cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Does SP8 resolve AS ABAP Delta Handling for Role/Profile Assignments?

Go to solution
Former Member

on ‎01-15-2014 4:16 PM

0 Kudos

Hello,

I haven't yet upgraded to SP8, but I'm wondering if this service pack resolves the issue of Delta Handling for Role/Profile Assignments ?

Specifically I'm referring to the issue outlined in SAP Note# 1626816:

It states:


Symptom:

You use SAP NetWeaver Identity Management and its SAP provisioning framework to manage the role and profile assignments of users in AS ABAP systems.

After adding and/or removing some assignment in the Identity Center, the change documents for the affected user in the AS ABAP system show the following: The system unassigned all already assigned roles and/or profiles and, immediately afterwards, assigned the complete new list of roles and/or profiles.

In addition, after such a change, all changes to the role and profile assignments that you have made for the affected user directly in the AS ABAP system have been reverted again. For instance, if you have added another role to the user in the AS ABAP system using transactions like SU01, after the provisioning, the user no longer has this role.

Two other SCN links give more details on the issue:

SCN question specifically about ABAP roles being removed in provisioning

http://scn.sap.com/thread/3349510

and a proposed resolution:

Delta roles blog by Kai Ulrich

http://scn.sap.com/community/netweaver-idm/blog/2012/09/09/delta-role-assignments-in-idm-72

Has anyone found that SP8 to have resolved this?

Cheers, Paul

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

normann
Advisor
Advisor
‎01-16-2014 9:39 AM
0 Kudos

Hello Paul,

I think your question is wrong. The issue described in that note is nothing to "solve" so easily. The old ABAP systems (before business suite) cannot handle deltas. So everything you provision with the standard ABAP connector will always work as described in the note. If you want to provision deltas you use Kai's solution.

What will help you preventing trying to provision old ABAP systems with delta is to

  • either only adapt the business suite integration and use delta and use business suite integration for newer systems (as it also has other advantages to use a ToSAPIdentity pass instead of ToSAP like the ability to handle overlapping assignments)
  • or add a repository constant whether repository can handle delta or not and decide in provisioning task what logic to use

Regards

Norman

Show replies
Show replies

Answers (2)

Answers (2)

Former Member
‎01-15-2014 10:35 PM
0 Kudos

SP8 resolved the issue that I wrote my blog post about (and as described in http://scn.sap.com/thread/3349510) - privs that were assigned before initial load being removed from ABAP when the first write out happens.

They updated the getNameOfAssignedPendingPrivileges script

Peter

Show replies
Show replies
former_member2987
Active Contributor
‎01-15-2014 7:42 PM
0 Kudos

Paul,

I haven't looked into that but have you checked the Central Note for IDM? That kind of stuff is usually stored there.

Matt

Show replies
Show replies
Former Member
‎01-15-2014 10:14 PM
0 Kudos

Hi Matt,

I have checked the release notes for SP8 here:

SAP NetWeaver Identity Management 7.2 SP 8 - What's New in SAP NetWeaver Identity Management 7.2 (Re...

I've also reviewed items made available in this link:

If SP8 doesn't address the issue with ABAP delta provisioning, then I'm prepared to take a deep breath and test out Kai Ulrich's solution.

Cheers, Paul

Ask a Question