
Automatically synchronize IdM with systems

youssef_anegay3
Explorer
0 Kudos

Hello

I have searched in the forum, but did not find the right answer to my question. And I am sorry if it exists and I did not see it.

We have IdM connected to several ABAP/HANA/Java systems. When we create the repositories, we run the initial loads.

But in the systems we keep creating new roles. What are the best practices to update IdM with the new modifications? Do I have to schedule all initial loads to run regularly every day?

Thanks for your answers and help

Y.

Accepted Solutions (1)


jaisuryan
Active Contributor
0 Kudos

Hi Youssef,

You will have to create and schedule an update job that writes new roles into IDM. This job is a copy of the initial loads with only the relevant passes enabled. The link below provides the information required to set up the job.


Using an Update Job for Reading New Privileges and New Company Addresses - SAP Identity Management C...


Kind regards,

Jai

youssef_anegay3
Explorer
0 Kudos

Hi Jai

Thanks for your answer... that is exactly what I was looking for... The page is for IdM 8.0. I guess it is the same for 7.2, no?

BR

Y.

jaisuryan
Active Contributor
0 Kudos

Hi Youssef,

Yes, it should be the same.

Anyway, it is documented by SAP for 7.2 as well.

Using an Update Job for Reading New Privileges and New Company Addresses - SAP NetWeaver Identity Ma...

Kind regards,

Jai

youssef_anegay3
Explorer
0 Kudos

Excellent! Thanks!

youssef_anegay3
Explorer
0 Kudos

I have one more question though... I do not quite understand why I should set the triggers for the privilege in the write tasks to {D}... why not just leave the "-1" as it is by default?

peterwass
Explorer
0 Kudos

If I recall correctly, {D} sets it to 'inherited' and -1 sets it to none. It's very early in the morning, so it may be the other way round.

In most cases, inherited is good as it lets you set things on the repository.

Peter

terovirta
Active Contributor
0 Kudos

The tasks on the privileges are attributes in Id Store, so the {D} maps to one of the attribute operators, -1 stands for the attribute value for none.

When the privileges are created in the Initial Load, all tasks are set to -1, as the users are also read from the target and existing privileges are assigned to users. This is done to prevent reprovisioning from taking place. If the privileges had "live" tasks set, then once the privilege is assigned to the user, IdM would trigger the provisioning workflow.

In the Update Job you don't have to set the tasks to -1 unless you're also touching users. You can set all tasks (add/del member, validate add/del, provision/deprovision) to inherited with {D} and set the modify task to -1 (as you don't want all the privileges triggering the modify workflow, only the system privilege).

regards, Tero

youssef_anegay3
Explorer
0 Kudos

Thanks Peter and Tero for your answers... finally got it ;-). I will set it to {D} then, as mentioned in the documentation. At least for our ECC and APO systems.

But we also have a BPC system. In BPC, there are two layers of authorizations: one in SU01 on the ABAP side and the other directly in the BPC web interface. When we set the rights in the BPC interface, it creates new roles dynamically and assigns them to the user on the ABAP side. In this case, is it wiser to always use initial jobs instead of update jobs?

Answers (0)