on 08-25-2014 8:59 PM
Hi Experts,
We have done LDAP group provisioning from GRC, and this is feasible if the LDAP ID and SAP ID are the same.
But we have a different scenario where the LDAP ID and SAP ID are different; how can we do this?
Below is the sample scenario:
When a new user joins the organization, then his LDAP ID will be created in LDAP.
So while raising the request in GRC, based on the user's first name and last name we can pull other details of the user. After getting the details we auto-generate the user ID, and this will be the user's SAP ID.
The requester will select the business role and submit the request; this business role also contains groups related to LDAP.
My query here is: as the request is headed by the SAP ID, while provisioning to LDAP, how will GRC recognize the user's LDAP ID based on the auto-generated SAP ID and provision the groups?
And after provisioning:
1. The SAP ID should go and sit in the custom attribute defined in LDAP (a custom variable is available in LDAP to maintain the SAP ID; this is currently mapped manually)
2. LDAP group provisioning
Please provide your valuable suggestions on this scenario.
Thanks,
Sriram
Even I have a similar requirement like yours.
We decided on screen customization, where the user field is actually updated using a custom program.
I will update you with details, as testing is going to happen from Monday onwards.
The logic for us was that we mapped it to the email ID,
since my LDAP is integrated with many LDAP servers, with employees from 5 companies,
and their SAP IDs are also different even though they log on to the same server.
1) For Company 1, the SAP ID is S_lastname+1
2) Company 2: Lastname+1 (numeric)
3) Company 3: Lastname+p
4) Company 4: Lastname+first digit of first name
5) Company 5: lastname+1 (numeric)+P
I suggested having a uniform naming convention throughout the landscape, but that is going to happen next year.
Earlier they used to create the ID in the GRC 5.3 system, and it was not connected to LDAP,
so the user ID was populated automatically.
Regards,
Prasant
Thanks Prasanth for your suggestion.
That is a good idea to recognize the LDAP ID based on the email ID of the user; so as per your logic, at the end of the request the LDAP groups are provisioned based on the email of the LDAP.
Even I am also thinking of using the Alias field to recognize the LDAP ID; below are the steps for that.
For a new user:
1. The requester will search for the user based on the first name and last name, then the user's LDAP ID will be populated and the requester will select the LDAP ID; then it will sit in the User ID column of the request form.
2. Then the requester will auto-generate the SAP ID with the help of a custom button created in the request form. Then the LDAP ID is converted to the new SAP ID in the User ID column.
3. In the provisioning mapping, the Alias field is mapped with sAMAccountName, so during the user search the LDAP ID will sit in Alias.
4. At the end of the request, the LDAP ID should be recognized based on the Alias field.
But I am not sure how the Alias field will recognize the LDAP ID and where we need to do the mapping.
Please suggest.
Thanks,
Sriram
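The e-mail-based correlation discussed in the replies above, sketched as an added example that is not any poster's code and not SAP GRC functionality: it ties a request headed by an auto-generated SAP ID to exactly one LDAP entry and refuses to provision when the match is missing or ambiguous. The directory entries, the request, the function names and the custom attribute name `sapUserId` are all constructed assumptions.

```python
# Constructed sample data: entries as an LDAP search might return them.
# "sapUserId" is a hypothetical name for the custom attribute holding the SAP ID.
DIRECTORY = [
    {"dn": "CN=Anna Meyer,OU=Company1,DC=example,DC=com",
     "sAMAccountName": "ameyer", "mail": "Anna.Meyer@example.com"},
    {"dn": "CN=Raj Kumar,OU=Company2,DC=example,DC=com",
     "sAMAccountName": "rkumar", "mail": "raj.kumar@example.com"},
    {"dn": "CN=Raj Kumar,OU=Company4,DC=example,DC=com",
     "sAMAccountName": "rkumar2", "mail": "raj.kumar@example.com"},
]


class CorrelationError(Exception):
    """Raised when a request cannot be tied to exactly one LDAP entry."""


def resolve_ldap_entry(email, entries):
    """Return the single entry whose mail matches, ignoring case and padding."""
    wanted = email.strip().lower()
    if not wanted:
        raise CorrelationError("request has no e-mail address")
    hits = [e for e in entries if e.get("mail", "").strip().lower() == wanted]
    if len(hits) != 1:
        # Fail closed: never pick "the first match" for an access grant.
        raise CorrelationError(f"{len(hits)} LDAP entries match {wanted!r}")
    return hits[0]


def plan_provisioning(request, entries, sap_attr="sapUserId"):
    """Build the LDAP changes for one request without touching the directory."""
    entry = resolve_ldap_entry(request["email"], entries)
    existing = entry.get(sap_attr)
    if existing and existing != request["sap_id"]:
        raise CorrelationError(f"{entry['dn']} is already linked to {existing}")
    changes = [("replace", entry["dn"], sap_attr, request["sap_id"])]
    # Group membership is written on the group object, keyed by the user's DN.
    changes += [("add", group_dn, "member", entry["dn"])
                for group_dn in request["ldap_groups"]]
    return changes


if __name__ == "__main__":
    req = {"sap_id": "S_MEYER1", "email": "anna.meyer@example.com",
           "ldap_groups": ["CN=FI-Clerks,OU=Groups,DC=example,DC=com"]}
    for change in plan_provisioning(req, DIRECTORY):
        print(change)
```

Because the plan is computed before anything is written, an approver or a log can record which DN a given SAP ID was linked to.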
Hi Sriram / Prasant
I have a question on LDAP search and provisioning. We are unable to search users in our MS AD 2003 when we specify our root domain as the base entry and port 389 (default port) in the LDAP server configuration. Port 389 only allows you to search users if you enter OUs in the base entry. Also, we are not able to provision AD groups to users in different AD OUs. AD group provisioning only works if the user and AD group exist in the same AD OU.
Thanks
Anthony