on 11-12-2014 2:46 PM
All,
I am trying to determine the best practice on how to sync end user attribute information from an LDAP system of record to multiple ABAP systems that are connected to SAP IDM. I have reviewed the SAP IDM documentation but have not found anything regarding attribute sync to SAP ABAP/Business Suite apps. Here's the scenario along with the pertinent details:
Thanks,
Scott
Hi Scott,
If you are getting correct data into IdM attributes and the mapping between LDAP, IdM and ABAP is okay, then it's a matter of having the right tasks in repositories and account/system privileges, plus having the right attributes defined as the system privilege's modify trigger attributes.
If I understood correctly, you have attribute event tasks triggering the Modify ABAP user? You should inactivate them and define the attributes that trigger change as follows.
Filter for system privileges (by "%:system:%" in Id Stores / Metadata / Privileges in the left pane in MMC) and set the attributes for each privilege:
The provisioning/deprovisioning tasks should be set to none for the system privilege, but the modify is set to inherited (inherited from repository). The two tasks are set to none as the system privilege is assigned to the user at the end of user creation (I guess to mark that the user has been created in the target system) and no further tasks should be triggered.
If you created your repositories with the wizard, all the repository tasks should be correct.
7.2.0.0 sounds like a ramp-up version. Are you using SQL Server or Oracle?
regards, Tero
Thanks for the quick reply Tero. We are using SQL Server. I will review your suggestions and let you know how it goes. Also, do you know of any specific documentation that illustrates best practices around ABAP account provisioning via IDM business roles?
I have reviewed the SCN guide for IDM provisioning, but there is nothing from an ABAP/Business Suite perspective. I have also reviewed the configuration guide. Everything seems to center around provisioning to flat files, which obviously doesn't fit this scenario.
Thanks again,
Scott
Scott,
If Former Member says it, you can bank on it! For the most part you can use the directions for ABAP and ABAP BS interchangeably. Most implementers choose to use the BS for ABAP systems as it is a little more flexible and works better for sub-type 105 updating.
But the simple answer is that once the attributes are associated with the repository correctly all systems should get updated as you originally assumed.
Matt
Scott Eastin wrote:
I have reviewed the SCN guide for IDM provisioning, but there is nothing from an ABAP/Business Suite perspective. I have also reviewed the configuration guide. Everything seems to center around provisioning to flat files, which obviously doesn't fit this scenario.
Do you have any specific questions or concerns?
It is really as simple as:
The initial loads and repository creation wizard should set points 1-3 and you would only need to do 4-5 (plus verify points 1-3 in case of provisioning problems).
When the basic technology stuff is in place, then it's a matter of getting the privileges to the users, preferably via business roles (kind of "authorization consultants take over from IdM consultants").
If you're using 7.2.0.0, which sounds like a ramp-up version from early 2011, I would consider an upgrade. My memory is hazy as it was 3.5 years ago, but I think I had some issues with the initial loads not setting correct tasks to privileges and the no master task didn't work (could be my memory and my "learning curve" from the 7.1 to 7.2 jump also). An upgrade is not necessarily a huge effort, unless you have a lot of custom development that you need to retest.
regards, Tero
Tero, first I really appreciate your prompt and detailed response. Second, I do not have any specific concerns about the provisioning process at this time.
My main point is that it would be great if there was an SCN guide that specifically addresses how to sync data, as well as provision accounts, to SAP ABAP/Business Suite targets. There are some good basic guides on working with text files that certainly illustrate some of the basic SAP IDM concepts, but nothing that focuses on SAP targets.
I have found that companies typically implement SAP IDM to manage their SAP landscapes. A highly targeted guide for ABAP/Business Suite apps based on common IDM scenarios would be quite useful to the community in order to quickly realize additional value with their SAP IDM implementations.
Thanks again for all the help,
Scott
Scott, that should probably be posted to the SAP IDM Idea Place.
Matt