
"Reconciliation" concept in SAP NW IdM 7.2

Former Member
0 Kudos

Hi everyone!

Can anyone suggest a best-practice for doing reconciliation with SAP NW IdM 7.2?

When reading the Release Notes from SAP NW IdM 7.2 SP07 / SP08, I saw that the reconciliation job-templates are now obsolete. This leads me to the question: how should I do it then? Reconciliation, as SAP defines it now, is just setting a "dirty" flag when a privilege or a role was not provisioned correctly, for whatever reasons.

But what about reconciling attributes?

For example:

I have an MS AD repository. If someone changes an attribute on an AD-User for which the AD repository is the leading system (master), for example the email address, what would you do to reconcile this change?

So, what is the basic concept to detect and update changed "master"-attributes from a repository?

Thanks,

Raphael

Accepted Solutions (1)


Former Member
0 Kudos

There are any number of ways of doing this - it also depends on whether you want it immediately fixed or just reported.

Essentially, you need to schedule an import and then compare things with the ID store. If the ID store is different, you can trigger a sync to IDM (or an export to the system if it's not authoritative for that data).

In terms of accomplishing this? SQL / scripts of various flavours will do some or all of the work.

Similarly, you can write the issues to a file and then email that file to an administrator to resolve.

Of course, you can just use the import to update the authoritative attributes no matter what so reconciliation isn't really necessary.

Peter

Answers (4)


Former Member
0 Kudos

Hi Raphael,

From my point of view, the SAP reconciliation concept for target systems in 7.1 causes severe headaches, especially when you have to figure out why some situations are not recognized. This is caused by the delta mechanism.

From my point of view, a real straightforward approach is to load data from

1) IDM

2) target system

into two tables with the same structure. Then you can do a real easy and fast comparison of the two tables and calculate the required reports and actions.

Please let me know if you know some additional hints.

best regards

Matthias

Former Member
0 Kudos

Thanks for your helpful answers!

I guess I have to develop something on my own then..

terovirta
Active Contributor
0 Kudos

There's a 7.1 based How To Document:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/80771942-8423-2d10-0f99-f64d072fc...

Maybe it gives you some ideas(?) even though it's not a 1:1 match due to differences in the data model.

Former Member
0 Kudos

Hi Raphael,

The reconciliation job that has been retired is the internal user-role/privilege assignment reconciliation job. This has been moved into the housekeeping function on the dispatcher(s).

As a quick recap, this (and the job before it) only deals with structure changes such as a privilege being assigned to a role with many members. When that happens, all the members of the affected role are marked "dirty" and a reconciliation of the users is needed to recalculate their hierarchy/inheritance. The same happens when removing a privilege from a role.

Br,

Per Christian

Former Member
0 Kudos

Hi Raphael,

If your requirement is still just reporting, you can make use of the reconciliation job templates. I have done this and you can find more details on generating reconciliation reports in my blog.

http://scn.sap.com/community/netweaver-idm/blog/2013/09/09/reconciliation-reports-in-sap-idm

If it is for fixing immediately, as Peter suggested, you have to develop logic to import the data from the target into an IDM temporary table, do a comparison with the identity store data and fix it immediately.

You can achieve this with a To identity store pass, in which, on the source tab, you write a query that compares the data in the temporary table with the identity store and picks the records that are different; the destination tab will have the identity store attributes.

Thanks,

Krishna.
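
The import-and-compare approach described in the answers above (two tables with the same structure, compared with SQL), as an added example that is not part of any reply in this thread and is not SAP IdM code. It assumes an in-memory SQLite database in place of the IdM database; the table names, column names, sample rows and the set of AD-mastered attributes are constructed for illustration.

```python
import sqlite3

# Constructed sample snapshots: (account, attribute, value).
IDM_ROWS = [("jdoe", "mail", "jdoe@example.com"),
            ("jdoe", "department", "Finance"),
            ("asmith", "mail", "asmith@example.com")]
AD_ROWS = [("jdoe", "mail", "john.doe@example.com"),
           ("jdoe", "department", "Sales"),
           ("bnew", "mail", "bnew@example.com")]
AD_MASTER = {"mail"}  # attributes for which AD is the leading system (assumed)

# Hypothetical table names; both snapshots share one structure.
# First branch: rows in IDM that are missing or different in the target.
# Second branch: rows that exist only in the target.
DIFF_SQL = """
SELECT i.account, i.attr, i.val, t.val
  FROM snap_idm i
  LEFT JOIN snap_target t ON t.account = i.account AND t.attr = i.attr
 WHERE t.account IS NULL OR t.val <> i.val
UNION ALL
SELECT t.account, t.attr, NULL, t.val
  FROM snap_target t
  LEFT JOIN snap_idm i ON i.account = t.account AND i.attr = t.attr
 WHERE i.account IS NULL
 ORDER BY 1, 2
"""

def reconcile(idm_rows, target_rows, target_master):
    """Return (account, attr, idm_value, target_value, action) per difference."""
    db = sqlite3.connect(":memory:")
    for table, rows in (("snap_idm", idm_rows), ("snap_target", target_rows)):
        db.execute(f"CREATE TABLE {table} (account TEXT, attr TEXT, "
                   "val TEXT NOT NULL, PRIMARY KEY (account, attr))")
        db.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    findings = []
    for account, attr, idm_val, target_val in db.execute(DIFF_SQL):
        # Target is authoritative: bring the identity store in line with it.
        # Otherwise the identity store wins and the target is corrected.
        action = "sync_to_idm" if attr in target_master else "export_to_target"
        findings.append((account, attr, idm_val, target_val, action))
    db.close()
    return findings

if __name__ == "__main__":
    for finding in reconcile(IDM_ROWS, AD_ROWS, AD_MASTER):
        print(finding)
```

For a report-only setup, the returned findings can be written to a file for an administrator instead of being acted on.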