
connecting sap system over LDAP - Automatic user provisioning

Former Member
0 Kudos

Hi Experts,

I was wondering if you could help me. I need to connect one SAP system with an HR system and have automatic SAP role provisioning depending on the organizational unit (special wish). At the moment the system is connected to a CUA. The CUA has been configured to communicate over the SAP LDAP connector with Microsoft Active Directory (ADAM).

We also have a GRC10 system which is to be implemented for all systems (firefighter, user provisioning, risk analysis)

So as I see it, I have two choices about the automatic provisioning: GRC10 or CUA.

Probably, to make it work over GRC10, I need to set up a workflow with BRF+ rules so I can have the automatic provisioning based on the organisational units of the employees.

I haven't spoken with our AD engineer, but I suppose: organisational unit is not an Active Directory attribute. To make it work we will probably use another attribute as a placeholder for organisational unit and sync this field with an SAP field from the user master data.

So by creating a BRF+ rule I could implement a check on the organisational unit and have roles assigned depending on that.

I know this is a GRC forum, but which solution would you recommend? Maybe it will be simpler using this automatic role provisioning over CUA and leaving GRC10 out of it.

cheers, david

Accepted Solutions (1)

Former Member
0 Kudos

Thanks for your answers, we will solve our problem with IDM and business roles.

Best regards,

david

Answers (2)

former_member193066
Active Contributor
0 Kudos

Hello,

As said above, GRC10 or GRC 10.1 can be integrated with CUA and IDM.

And you can have LDAP configured in the GRC system as well to pull the respective information.

Prasant

santosh_krishnan2
Participant
0 Kudos

Hi Prasant,

We are having some issues with our LDAP configuration, where the LDAP connector appears to be working, and yet when I try to sync the connector within GRC, it says that 0 users are returned from Active Directory.

I've gone through all the guides and it seems like everything has been set up correctly, so I wanted to find out if there were any issues you've encountered in implementing Microsoft Active Directory that I should look into.

Thanks,

Santosh

former_member193066
Active Contributor
0 Kudos

Check read authorization, and always use the fully qualified name of the SAP server under LDAP instead of the IP address.

To check, go to SE38 and run the role repository sync.

There you can see the message showing whether it's able to read it.

Is your GRC server on Linux OS?

If yes, ask your Basis team to check that name resolution works perfectly.

Regards,

Prasant

santosh_krishnan2
Participant
0 Kudos

Thanks. A couple of things.

The server config in the GRC 10 system for LDAP is the same as the one in the current GRC 5.3 system. The GRC 5.3 system appears to be working while I'm having issues in the GRC 10 system.

Next, the only difference in the config is the user ID used to bind to LDAP.

Next, the program you asked me to run comes back with all greens except for two yellow triangles for users DDIC and SAP*.

Next, the results of that program, with a green light, says 0 records were returned from LDAP.

So now I'm not really sure, because it appears to be working, with 0 records being returned, while GRC 5.3 is apparently getting records back.

Santosh

former_member193066
Active Contributor
0 Kudos

To check this, please go to SPRO.

Run the sync job.

Check the role sync. If you have any issue there, all will come back 0; please check whether anywhere it says read auth failure.

And ensure your base entry is correct.

Regards,

Prasant

santosh_krishnan2
Participant
0 Kudos

They came back 0. Profile sync, obviously, failed, but role sync and user sync came back 0. No mention (that I could see) about read auth failure. Base entry is correct, I think, because it's the same one as from our GRC 5.3 system.

Santosh

former_member193066
Active Contributor
0 Kudos

Does the user ID have the S_LDAP auth object assigned?

Check in the LDAP tcode as well by logging in and searching ...

Regards,

Prasant

former_member193066
Active Contributor
0 Kudos

Also check 4. Refer to SAP Note "1755767 - Repository object sync from LDAP fails".

former_member193066
Active Contributor
0 Kudos

What string is used while searching users in LDAP? Execute the LDAP tcode and find the users with the default string, for example ...(&(objectclass=*)(samaccountname = a*)). If you have some different string to search users, then we need to find out from the LDAP team if they can set your searchable string as default.
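The troubleshooting in this thread circles around three causes of "0 records returned" with a green light: the bind user lacks read authorization, the base entry is wrong, or the search string is not the one the directory expects. The toy model below, added here as an illustration and not SAP, Microsoft or any poster's code, reproduces each of those silent-zero outcomes against a constructed in-memory directory, and also shows why a value spliced into a search string must be escaped per RFC 4515 (the filter-injection angle of the "what string do you search with" question). Everything in it is an assumption: the entries and DNs are made up, read access is modelled as an allow-list of bind DNs (the directory hides what you may not read rather than raising an error, which is the symptom above), and whitespace around `=` is tolerated so the thread's example filter parses, which strict servers may not do.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory: fictitious accounts, not real data.
DIRECTORY: Dict[str, Entry] = {
    "CN=Alice Adams,OU=Users,DC=example,DC=local": {
        "objectclass": ["top", "person", "user"], "samaccountname": ["aadams"]},
    "CN=Arun Banerjee,OU=Users,DC=example,DC=local": {
        "objectclass": ["top", "person", "user"], "samaccountname": ["abanerjee"]},
    "CN=Bob Brown,OU=Users,DC=example,DC=local": {
        "objectclass": ["top", "person", "user"], "samaccountname": ["bbrown"]},
    "CN=GRC Sync,OU=Service,DC=example,DC=local": {
        "objectclass": ["top", "person", "user"], "samaccountname": ["svc-grc"]},
}
SVC_DN = "CN=GRC Sync,OU=Service,DC=example,DC=local"
USERS_BASE = "OU=Users,DC=example,DC=local"
# Assumption: read access is an allow-list of bind DNs; the directory hides entries the
# bind user may not read, so an unprivileged bind gets an empty result and no error.
READERS = {SVC_DN}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Recursive-descent parser for the filter subset used here: &, |, ! and attr=value."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", [kid])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, eq, raw = text[pos:end].partition("=")
        if not eq:
            raise ValueError("only attr=value items are supported in this toy")
        pos = end + 1
        # Whitespace around '=' is stripped so the thread's example filter parses;
        # strict RFC 4515 has no such whitespace and servers differ in tolerance.
        return ("=", attr.strip().lower(), raw.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _matches(tree, entry: Entry) -> bool:
    op = tree[0]
    if op == "&":
        return all(_matches(k, entry) for k in tree[1])
    if op == "|":
        return any(_matches(k, entry) for k in tree[1])
    if op == "!":
        return not _matches(tree[1][0], entry)
    _, attr, raw = tree
    values = entry.get(attr, [])
    if raw == "*":  # presence test, e.g. (objectclass=*)
        return bool(values)
    # Substring assertion: a bare '*' is a wildcard, everything else is literal after
    # unescaping, so an escaped \2a matches a real asterisk instead of widening the search.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    rx = re.compile(f"^{pattern}$", re.IGNORECASE)
    return any(rx.match(v) for v in values)


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()


def search(bind_dn: str, base_dn: str, filter_text: str) -> List[str]:
    """Subtree search under base_dn; returns matching DNs (empty for an unprivileged bind)."""
    if bind_dn not in READERS:
        return []
    tree = parse_filter(filter_text)
    base = _norm_dn(base_dn)
    return [dn for dn, entry in DIRECTORY.items()
            if (_norm_dn(dn) == base or _norm_dn(dn).endswith("," + base))
            and _matches(tree, entry)]


if __name__ == "__main__":
    default = "(&(objectclass=*)(samaccountname = a*))"  # the thread's default search string
    print("good bind, correct base:", search(SVC_DN, USERS_BASE, default))
    print("wrong base entry:       ", search(SVC_DN, "OU=Staff,DC=example,DC=local", default))
    print("bind lacks read rights: ", search("CN=Bob Brown,OU=Users,DC=example,DC=local", USERS_BASE, default))
    untrusted = "a*"  # untrusted input spliced into a filter; escaped, it matches only a literal 'a*'
    print("escaped untrusted input:", search(SVC_DN, USERS_BASE, f"(samaccountname={escape_filter_value(untrusted)})"))
```

The first call returns the two accounts starting with "a"; the next two return an empty list with no error, which is exactly what a connector log reports as "0 records returned" when the base entry or the bind user's read rights are wrong. The last call shows the practical reason to care what string the connector sends: an unescaped `*` from user input turns an exact lookup into a prefix search, while `escape_filter_value` keeps it literal.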

former_member193066
Active Contributor
0 Kudos

Attach a screenshot of the SPRO rep obj sync and the SLG1 log.

santosh_krishnan2
Participant
0 Kudos

Here you go ...

At the time this was run, the user ID used did not seem to have S_LDAP explicitly assigned, though the user does have SAP_ALL, SAP_NEW.

former_member193066
Active Contributor
0 Kudos

Is your issue fixed now?

Regards,

Prasant

Former Member
0 Kudos

Hi Prasant,

The issue is not fixed because IDM is not yet implemented. But I have spoken with the IDM engineers and they mentioned it is not a big deal connecting business roles and user OE (functions).

Best regards, david

former_member193066
Active Contributor
0 Kudos

Hello,

Please check running incremental, and let me know if you get the result.

Regards,

Prasant

santosh_krishnan2
Participant
0 Kudos

Hi Prasant,

Looks like it wasn't a GRC issue. The LDAP/AD team had some weird non-standard config which wasn't well documented, and I had them sort it out. LDAP is all set now. Thanks for the help. I'd be happy to give details to anyone who wants them.

Santosh

santosh_krishnan2
Participant
0 Kudos

Using GRC 10/10.1 for auto-provisioning is fairly straightforward and it will integrate with IdM very well. I'd suggest you go that route instead of CUA if there is an IdM solution in place.