Reconciliation IDM -> SAP

Former Member
0 Kudos

Dear experts,

My IDM is connected to several SAP repositories.
Sometimes user data such as roles is overwritten by another team when performing refreshes or synchronizations, …

I would like IDM to synchronize the data from IDM to the SAP back end by deleting the wrong values (added roles) and putting in the ones from IDM.

Example :

Correct Value in IDM :

User ABC123 with role IDM_BC_1

Wrong value :

User ABC123 with role IDM_BA_9

IDM should delete the IDM_BA_9 and give the IDM_BC_A

What is the easiest way to do that ?

Thx for the reply,

Nicolas.

Accepted Solutions (1)

terovirta
Active Contributor
0 Kudos

How about a batch job that re-writes the privileges to the target system based on the passed repository name? The repository name could be defined in job constants and referred to in scripts and SQL statements from that point onwards.

In the job you would have only a "to SAP" pass that has an SQL statement in the source tab that selects all the users who have access to the target system, either by comparing your job constant to the account attribute or the account privilege. The destination tab would look the same as Plugin #4 for your repository in the SAP PF.

The other alternative would be a "to Generic" pass with the same source select statement, but on the destination tab you would have an entry script that calls Plugin #4 of the specific repository with the user's MSKEY (by means of the uProvision U-function).

The job can easily be enhanced to work on multiple repositories, even on different repository types.

If you need to work on an individual selected user, your easier option would be creating a UI task that calls Plugin #4 for the specific user & repository combination.

Former Member
0 Kudos

Hi Tero,

The first proposal seems interesting.

To make it (maybe) easier I could first remove all the privileges from all users in one SAP repository, then put the privileges they have in IDM into the SAP repository.

The concept is there but I need help to realize it 🙂

Nicolas.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Nicolas,

I'm not an expert like the other guys, but I think you don't need to deprovision first.

Couldn't you just copy the update job and disable the delta handling? I thought I read somewhere that the complete list of privileges is always sent, so that it should automatically delete the roles in the backend and then add the roles that IdM sends. Or did I misunderstand that? I'm really not sure right now, because the others hadn't come up with that yet.

Regards,

Steffi.

keith_zhang
Active Participant
0 Kudos

Hello Nicolas and Steffi,

The SAP provisioning framework will always send the complete list of all role and profile assignments of the user to the ABAP system, without delta functions (as Steffi describes), unless you implement it as per SAP Note 1626816. Please review the note, which explains the details about this.

So you may just take the standard plugin task as a reference, like Tero has suggested, if you decide to do it in this way.

BR, Keith

Steffi_Warnecke
Active Contributor
0 Kudos

Thank you, Keith. Now I'm not that confused anymore. ^^

Former Member
0 Kudos

Hi Keith,

Thanks for your answer.

If I check the plugin task corresponding to Hook 4 "4. Assign User Membership to ABAP", what it does is assign the pending roles / profiles and not copy all of them. Maybe I'm wrong, and I hope so.

Nicolas.

keith_zhang
Active Participant
0 Kudos

Hello Nicolas,

Maybe the name of the script sap_abap_getNameOfAssignedPendingPrivileges is a little bit confusing, while there are also some comment lines at the beginning of it which explain generally what the script does. I think that should answer/explain your question?

BR, Keith

Answers (3)

Former Member
0 Kudos

Hi Nicolas

I've done this a few times. When reading in from IDM, I disable the writing of roles and profiles so that IDM is never updated after the initial load - IDM is authoritative. However, instead of writing, I do a search of the existing IDM assignments for the user and, if they do *not* have the role that is in the ABAP backend, trigger a Modify on the user for that repository, which will overwrite all the roles and profiles on the back end.

As an advanced step, add the username to a job variable when you trigger it and then check against the variable when kicking off the script, so that it only gets triggered once per user.

Peter
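To make the two approaches above concrete (Tero's batch job that selects the in-scope users of one repository and rewrites their full role list, and Peter's drift check that triggers one Modify per user whose back-end roles differ from IDM), here is an added example that is not part of the thread and not SAP IDM code. It works on constructed rows shaped like a source-tab SQL result (one row per user, repository and role); the repository and role names are made up, and `full_list_overwrite` only simulates the non-delta behaviour of the provisioning framework that Keith describes, it does not call any IDM API.

```python
"""Drift check between IDM (authoritative) and an ABAP back end.

Added example, not SAP IDM code. Rows mimic what a source-tab SQL would
return (one row per user/repository/role); all data is constructed."""
from collections import defaultdict

# Constructed sample rows: (user, repository, role).
IDM_ROWS = [
    ("ABC123", "SAP_ERP_DEV", "IDM_BC_1"),
    ("DEF456", "SAP_ERP_DEV", "IDM_BC_1"),
    ("DEF456", "SAP_ERP_DEV", "IDM_FI_2"),
    ("GHI789", "SAP_ERP_DEV", "IDM_HR_3"),
    ("ABC123", "SAP_CRM_QAS", "IDM_CRM_1"),   # other repository, out of scope
]
BACKEND_ROWS = [
    ("ABC123", "SAP_ERP_DEV", "IDM_BA_9"),    # wrong role added by another team
    ("DEF456", "SAP_ERP_DEV", "IDM_BC_1"),
    ("DEF456", "SAP_ERP_DEV", "IDM_FI_2"),    # in sync
    ("GHI789", "SAP_ERP_DEV", "IDM_HR_3"),
    ("GHI789", "SAP_ERP_DEV", "IDM_BA_9"),    # extra role
]


def roles_by_user(rows, repository):
    """Group role rows into {user: set(roles)} for one repository."""
    grouped = defaultdict(set)
    for user, repo, role in rows:
        if repo == repository:
            grouped[user].add(role)
    return grouped


def find_drift(idm_rows, backend_rows, repository):
    """Return {user: (extra, missing)} for every user IDM knows in the
    repository whose back-end roles differ from IDM's. Users are selected
    from IDM (the repository acts as the job constant); accounts that
    exist only in the back end are out of IDM's scope and not returned."""
    wanted = roles_by_user(idm_rows, repository)
    actual = roles_by_user(backend_rows, repository)
    drift = {}
    for user, idm_roles in wanted.items():
        backend_roles = actual.get(user, set())
        extra = backend_roles - idm_roles       # to be removed
        missing = idm_roles - backend_roles     # to be added
        if extra or missing:
            drift[user] = (frozenset(extra), frozenset(missing))
    return drift


def users_to_reprovision(drift):
    """One trigger per user, however many roles differ: a full-list
    provisioning pass rewrites all of the user's roles at once."""
    return sorted(drift)


def full_list_overwrite(idm_rows, backend_rows, repository, users):
    """Simulate the non-delta provisioning described in the thread:
    each listed user's back-end roles are replaced by IDM's complete set."""
    wanted = roles_by_user(idm_rows, repository)
    kept = [r for r in backend_rows
            if not (r[1] == repository and r[0] in users)]
    rewritten = [(u, repository, role)
                 for u in users for role in sorted(wanted.get(u, ()))]
    return kept + rewritten


if __name__ == "__main__":
    repo = "SAP_ERP_DEV"
    drift = find_drift(IDM_ROWS, BACKEND_ROWS, repo)
    for user, (extra, missing) in sorted(drift.items()):
        print(f"{user}: remove {sorted(extra)}, add {sorted(missing)}")
    fixed = full_list_overwrite(IDM_ROWS, BACKEND_ROWS, repo,
                                users_to_reprovision(drift))
    print("drift after rewrite:", find_drift(IDM_ROWS, fixed, repo))
```

Running it reports ABC123 (remove IDM_BA_9, add IDM_BC_1) and GHI789 (remove IDM_BA_9) for SAP_ERP_DEV, leaves DEF456 alone, and shows no drift left once the full role list has been rewritten for the two flagged users. In a real job the role sets would come from the identity store and the back end, and the "rewrite" step would be the repository's Plugin #4 task.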

Former Member
0 Kudos

Hi Peter,

Thank you for your answer.

All the answers seem good, but I'm surprised that this functionality is not standard in SAP IDM, while in the IDM of IBM it's standard.

Am I the only one interested in this, that SAP doesn't develop it?

Nicolas.

terovirta
Active Contributor
0 Kudos

Nicolas Varga wrote:

All the answers seem good, but I'm surprised that this functionality is not standard in SAP IDM, while in the IDM of IBM it's standard.

Am I the only one interested in this, that SAP doesn't develop it?

You're not the only one interested, as I've developed a similar job a couple of times in customer projects, along with repairs that could come out of the box, like doing uPrivilegeRetry based on the provisioning status in the link table. (There is now the stored-procedure-based provisioning problem analyze/fix solution.)

Even though these features are not supplied with the product, the platform offers a relatively easy way to achieve the functionality. I agree it would be nicer if it came out of the box, tested with warranty.

Former Member
0 Kudos

I'm not surprised. The scope of IDM is to allow complete customisation. The basic 'initial load' jobs assume a certain functionality - that IDM is updated from the back-end systems. You can change it, but it's your own customisation, as would be the resulting requirement to reconcile.

Peter

Former Member
0 Kudos

Hi Tero

Do you think it's useful to put it on Idea Place?

Nicolas.

Former Member
0 Kudos

Hello,

I tried this "How to Reconcile Identity Data - Additional Material.zip", which contains "AS ABAP - Reconciliation.dst", but apparently it only produces a report.

My colleagues on ITIM have an easy way to do what I want; I thought it would be a native task of IDM?!

Former Member
0 Kudos

Hi Nicolas,

Please check the load settings for the repositories overwriting the correct values. You can set those repository attributes to "Write only when adding entry". This is also described in the IDM documentation.

Regards,

Michael

Former Member
0 Kudos

Michael,

If it's the Initial Load pass you're referring to, I think it only copies data from SAP to IDM, and I want exactly the opposite.

Allow the user to only have the data from the master "IDM" and erase the rest.

Nicolas.

former_member2987
Active Contributor
0 Kudos

Agreed. I've seen this on initial loads before, and I commonly use the " . " prefix to prevent privileges and roles from being overwritten.

Matt