
0 Kudos

Hi Jonathan,

Please take a look here:

If you still have questions - ask

Best regards,

Ivan

Former Member
0 Kudos

Hi, Murali

Thank you for your feedback. I am aware of that OSS note 1626816. But it doesn't explain why roleA and roleB are deleted. I have opened a message with SAP. They said this is a known bug in SP7 (yes, another one). This would be fixed in SP8.

Regards

Jonathan.

Murali_Shanmu
Active Contributor
0 Kudos

Thanks for that update. Good that I didn't upgrade to SP7

Former Member
0 Kudos

Good that I directly go to SP7, because after knowing the worst, the best will come and I will be readyyyyy !!

I really hope SP8 will arrive soon.

former_member2987
Active Contributor