on 09-25-2013 12:57 PM
Dears,
I want to add SAP ABAP License information when I create a new identity in my SAP IdM 7.2 SP8. This topic shouldn't be a part of the SAP Provisioning Framework.
Does somebody know a tutorial or blog for customizing steps in SAP IdM? I read the PDF "SAP-NW_IdM_IdMForSAPSystems_Configuration_7.2.pdf" and Note 1441725 - License attributes in IDM ABAP Connector. I also found some discussion in the forum, but not a best practice blog.
Best regards,
Hans
Hi Hans,
Since you want to add the license information while creating the identity, the best way is to include the license type attributes in the "CreateABAPUser" pass of the provisioning framework as in the attached image.
But I don't understand why you don't want the license information to be part of the provisioning framework. Any specific reason?
Thanks,
Krishna.
Hi Hans,
I know how to provision the license type from SAP NW Identity Management. But in your case, you are NOT using the SAP NW Identity Management solution for user creation, BUT CUA (on AS ABAP), on which I don't have much idea.
I feel this may not be the right place to get an answer for your query.
Thanks,
Krishna.
Hi Krishna,
I want to replace the CUA with an IdM. Could you give me an example of how I have to customize the initial load for an ABAP system to load the license information into my IdM?
After that, I modify the "CreateABAPUser" pass of the provisioning framework and hope, that all things are running.
Best regards,
Hans
Hi Hans
In order to load the user information (along with the license information) from the ABAP system to SAP IDM, you have to run the initial load job. You can use the SAP-provided ABAP initial load job templates for this. But with the standard initial load jobs, verifying and writing the license information is not there. To make your work easy, I would recommend you use the initial load templates that come with the RDS solution of IDM, in which the pass to verify the license type information is included in the initial load job templates. For more information on RDS, see this page http://scn.sap.com/community/netweaver-idm/blog/2012/08/13/new-rds--sap-netweaver-identity-managemen...
4. Click next and select the repository. If you have not configured a repository so far, select no repository and click finish. The repository can be selected later on the job.
5. Now you can see the initial load job like below.
The license type information is written to the Identity store in the pass as shown below.
Once you have configured the job, run it. Then disable this job, enable the provisioning framework and start creating users!!
The steps I have mentioned are high-level (without detailed explanation). Please refer to Identity Management for SAP System Landscapes: Configuration Guide for more information on how to achieve this.
All the best !!
Cheers,
Krishna.
Dear Krishna,
Thank you for your great help. I have only a little question:
I add to my ReadABAPUsers pass:
and got the errors
java.sql.SQLSyntaxErrorException: ORA-00957: duplicate column name
and
java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist
Could you give me a little hint?
Best regards,
Hans
Hi Hans,
java.sql.SQLSyntaxErrorException: ORA-00957: duplicate column name
- Can you please examine the attributes once again? If you have used the UClassLicType attribute anywhere in the destination tab of the pass multiple times, you will get such errors! If you still get the same error, can you try changing the table name in the destination tab?
java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist
- I guess you have selected "Update Entries in table" for the field "Table update". In the destination tab, select the "Delete table before loading" option from the dropdown.
Thanks,
Krishna.
Hi Krishna,
Thank you for your helpful answer. But I'm wondering whether I have to define attributes for every one of my SAP systems which are connected to the SAP IdM.
SAPC_IDEN_REP_LICENSE_TYPE_%$rep.$NAME%
Is there a technique like the SAP ABAP roles? I define only the same attributes and put the license with a naming convention like "LIC:%$rep.$NAME%_TEST"?
Best regards,
Hans
Hi Hans,
Happy to know that my replies helped you!! You can mark them as so!!
Yes, you can create system specific attributes!! You can create a system specific attribute in 2 ways.
1. During the time of the execution of the initial load job. (WHICH I strongly recommend. The reason is, you can use the same initial load job for multiple target systems, just by changing the repository. So whenever the initial load job is executed, the corresponding system specific attributes are created at runtime. You don't have to do it manually, as explained in the second way below!!)
Create a system specific attribute (follow your own naming convention for the attribute, but something understandable). You can create it in one of the passes in the initial load jobs as highlighted in the below screenshot.
2. The other way, you can create an attribute simply by selecting the new identity attribute from the identity store schema, as highlighted below. So, you have to give the attribute name _ suffix based on your requirement. If you choose this way, ensure that you don't make typo errors!!
(But I would recommend you use the first method to make it very easy for you.)
Cheers,
Krishna.
Hi,
Have a small query.
Can you guys tell me which types of roles are uploaded to IDM on initial load?
Are the technical roles coming into IDM or the composite roles? We are trying to implement position based security and want to understand how IDM interprets the end system roles.
Please help.
Thanks
Chaitanya
Hi Chaitanya,
When you perform the initial load of an ABAP system from SAP IDM, all the roles (Composite & Single) are loaded into IDM.
You can find the role names as below.
PRIV:ROLE:<RepositoryName>:<ABAPRoleName>
PRIV:ROLE:DEC101:ZSBSMY1002
The profiles are loaded to the IDM with the below naming convention.
PRIV:PROFILE:<RepositoryName>:<ProfileName>
PRIV:PROFILE:DEC101:SAP_ALL
Thanks,
Krishna.
Hi Krishna,
Thanks for the quick reply.
When you say even the composites are pulled into IDM, will a mapping between the business roles and the composites be enough to grant the required access to the user?
I am just trying to understand as it would be easier to map/assign composite roles to business role instead of individual technical roles (which can be quite a lot depending on the business).
Let me know your thoughts around this.
Thanks
Chaitanya
Hi Hans,
We are in the same process, getting rid of CUA and implementing IDM. The problem with licenses is that when you use Multi-System Licensing, you have to add those fields manually to the load and update jobs. We have added the following fields:
SAPC_IDEN_REP_LICENSE_SYSID_%$rep.$NAME% %uclassSysid%
SAPC_IDEN_REP_LICENSE_CLIENT_%$rep.$NAME% %uclassClient%
SAPC_IDEN_REP_LICENSE_BNAME_%$rep.$NAME% %uclassBnameChargeable%
to the jobs. But you are right, you have to do this for every single system. Another issue is that you have to enter the number of the user license, e.g. the value for Multi-System license is 11. This is definitely a problem when migrating from CUA to IDM. I have tried to solve this via RegExp but have no working solution yet. Another possibility could be to insert the license data using a SQL script, but I guess that's not a very handy solution.
The Attribute Value Help in table mxi_AttrValueHelp is a good point to start, but I have not found a solution to change other fields depending on the license type.
Regards,
Michael
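An added example, not part of any post in this thread and not SAP code: a pre-flight check built on the attribute names quoted above, covering the duplicate destination column behind ORA-00957 and the multi-system fields that go with license type 11. It assumes destination rows are available as (target, source) pairs, that column names compare case-insensitively, and that a type 11 entry needs all three multi-system fields; the sample rows and values are constructed.

```python
from collections import Counter

REP = "%$rep.$NAME%"  # repository-name placeholder as written in the thread
TEMPLATES = {
    "type": "SAPC_IDEN_REP_LICENSE_TYPE_" + REP,
    "sysid": "SAPC_IDEN_REP_LICENSE_SYSID_" + REP,
    "client": "SAPC_IDEN_REP_LICENSE_CLIENT_" + REP,
    "bname": "SAPC_IDEN_REP_LICENSE_BNAME_" + REP,
}
MULTI_SYSTEM = "11"  # value the thread gives for the Multi-System license


def expand(template, repo):
    """Substitute the repository name into an attribute template."""
    return template.replace(REP, repo)


def duplicate_targets(destination_rows, repo):
    """Targets that occur more than once after expansion.

    Assumption: names are compared case-insensitively, as Oracle does
    for unquoted identifiers."""
    names = [expand(target, repo).upper() for target, _ in destination_rows]
    return sorted(n for n, count in Counter(names).items() if count > 1)


def check_entry(entry, repo):
    """List the problems in one identity's license attributes."""
    attr = {key: expand(tpl, repo) for key, tpl in TEMPLATES.items()}
    lic = entry.get(attr["type"], "").strip()
    if not lic:
        return ["no license type in " + attr["type"]]
    if lic != MULTI_SYSTEM:
        return []
    # Assumption: type 11 needs system, client and chargeable user set.
    return ["type 11 without " + attr[key]
            for key in ("sysid", "client", "bname")
            if not entry.get(attr[key], "").strip()]


# Constructed sample data (hypothetical column, source and user values).
SAMPLE_ROWS = [("logonuid", "%logonuid%"),
               ("UClassLicType", "%uclassLicType%"),
               ("uclasslictype", "%uclassLicType%")]
SAMPLE_ENTRY = {"SAPC_IDEN_REP_LICENSE_TYPE_DEC101": "11",
                "SAPC_IDEN_REP_LICENSE_SYSID_DEC101": "PRD"}

if __name__ == "__main__":
    print(duplicate_targets(SAMPLE_ROWS, "DEC101"))
    print(check_entry(SAMPLE_ENTRY, "DEC101"))
```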