AC 53 IdM Integration Implementation Assistance Guide released in BPX

Hi Everyone,
The first version of AC 53 IdM Integration Implementation Assistance Guide has been released in BPX.  You can find this document directly via this link:
https://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793&overridelayout=true
Thanks!
Ankur Baishya
SAP GRC RIG

Similar Messages

  • GRC -IdM integration (HCM IdM GRC IdM)

    Hi IdM & GRC Gurus,
    We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I don't see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
    I have following questions
    1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
    2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
    3     If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?
    4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
    Regards,
    Anurag

    Hi Joel,
    within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
    Kind regards
    Frank

  • OpenSSO-Sun IDM integration

    Hi All,
    I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, users created in Sun-IDM are provisioned to OpenSSO. Can anyone suggest whether users created in OpenSSO can be provisioned to Sun IDM?
    Also, is there any way to have a password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO can it also be changed in Sun-IDM?
    Best Wishes,
    Aruna

    Hi Frank,
    Thanks for the response,
    1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
    So, we create and provide user credentials to IDM team and they need to incorporate the user credentials when ever they are calling the web services in AC5.3 ?
    For this initial communication happening, what need to be done. Setting up SAP Jco is required in this case? Do we get involved with the configuration/development activity at IDM end?
    I could not find proper documentation on this, this leaves me in what amount of involvement I have to do as a SAP GRC AC5.3 consultant.
    Regards......

  • Implementation/config guide for "Business package for Product"

    Hi,
    I need implementation/config guide for "Business package for Product".
    If anybody has it please send it to [email protected]
    Thanks
    Vinit

    Did u get the same ?
    If u have it can u send it to [email protected]
    thanks

  • Some puzzle for the 'Upgrade Guide: Release 11i to Release 12'

    We are on 11.5.10.2 with 10g db,now we are going to upgrade to R12
    I have done all the pre jobs in the 'Upgrade Guide: Release 11i to Release 12''s character 2 except the 'Prepare for the Upgrade' section.
    In the 'Prepare for the Upgrade's step 3:Step 3 Run Rapid Install (required),it ask me to run Rapid Install wizard
    But i can not understand what use of the action?
    When run rapidwiz,should i close the app and db?or only keep the db running?
    Anyone can help me?
    Thanks!
    Remen
    2007.8.18

    When run rapidwiz,should i install the R12's app to the same dict that the 11i's files locate?
    Sample:
    Before Upgrade the APPL_TOP=/u8/TEST/app/testappl,and the $AD_top=/U8/TEST/app/testappl/ad/11.5.0
    After run rapidwiz,the dict will change to $AD_top=/U8/TEST/app/testappl/ad/12.0.0 automatically?? No need to create the dicts manually??
    Remen
    2007.8.18

  • [svn:bz-trunk] 23048: Update BlazeDS trunk to use Spring BlazeDS integration 1.5.0.RELEASE build .

    Revision: 23048
    Author:   [email protected]
    Date:     2011-10-18 08:34:43 -0700 (Tue, 18 Oct 2011)
    Log Message:
    Update BlazeDS trunk to use Spring BlazeDS integration 1.5.0.RELEASE build. 
    Added Paths:
        blazeds/trunk/apps/samples-spring/WEB-INF/src/spring-samples/src/org/springframework/flex/samples/secured/SecurityHelper.java.UNCOMMENT
        blazeds/trunk/lib/spring/spring-flex-core-1.5.0.RELEASE.jar
    Removed Paths:
        blazeds/trunk/apps/samples-spring/WEB-INF/src/spring-samples/src/org/springframework/flex/samples/secured/SecurityHelper.java
        blazeds/trunk/lib/spring/org.springframework.flex-1.0.3.RELEASE.jar

    The information you provided is totally useless for determining the problem.
    If it helps, I think the message you are getting is related to BlazeDS not being able to find the service class you are calling. You either have a typo somewhere, or you didn't set up a secure channel in your service config (I am assuming you meant SSL and not SSH).

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be  the  leading data source and SAP IDM takes identity information from SAP HCM.  From SAP IDM it will provision into Active directory and other third party systems, Sap systems.
    Here are the questions
    1) How  can we leverage on the investment on Active directory after  SAP IDM -Active directory investment ?  I mean after SAP IDM comes to a landscape,  Active directory will only be used to login to domain and for authentication if for java system Active directory have been set as user data source.  What are the other advantages of Active directory- SAP IDM integration as Active directory will not be leading data source and identity information will be in identity store.?
    2) After the user details are taken from SAP HCM system, will  the user record will be created in SAP IDM on Identity store ?  Is it where we actually assign the SAP IDM business role and the related technical role  to the  user? 
    3) Suppose if we assign a business role " employee " , will IDM actually create user id in all target system and assign all the technical roles? . Or we have to manually select each repository for target system in Identity center and  select the privileges and provision it ?  Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    Only change we have is before approval it should go to GRC AC check all the compliance   and only after that it is approved and it should come back to SAP IDM  .
    I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained.  I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM . Any  specific clues?
    Also  I am describing the exact steps that will follow . Correct me if I am wrong.
    1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
    2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
    3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
    4) Create same user in third party systems  and with the privileges on their target systems as per the business role definition.
    With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    So some other information i wanted is
    1) When you assign business role at work flow,  how exactly SAP IDM  know about the target systems that user should be created and  assigned roles and made their authentication source.
    for eg:- for a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So in work flow when business role employee is assigned how SAP IDM will know that user should be created on to ERP with role X, AD with group Y, Portal with role Z. Can you explain technically along with detail steps? Or how exactly we configure a business role which knows the target systems and their technical roles.
    Thank you once again for the fabulous help . You/Matthew is a tremendous  help in understanding SAP IDM better.

  • Broken link to Oracle9i Database Globalization Support Guide Release 2 (9.2

    http://otn.oracle.com/documentation/oracle9i.html
    broken link to Oracle9i Database Globalization Support Guide Release 2 (9.2)
    http://download.oracle.com/docs/html/A96529_01/toc.htm
    only appear 404 error message.

    Hi Hannuri,
    I am not encountering this issue. Perhaps it has been resolved. Please confirm if you are still having this problem.
    Thanks and regards,
    Les

  • Oracle eMail Server Concepts Guide Release 5.2

    Hi,
    Can anyone suggest me a source from where I can find the literature "Oracle eMail Server Concepts Guide Release 5.2".
    Thanks,
    Srini

    Hi,
    Have a look at this site
    http://otn.oracle.com/documentation/emailserver.html

  • HCM - IDM Integration issues

    Hello Experts,
    I am working on the HCM & IDM Integration and I have done the configurations on HCM & VDS as per the Systems Landscape document.
    When I Run the export query from the HCM, The data is not coming to the staging area.
    I have turned on the Operational log trace and reran the query and found the following is logged in the logs. But it is not of much help to understand why the roll back is happening.
    Could anyone face such kind of error earlier ? Any thoughts on how to proceed further !!
    I am on IDM 7.2 SP7
    Thanks,
    Krishna.

    Hello Deepak,
    Thanks for your reply.
    Yes, I am using PERNR to calculate my MSKEYVALUE. But I believe in the current issue, it is not going to that stage at all.
    1. When we run the extract programme from HCM, VDS first writes the data to HCM_Staging_Area identity store to the MX_HCM_EMPLOYEE entry type.
    2. When this happens, based on the event tasks defined on MX_HCM_EMPLOYEE type attribute, the job "Write HCM Employee To SAP Master" will be triggered where the MSKEYVALUE is calculated and be written to Master ID store.
    In the current scenario,VDS is not writing the data to HCM_Staging_Area at all.
    When examined, the logs I got show entry rejection, as mentioned in the screenshot in my initial post.
    ~ Krishna.

  • Implementation assistant

    Hello Experts,
    what is implementation assistant and solution architect or solman and is it delivered along with SAP standard system? is it possible to work on it  on IDES system
    kavita

    http://help.sap.com/saphelp_47x200/helpdata/en/cb/89f657c27211d28afa0000e828549c/content.htm
    http://help.sap.com/saphelp_sm32/helpdata/EN/ae/64c33af662c514e10000000a114084/content.htm
    http://help.sap.com/saphelp_sm40/helpdata/en/45/51fbdbd4941803e10000000a1553f7/frameset.htm

  • Can we implement workflow for release strategy in 4.7

    can we implement workflow for release strategy in 4.7 for PO's please provide some documents.

    HI,
    Check the links
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30c81e21-cd00-2c10-bbba-edb8ce4961be?quicklink=index&overridelayout=true
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70fef212-b6cb-2c10-e085-c84b80d7068e?quicklink=index&overridelayout=true
    Regards
    KK
    Edited by: Kishore Kumar Galla on Mar 19, 2010 3:40 PM

  • Implementation Assistant and ASAP Roadmap

    Hi all,
    We are in the project preparation phase, can anybody let me know how can I use the Implementation Assistant and ASAP Road Map in defining the scope of the BW project and to prepare the Blueprint.
    Or can anybody tell me is there any other tool which can be used to prepare the scope of the project and blueprint based on the requirements.
    Thanks and regards
    Chandrashekara Vijaykumar

    Vijay,
    the implementation assistant or the ValueSAP tool is a utility that helps you manage the project documentation. ASAP will give you templates , but I am not sure if there is any tool that would convert your requirements into the blueprint or scope.
    ASAP templates will be a good thing to start with and you can have a good overview of the steps involved in the projects via the implementation assistant.
    My 0.02
    Arun

  • IDM/OID upgrade assistant (UA) failed in the examination - on 11.1.1.2

    Does anyone have problem upgrading Oracle Identity Management/OID from 10.1.2.3 to 11.1.1.2 on Linux SUSE-10 64-bit?.
    1. Upgrade Oracle seed DB 10.1.0.5 32-bit to 10.2.0.4 64-bit. Using DBUA - OK, no problem.
    2. Started AS 10.1.2.3 Infrastructure - IDM/OID/Metadata Repository and Middle Tier - Portal/Forms/Reports/Discoverers - OK, No problem.
    3. Installed Weblogic 10.3.2 - OK, No problem.
    4. Installed NEW 11.1.1.2 IDM/OID components OID and DIP only - OK, No problem.
    5. Run ua (upgrade assistant) to upgrade OID to 11.1.1.2 and got error - Examination OID failed. UA stopped.
    Installed 64-bit Fusion Middleware IDM/OID - Probably this is the problem?.
    Have not tried the 32-bit Fusion Middleware IDM/OID yet.
    Had a SR opened with Oracle Support and have no solution yet.
    Follow the instructions from:
    Oracle® Fusion Middleware Upgrade Guide for Oracle Identity Management
    11g Release 1 (11.1.1)
    Part Number E10129-02
    ***** Error in OID oidctl.log *****
    [2010-04-28T13:15:24+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: Session ID = 540
    [2010-04-28T13:15:24+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: OracleProcess ID = 16253
    [2010-04-28T13:15:24+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: WARNING: Connected to incorrect OID base schema version, (version=10.1.2.3.0).
    WARNING: OID server (version 11.1.1.2.0) is now operating in read_only mode
    [2010-04-28T13:15:24+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: WARNING: Connected to incorrect OID base schema version, (version=OID 10.1.2.3.0).
    WARNING: OID (version 11.1.1.2.0) is now operating in read_only mode
    [2010-04-28T13:15:24+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:15:34+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:15:44+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:15:54+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:16:04+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:16:14+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:16:24+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:16:34+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:16:44+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    [2010-04-28T13:16:54+00:00] [OID] [NOTIFICATION:16] [] [] [host: csnbia21] [pid: 16251] [tid: 0] OIDCTL:: oidctl: Waiting for oidmon to start OIDLDAPD (instance=1)
    ***********************************************************************************

    Hi Milan,
    take a look to "Oracle Database Data Cartridge Developer's Guide" [http://docs.oracle.com/cd/E11882_01/appdev.112/e10765/dom_idx.htm#autoId50] (here is the 11g rel2 version but is the same with 9i)
    Domain Indexes and SQL*Loader
    SQL*Loader conventional path loads and direct path loads are supported for tables on which domain indexes are defined, with two limitations:
    -The table must be heap-organized.
    -The domain index cannot be defined on a LOB column.
    To do a direct path load on a domain index defined on an IOT or on a LOB column, perform these tasks:
    -Drop the domain index
    -Do the direct path load in SQL*Loader.
    -Re-create the domain indexes.
    doesn't seem to be possible to use "direct path method" with spatial (domain) indexes
    i hope for you that there is a workaround ...
    good luck,
    CarlT

  • GRC-IDM Integration: missing web-service?

    Hi Experts,
    I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
    However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fatal error:
    uLDAPGetEntry got exception
    javax.naming.NameNotFoundException: [LDAP: error code 32 -
    Couldn't perform DN to Data source mapping]; remaining name '
    After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
    Has anybody gone through this already? Is there a procedure for creating this missing VDS entry or does VDS 7.1 SP3 solve this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
    Any idea would be appreciated!
    Kind regards,
    Jean-Christophe

    Hi ,
    After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of Data sources and web services, therefore solving this integration issue.
    Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if we use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
    Updating the other components from SP2 to SP3 (IC, RT, webdynpro, etc) was not necessary for us to make this provisioning log web-service work, although I think it is better to keep a consistent patch level across the components.
    Kind regards,
    JC
