Does GRC 10/10.1 pull the users, without sync, from LDAP/AD?

Former Member
0 Kudos

Hi All,

All new users in my org. get added to LDAP/AD first. So, thereafter I create new users in plug-in systems. So, in the access request, while creating a new id, I will search for the user id. So, could you suggest if sync from LDAP/AD is required to find this user id in search?

If so, I think it would be through the Rep. Sync job, with Connector as the RFC Name defined for LDAP/AD.

Regards

Plaban

Accepted Solutions (1)

madhusap
Active Contributor
0 Kudos

Hi Plaban,

There is no need to perform User Synch for LDAP/AD users, as the search happens in real time during request creation and fetches details from LDAP/AD.

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

Suppose I do not want real-time fetch from LDAP, then how do I do it? Also, I think, for New/Change/any user access request, only if the user is in the GRACUSER table will it appear in search.

Could you kindly let me know where the option is to make LDAP search real-time? On a gentle note, the parameter 2051 is for validation against search data sources, as per SPRO->..->Maintain Data Sources Configuration. But this validation will be done while trying to submit a request, and not while searching for a user before creating a request.

Regards

plaban

madhusap
Active Contributor
0 Kudos

Hi Plaban,

Have your Search Datasource and User Details Datasource as LDAP/AD.

Set up 2051 parameter as YES

Don't run Repository Object Sync for LDAP/AD

Once you have the above configuration, try to search for the users from LDAP/AD which will be real-time.

May I know why you want your datasource as LDAP but don't want search to be real-time?

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

I am not talking about validation. So, let us not include 2051 here. I am only doing a search for the field User in a request (to be created).

As you can understand, I cannot add a new user in LDAP on my own. But I tested by creating a user id in the GRC system itself, and I did not run the Rep. Sync job. Now, User search should show this id, as I have set User Search Data Source as GRC. But it did not.

Then, I ran the Rep. Sync job, and now search shows the id. So, does it not prove that user search in the Access request form (and not others such as Access Control Owner) is from table GRACUSER?

Regards

plaban

madhusap
Active Contributor
0 Kudos

Hi Plaban,

You can ignore 2051 parameter for now as your query is more on SEARCH.

Yes, your understanding is correct. For ABAP systems you need to run repository object sync, and user details are fetched from the GRACUSER table.

For LDAP/AD there is no need to run repository sync, and user details are fetched in real time from LDAP.

Create one user who is in LDAP in your GRC system and then set your User Search and Details datasource as GRC (Sequence 1) and LDAP (Sequence 2) and perform Rep.Obj sync only for GRC system and not for LDAP.

Now search for this user who is in both LDAP and GRC and check that user details fetch both LDAP and GRC details, where user details from GRC are fetched from the GRACUSER table and user details from LDAP are fetched in real time.

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

Thanks a lot for your efforts.

I further tested with another (other than GRC) ABAP system as User search and User detail Data Source. I created the same new id both in the other ABAP system and in GRC, and ran the Rep. Sync job from GRC, but not for the other ABAP connector. Now, search does not show the new ids. So, this means that user search does not take place from the GRACUSER table, but from GRACUSERCONN.

This means search fetches user ids from GRACUSERCONN for that system which is set as user data source.

Regards

Plaban

madhusap
Active Contributor
0 Kudos

Hi Plaban,

Please check the note below for a clear understanding of how data is stored and fetched from GRACUSER and GRACUSERCONN:

2027447 - GRC 10.0: Tables GRACUSER and GRACUSERCONN explained

Regards,

Madhu.

Former Member
0 Kudos

Hi Madhu,

I have only 1 sequence, and therefore the note does not hold good for my tests. It does not state the search source for Access request. It only says that there will be only one entry for a user in GRACUSER, depending on the priority of the Data Source Configuration.

Regards

Plaban

madhusap
Active Contributor
0 Kudos

Hi Plaban,

To make things clear assume:

User Search Data Source as ECC

User Details Data Source as ECC

Now you have run Rep Object Sync for ECC. Both GRACUSER and GRACUSERCONN will have entries for the user.

Now User Details for the user you are searching are fetched from GRACUSER table.

Assume that the same user exists in the GRC system and you have run the Rep. Synch job for the GRC connector. Now the entry for the user in GRACUSER with the ECC connector will not get replaced, though the latest Rep. Object Synch you have run is for system GRC.

This is because you have mentioned ECC as Datasource in SPRO -> Data source configuration, and hence it takes priority and User vs ECC is not replaced in GRACUSER.

Hence the user details are fetched from the GRACUSER table.

Note: You need to run Rep Object Sync for ABAP connectors which you wanted to use as Datasource, but for LDAP/AD there is no need to run the Rep Object Synch job.

Regards,

Madhu.

Answers (1)

Former Member
0 Kudos

Hi All,

Could anyone suggest on this?

Regards

Plaban