on 01-15-2014 4:16 PM
Hello,
I haven't yet upgraded to SP8, but I'm wondering if this service pack resolves the issue of Delta Handling for Role/Profile Assignments ?
Specifically I'm referring to the issue outlined in SAP Note# 1626816:
It states:
Symptom:
You use SAP NetWeaver Identity Management and its SAP provisioning framework to manage the role and profile assignments of users in AS ABAP systems.
After adding and/or removing some assignment in the Identity Center, the change documents for the affected user in the AS ABAP system show the following: The system unassigned all already assigned roles and/or profiles and, immediately afterwards, assigned the complete new list of roles and/or profiles.
In addition, after such a change, all changes to the role and profile assignments that you have made for the affected user directly in the AS ABAP system have been reverted again. For instance, if you have added another role to the user in the AS ABAP system using transactions like SU01, after the provisioning, the user no longer has this role.
Two other SCN links give more details on the issue:
SCN question specifically about ABAP roles being removed in provisioning
http://scn.sap.com/thread/3349510
and a proposed resolution:
Delta roles blog by Kai Ulrich
http://scn.sap.com/community/netweaver-idm/blog/2012/09/09/delta-role-assignments-in-idm-72
Has anyone found that SP8 to have resolved this?
Cheers, Paul
Hello Paul,
I think your question is wrong. The issue described in that note is nothing to "solve" so easily. The old ABAP systems (before business suite) cannot handle deltas. So everything you provision with the standard ABAP connector will always work as described in the note. If you want to provision deltas you use Kai's solution.
What will help you preventing trying to provision old ABAP systems with delta is to
Regards
Norman
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
SP8 resolved the issue that I wrote my blog post about (and as described in http://scn.sap.com/thread/3349510) - privs that were assigned before initial load being removed from ABAP when the first write out happens.
They updated the getNameOfAssignedPendingPrivileges script
Peter
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Paul,
I haven't looked into that but have you checked the Central Note for IDM? That kind of stuff is usually stored there.
Matt
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Matt,
I have checked the release notes for SP8 here:
I've also reviewed items made available in this link:
If SP8 doesn't address the issue with ABAP delta provisioning, then I'm prepared to take a deep breath and test out Kai Ulrich's solution.
Cheers, Paul
User | Count |
---|---|
81 | |
9 | |
9 | |
7 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.