cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Tutorial/Blog for SAP ABAP License

Go to solution
Former Member

on ‎09-25-2013 12:57 PM

0 Kudos

Dears,

I want to add SAP ABAP License informatioen, when I create a new identity in my SAP IdM 7.2 SP8. This topic shouldn't a part of the SAP Provisioning Framework.

Does somebody know a tutorial or blog for  customizing steps in SAP IdM? I read the PDF "SAP-NW_IdM_IdMForSAPSystems_Configuration_7.2.pdf" and the note Note 1441725 - License attributes in IDM ABAP Connector. Also I found some discussion in the form, but not a best practics blog.

Best regards,

Hans

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-25-2013 1:44 PM
0 Kudos

Hi Hans,

Since you want to add the license information while creating the identity, the best way is to include the license type attributes in the "CreateABAPUser" pass of the provisioning framework as in the attached image.

But i don't understand why you don't want the license information to be part of provisioning framework. Any specific reason ?

Thanks,

Krishna.

Show replies
Show replies
Former Member
‎09-25-2013 3:55 PM
0 Kudos

Hi,

I hope, I understand the question: Now, we use a CUA. When we have create a account in the CUA, we have to add the right license (Tab LicenseData)

I think, I need this functionality in my IdM system, or don't I.

Best regards,

Hans

Former Member
‎09-25-2013 4:28 PM
0 Kudos

Hi Hans,

I know on how to provision the license type from SAP NW Identity management. But in your case, you are NOT using SAP NW Identity Management solution for user creation, BUT CUA (on AS ABAP) , on which i don't have much idea.

I feel this may not be the right place to get an answer for your query.

Thanks,

Krishna.

Former Member
‎09-26-2013 9:18 AM
0 Kudos

Hi Krishna,

I want to replace the CUA to a IdM. Could you give me an example, how I have to customize the inital load for a ABAP System to load the license information in my IdM?

After that, I modify the "CreateABAPUser" pass of the provisioning framework and hope, that all things are running.

Best regards,

Hans

Former Member
‎09-26-2013 10:45 AM
0 Kudos

Hi Hans

In order to load the user information (along with the licese information) from ABAP sytem to SAP IDM. You have to run the initial load job. You can use the SAP provided ABAP Initial load job templates for this. But with the standard initial load jobs, verifying and writing the license information is not there. To make your work easy, I would recommend you to use the initial load templates that comes with the RDS solution of IDM, in which the pass to verify the license type information is included in the initial load job templates. For more information on RDS, see this page http://scn.sap.com/community/netweaver-idm/blog/2012/08/13/new-rds--sap-netweaver-identity-managemen...

  1. Create a new folder in the SAP IDM.
  2. Right click on the folder , select New à Run job wizard
  3. You have to select the ABAP initial load job in the below path as shown. Select the job

4.     Click next and select the repository. If you have not configured repository so far, select no repository and click finish. The repository can   

        be  selected later on the job.

5.     Now you can see the initial load job like below.

The license type information is written to Identity store in the pass as shown below.

Once you have configured the job, run it. Then disable this job and enable the provisioning framework and start creating users !!.

The steps I have mentioned on high-level (without detailed explanation). Please refer to Identity Management for SAP System Landscapes: Configuration Guide for more information on how to achieve this.

All the best !!

Cheers,

Krishna.

Former Member
‎09-27-2013 9:46 AM
0 Kudos

Dear Krishna,

Thank you for your great help. I have only little question:

I add to my ReadABAPUsers pass :

and got the error

java.sql.SQLSyntaxErrorException: ORA-00957: duplicate column name

and

java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist

Could you give me a little hint?

Best regards,

Hans

Former Member
‎09-27-2013 10:10 AM
0 Kudos

Hi Hans,

java.sql.SQLSyntaxErrorException: ORA-00957: duplicate column name

-    Can you please examine the attributes once again, if you have used the UClassLicType attribute anywhere in the destination tab (i.e if you have used multiple times)  of the pass, you will get such errors! if you still get the same error, can you try changing the table name in the destination tab.

java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist

I guess you have selected "Update Entries in table" for the field "Table update".  In  the destination tab select "Delete table before loading" option from dropdown.

Thanks,

Krishna.

Former Member
‎09-29-2013 7:57 AM
0 Kudos

Hi Krishna,

Thank you for your helpfuly answer. But I'm wondering, that I have to define attributes for every of my SAP Systems, which are connected  to the SAP IdM.

SAPC_IDEN_REP_LICENSE_TYPE_%$rep.$NAME%

Is there a technique like the SAP Abap roles? I define only same attributes and put the license with a name convention like "LIC:%$rep.$NAME%_TEST"?

Best regards,

Hans

Former Member
‎09-29-2013 5:00 PM
0 Kudos

Hi Hans,

Happy to know that my replies helped you !! You can mark them as so !!

Yes you can create system specific attributes  !! . You can  create a system specific attribute in 2 ways.

1. During the time of the execution of initial load job. (WHICH I Strongly recommend. The reason is, you can use the same initial load job for multiple target systems, just by changing the repository. So when ever the initial load job is executed, the corresponding system specific attributes are created in the runtime. You don't have to do it manually, as explained in the second way below !!)

Create  a system specific attribute(follow your own naming convention for attribute, but something understandable ). You can create it in one of the passes in the initial load jobs as highlighted in the below screenshot.

2. The other way, you can create an attribute simply by selecting the new identity attribute from identity store schema, as highlighted below. So, you have to give the attribute name _ suffix based on your requirement. if you choose this way, ensure that you don't do typo  errors !!

(But I would recommend you to do the first method to make it very easy for you )

Cheers,

Krishna.

Former Member
‎10-04-2013 4:38 PM
0 Kudos

You are my hero!

Former Member
‎10-06-2013 3:25 PM
0 Kudos

Thanks Hans,

Great that you achieved what you want !!

Cheers,

Krishna.

Answers (2)

Answers (2)

Former Member
‎03-12-2014 11:09 PM
0 Kudos

Hi,

Have a small query.

Can you guys tell me which types of roles are uploaded to IDM on initial load.

Are the technical roles coming into IDM or the composite roles.  We are trying to implement position based security and want to understand how IDM interprets the end system roles.

Please help

Thanks

Chaitanya

Show replies
Show replies
Former Member
‎03-13-2014 2:04 AM
0 Kudos

Hi chaitanya,

When you perform the initial load of an ABAP system from SAP IDM, all the roles(Composite & Single) are loaded into IDM.

You can find the role names as below.

PRIV:ROLE:<RepositotyName>:<ABAPRoleName>

PRIV:ROLE:DEC101:ZSBSMY1002

The profiles areloaded to the IDM wiht below naming convention.

PRIV:PROFILE:<RepositotyName>:<ProfileName>

PRIV:PROFILE:DEC101:SAP_ALL

Thanks,

Krishna.

Former Member
‎03-13-2014 2:33 AM
0 Kudos

Hi Krishna,

Thanks for the quick reply.

When you say even the composites are pulled into IDM, will a mapping between the business roles and the composites be enough to grant the required access to the user?

I am just trying to understand as it would be easier to map/assign composite roles to business role instead of individual technical roles (which can be quite a lot depending on the business).

Let me know your thoughts around this.

Thanks

Chaitanya

Former Member
‎03-13-2014 2:44 AM
0 Kudos

Hi Chaitanya,

Yes, a mapping between the business role and composite role is enough to assign the role to the users.

Map the business role and the compostie role by adding the business role as add role member in the privilge of composite role in IDM.

All the best !!

~ Krishna

Former Member
‎03-13-2014 2:53 AM
0 Kudos

Hi Krishna,

Will try that out once the environment is set up !

Thanks for your inputs.

Chaitanya

Former Member
‎10-01-2013 10:56 AM
0 Kudos

Hi Hans,

we are in the same process, getting rid of CUA and implementing IDM. The problem with licenses is that when you use Multi-System Licensing that you have to add those fields manually to the load and update jobs. We have added the following fields:

SAPC_IDEN_REP_LICENSE_SYSID_%$rep.$NAME% %uclassSysid%

SAPC_IDEN_REP_LICENSE_CLIENT_%$rep.$NAME% %uclassClient%

SAPC_IDEN_REP_LICENSE_BNAME_%$rep.$NAME% %uclassBnameChargeable%

to the jobs. But you are right, you have to do this for every single system. Another issue is that you have to enter the number of the user license, e.g. the value for Multi-System license is 11. This is definitely a problem when migrating from CUA to IDM. I have tried to solve this via RegExp but have no working solution yet. Another possibility could be to insert the license data using a SQL script, but I guess that's not a very handy solution.

The Attribute Value Help in table mxi_AttrValueHelp is a good point to start, but I have not found a solution to change other fields depending on the license type.

Regards,

Michael

Show replies
Show replies
Ask a Question