MDM and Active Directory

Former Member
0 Kudos

Hi all,

Does anybody have experience with connecting MDM and Active Directory? Our client is considering doing all MDM access authorization through AD. Are there any limits regarding roles and authorizations?

Thanks for your help,

Ingo

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

I have not done this personally, neither have I recommended this approach.

Reason being that you need to manually create an entry in MDM. You cannot simply import the roles and users from AD into MDM. So, this is the way forward - manual import. But, please inform the client that for every user/role modified in AD, it would mean manual modification... so after this it's his choice

Lastly, just a suggestion... in case client plans to use SAP Enterprise Portal, you could automatically import all the roles/users from AD (with auto sync between them). Also, standard Business Package for Portal means you can perform most "non-complex" operations within Portal...

Former Member
0 Kudos

Hi,

Thanks for your help!

We have a portal, but it's just one way to access the MDM repository, and we need to make sure MDM knows about system landscape users in order to manage access for its other clients or the API. Furthermore the client wants to have user management centralized.

Is there any standard way to synchronize/harmonize users, roles, and authorizations throughout the system landscape with NetWeaver?

Kind Regards,

Ingo

Former Member
0 Kudos

Did I get you right? There is no LDAP-synchronization in MDM? In one of my MDM courses I was taught that MDM could manage its access by using an external LDAP-directory.

Thanks.

Former Member
0 Kudos

Hi,

I don't know exactly how to use the LDAP synchronization with MDM but giving you some idea about CCMS.

You can monitor your MDM server and MDM GUI clients with the help of CCMS.

Using this you can monitor processes at the operating system level, monitor any log files, monitor performance of the MDM system using SAPOSCOL, get the list of all repositories of the MDM server, check availability of the MDM server, and see the memory utilised by the MDM server.

The concept of monitoring architecture is that all required information is available in a central monitoring system (CEN) and therefore makes the work of the administrator easier.

You should have authorization to use transaction RZ20 and RZ21 in your R/3 (CEN) system.

You can refer to the following link for installation guides:

https://websmp108.sap-ag.de/installMDM

Go to the operation section; there you can download the installation guides for CCMS Monitoring, named "MDM 5.5 - Monitoring Guides".

Rewards if found useful

Mandeep Saini

Former Member
0 Kudos

Hello Ingo,

Apologies for not making it clear..

MDM can always "look up" to AD (LDAP) for users and their assigned roles, but you cannot import them to MDM. That's what my point was... but even this is true for some versions... check with your vendor or SAP themselves whether for your patch level this is possible..

If the client's need is to use this tool for Single sign on (coz of having same users), this in essence is not feasible as in MDM you will always be prompted for username/password... you cannot bypass that as of now...

This is why Portal comes into picture of having centralized access to SAP Landscape... One of the definitions of "centralized landscape" is to have Single sign on which MDM does not cater to on its own...

So premise is... you can look up the users from LDAP by making changes to MDS.ini file..

Hope this helps..

Edited later: This is what I got from Console guide for SP06

RESTRICTIONS AND LIMITATIONS

MDM Console users do not run under LDAP in the initial release of this functionality. We will review the value of putting MDM Console access under LDAP control at some future time.

LDAP ERRORS AND MDM

Errors that occur due to LDAP failures are returned to the client application. Therefore, you are likely to receive reports from clients when there are problems with your LDAP service.

Please refer to Console guide for more inputs...

Former Member
0 Kudos

Hi,

In our scenario we have multiple SAP and Non-SAP systems, each having its own user management. The client wants to synchronize the user accounts of all systems. Each system should still be able to manage its users, sending updates into the landscape. Is LDAP a solution for this problem?

SSO can be established by using portal I guess, and we are able to use API to access MDM from other systems.

Thanks,

Ingo

Edited by: Ingo Taraske on May 6, 2008 5:03 PM

Former Member
0 Kudos

Hi Ingo,

First of all, try and check what version you are on. If your version does not support LDAP and if SAP can confirm that the next available patches should hold LDAP support, then no issues, you can go ahead with LDAP (bearing in mind the limitations - major one being that you cannot/should not manage users within MDM)..

Just in case there is no commitment from SAP, then I guess use Portal to access MDM. I understand the situation that there might be a multitude of activities planned for MDM, but see if you can mix and match some at the MDM GUI level and portal level... With this approach you can definitely sync users, as Portal also has an LDAP Write functionality wherein if you create a user in Portal, same will happen at LDAP level (vice versa is naturally true). Last but not the least, this is the idea of Portal - one login for all.. Hope the workaround is clear now...

Former Member
0 Kudos

Hi,

Bringing more activities into portal is an option and planned as far as I know. But it's not enough for the solution to only use portal. We still need to support the use of standard transactions in the R/3 systems, harmonizing their master data via MDM. And the client wants the systems' user accounts in sync, that's the requirement.

Thanks for pointing out the possibilities though! It was very helpful.

Kind Regards,

Ingo

Answers (0)