on 03-16-2014 5:10 AM
Dear All,
My "User Search Data Sources" are: HR system and LDAP (in this order) and
"User Details Data Sources" are: HR system, LDAP, GRC Production system and ERP Development system (in this order)
I could search for the users in HR and LDAP systems correctly. However, the problems I am facing are:
1. For some users, the First Name, Last Name and Email id fields are not getting mapped, though they are correctly shown in the search screen of ARQ. This behavior is sporadic and I am not sure why they are not mapped for some of the users only. For other users, they are getting mapped correctly!
2. For some other users selected from the search result, the First Name, Last Name and Email id fields are correctly mapped. However, the "Manager" field is empty and not mapped, though it is correctly maintained in the HR system.
Any idea why this is behaving like this and how to solve this?
Please advise.
Regards,
Faisal
I have mapped fields for LDAP connector as defined in LDAP configuration guide for action#4. See below screen:
For field mapping from the HR system, I think I don't have to maintain any mapping because it takes it automatically.
Can anyone please advise if I have to map fields for HR system as well?
Regards,
Faisal
Alessandro,
Thanks for your reply.
I even tried with SU01 and got no difference. The Manager is still not pulled. As for First Name, Last Name and Email id, those are getting filled from one of the user details data sources. But I am not sure why the manager is not getting pulled.
Please advise.
Regards,
Faisal
It should come from both the systems if it is maintained for that user. Currently, user manager details (manager id) is not maintained in Active Directory, therefore has to come from SAP HR system since it is maintained there.
If it is also maintained in active directory, it should also fetch from there.
Regards,
Faisal
okay - I have a similar set up and shared some thoughts in this regard in a previous post:
Make sure that the user data type is set to "HR" in the user detail data source so that the information is picked from HR.
Additionally, you can check if the organizational assignments in info type 0001 are correct. Ensure that the information is maintained correctly and available in the HR system.
Let me also know if it does pick some managers or if it is generally missing.
Regards,
Alessandro
Alessandro,
Thanks for your reply.
Yes, I have gone through this document and believe that, it helps in looking up for the manager of a user using F4 button (lookup), correct me if required. However, what I want is, as soon as a user id is selected, the manager field should be filled automatically from the data source: HR or LDAP if it is maintained there.
I believe this is the default behavior of the application.
Please advise.
Regards,
Faisal
Yes it is as it should work - the information is coming from the Detail Data Source and there you should define your HR with first priority and LDAP with second.
See my configuration, more or less similar to yours (1. SU01, 2. HR, 3. LDAP):
As I don't know your configuration in detail, it is very difficult to tell you where the error is.
Regards,
Alessandro
I assume it is correct. As mentioned I am using GIVENNAME for firstname mapping but this can be slightly different in your system.
Did you check if other information, beside the manager, is coming from your HR system? Maybe you can remove all other data sources in test system to check whether information is read or not.
Sorry for "guessing"... from my point of view I don't see the issue.
Regards,
Alessandro
How to check what fits in my system? As you are using GIVENNAME for first name, I am using CN as mentioned in the LDAP config. document.
Currently, I am only using First and Last name and email id as mandatory along with manager id. Therefore, yes, these details are properly coming from one of the user details data sources maintained. I tried to keep only LDAP and check if it picks up, but it does not.
Regards,
Faisal
Since I don't know your system and configuration I can only guess. But to summarize what I know and what I would try to figure out (trial and error):
You want to have the manager information from your HR system.
Try the following: remove all systems beside HR system from detail data source and try again. Do you get information for name and email? If all other information (email, name, etc.) is read from the HR system then something is missing in the backend. If this is the case the issue is probably not in GRC and more in the HR system.
What does the system log SLG1 say? Did you try to trace the authorization check in ST01? It can also be that you are missing authorization to read from the HR system. Also check the system/authorization log in the HR system.
Regards,
Alessandro
Dear Alessandro,
NOTE: User Search Data Sources is: 1. HR and then LDAP for all below tests.
I have tested some scenarios; below are the details:
1.a. Kept only ERP system with HR module in User Details Data Source with "HR" as user data, it picked and mapped First Name, Last Name and Email ID from HR.
I selected one user from LDAP (which is not maintained in HR), it did not map above fields for this user. Understood, because this user is not maintained in HR.
1.b. Kept only ERP system with HR module in User Details Data Source with "SU01" as user data, it picked and mapped First Name, Last Name and Email ID from SU01.
2. Kept only LDAP and selected a user from the search result. No field is mapped. Not sure why it is not mapped, though the mapping is done correctly.
3. Kept 1. HR 2. LDAP 3. GRC PRd. and 4. ERP DEV systems and it appropriately mapped fields from other systems.
Please advise.
Regards,
Faisal
Alessandro,
Hope you are doing good.
I wanted to check with you if we can see these details in GRACUSER table. I noticed one field "MANAGER_ID" in GRACUSER master table.
Do you think it should be filled with the manager id for the connector belonging to the HR system? I don't see any entries in that field now.
Please advise.
Regards,
Faisal
Hi,
I think I moved to next step. Now I can see all the manager ids for both the connectors (HR and LDAP) under field "MANAGER_ID" in table GRACUSER.
And now I simply need to pull and map it in the access request form. For the LDAP connector, Action#4, I used "MANAGERID" under the field AC Field Name and "MANAGER" in "Assign group field mapping".
I did not get any results. But I noticed the manager details for all users in table GRACUSER are maintained under column "MANAGER_ID".
I tried using this field also, but it did not work.
Can anyone please help me?
Regards,
Faisal
Hi,
I could figure out something.
I have below hierarchy in Active Directory:
1. OU=Unit1,OU=ABC,DC=123,DC=COM
2. OU=Unit2, OU=XYZ,DC123,DC=COM
Unit1 and Unit2 are peers, fall under DC "123" and contain different sub-nodes and users. What is happening is that, if a user and his manager are from same OU (Unit1 for example), it is pulled appropriately.
In case a user is in Unit1 and the manager is in Unit2, the manager's first and last name are pulled and the Manager id field is not filled.
I could only maintain one of the above entries in the LDAP tcode. I don't know how I can maintain peer OUs in LDAP!
When I maintained like this:
OU=Unit1,OU=ABC,DC=123,DC=COM;OU=Unit2, OU=XYZ,DC123,DC=COM
It gives me the error: "Entry does not exist".
It is looking for only one node at a time but cannot traverse multiple peer nodes.
Can anyone advise me on this?
Regards,
Faisal
I followed below SAP help link:
SAP Library - Integrated User and Access Management
Here, it says that:
Basis entry: Distinguished Name of the root node of the directory tree
Therefore, I believe it needs to have a root node mandatory! It will not traverse through peer nodes (nodes at the same level).
I would appreciate if anybody can confirm.
Regards,
Faisal
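
Added example, not part of the original thread and not SAP code: a subtree search under one base DN only returns entries beneath that base, so the sketch below checks which entries fall in scope for a given base and computes the deepest ancestor shared by two peer OUs. The function names, the `CN=user1` / `CN=manager1` entries, and reading the second OU's `DC123` as `DC=123` are assumptions made for illustration.

```python
import re

def parse_dn(dn):
    """Split a DN into normalized (ATTR, VALUE) RDNs, leaf first.
    Simplified: honors backslash-escaped commas, ignores multi-valued RDNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        # Matching for OU/DC/CN values is case-insensitive.
        rdns.append((attr.strip().upper(), value.strip().upper()))
    return rdns

def in_scope(entry_dn, base_dn):
    """True if entry_dn is the base or lies beneath it (subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def common_base(dns):
    """Deepest DN that is an ancestor of (or equal to) every DN given."""
    paths = [parse_dn(d)[::-1] for d in dns]      # root first
    shared = []
    for level in zip(*paths):
        if len(set(level)) != 1:
            break
        shared.append(level[0])
    return ",".join(f"{a}={v}" for a, v in reversed(shared))

# Constructed sample data modelled on the hierarchy in the post.
UNIT1 = "OU=Unit1,OU=ABC,DC=123,DC=COM"
UNIT2 = "OU=Unit2,OU=XYZ,DC=123,DC=COM"   # assumes DC=123 was intended
USER = "CN=user1," + UNIT1                 # hypothetical entries
MANAGER = "CN=manager1," + UNIT2
JOINED = UNIT1 + ";" + UNIT2               # the semicolon-joined attempt

if __name__ == "__main__":
    for base in (UNIT1, JOINED, common_base([UNIT1, UNIT2])):
        print(f"base={base}")
        for dn in (USER, MANAGER):
            print(f"  {'in ' if in_scope(dn, base) else 'out'}  {dn}")
```

Moving the base up to the shared ancestor also widens what the connector's bind account searches, so that account's read permissions in the directory are worth reviewing at the same time.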