on 06-10-2015 3:11 PM
Hi,
I have set up two repositories for ABAP-specific application servers.
I ran the first initial load job; there was no problem. All users synced to IDM.
Then I ran the second initial load and realized that some updateABAPuser tasks were running in parallel and changing the users in the first system.
In the system I see that some users' passwords and some other attributes were changed.
Why does it change the users? If a user name exists in another system, does it try to make the user have similar attributes?
How can I run the initial load job without changing the users?
Thanks for your help.
Best regards
Oktay
Hi Oktay,
Yes, when you run the initial load for the second ABAP system, the job will create users if they are not already available in the IDM database, or else modify the attributes of existing users.
If you want to run the initial load of the second system, then you can select the option like below, in all the lines of the write passes, so that existing attributes are not updated.
Kind regards,
Jai
Hi Jai,
I have changed the IDM WriteAbapUsers pass as you mentioned and as it is described in the link below.
http://help.sap.com/saphelp_nwidmic_80/helpdata/en/1c/6af73b7ecb4b4986b0a20006f59878/content.htm?fra...
I ran the initial load job for a new system and it started to change the users in other systems again.
During the initial load, if users exist in IDM, it changes these users in the systems where they have been synced before.
How can I stop the initial load from updating the users in other systems?
Thanks and best regards
Oktay
Hi Oktay,
Did you add the period in just the WriteAbapUsers pass or, as I said, in all WriteAbapUsers* passes? Specifically the WriteABAPUserCompanyAddressAssignments pass.
As mentioned in the document, if there are any attributes for which your second system is the "Leading system" and you do not set the period (.) for those attributes, then IDM will trigger the update users task for other target systems if that attribute is set as a trigger attribute for that system.
1) Copy the initial load job of 1st target system, disable all the passes except "Create System Privilege" and "Create ABAP Account Privilege" and run once. This will set MX_MODIFYTASK = -1 for your system and account privs of 1st ABAP system and hence no updates to target system will be triggered. Then, disable these two passes as well.
2) Run the initial load of 2nd ABAP systems with Period (.) in all writeABAPusers* passes
3) Then, enable the pass "Add triggers to ABAP Account Privilege", "Add triggers to System Privilege" and "Update System Privilege trigger attributes" in 1st job and run once.
Kind regards,
Jai
Hi Jai,
Thanks again for all your help.
ABAP initial loads work perfectly without touching other systems.
I ran the HANA initial load and it also touched some users in ABAP systems.
Again, these users were already in ABAP and synced to IDM.
How can I prevent this for HANA? Should I do all the passes the same as we did for the ABAP initial load?
Best regards
Oktay
Hi Oktay,
I have never used the HANA initial load to date, but I would assume it should work very similarly to other load jobs. No matter the job type, a dot '.' before attributes should restrict IDM from updating that attribute on users if they are already available. Please post if that worked for the HANA load as well so that others in the community can benefit as well. Cheers
Kind regards,
Jai
Furthermore, decide on your source system (source of truth) for the IDM landscape. It is best to initial load users and their attributes only from the source system. Then run delta loads from other systems only to sync the roles/profiles/company address and assignments to users.
Kind regards,
Jai
Hi Oktay,
Sorry, ignore my last reply. Please use "." (dot) in the write passes of your initial load job and it should solve the problem for you.
After you have run the initial load job once for all your target systems, create and schedule an update job as per the documentation.
Creating an Update Job - SAP Identity Management Configuration Guide - SAP Library
Thanks,
Jai