cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

updating user changes in ABAP source after initial load

Go to solution
rondv
Advisor
Advisor

on ‎06-15-2015 11:01 PM

0 Kudos

Hi,

I'm on NW IDM 7.2 SP9 latest patch level.

I've got a test NW AS ABAP 7.40SR2 with two clients (100 and 110) which are connected to repositories in the IDM system.

I've run initial load jobs from SAP Provisioning Framework Version 2 (PFv2) for each client.

The initial loads write the SAP* and DDIC users into the IC DB without issues, even though of course the last names of these users are not available. When looking at the users in the IDM UI I can verify the lastname is empty.

Now I want to run an user update job, with the scenario in mind that the ABAP system could have had changes to the assigned user profiles.

When I make a new job with the wizard, use the initial load as a template, and then disable all the passes in there but for the ReadABAPUsers and WriteABAPUsers and WriteABAPUsersRolePrivilegeAssignments and WriteABAPUsersProfilePrivilegeAssignments jobs, I expect the job to update the users for that repository in IDM with the new profiles that are in the ABAP system for these users. I know this goes against standard practices of not changing the user accounts anymore in the ABAP system once you've done the initial load job and driving that from IDM only thereafter.

However, what I see now in my job logs is errors on the writing of the SAP* and DDIC users as they have no last names.

Does anyone know why that happens? Why did this work in the first initial load job run, and now it fails when I do an update run? Do I need to make modifications to the destination params of the write steps (if yes, where and how)? Do I need to make additional steps to skip updates if SPA* or DDIC are being updated? How?

Just curious. My generic update run as per standard documentation for the client specific roles and profiles work fine, but that way of course I don't get any changes made to the roles/profile assignments of the users in the ABAP systems anymore once they are made after the initial run.

Do we really need to go to a binary mode where we cannot allow anymore changes to user settings once the ABAP system has been initially loaded to IDM?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

jaisuryan
Active Contributor
‎06-16-2015 12:24 AM
0 Kudos

Hi Ronald,

I do not know the best practise but I usually don't prefer reading/writing/managing non-dialog users in/using IDM.

I do this by using filters in read pass when I initially load the users from SAP systems. You can mention filter like below, to read only dialog users in your update job.

Kind regards,

Jai

Show replies
Show replies
rondv
Advisor
Advisor
‎06-16-2015 1:42 AM
0 Kudos

Jay, that may be where I need to go. I have found some information on filters in posts relating to reading tables from a NW AS ABAP for another thing I am researching, but the topic sort of came out of nowhere. Where is this filtering documented for reading from ABAP tables with JCO?

rondv
Advisor
Advisor
‎06-16-2015 1:51 AM
0 Kudos

Ah, found OSS note 1398976 - SAP IDM: Filter definition for initial load of ABAP entities!

Answers (0)

Ask a Question