
SAP IDM Create user policies

Former Member
0 Kudos

Hi All,

We are implementing SAP IDM and we need to set IDM to create a user (identity) based on data brought from the HR system, for example:

HR System (there is a new employee called João Silva)

IDM needs to read these fields from HR and create a user to log in on the target system, like jsilva, with this policy: first letter of first name and last name.

And if in the future there is another João Silva, IDM should treat this case by increasing a number, like: jsilva1, jsilva2.

This activity needs to be done automatically by IDM.

Do you guys have any suggestions to accomplish this?

Thank you for your help.


Regards.

Miguel

Accepted Solutions (1)


Former Member
0 Kudos

Hi ALL

Thank you in advance.

This problem was solved:

1- We created a job, on Identity store under task "Create identity (UI)" to IdentityStore, that writes our userID to a custom attribute that we created (Client_AD_UserID).


Regarding this, we were able to execute our script before idm creates userID on target systems.





2- We mapped this attribute as value on Task to create identity on Active Directory and SAP with the value reached before.





We did it this way because here in Brazil we are using the mskeyvalue as another value (personal number) and not as the userID for target systems.

Thank you.

Answers (6)


Former Member
0 Kudos

Hi experts, thank you for your replies, but till now I was not able to find this information.

We tried on idmv_vallink, idmv_entry, idmv_value

Thank you for your attention.

former_member2987
Active Contributor
0 Kudos

Miguel, this information can be found in the views that you have mentioned.

MSKEYVALUE is usually the login ID and there is also a column called modify time that holds the change date/time.

What else are you looking for? We can help.

Matt

Former Member
0 Kudos

Hi guys, thank you for your attention.

But will it work even though my mskeyvalue is not my user ID? Here we will use mskeyvalue as a personal number, but what we need to check is the userID "TCheck1" that is created at this time.

What we need is to check if this userprincipalname already exists and, if yes, increase a sequential number, but we need to check at this time (when the user is being created on AD).

Is this information stored in some place in the IDM database?

Thank you.

Regards.

Former Member
0 Kudos

Miguel:

Yes you have to check the DN and if it already existed then change the ID. You will need more than just ID.

You did not mention whether you have one AD domain in your landscape or more than one.

DN = samaccountname + OU + Domain Name

Before the password CreateADUser you need to make sure you get the samaccountname and OU for the user. The domain information is given by repository settings.

For your logic basically you are

1. Calculating user's samaccountname

2. Determine OU

3. Form DN

4. Check DN for uniqueness (If not going back to step 1 and repeat the process)

Regards

Andy

Former Member
0 Kudos

Sure - just replace MSKEYVALUE with ACCOUNT$rep.$Name and you'll check that (might require extracting the CN, but that's easy enough).

Former Member
0 Kudos

Peter, my CN will be something like this.

CN= Test Check1, Ou=Users, OU=Company, dc=none,dc=com

I need to check the value "Tcheck1" that will be related to a samaccountname or userprincipalname for the new user on Active Directory.

I need to check if tcheck1 exists during the creation over the UI.

Thank you.

Regards.

Former Member
0 Kudos

OK - if you're using the CN as the sAMAccountName as well, it has to be unique across the entire domain.  Therefore you can change the script

accnames = Select MSKEYVALUE where MSKEYVALUE like 'CN=accountname%'
if(accnames.indexOf("!ERROR") > -1) {return "CN=accountname,OU*=Users...";}
for i=1 to 1000
  // compare against the candidate account name, not against the query result itself
  if(accnames.indexOf("CN=" + accountname + i + ",OU=*") == -1) {return "CN=" + accountname + i + ",OU*=...";}
next

* Note - default AD structure, the base Users container is a CN, not an OU.

Peter

Former Member
0 Kudos

As a workaround we are trying to do an update on the table to update this value during user creation on the UI.

This update can be done inside the script to create new users.

Has anyone had this experience before? (Update over script.)

Regards.

terovirta
Active Contributor
0 Kudos

So, you would like to create users in UI and assign a generated MSKEYVALUE to them?

Uncheck the MSKEYVALUE from your UI, this way when the entry is created IdM will assign the MSKEYVALUE, it will be MX_[number].

Add a workflow task after the UI screen in MMC which will call your script and set the MSKEYVALUE in a toGeneric pass. You would be using the same uIS_SetValue function as in the script example above, but setting a value to MSKEYVALUE instead of the "Z_USERREQ_USERID" of the example.

regards, Tero

Former Member
0 Kudos

Hi Experts,

We have implemented this script to treat User ID creation:

We were able to check if the value (in this example TCheck) already exists in the IDM database.

The search is being done on the idmv_entry_simple table, as shown below.

If we create a new user like TCheck1, this value is not updated in the IDM database, permitting me to create a new user with Tcheck1 again.

Maybe we are looking for this value in the wrong table.

Has anyone already faced this before?

Thank you

Regards.

Former Member
0 Kudos

This looks OK (although pasting the actual script rather than a screenshot would help). Just make sure that you are returning the strTempName to the userID attribute when trying to create the user. If you don't find one and return strCurNames you'll get that behaviour.

Peter

Former Member
0 Kudos

Hi Peter, thank you again for your attention.

When a user is created over the user interface with the privilege for creation on Active Directory, where will this information be placed in the IDM database?

I mean, imagine that I created a user whose sAMAccountName / userPrincipalName will be Tcheck1.

In which table will this data (Tcheck1) be stored in the IDM database? Because I need to do my check in this table, to check if this user already exists, correct?

We are trying the column mcdisplayname in idmv_entry_simple; is that correct?

Thank you very much.

BR

Ckumar
Contributor
0 Kudos

Hi Miguel,

you can check that in idmv_vallink_basic table.

Regards,

C Kumar

Former Member
0 Kudos

Hi Kumar,

Thank you for your answer,

Using the same parameter?

Mean mcMSKEYVALUE idmv_vallink_basic where mcdisplayname = "myvalue" /??

thank you

Ckumar
Contributor
0 Kudos

Hi Miguel,

you can use the following query,

Select mcvalue from idmv_vallink_basic where mcattrname='MSKEYVALUE' and mcvalue='TCheck1'

or

Select mcvalue from idmv_vallink_basic_active where mcattrname='MSKEYVALUE' and mcvalue='TCheck1'

Regards,

C Kumar

Former Member
0 Kudos

The userID for each system is held against 'ACCOUNT<repositoryName>'.  It doesn't have to be the same as IDM (although this can make admin easier).

You can create the account for AD at that time if necessary, rather than when coming in from HCM.

Realistically, try not to overthink the problem.

accnames = Select MSKEYVALUE where MSKEYVALUE like 'accountname%'
if(accnames.indexOf("!ERROR") > -1) {return accountname;}
accnames = "!!" + accnames + "!!";
for i=1 to 1000
  // compare against the candidate account name, not against the query result itself
  if(accnames.indexOf("!!" + accountname + i + "!!") == -1) {return accountname + i;}
next

This will just loop through any account like your first initial, last name, appending a number and checking to see if it already exists.  You'll need to fit in the proper sql query and debug etc.

Peter

Former Member
0 Kudos

Assuming you have already got the data out of HR, a simple script will be able to get uniqueness from the IDM solution and generate the new name.

Peter

Former Member
0 Kudos

Hi Peter,

By any chance, do you have some example of scripts to accomplish this result?

Thank you for your attention.

Miguel

former_member2987
Active Contributor
0 Kudos

Miguel,

Take a look at this.

Matt

Former Member
0 Kudos

I have many - it depends on what your rules are for generating the name.

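A really basic one is:

// Function wrapper (and its name) added so the fragment runs as a script function.
function generateUserName(firstname, surname)
{
   var initial = firstname.charAt(0);
   var tempName = initial + surname;
   var MaxCounter = 999;
   // Build the LIKE pattern from the value of tempName, not the literal text 'tempName%'.
   var curNames = uSelect("Select mskeyvalue from idmv_vallink_basic where mskeyvalue LIKE '" + tempName + "%'");
   // Rows come back separated by "!!"; wrap the list so every name is delimited on both sides.
   var tempCurNames = "!!" + curNames + "!!";
   if(tempCurNames.indexOf("!!" + tempName + "!!") == -1)
   {
        //tempName doesn't exist at all!  We are good to go.
      return tempName;
   }
   for(var i=1; i < MaxCounter; i++)
   {
        if(tempCurNames.indexOf("!!" + tempName + i + "!!") == -1)
        {
           //tempNamei does not exist.
           return tempName+i;
        }
   }
   // Handle errors here...
}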

NOTE - this is very basic and not very efficient but it will work (debug my javascript first! )

Peter
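
A hardened form of the lookup-and-increment logic discussed in this thread, as an added example (not code from any poster). It runs under Node.js; `select` is a hypothetical stand-in for uSelect that returns rows joined by "!!" or a string starting with "!ERROR", the view and columns follow C Kumar's query, and the sample store is constructed.

```javascript
// Added example: unique user-ID generation that fails closed.
// `select` is a hypothetical stand-in for uSelect (rows joined by "!!",
// "!ERROR..." on failure, the convention the scripts in this thread rely on).
function baseUserId(firstName, lastName) {
  // Strip diacritics, then allow-list a-z0-9 so that no quote or LIKE
  // wildcard from HR data ever reaches the SQL text.
  const clean = (s) => s.normalize("NFD").replace(/[\u0300-\u036f]/g, "")
    .toLowerCase().replace(/[^a-z0-9]/g, "");
  const first = clean(firstName), last = clean(lastName);
  if (!first || !last) throw new Error("name has no usable characters");
  return first.charAt(0) + last;
}

function nextFreeUserId(firstName, lastName, select, maxCounter = 999) {
  const base = baseUserId(firstName, lastName);
  const rows = select(
    "select mcvalue from idmv_vallink_basic where mcattrname='MSKEYVALUE' " +
    "and mcvalue like '" + base + "%'");
  // Fail closed: a failed lookup must not be read as "no such user".
  if (rows.indexOf("!ERROR") === 0) throw new Error("lookup failed: " + rows);
  // Compare whole values, case-insensitively, instead of substring matching.
  const taken = new Set(
    rows.split("!!").filter(Boolean).map((v) => v.toLowerCase()));
  if (!taken.has(base)) return base;
  for (let i = 1; i <= maxCounter; i++) {
    if (!taken.has(base + i)) return base + i;
  }
  throw new Error("no free ID for " + base);
}

// Constructed sample data standing in for the identity store.
const sampleStore = ["JSilva", "jsilva1", "jsilvano", "pobrien"];
function fakeSelect(sql) {
  const m = /like '([a-z0-9]+)%'/.exec(sql);
  if (!m) return "!ERROR: unsupported query";
  return sampleStore
    .filter((v) => v.toLowerCase().startsWith(m[1])).join("!!");
}

console.log(nextFreeUserId("João", "Silva", fakeSelect));
console.log(nextFreeUserId("Pat", "O'Brien", fakeSelect));
```

The lookup and the later account creation are separate steps, so two requests processed at the same moment can still pick the same ID; the target directory's own uniqueness check remains the final guard.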

Former Member
0 Kudos

Hi Miguel,

Here is the script I am using.

// Main function: zsap_core_generate_mskeyvalue
/*
 *----------------------------------------------------------------------------
 * Parameter(s) Cat.  : String
 * Parameter(s)       : FirstName|LastName|NRIC|MSKEY from the Z_USER_REQUEST Entry Type
 * Return value Cat.  : String
 * Return value       : MSKEYVALUE of MX_PERSON
 *----------------------------------------------------------------------------
 * Dependencies : // to scripts, attributes, inbuild functions, context vars, tables/views,
 *                system/job/repository/global constants/variables
 * - inbuild function : uGetIDStore
 * - inbuild function : uSelect
 * - view : idmv_entry_simple_all
 * - NRIC is the unique identity of the user
 *----------------------------------------------------------------------------*/
function zsap_core_generate_mskeyvalue(Par){
  //Example calling DSE internal function
  //uStop("Terminated by user");

  //string looks like this FirstName|LastName|NRIC|MSKEY
  var inputParameter = Par.split("|");
  var displayName = inputParameter[1]+ inputParameter[0];
  var nric = inputParameter[2];
  var mskey = inputParameter[3];
  var subName = ""; //To store first five characters of the MSKEYVALUE
  var nameLength = displayName.length;
  var checkmskeyvalue = ""; //To store the MSKEYVALUE
  var count = 0; //To generate the free number in the MSKEYVALUE
  var IdentityStore = uGetIDStore();
  var tempCount = 0; //Counter used in loop
  var tempDisplayName = ""; //variable to hold display name

  uInfo("Executing zsap_core_generate_mskeyvalue");
  uInfo("displayName:" + displayName + "nric :" + nric + "mskey:" +mskey);

  //skip space from displayName
  for (tempCount = 0;tempCount<nameLength;tempCount++)
  {
    if (displayName.charAt(tempCount) != " " )
      tempDisplayName = tempDisplayName + displayName.charAt(tempCount);
  }
  displayName = tempDisplayName;
  nameLength = displayName.length; // recompute: removing spaces may have shortened the name

  // Append additional 0 if the length of name is less than 5 characters
  for (; nameLength < 5;)
  {
    displayName = displayName.concat("0");
    nameLength = displayName.length;
  }
  subName = displayName.substring(0,5);

  //for loop to find next available number if the a user with same name and nric number already exists.
  //count 0-9 gives the suffix "0"-"9", count 10-35 gives "A"-"Z"
  for (count = 0;count<=35; count++)
  {
    if(count <10)
    {
      checkmskeyvalue = uSelect("select mcMSKEY from idmv_entry_simple_all WITH(NOLOCK) where mcMSKEYVALUE = '" + subName+count+nric +"'");
      if (checkmskeyvalue =="" || checkmskeyvalue=="NULL")
      {
        checkmskeyvalue = subName+count+nric;
        break;
      }
    }
    else {
      checkmskeyvalue = uSelect("select mcMSKEY from idmv_entry_simple_all WITH(NOLOCK) where mcMSKEYVALUE = '" + subName+String.fromCharCode(count+55)+nric +"'");
      if (checkmskeyvalue =="" || checkmskeyvalue=="NULL")
      {
        checkmskeyvalue = subName+String.fromCharCode(count+55)+nric;
        break;
      }
    }
  }

  if (count > 35)
  {
    //All 36 suffixes are taken: do not hand back the last query result as an ID
    uInfo("No free MSKEYVALUE found for " + subName + " / " + nric);
    return "";
  }

  uInfo("checkmskeyvalue:" + checkmskeyvalue );
  var retValue = uIS_SetValue(mskey, IdentityStore, "Z_USERREQ_USERID", checkmskeyvalue.toUpperCase());
  uInfo("retValue:" + retValue );
  return checkmskeyvalue.toUpperCase();
}

Former Member
0 Kudos

Hi Peter,

Thank you very much for your collaboration.

Kind regards!

Miguel

Former Member
0 Kudos

Hello Krishna,

Thank you very much for your help.

Kind Regards.

former_member2987
Active Contributor
0 Kudos

Miguel,

There's plenty of documentation on this in the landscape documents.  That should point you in the right direction!

Regards,

Matt