IDM 8.0 ABAP initial load changes passwords

oktay_simsek2
Explorer
0 Kudos

Hi,

I have set two repositories for ABAP-specific application servers.

I ran the first initial load job; there was no problem. All users synced to IDM.

Then I ran the second initial load and realized that some updateABAPuser tasks were running in parallel and changing the users in the first system.

In the system I see that some users' passwords and some other attributes were changed.

Why does it change the users? If the user name exists in another system, does it try to make the user have similar attributes?

How can I run initial load job without changing the users?

Thanks for your help.

Best regards

Oktay

Accepted Solutions (1)

jaisuryan
Active Contributor
0 Kudos

Hi Oktay,

Yes, when you run the initial load for the second ABAP system, the job will create users if they were not already available in the IDM database, else modify the attributes of existing users.

If you want to run initial load of second system then you can select option like below, in all the lines of write passes so that existing attributes are not updated.

Kind regards,

Jai

oktay_simsek2
Explorer
0 Kudos

Hi Jai,


I have changed the IDM WriteAbapUsers pass as you mentioned and it is described in the below link.

http://help.sap.com/saphelp_nwidmic_80/helpdata/en/1c/6af73b7ecb4b4986b0a20006f59878/content.htm?fra...

I ran the initial load job for a new system and it started to change the users in other systems again.

During initial load, if users exist in IDM, it changes these users in the systems where it has been synced before.

How can I prevent the initial load from updating the users in other systems?

Thanks and best regards

Oktay

jaisuryan
Active Contributor
0 Kudos

Hi Oktay,

Did you add the period in just the WriteAbapUsers pass or, as I said, in all WriteAbapUsers* passes? Specifically the WriteABAPUserCompanyAddressAssignments pass.

As mentioned in the document, if there are any attributes for which your second system is the "Leading system" and you do not set the period (.) for those attributes, then IDM will trigger the update users task for other target systems if that attribute is set as a trigger attribute for that system.

1) Copy the initial load job of 1st target system, disable all the passes except "Create System Privilege" and "Create ABAP Account Privilege" and run once. This will set MX_MODIFYTASK = -1 for your system and account privs of 1st ABAP system and hence no updates to target system will be triggered. Then, disable these two passes as well.

2) Run the initial load of 2nd ABAP systems with Period (.) in all writeABAPusers* passes

3) Then, enable the pass "Add triggers to ABAP Account Privilege", "Add triggers to System Privilege" and "Update System Privilege trigger attributes" in 1st job and run once.

Kind regards,

Jai

oktay_simsek2
Explorer
0 Kudos

Hi Jai,

Thanks again for all your help.

ABAP initial loads work perfectly without touching other systems.

I ran the HANA initial load and it also touched some users in the ABAP systems.

Again, these users were already in ABAP and synced to IDM.

How can I prevent this for HANA? Should I do all the passes the same way as we did for the ABAP initial load?

Best regards

Oktay

jaisuryan
Active Contributor
0 Kudos

Hi Oktay,

I have never used the HANA initial load to date, but I would assume it should work very similarly to other load jobs. No matter the job type, a dot '.' before attributes should restrict IDM from updating that attribute on users if they are already available. Please post if that worked for the HANA load as well so that others in the community can benefit too. Cheers.

Kind regards,

Jai

Answers (1)

jaisuryan
Active Contributor
0 Kudos

Furthermore, decide on your source system (source of truth) for the IDM landscape. It is best to initial load users and their attributes only from the source system. Then run delta loads from other systems only to sync the roles/profiles/company address and assignments to users.

Kind regards,

Jai

oktay_simsek2
Explorer
0 Kudos

Hi Jai,

Thanks for your reply; however, in the ABAP package I can see the initial load, reset delta and provision company addresses to ABAP repositories jobs. Reset delta doesn't load the user data into IDM. What do you mean by "run delta loads"?

Best regards

Oktay

jaisuryan
Active Contributor
0 Kudos

Hi Oktay,

Sorry, ignore my last reply. Please use "." (dot) in the write passes of your initial load job and it should solve the problem for you.

After you have run the initial load job once for all your target systems, create and schedule an update job as per the documentation.

Creating an Update Job - SAP Identity Management Configuration Guide - SAP Library

Thanks,

Jai

oktay_simsek2
Explorer
0 Kudos

Hi Jai,

Thank you very much for your replies.

Best regards

Oktay