
How to only add roles to users in SAP system and not remove roles

Former Member
0 Kudos

We have a requirement in our company where, for one of our SAP systems, we need to only add roles to the users from IDM but don't want to remove the existing roles. Can you please share the steps and scripts, along with screenshots, to achieve this for SAP 7.1 patch 7?

Thanks,

  Arun A

Accepted Solutions (1)


ivan_petrov
Active Participant
0 Kudos

Hi Arun,

The problem is too big to explain it with a few lines, so please look here:

If you still have questions, then you can ask again here.

Best regards,

Ivan

Former Member
0 Kudos

Hi Ivan,

I have gone through your process and see that it is mostly steps for version 7.2, and we are on version 7.1; that's where I was looking for some help to find a script to do this. Do you mind sharing the script so I can check and modify it where needed to use for version 7.1?

Thanks,

Arun

ivan_petrov
Active Participant
0 Kudos

Hi Arun,

My script is very complex because of my scenario.

The version of IDM doesn't matter at all, because the issue is not in IDM, but in ABAP itself.

So the basic idea is that you should always send all attached roles in IDM and all pending for attachment in IDM to ABAP. And you don't need to remove any roles from ABAP; just don't send them.

So step by step:

1. Use grouping per Application in ABAP Repository

2. Get all attached ABAP roles in IDM

3. Get all pending ABAP roles to be removed in IDM

4. Subtract the list from step 2 from list of step 1

5. Get all pending ABAP roles to be added in IDM

6. Add list from step 4 to list of step 3

7. Submit result list to ABAP.

Best regards,

Ivan
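An added example, not part of the original thread and not Ivan's script, of the full-list calculation described in the post above: per ABAP repository, the roles attached in IDM minus those pending removal, plus those pending addition. The `{ repository, role }` record shape, the sample values and `buildFullRoleLists` are hypothetical and do not reflect an SAP IDM schema or API.

```javascript
// Constructed sample input for one user. The { repository, role } record shape
// is hypothetical and is not an SAP IDM schema.
const attached = [
  { repository: "ERP_100", role: "Z_FI_DISPLAY" },
  { repository: "ERP_100", role: "Z_FI_POST" },
  { repository: "BW_200", role: "Z_BW_REPORT" },
  { repository: "CRM_300", role: "Z_CRM_SALES" },
];
const pendingRemove = [
  { repository: "ERP_100", role: "Z_FI_POST" },
  { repository: "CRM_300", role: "Z_CRM_SALES" },
  { repository: "BW_200", role: "Z_BW_ADMIN" },
];
const pendingAdd = [
  { repository: "ERP_100", role: "Z_MM_BUYER" },
  { repository: "BW_200", role: "Z_BW_REPORT" }, // already attached
  { repository: "BW_200", role: "Z_BW_ADMIN" }, // also pending removal
];

// Hypothetical helper: builds, per repository, the complete role list to send.
function buildFullRoleLists(attached, pendingRemove, pendingAdd) {
  const key = (a) => a.repository + "|" + a.role;
  const removing = new Set(pendingRemove.map(key));
  const adding = new Set(pendingAdd.map(key));
  const lists = new Map();
  const bucket = (repo) => {
    if (!lists.has(repo)) lists.set(repo, new Set());
    return lists.get(repo);
  };
  // Attached roles stay unless a removal is pending for them.
  for (const a of attached) {
    const roles = bucket(a.repository); // keep the repository even if it ends up empty
    if (!removing.has(key(a))) roles.add(a.role);
  }
  // Pending additions go in last, so an add wins over a removal of the same role.
  for (const a of pendingAdd) bucket(a.repository).add(a.role);
  // Roles requested for both add and remove are reported for review.
  const conflicts = [...adding].filter((k) => removing.has(k)).sort();
  const result = {};
  for (const [repo, roles] of lists) result[repo] = [...roles].sort();
  return { lists: result, conflicts };
}

console.log(buildFullRoleLists(attached, pendingRemove, pendingAdd));
```

A repository whose list comes out empty (here `CRM_300`) and any entry in `conflicts` are worth reviewing before the result is submitted.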

Former Member
0 Kudos

Thanks, Ivan, for all your replies. So with the current provisioning process, irrespective of whether there is a role to be added to the user or not, when we provision the user through SAP provisioning for any repository it removes the roles and re-adds the roles as per the approved identity center.

I guess this is more controlled in the BAPIs that the standard process is using.

Do you mind giving me an overview of how to customise these BAPIs and how to modify the standard provisioning framework?

Thanks,

Arun A

ivan_petrov
Active Participant
0 Kudos

Hi Arun,

No, you cannot customize this using BAPI. The DELTA for ABAP CUA is not supported from the ABAP side. There is an ABAP BAPI that supports DELTA, but it doesn't support CUA.

Best regards,

Ivan

Former Member
0 Kudos

Hi Ivan, are you referring to CUA as SAP IDM? Because we do not have an SAP CUA system, but we have SAP IDM, and we are provisioning to different individual SAP systems.

Thanks,

Arun A

ivan_petrov
Active Participant
0 Kudos

Hi Arun,

If you don't use SAP CUA and you have provisioning to individual SAP systems, then you should use another task which supports DELTA.

Look around in standard SAP provisioning for a task with the following name:

AssignDeltaABAPPrivileges

Use it instead of the regular one. Of course you should accomplish some tests first, because I never used to play with it; our clients are using SAP CUA. Hope it will be useful for you.

Best regards,

Ivan

Former Member
0 Kudos

Hi Ivan,

This is what I am looking for in our environment, but I did not find this task. We are on version 7.1 patch level 7, but I do not see this pass in our SAP provisioning framework.

Do you know if this is available for 7.1 as well or is limited to 7.2 and higher versions?

ivan_petrov
Active Participant
0 Kudos

Hi Arun,

This task is marked as deprecated in 7.2, so I think it should be present in 7.1.

Best regards,

Ivan

Former Member
0 Kudos

Thanks, Ivan, for your reply. We do not have this in our system. How can we get this task, and where can we download this one task now?

Thanks,

Arun A

Answers (1)


ivan_petrov
Active Participant
0 Kudos

Hi Arun,

If you don't have it, then maybe it doesn't work with 7.1.

What I can propose is to follow the steps in my blog; they will work even for 7.1 and even if you are not using SAP CUA.

Sorry, but there is no better solution, or at least I don't know about it.

Best regards,

Ivan