on 06-15-2015 11:01 PM
Hi,
I'm on NW IDM 7.2 SP9 latest patch level.
I've got a test NW AS ABAP 7.40SR2 with two clients (100 and 110) which are connected to repositories in the IDM system.
I've run initial load jobs from SAP Provisioning Framework Version 2 (PFv2) for each client.
The initial loads write the SAP* and DDIC users into the IC DB without issues, even though of course the last names of these users are not available. When looking at the users in the IDM UI I can verify the lastname is empty.
Now I want to run a user update job, with the scenario in mind that the ABAP system could have had changes to the assigned user profiles.
When I make a new job with the wizard, use the initial load as a template, and then disable all the passes in there but for the ReadABAPUsers and WriteABAPUsers and WriteABAPUsersRolePrivilegeAssignments and WriteABAPUsersProfilePrivilegeAssignments jobs, I expect the job to update the users for that repository in IDM with the new profiles that are in the ABAP system for these users. I know this goes against standard practices of not changing the user accounts anymore in the ABAP system once you've done the initial load job and driving that from IDM only thereafter.
However, what I see now in my job logs is errors on the writing of the SAP* and DDIC users as they have no last names.
Does anyone know why that happens? Why did this work in the first initial load job run, and now it fails when I do an update run? Do I need to make modifications to the destination params of the write steps (if yes, where and how)? Do I need to make additional steps to skip updates if SAP* or DDIC are being updated? How?
Just curious. My generic update run as per standard documentation for the client-specific roles and profiles works fine, but that way of course I don't get any changes made to the roles/profile assignments of the users in the ABAP systems anymore once they are made after the initial run.
Do we really need to go to a binary mode where we cannot allow any more changes to user settings once the ABAP system has been initially loaded to IDM?
Hi Ronald,
I do not know the best practice, but I usually don't prefer reading/writing/managing non-dialog users in/using IDM.
I do this by using filters in the read pass when I initially load the users from SAP systems. You can mention a filter like below, to read only dialog users in your update job.
Kind regards,
Jai