on 01-21-2015 4:25 PM
Hello,
I had a question around the LDAP sync. Currently we have parameter 2050 set - Enable Realtime LDAP Search for Access Request User. My thought is that if we have this set, we do not need to run a resp LDAP sync since it's searching in real time. Correct? I never understood if you need to sync the LDAP or not.
We are having an issue though... Our AD admin is locking users' LDAP accounts before the SAP security team can go into GRC, search the users and submit a terminate / lock request. Since the account is locked, the team cannot search the account in GRC. If I run a nightly sync job, will it store all the LDAP accounts locally in GRC? So if the account is locked in AD, the team will still be able to search for it.
If I use the sync, do I turn off 2050, or can I have them both set?
Thanks!
Kyle
Hi Kyle,
I would suggest 3 ways of handling this situation:
1. Can locking of AD accounts be done after the user is locked in SAP?
As I understand it, most organizations remove all the access from all the internal systems and then finally lock the AD account.
2. If that can't happen, then you might have to set the parameter 2050 value to No and do a regular sync of users with LDAP (then it won't do a dynamic search for the user from LDAP) to avoid inconsistency, and Security can log in to GRC to terminate the user in SAP even after AD accounts are locked.
3. Follow Filip's idea of making LDAP the secondary or subsequent data source.
Let me know if this helps.
Regards
Pradeep
Hi Kyle,
First, parameter 2050: yes, if you set it to Yes the application searches for users in LDAP in real time; just make sure you have specified the user data source as LDAP, otherwise the application will ignore this parameter. This impacts performance as the search is real-time; we had to extend timeouts and had a couple of performance issues on the project, but our LDAP was big (50k users).
If this is turned off, the application searches the local user repository (depending on how often you synchronize the data). It may work as you want, since the GRC admins will still have time to do a global lock.
Another idea (needs to be validated) I have for your situation is to put the SAP system first in the sequence for user search and LDAP second.
If the system finds a user in SAP ECC, it will let you create the access request.
If the user does not exist in SAP ECC, the system will look in LDAP for a user account to be updated.
Filip