Authentication Question in SAP IDM 7.1

Hi All,
I am currently working on SAP IDM 7.1. My requirement is to set an authentication question in SAP IDM and enforce it at the first login of the user. Presently I am setting my authentication question answers in the OOB attributes MX_AUTH_Q01 - Q05.
For a first-time login user I am getting the default password change screen; thereafter I need to enforce Set Authentication for every user logging in for the first time. Please suggest if SAP provides any feature like this to set the authentication question at the time of login. Thanks in advance.
Regards
Swati Pandey

Hi Christian,
I have implemented the security question using the same concept, i.e. by limiting access to the process through access control. Now, my requirement is to store a dynamic question in the user profile, i.e. users can store their own custom question/answer. Do we have any such facility in SAP IDM? Presently the auth questions provided are static for each user profile.
Thanks
Swati Pandey

Similar Messages

  • SAP IDM integration in SLD

    Hi there
    One of our customers raised the question whether SAP IDM can be integrated with SLD (System Landscape Directory). Obviously, one of the dispatchers showed up in the SLD one time (maybe during installation).
    best regards
    Matthias

    Hi Billy
    In fact the core components of SAP IDM are not implemented in NetWeaver. They are running on a Windows Server (e.g. the dispatchers). Those are the components we want to register in SLD.
    Only the UI components are running in a NetWeaver AS Java, but this one is already in SLD.
    best regards
    Matthias

  • IDM Password Reset Authentication Questions

    Hi,
    We are implementing Password Self Service using IDM 7.1. Everything is set up; we have tested and were able to reset passwords for users in the connected target systems. We are now doing some cosmetic changes before going live, like setting up new authentication questions and changing existing questions from IDM.
    In total we have 10 questions and the way we set it is
    Minimum number of validation questions = 5
    No. of questions to show = 3
    No. of answers required = 3
    After setting all 10 questions, I took a new test ID which had never been set up with a profile, set its profile with 5 random question answers out of the 10 and saved it, went back to /idm/pwdrest and entered the unique ID (which is the user ID), and the 3 challenge questions it showed were not the ones I had set my answers to.
    Why is it prompting questions for which I have not set answers?
    Can anyone tell me if I am missing any config when creating these attributes, or is this the way IDM works?
    Thanks.

    Greetings,
    It has been my experience that the system will show any of the available questions when a user has not had any answers set. Sometimes, there is a disconnect with the Unique ID entered and the user ID stored in the identity store and it just cannot find the stored answers. As long as the additional question attributes you created follow the existing convention, they should be fine.
    I would start by looking at which question attributes you have committed for the user and which ones show in the pwdreset task screen for the user. You can also run the guided task several times with the same ID to see which rotation of questions appears and whether it is going through all 10 or only a certain subset.
    Do you have a self-service task configured to set the question answers?
    Thanks,
    Jared

  • SAP IDM 7.2 Questions

    Hi,
    I just recently started with SAP IDM and have a few questions; maybe someone has the time to explain. Thanks in advance!
    - What is VDS (Virtual Directory Server) for? I can write directly into AD; why another target system?
    - If I create a Role in Identity Center for testing, it is available on the IdM portal http://localhost:50000/idm but not in /useradmin or Umeadmin?
    - Repositories: does it matter in which repository I upload (CSV import) users? I have multiple repositories and don't understand the exact purpose of a repository.
    - Org Units: how can I create Org Units and assign roles for inheritance? Is this only available on a NetWeaver AS ABAP installation? (I installed AS Java.) According to this link: Indirect Role Assignment Using Organizational Management (OM) - Identity Management - SAP Library
    Thanks, Patrick

    Hi Patrick,
    here are some answers:
    The main purpose of VDS is to be an interface INTO IdM. It is an LDAP interface to the data stored in the IdM database. It allows you, for example, to search, read, write and authenticate against IdM data via the LDAP interface.
    IdM has its own UI (http:host:port/idm). You are not supposed to see business roles in the useradmin of the J2EE. They are objects known to IdM, not to the J2EE.
    Repositories are objects representing mostly a source or target system. For example, AD could be a source system where you get users from. An ABAP client can be a target system where you provision users to. Uploading users is just a way of creating users that you cannot get from some other source system like HCM, AD or ABAP. It depends on your scenarios and user life cycle where you get your user information from (source system) and where you provision to (target system).
    The link you shared regarding the org units is not really related to IdM as a product. If you do some automatic assignments in ABAP directly, you might need to reconcile with IdM. IdM is supposed to be a central user administration tool. If you have information about org units in IdM and want to use it to automatically assign authorizations, you can do that, for example, by using dynamic groups.
    IdM is a very powerful tool opening a lot of possibilities, as you can basically implement every requirement if you only have the required information available somewhere. It might be helpful for you to have someone answer all your questions and help you solve your requirements in the best way in the beginning, enabling you to use it in the most efficient way.
    Regards
    Norman

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory, other third-party systems and SAP systems.
    Here are the questions:
    1) How can we leverage the investment in Active Directory after the SAP IDM - Active Directory integration? I mean, after SAP IDM comes to a landscape, Active Directory will only be used to log in to the domain and for authentication if Active Directory has been set as the user data source for a Java system. What are the other advantages of Active Directory - SAP IDM integration, as Active Directory will not be the leading data source and identity information will be in the identity store?
    2) After the user details are taken from the SAP HCM system, will the user record be created in SAP IDM in the identity store? Is it where we actually assign the SAP IDM business role and the related technical role to the user?
    3) Suppose we assign a business role "employee": will IDM actually create the user ID in all target systems and assign all the technical roles? Or do we have to manually select each repository for the target system in Identity Center, select the privileges and provision it? Will there be any automated feature so that after assigning the business role to an identity in the identity store, users and roles get automatically provisioned to all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    The only change we have is that before approval it should go to GRC AC to check all the compliance, and only after that is it approved and should come back to SAP IDM.
    I am actually looking for a tutorial which shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial, and I want to know how we can configure this in SAP IDM. Any specific clues?
    Also, I am describing the exact steps that will follow. Correct me if I am wrong.
    1) User ID will be created in AD with the same user name and password as in the identity store. AD groups will be assigned.
    2) Create the same user in Portal, make the user data source AD and assign the technical Portal role as per the business role definition.
    3) Create the same user in all ABAP systems, set the ABAP database as user data source and assign the technical role needed as per the business role definition.
    4) Create the same user in third-party systems with the privileges on their target systems as per the business role definition.
    With this, provisioning stops. I suppose all the above steps will be done automatically by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    Some other information I wanted is:
    1) When you assign a business role in the workflow, how exactly does SAP IDM know about the target systems in which the user should be created, assigned roles and given their authentication source?
    For example, a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So in the workflow, when the business role employee is assigned, how will SAP IDM know that the user should be created in ERP with role X, AD with group Y, Portal with role Z? Can you explain technically along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew are a tremendous help in understanding SAP IDM better.

  • SAP IDM 7.0 connecting to SAP GRC 10.1

    Hi Gurus,
    I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
    Could any of you provide some guidance on how to make this connection?
    Thanks and Regards,
    Juan

    If I remember correctly, the 7.0 version had only the mx_provision, mx_deprovision and mx_modify tasks, so the integration would have to be built on these tasks. As there is no validate add task to hang the GRC call on, GRC would have to do the provisioning.
    The 7.0 data model is different from 7.2. I haven't studied it in detail but would guess there is enough difference also in the tables that store tasks/jobs etc. that the 7.2 GRC provisioning framework would not even import into 7.0. You would need to set up a 7.2 on the side to study the framework to see how to duplicate the tasks.
    VDS in the middle is another thing, as it would need to be able to communicate with your custom connector in 7.0.
    If you must stick with 7.0, maybe the GRC connector of 7.1 is worth a try. But you would probably also need an older VDS.
    Depending on the level of your existing customisations and what data from 7.0 is worth keeping, the upgrade to 7.2 is not necessarily a big thing compared to the effort of building the interim custom interface. The real question is: how big and complex is your 7.0 implementation?
    regards, Tero

  • SAP IDM - GRC Integration Scenario Query

    Hello Experts
    I want to understand if the following scenario is possible or not, or if any alternative is available. Please share your thoughts.
    Current Situation:
    SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
    SAP GRC Access Control 10.1
    Both systems installed, configured and connected (web service connection works well)
    Desired scenario:
    Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
    If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
    If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
    Problem:
    In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege is requested for assignment. In our case it's the "AC Validation - Risk Analysis only" task:
    ...and the "AC Validation" task:
    Using the "Risk Analysis only" task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
    That means we can either have a risk analysis only OR we'll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for each privilege assignment and, if a risk is detected in GRC, a mitigation request shall be started in GRC.
    Question:
    How can this problem be solved? Is the desired scenario feasible?
    Thanks a lot in advance.
    Regards,
    Krishna.

    Hi Krishna,
    I suppose "AC Validation - Risk Analysis only" should suffice for your requirement from the IDM side.
    IDM prepares the risk analysis request, submits the request to GRC and processes the output of the risk analysis.
    The rest is to be configured on the SAP GRC side. GRC should receive the request from IDM, perform the risk analysis, create a request for remediation and send the request out to IDM. Did you check with your SAP GRC consultant whether the workflows and WS are correctly configured on the GRC side?
    Kind regards,
    Jai

  • Reg: SAP IDM License

    Hello Experts,
    As I came to know, SAP IDM is free with the NetWeaver license. Can somebody let me know the licensing terms for SAP IDM?
    If I use IDM only for provisioning to SAP systems, would it be free or will there be any license cost?
    And how does licensing differ when we connect IDM with non-SAP systems, i.e. AD?
    Regards
    Deepak Gupta

    Hello Deepak,
    IdM is covered under the main license for the NetWeaver-based product you are installing. There are no additional fees for connecting to non-SAP (or other SAP) systems.
    I hope this helps. If you have further license questions then please open a support incident under the component XX-SER-LAS.
    Best regards,
    Chris
    SAP Active Global Support

  • SAP IDM vs Microsoft Forefront Client(FIM)

    Hi experts,
    Actually my company (Big Company) is planning to implement a tool for Identity Management, but there are a couple of options which we are considering; particularly the last 2 options are SAP IDM and Microsoft Forefront (FIM). But I am not able to find enough information or comparison points that will help me convince my senior management to finally decide on one of these tools.
    I would really appreciate a quick response if someone can explain the comparison points between these 2 tools.
    Thanks
    SAP_Enthu

    Hi All ,
    Just to add to my previous question: currently we already have MS Active Directory and, as per plan, are implementing SAP in almost all areas enterprise-wide with GRC. So with this background, I would appreciate the advantages and disadvantages of SAP IDM 7.1 (might use 7.2 if it comes within the next 3 months as planned) versus MS Forefront IDM (FIM 2010) from a technical, functional, architectural and economic point of view.
    This will help in selecting the best tool among them.
    Thanks
    SAP_Enthu

  • SAP IDM vs SAP GRC

    Hi All,
    One basic question is coming up again and again due to the overlapping features of SAP IDM and SAP GRC. Why is SAP IDM required when almost all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why a customer would choose IDM when he already has GRC?
    1. SAP IDM and GRC can both accomplish access request and provisioning.
    2. SAP IDM and GRC both have the capability of risk management.
    Then why is SAP IDM required?
    Thanks,
    Dhiman Paul.

    Hi Dhiman,
    SAP IDM is more flexible and is Java based (providing excellent customizations). GRC 10 is ABAP based and originally designed for Access Control. As mentioned by Chris, IDM connectors are more flexible than GRC's, and the provisioning workflow is highly variable.
    I'd say if there are quite a number of legacy systems to be connected for the IDM solution, SAP IDM would be a better choice than SAP GRC, as it can be implemented with less cost and customization.
    My simple opinion. There may be other points as well.
    BR,
    Ganesh

  • SAP IDM Connector list

    Hi there!
    So I was looking at the most recent version of the SAP IDM Connector List, and I don't see BI or BOBJ. Can anyone provide best-practice information on connecting to / working with these systems? We are considering leveraging AD for authentication and authorization.
    Please advise.
    Thanks,
    Matt

    AFAIK there is no direct provisioning from IdM 7.2 to BO. In my current project the BO access rights are delivered via AD groups. BI is just an ABAP system.
    It was possible to map the BO access rights against BI privileges. But AD was chosen as that enabled SSO login to BO.
    Your BO/BI/authorization folks should know how the mapping of access rights works.
    regards, Tero

  • SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?

    Hello IDM-experts,
    Where can my customer find information about:
    SAP IDM 7.2: How to set up SSO functionality for the WebUI of CRM and GRC?
    Customer situation description:
    The situation is that we are using SAP IDM 7.2. We are using a functionality to allow our users to access a web page from where they can gain SSO access to the ABAP systems via the SAPGui. See screenshot as an example.
    Now what we want is to access the CRM and GRC WebUI with the same SSO possibility. We cannot find any guide/best practice on how to do this, or whether it is possible via SAP IDM 7.2.
    You can see a web link in the first screenshot, but it does not work. It will ask you for a username and password; see the second screenshot.
    Kind regards,
    Daniela

    Do you know how the SAP GUI SSO is set up? Is it using SNC/Kerberos?
    If it is (I suspect it is), then you will need to use a similar method of authentication for the ICF services. These cannot use SNC since they are accessed via browser, but what you want is possible.
    Thanks
    Tim

  • SAP IDM with MS Active Directory (OU names in Arabic)

    Dear Gurus,
    With SAP IDM, we need to integrate with MS Active Directory in such a way that SAP IDM only fetches users who have "SAP" in one of the AD fields. That means do not read the entire AD, but only fetch users in SAP who have "SAP" tagged in one of the AD fields.
    Is it possible? We tried that in the SAP LDAP connector but it's not possible in the LDAP connector in SAP, as the LDAP connector reads through all the users in our CUA system.
    The question is whether it is possible through SAP IDM that we use something (maybe a BAPI) to restrict users and not read all users, but only users having "SAP" in one of the AD fields.
    Also note that our AD has some OUs named in Arabic.
    Regards,

    If you want to filter this in the ADS Initial Load job then you can modify the repository LDAP Filter:
    (&(objectclass=person)(orgUnit=SAP))
    Replace orgUnit=SAP with your attribute and tag.
    Br,
    Chris
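    Added example, not part of the thread above: a small Python helper that builds the repository LDAP filter Chris quotes, `(&(objectclass=person)(orgUnit=SAP))`, from an attribute name and tag value, escaping the value per RFC 4515 so that a tag containing filter metacharacters or non-ASCII text (such as the Arabic OU names from the question) cannot alter what the initial load job selects. Function names and the sample values are this example's own.

```python
import re

# Attribute descriptions per RFC 4512: a keystring (letters, digits, hyphens,
# optional ';option' suffixes) or a dotted numeric OID. Anything else is rejected
# rather than interpolated into the filter.
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9\-]*(;[A-Za-z0-9\-]+)*|[0-9]+(\.[0-9]+)*")


def escape_filter_value(value: str) -> str:
    """Escape an LDAP assertion value as required by RFC 4515 section 3.

    '*', '(', ')', '\\' and NUL become \\XX escapes, and every non-ASCII
    character is emitted as the \\XX hex escape of its UTF-8 bytes, so the
    resulting filter is pure ASCII however the connector encodes the request.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_person_filter(attribute: str, tag: str, object_class: str = "person") -> str:
    """Return (&(objectclass=<object_class>)(<attribute>=<tag>)) for an IDM
    repository LDAP filter, with the tag value escaped.

    Raises ValueError if the attribute name is not a valid attribute description,
    so a malformed name cannot smuggle extra filter components into the job.
    """
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"invalid LDAP attribute description: {attribute!r}")
    if not _ATTRIBUTE_RE.fullmatch(object_class):
        raise ValueError(f"invalid object class: {object_class!r}")
    return f"(&(objectclass={object_class})({attribute}={escape_filter_value(tag)}))"


if __name__ == "__main__":
    # Constructed sample values: the filter from the reply, an Arabic OU tag,
    # and a tag carrying filter metacharacters that the escaping neutralises.
    print(build_person_filter("orgUnit", "SAP"))
    print(build_person_filter("orgUnit", "\u0639"))
    print(build_person_filter("orgUnit", "SAP)(objectclass=*"))
```

The first call reproduces the filter from the reply exactly; the Arabic tag comes out as `\d8\b9`, and the third tag is matched literally instead of widening the selection.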

  • SAP IDM - Can it be powered by SAP HANA

    Can SAP IDM be powered by SAP HANA? I have seen a few demos on how SAP HANA can improve performance drastically. Can IDM be integrated with HANA?

    Jerry,
    Great question. The answer is not yet. From what I understand this is planned for a later release of IDM. Right now about all IDM does with HANA is provision to it.
    Hope this helps!
    Matt

  • Authentication Questions Deleted When Saving User View

    I am working with IDM version 6, SP1.
    We wish to start using the user self-service reset password function.
    However, the user authentication questions and answers keep getting deleted.
    Any time a user view is checked out and checked back in, the questions are deleted.
    This happens from the Admin Interface, from workflows, and even from the BPE.
    Has anyone seen this before, and if so, is there a fix?
    Upgrading is a consideration but is not on the "Todo" list for quite a while.
    This is a real problem, as it is stopping us from moving forward with user self-serve password resets.
    Regards
    Mike F.

    We have a similar issue with version 7.0. I had posted questions about it here (forums) and have an open bug report in with Sun.
    Searching on another forum (which you may or may not have access to), it looks like there is a bug -- at least in version 7.0 -- where several pages are "doing a setViewId and not setting it to readonly, so a checkout was done on the user for every page". It sounds like this bug may be fixed in version 7.1 and later. If I search through the JSPs, I see liberal calls to "form.setViewId()".
    I haven't yet tried explicitly setting these calls to readonly (I don't even know what the syntax would be at this point). Your problem sounds somewhat different (ours only occurs on failed validations), but perhaps you are seeing a similar bug in version 6.
    In case you are interested, my issue is described in this post:
    http://forums.sun.com/thread.jspa?forumID=764&threadID=5414572
    That's the problem description, not a description of the fix. And while it talks about a different problem, we also see cases where if a validation fails when the user is entering data, AuthN questions are deleted, which is what makes me think this may be a similar problem.
