
ARQ: User details fields mappings problem in Access Request

former_member184114
Active Contributor
0 Kudos

Dear All,

My "User Search Data Sources" are: HR system and LDAP (in this order) and

"User Details Data Sources" are: HR system, LDAP, GRC Production system and ERP Development system (in this order)

I could search for the users in HR and LDAP systems correctly. However, the problems I am facing are:

1. For some users, First Name, Last Name and Email id fields are not getting mapped, though they are correctly shown in the search screen of ARQ. This behavior is sporadic and I am not sure why they are not mapped for some of the users only. But for other users, they are getting mapped correctly!

2. For some other users selected from the search result, First Name, Last Name and Email id fields are correctly mapped. However, the "Manager" field is empty and not mapped, though it is correctly maintained in the HR system.

Any idea why this is behaving like this and how to solve this?

Please advise.

Regards,

Faisal

Accepted Solutions (1)

former_member184114
Active Contributor
0 Kudos

I have mapped fields for LDAP connector as defined in LDAP configuration guide for action#4. See below screen:

For field mapping from the HR system, I think I don't have to maintain any mapping because it takes it automatically.

Can anyone please advise if I have to map fields for HR system as well?

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

Hi Faisal,

are you getting the information from your HR system via SU01?

Regarding your LDAP mappings: My configuration is slightly different as I have mapped the Firstname via GIVENNAME from LDAP. But beside that it should work properly.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

Alessandro,

Thanks for your reply.

I even tried with SU01, and I got no difference. Still Manager is not pulled. As far as First Name, Last Name and Email id, those are getting filled from one of the user details data sources. But I am not sure why manager is not getting pulled.

Please advise.

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

where do you gather the manager information? From LDAP or from HR system?

former_member184114
Active Contributor
0 Kudos

It should come from both the systems if it is maintained for that user. Currently, user manager details (manager id) is not maintained in Active Directory, therefore has to come from SAP HR system since it is maintained there.

If it is also maintained in active directory, it should also fetch from there.

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

okay - I have a similar set up and shared some thoughts in this regard in a previous post:

Make sure that the user data type is set to "HR" in the user detail data source so that the information is picked from HR.

Additionally you can check if the organizational assignments in info type 0001 is correct. Ensure if the information is maintained correctly and available in the HR system.

Let me also know if it does pick some managers or if it is generally missing.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

Alessandro,

Thanks for your reply.

Yes, I have gone through this document and believe that, it helps in looking up for the manager of a user using F4 button (lookup), correct me if required. However, what I want is, as soon as a user id is selected, the manager field should be filled automatically from the data source: HR or LDAP if it is maintained there.

I believe this is the default behavior of the application.

Please advise.

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

Yes it is as it should work - the information is coming from the Detail Data Source and there you should define your HR with first priority and LDAP with second.

See my configuration, more or less similar to yours (1. SU01, 2. HR, 3. LDAP):

As I don't know your configuration in detail it is very difficult to tell you where the error is.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

Dear Alessandro,

Thanks for your reply.

Please see below my current User Details Data Sources configurations:

It is pretty simple and I believe it should work. Not sure why this simple thing is not working.

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

Yes I am also wondering... is the GRC plug in installed in the HR system? Plugin is: GRCPIERP

former_member184114
Active Contributor
0 Kudos

Yes, it is installed; the backend systems have both GRCPINW and GRCPIERP. SP#9

former_member184114
Active Contributor
0 Kudos

Alessandro,

May I know if the LDAP field mapping is correct in the screen shared above (first)? Do I have to make any corrections there?

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

I assume it is correct. As mentioned I am using GIVENNAME for firstname mapping but this can be slightly different in your system.

Did you check if other information, beside the manager, is coming from your HR system? Maybe you can remove all other data sources in test system to check whether information is read or not.

Sorry for "guessing"... from my point of view I don't see the issue.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

How to check what fits in my system? As you are using GIVENNAME for first name, I am using CN as mentioned in the LDAP config. document.

Currently, I am only using First and Last name and email id as mandatory along with manager id. Therefore, yes, these details are properly coming from one of the user details data sources maintained. I tried to keep only LDAP and check if it picks up, but it does not.

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

Since I don't know your system and configuration I can only guess. But to summarize what I know and what I would try to figure out (trial and error):

You want to have the manager information from your HR system.

Try the following: remove all systems beside HR system from detail data source and try again. Do you get information for name and email? If all other information (email, name, etc.) is read from the HR system then something is missing in the backend. If this is the case the issue is probably not in GRC and more in the HR system.

What does the system log SLG1 say? Did you try to trace the authorization check in ST01? It can also be that you are missing authorization to read from the HR system. Also check the system/authorization log in the HR system.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

Thanks for your reply.

Yes, now I have to figure it by trial and error only. As far as SLG1, I did not get any errors.

Will update this message with my findings out of trial and error.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Dear Alessandro,

NOTE: User Search Data Sources is :1. HR and then LDAP for all below tests

I have tested some scenarios; below are the details:

1.a. Kept only ERP system with HR module in User Details Data Source with "HR" as user data, it picked and mapped First Name, Last Name and Email ID from HR.

I selected one user from LDAP (which is not maintained in HR), it did not map above fields for this user. Understood, because this user is not maintained in HR.

1.b. Kept only ERP system with HR module in User Details Data Source with "SU01" as user data, it picked and mapped First Name, Last Name and Email ID from SU01.

2. Kept only LDAP and selected a user from the search result. No field is mapped. Not sure why it is not mapped, though the mapping is done correctly.

3. Kept 1.HR 2. LDAP 3. GRC PRd. and 4.ERP DEV systems and it appropriately mapped fields from other systems.

Please advise.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Alessandro,

Hope you are doing good.

I wanted to check with you if we can see these details in GRACUSER table. I noticed one field "MANAGER_ID" in GRACUSER master table.

Do you think it should be filled with manager id for connector belonging to HR system? I don't see any entries in that field now.

Please advise.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Any help on this?

former_member184114
Active Contributor
0 Kudos

Hi,

I think I moved to next step. Now I can see all the manager ids for both the connectors (HR and LDAP) under field  "MANAGER_ID" in table GRACUSER.

And now I simply need to pull and map it in the access request form. For LDAP connector, Action#4, I used "MANAGERID" under field AC Field Name and "MANAGER" in "Assign group field mapping".

I did not get any results. But I noticed the manager details for all users in table GRACUSER is maintained under column "MANAGER_ID".

I tried using this field also, but did not work.

Can anyone please help me?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Hi,

I could figure out something.

I have below hierarchy in Active Directory:

1. OU=Unit1,OU=ABC,DC=123,DC=COM


2. OU=Unit2, OU=XYZ,DC123,DC=COM

Unit1 and Unit2 are peers, fall under DC "123" and contain different sub-nodes and users. What is happening is that, if a user and his manager are from same OU (Unit1 for example), it is pulled appropriately.

In case if a user is in Unit1 and manager is in Unit2, then in this case, manager first and last name is pulled and Manager id field is not filled.

I could only maintain one of the above entries in LDAP tcode. I don't know how I can maintain peer-OUs in LDAP!

When I maintained like this:

OU=Unit1,OU=ABC,DC=123,DC=COM;OU=Unit2, OU=XYZ,DC123,DC=COM


It gives me the error: "Entry does not exist".

It is looking for only one node at a time but cannot traverse multiple peer nodes.

Can anyone suggest something on this?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

I followed below SAP help link:

SAP Library - Integrated User and Access Management

Here, it says that:

Basis entry

Distinguished Name of the root node of the directory tree

Therefore, I believe it needs to have a root node mandatory! It will not traverse through peer nodes (nodes at the same level).

I would appreciate if anybody can confirm.

Regards,

Faisal
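The base-entry constraint discussed in the posts above, as an added example that is not part of the original thread or of SAP's code: a base entry is a single DN, so peer OUs can only be covered by a DN that is an ancestor of both. The sketch assumes standard LDAP subtree-search semantics (the thread does not state which scope the SAP LDAP connector uses); the DNs are constructed samples modeled on the thread, with the second entry's component written as `DC=123`, and the manager DN is hypothetical.

```python
import re

# Constructed sample DNs modeled on the thread (assumption: DC=123 in both).
USER_OUS = ["OU=Unit1,OU=ABC,DC=123,DC=COM", "OU=Unit2, OU=XYZ,DC=123,DC=COM"]
MANAGER_DN = "CN=Manager One,OU=Unit2,OU=XYZ,DC=123,DC=COM"  # hypothetical entry


def split_rdns(dn):
    """Split one DN into (ATTR, value) pairs; simplified RFC 4514 handling."""
    if re.search(r"(?<!\\);", dn):
        # ';' must be escaped inside a DN, so "DN1;DN2" is not a valid base.
        raise ValueError("unescaped ';': a search base is a single DN, not a list")
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a valid RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _key(rdn):
    # Attribute types and most directory string values compare case-insensitively.
    return (rdn[0], rdn[1].lower())


def common_base(dns):
    """Deepest DN that is an ancestor of (or equal to) every DN; '' if none."""
    paths = [list(reversed(split_rdns(dn))) for dn in dns]
    shared = []
    for level in zip(*paths):  # walk from the root (DC=COM) downwards
        if len({_key(r) for r in level}) != 1:
            break
        shared.append(level[0])
    return ",".join(f"{a}={v}" for a, v in reversed(shared))


def covers(base, dn):
    """True if a subtree search rooted at base would reach dn."""
    b, d = split_rdns(base), split_rdns(dn)
    tail = d[len(d) - len(b):] if len(b) <= len(d) else []
    return bool(tail) and [_key(r) for r in tail] == [_key(r) for r in b]


if __name__ == "__main__":
    base = common_base(USER_OUS)
    print("single base covering both OUs:", base)
    print("Unit1 base reaches manager in Unit2:", covers(USER_OUS[0], MANAGER_DN))
    print("common base reaches manager:", covers(base, MANAGER_DN))
```

A wider base also widens what the search can return, so any filter configured on the connector should still restrict results to the intended user objects.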

former_member184114
Active Contributor
0 Kudos

I could conclude that there should be some "OU" under DC=xyz,DC=com in order for this search to happen successfully.

I tested some of the users and it is working fine with above setting.

Hope this would help anyone.

Regards,

Faisal

Answers (0)