
"Correct" way to sync LDAP attributes to ABAP Application

Former Member
0 Kudos

All,

I am trying to determine the best practice on how to sync end user attribute information from a LDAP system of record to multiple ABAP systems that are connected to SAP IDM.  I have reviewed the SAP IDM documentation but have not found anything regarding attribute sync to SAP ABAP/Business Suite apps.  Here's the scenario along with the pertinent details:

  1. Objective: Sync the givenName stored in corp LDAP to multiple ABAP/Business Suite clients connected to SAP IDM.
  2. SAP IDM version is 7.2.0.0.  Upgrading to a later version such as SP 8 or 9 is not in the cards because of client limitations.
  3. Initial loads to LDAP, ABAP and Business Suite clients have been set up and all run successfully.
    • Confirmed that givenName value stored in LDAP is successfully written to MX_FIRSTNAME value.  Correct data for end user appears in SAP IDM portal.
    • AccountName<SAP_REPOSITORY> fields for SAP clients set on MX_PERSON record.  I see the associated privs for the target SAP systems on the MX_PERSON record so I know that everything is correctly joined to our target SAP/ABAP systems.
  4. Problem: Initially, when the MX_FIRSTNAME field was updated in the IDM portal the change was not sent to the ABAP/Business Suite targets.  The same holds true with LDAP updates.  If the givenName was updated in LDAP, or changed in portal and now out of sync with LDAP, the MX_FIRSTNAME value was successfully updated when re-running the LDAP initial Load job but still no updates were triggered to the connected ABAP systems.
  5. Work Around: I was able to get the MX_FIRSTNAME changes to flow to one ABAP system by updating the MX_FIRSTNAME schema attribute setting and updated the events setting for "Modify" to call task "359/Update ABAP" user.  To make it work, I had to go into task "359/Update ABAP" and explicitly set the repository value to an ABAP target.
  6. I clearly see that the work around will not be able to sync MX_FIRSTNAME to other connected ABAP applications.  My question is, how have others successfully set up attribute sync from a book of record system, or even the IDM portal, to multiple ABAP connected systems?
  7. There is frankly very little SCN documentation regarding ABAP integration, including provisioning, with SAP IDM.  I reviewed the basic sync doc and that was not helpful.

Thanks,

Scott

Accepted Solutions (1)

terovirta
Active Contributor
0 Kudos

Hi Scott,

If you are getting correct data into IdM attributes and the mapping between LDAP, IdM and ABAP is okay, then it's a matter of having the right tasks in repositories and account/system privileges, plus having the right attributes defined as the system privilege's modify trigger attributes.

If I understood correctly, your attribute event tasks are triggering the Modify ABAP user? You should inactivate them and define the attributes that trigger the change as follows:

Filter for system privileges (by "%:system:%" in Id Stores / Metadata / Privileges in the left pane in MMC) and set the attributes for each privilege:

The provisioning/deprovisioning tasks should be set to none for system privilege but the modify is set to inherited (inherited from repository). The two tasks are set to none as the system privilege is assigned to the user at the end of user creation (I guess to mark that the user has been created to target system) and no further tasks should be triggered.

If you created your repositories with the wizard, all the repository tasks should be correct.

7.2.0.0 sounds like a ramp-up version.. Are you using SQL Server or Oracle?

regards, Tero

Former Member
0 Kudos

Thanks for the quick reply Tero.  We are using SQL Server.  I will review your suggestions and let you know how it goes.  Also, do you know of any specific documentation that illustrates best practices around ABAP account provisioning via IDM business roles?

I have reviewed the SCN guide for IDM provisioning, but there is nothing from an ABAP/Business Suite perspective.  I have also reviewed the configuration guide.  Everything seems to center around provisioning to flat files, which obviously doesn't fit this scenario.

Thanks again,

Scott

former_member2987
Active Contributor
0 Kudos

Scott,

If Former Member says it, you can bank on it!   For the most part you can use the directions for ABAP and ABAP BS interchangeably.  Most implementers choose to use the BS for ABAP systems as it is a little more flexible and works better for sub-type 105 updating.

But the simple answer is that once the attributes are associated with the repository correctly all systems should get updated as you originally assumed.

Matt

Former Member
0 Kudos

Thanks for the confirmation Matt!  SAP, it would be great to have an official SCN document on this!

Scott

former_member2987
Active Contributor
0 Kudos

Scott,

There was nothing in the Landscape, Operations, or Security documents?  I'm surprised.

Matt

terovirta
Active Contributor
0 Kudos

Scott Eastin wrote:

I have reviewed the SCN guide for IDM provisioning, but there is nothing from an ABAP/Business Suite perspective.  I have also reviewed the configuration guide.  Everything seems to center around provisioning to flat files, which obviously doesn't fit this scenario.

Do you have any specific questions or concerns?

It is really as simple as:

  1. setting the tasks right in privileges
  2. setting the tasks right in repositories
  3. setting the correct attribute to trigger the Modify workflow (Prov Framework / Core / Modify)
  4. setting the attribute map in Create/Modify ABAP user to match your requirements (if there are a lot of changes, create a copy of the task so you don't need to revisit the mapping after an upgrade)
  5. using the "No Master Task" in assigning the account-privilege automatically when the user is assigned a privilege (define this per each ABAP repository)

The initial loads and repository creation wizard should set the points 1-3 and you would only need to do 4-5 (plus verify the points 1-3 in case of provisioning problems).

When the basic technology stuff is in place, then it's a matter of getting the privileges to the users, preferably via business roles (kind of "authorization consultants take over from IdM consultants").

If you're using 7.2.0.0, which sounds like a ramp-up version from early 2011, I would consider an upgrade. My memory is hazy as it was 3.5 years ago, but I think I had some issues with the initial loads not setting correct tasks to privileges, and the no master task didn't work (could be my memory and my "learning curve" from the 7.1 to 7.2 jump also). An upgrade is not necessarily a huge effort, unless you have a lot of custom development that you need to retest.

regards, Tero

Former Member
0 Kudos

Tero, first I really appreciate your prompt and detailed response.  Second, I do not have any specific concerns about the provisioning process at this time.

My main point is that it would be great if there was a SCN guide that specifically addresses how to sync data, as well as provision accounts, to SAP ABAP/Business Suite targets.  There are some good basic guides on working with text files that certainly illustrate some of the basic SAP IDM concepts but nothing that focuses on SAP targets. 

I have found that companies typically implement SAP IDM to manage their SAP landscapes. A highly targeted guide for ABAP/Business Suite apps based on common IDM scenarios would be quite useful to the community in order to quickly realize additional value with their SAP IDM implementations.

Thanks again for all the help,

Scott

former_member2987
Active Contributor
0 Kudos

Scott, that should probably be posted to the SAP IDM Idea Place.

Matt
