on 04-26-2013 3:25 AM
Hi, all
I am working on another odd issue in IDM. In R/3, a userA has roleA and roleB. Now I installed IDM and ran the ABAP initial load. Therefore, in IDM, userA has roleA and roleB as privileges. Now in IDM, I assigned roleC as a privilege to userA. When looking at SU01 on the R/3 system, roleC is assigned but roleA and roleB are removed. But according to IDM, userA has all of roleA, roleB and roleC.
Is it a bug or a normal phenomenon? I am losing a lot of hair since working on IDM. Please help.
Thanks,
Jonathan.
Hi Jonathan,
This is just the same as this thread
This note explains why your roles get overwritten.
Note 1626816 - ABAP Connector: Delta Handling for Role/Profile Assignments
Generally, IdM will replace all your entries in SU01 with whatever is there in IdM. Not exactly sure why Role A & Role B are missing for the user in your R/3. Can you check the dates for these two roles? If they have either a past or a future date, IdM will not push them down to R/3.
Cheers,
Murali
Hi Jonathan,
As part of our IDM implementation, we are also facing the same issue. This is my analysis of it. In the SAP ABAP provisioning folder, the SAP-provided ABAP script "sap_abap_getNameOfAssignedPendingPrivileges" is based on the following logic:
- get only assignments (mcLinkType = 2)
* - get all assignments of current entry X (mcLinkState = 0 & mcExecState = 1)
* - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513)
* - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
* assignment gets retried, the state changes immediately to pending.
* - for specified repository Y
* - and privilege type Z
* - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
-> no future assignments
-> no assignments for which an approval will be done but approval task is not yet running
* - no privileges for which an approval is needed/running
* mcValidateAddAudit < mcAddAudit <- approval is already done
* or mcValidateAddAudit IS NULL <- if no approval is necessary
In the case of privileges uploaded as part of the initial load, mcAddAudit is NULL. Due to this, when the SAP provisioning script calculates privileges, it will skip entries that were loaded as part of the initial load. I am not sure how to get this corrected without breaking the integrity of the system.
I am thinking of sending this case back to SAP for suggestions. Please provide your suggestions on how to get this issue resolved!
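The selection rules quoted in the post above, modelled as an added example that is not part of the thread and is not SAP's script. Column names are taken from the post; the rows, the audit ids, the helper names and the assumption that initial-load assignments sit in the active state (mcLinkState = 0, mcExecState = 1) are constructed for illustration.

```python
# Added illustration; column names are from the post, sample rows are constructed.
PENDING_ADD_EXEC_STATES = {512, 513}

def is_selected(row):
    """True if the selection rules quoted in the post include this link row."""
    if row["mcLinkType"] != 2:  # assignments only
        return False
    active = row["mcLinkState"] == 0 and row["mcExecState"] == 1
    pending_add = (row["mcLinkState"] == 1
                   and row["mcExecState"] in PENDING_ADD_EXEC_STATES)
    if not (active or pending_add):  # rejected (2) and failed (4) drop out
        return False
    if row["mcAddAudit"] is None:  # add member task never ran
        return False
    validate = row["mcValidateAddAudit"]
    # approval either not needed (NULL) or already done (older than add audit)
    return validate is None or validate < row["mcAddAudit"]

def split_assignments(rows):
    """Return (names the rules select, names they skip)."""
    sent = [r["privilege"] for r in rows if is_selected(r)]
    skipped = [r["privilege"] for r in rows if not is_selected(r)]
    return sent, skipped

def missing_add_audit(rows):
    """Active assignments IdM shows as held but that have no add audit."""
    return [r["privilege"] for r in rows
            if r["mcLinkType"] == 2 and r["mcLinkState"] == 0
            and r["mcExecState"] == 1 and r["mcAddAudit"] is None]

def make_link(privilege, link_state, exec_state, add_audit, validate_audit=None):
    """Build one constructed link row (hypothetical helper)."""
    return {"privilege": privilege, "mcLinkType": 2,
            "mcLinkState": link_state, "mcExecState": exec_state,
            "mcAddAudit": add_audit, "mcValidateAddAudit": validate_audit}

# Constructed rows for userA; audit ids are made-up integers.
SAMPLE_LINKS = [
    make_link("roleA", 0, 1, None),          # from initial load, no add audit
    make_link("roleB", 0, 1, None),          # from initial load, no add audit
    make_link("roleC", 1, 512, 1001),        # newly assigned in IdM, pending add
    make_link("roleD", 1, 512, 1002, 1003),  # approval not yet done per the rule
]

if __name__ == "__main__":
    print(split_assignments(SAMPLE_LINKS))
    print(missing_add_audit(SAMPLE_LINKS))
```

Under these assumptions only roleC is selected, which matches the symptom in the first post; `missing_add_audit` lists the assignments to review before assigning anything new to a user.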
Hi, Murali
Thank you for your feedback. I am aware of that OSS note 1626816. But it doesn't explain why roleA and roleB are deleted. I have opened a message with SAP. They said this is a known bug in SP7 (yes, another one). This would be fixed in SP8.
Regards
Jonathan.
Try this as well when dealing with the initial load: http://scn.sap.com/community/netweaver-idm/blog/2013/02/17/setting-write-permissions-on-abap-initial...