Basics of SAP Identity Management

Hi All
Currently I need to explore SAP Identity Management: what it is and how to implement it. If anyone has docs, guides or links, it would be a great help to me.
How exactly does Identity Management work?
Thanks,
Sapuser1342
Edited by: TRanSAP on Jun 2, 2011 3:35 AM

This is the overview document:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10c33889-cc14-2a10-a7a8-a8eef7483dee?quicklink=index&overridelayout=true

Similar Messages

  • Integration of MS Active directory with SAP Identity management

    Hello
    I am implementing SAP Identity Management 7.1 with the external tool MS Active Directory, with single sign-on using SAP IDM. Is there any documentation on how to connect SAP IDM with MS AD, with the roles and their user provisioning process?
    Also, does anyone have an architectural workflow template for this process?

    Hi
    I guess you can achieve this using VDS. Refer to the LDAP connection part.
    https://websmp203.sap-ag.de/~sapidb/011000358700001449652008E
    https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    Regards
    Shridhar Gowda

  • SAP Identity Management Job/Position to Roles mapping

    Hi All,
    I am working on SAP Identity Management 7.1, and the use case is one where HCM is the source of all employee data.
    When I extract employee data from HCM, I need to find the roles the employee has based on their position.
    I have an Excel sheet that describes this mapping in two columns (position/role).
    My question is this:
    I have two choices:
    1- Create MX_ROLE in IDM with an attribute position and load the Excel sheet. Then, when I receive data from HCM, I will do a select on the roles having the position, which will give me the MXREF_ROLE for the user.
    2- I would create positions as MX_ROLEs and load the Excel sheets with the actual roles as children of the position roles. This way, once I put MXREF_ROLE=position in MX_PERSON, the user will get, through inheritance, the roles and the privileges inherited from the position.
    Any idea if anyone tested any of these cases ?
    Any other suggestions are welcome.
    Thanks a lot

    Hi Jack,
    From what I understood, you have MX_ROLE with an attribute position(POSITION_ID), if that is the case, the select will look like:
      select * from idmv_vallink_basic where mskey in (
          select mskey from idmv_vallink_basic
          where mcattrname like 'POSITION_ID' and mcsearchvalue like 'POSITION_ID_VALUE' and mskey in (
              select mskey from idmv_vallink_basic
              where mcattrname = 'MX_ENTRYTYPE' and mcsearchvalue like 'MX_ROLE'));
    If the case is not like that, just explain it with more details and I'll try to make another select.
    Kind Regards,
    Simona Lincheva

  • How to use Virsa with SAP  Identity Management?

    I have been assigned to handle my company's  SAP Identity Management and
    I am asked to use Virsa control.
    I am not quite clear about the relationship between the 2 SAP products.
    Would you please help? Thanks!

    Jennifer,
    There is no product called Virsa control by SAP. Virsa was a small company which made different solutions for SOX compliance. It was acquired by SAP. If you are talking about SAP BusinessObjects Access Control 5.3, then see the links below to understand the integration between SAP IdM and SAP AC 5.3.
    https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/b0aafd33-e662-2a10-a197-dd3137f7f7e0
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e9355
    Regards,
    Alpesh

  • Workflow Jobs in SAP Identity Management

    Hello Experts,
    We have SAP Idm 7.1, Novell eDirectory and GRC AC 5.3 Installed successfully.
    Now, I have to create 2 workflow jobs in SAP IdM 7.1 for Novell eDirectory.
    1- One job to query the Novell IDM Vault for any new identities and populate NW IDM.
    2- The second job to query Novell IDM to determine if any identities have been changed from 'Active' to 'Terminated'. If the ID has been changed to 'Terminated' then lock the SAP ID and remove the roles, and set the User Group to 'Expired', and set the expiration date to the day prior to termination.
    Can anyone let me know, how can I create those 2 workflow jobs?
    Thanks,
    Haleem

    the implementation guide contains an error:
    in the class MyOnSubmit{...
    the head of the function should be:
    public IdMValueChange[] onSubmit(Locale aLocale, int aSubjectMSKEY, int aObjectMSKEY, Task aTask, IdMSubmitData aValidate) throws IdMExtensionException {
    the guide defines the task as int.
    br
    Andreas

  • Identity Management 8.0  - SAP Provisioning Forms UI display

    Hi guys!
    I'm trying to setup a new environment with SAP Identity Management 8.0, using the standard SAP Provisioning Framework.
    I've already followed all install guide and configuration steps, but the Web forms for default provisioning tasks are not appearing on the Self Service tab or Manage tab. I've already tried to modify the forms to let anonymous and everyone to execute the form, but no clue.
    The tabs appear OK, but no tasks are available to choose.
    We are using the latest patches available until today.
    Any help would be appreciated.

    Hi Eduardo,
    Please go to the forms and right click over the Identity folder.
    The option Show Folder in User Interface should be selected
    If this doesn't help please try restarting the JMX and check your Datasource.
    Regards,
    Todor

  • Maintenance Optimizer in SAP Solution Manager

    What is Maintenance Optimizer in SAP Solution Manager, and what are its benefits?

    Hi
    even this may be useful
    Ensure your Solution manager system is at the most recent Support Package Level, specifically ST 400 Patch 11, to reduce note application time
    Download from oss most recent step-by-step setup guide
    Oss note 1024932
    Oss Note 1008717 ( N/A )
    Relevant up to SP11 for Basis 700
    OSS Note 950975 support for IE7 ( N/A we are using GUI)
    Oss note 975510 – corrections for snote ( Via OSS not snote )
    Oss note 1004691 – corrections for snote *** Corrections for 975510 ( UP TO SAP_BASIS 11 ) N/A
    Common problem notes, but not critical for Maint Opt
    0998987: Maintenance Optimizer: Empty error messages
    1022072: Maintenance Optimizer: "No Data Available" message o See note 1025381 before applying 1022072.
    1020789: Maintenance Optimizer: Allow all systems to be selected
    1020802: Maintenance Optimizer List displays incomplete data
    1024105: Maintenance Optimizer: two "Cancel" buttons
    1025381: Maintenance Optimizer: Link to additional download files
    1029453: Maintenance Optimizer - Wrong status displayed
    1030405: Maintenance Optimizer: Browser opens in background
    1030498: Maintenance Optimizer - IBase is not active
    1032463: Maintenance Optimizer: Internet Explorer Script Error
    1042704: Maintenance Optimizer: Display only employee partners
    Partner Scenario SOLMAN4.0 Only
    Oss note 1021275 ( RFC Destinations ) N/A ST 400 11
    Oss Note: 997780 ( N/A we are at 11 use note 939897 for ST400 SP11 Application )
    Relevant for ST400 SP09 ( N/A ST 400 11 )
    User:
    To setup you must have SAP_ALL
    General Users: ( Oss note 1032322 )
    Must be assigned to role SAP_MAINT_OPT_ADMIN
    Auth Object: D_SOL_VSBL ( visibility of solutions)
    Auth Object: CRM_ORD_PR ( for CRM stuff )
    /spro
    As of Support Package level ST 400 SP10:
    Call Transaction SPRO -> SAP Reference IMG ->SAP Solution Manager -> Advanced Configuration -> Basic Settings -> SAP Solution Manager System -> Change Management -> Set Up Maintenance Optimizer
    This IMG activity refers to the SAP Note 990534: Solution Manager Maintenance Optimizer: BC Set. Follow the instructions in this SAP Note
    N/A as of ST400 SP11
    Define a Solution:
    Solution_Manager – Select Solution Overview – New.
    Enter Descriptive Name ( Ex. GTS Landscape )
    Hit Continue
    Select Solution Landscape Maintenance
    Select System Groups & Logical Components on the Left hand Side
    Select Solution Landscapes and pick the one you created
    Define the solutions for that landscape
    Highlight each item and click Logical Component (You must have a valid license to set this up)
    Assign S-User
    Transaction: AISUSER
    Enter your user id and your SUSER ID for downloading
    Create another SAPOSS Connection called SAP-OSS with S-User assigned
    Call SOLUTION_MANAGER
    Select Solution Overview
    Select the solution you want to work with
    Select – Change Management – Support Package Stacks
    Click Maintenance Optimizer around middle of screen
    Select the solution you want to get Sp’s for
    Go to OSS and add the files to download basket
    When done return to screen and hit continue
    Select - Confirm files in Download Basket
    Error message comes if your sap user and your oss user are not setup in AISUSER screen
    Now go to SAP Download Manager ( On your local pc ) and download the files you just confirmed – of course using the same S-User id you just added them to the basket with
    Apply support packages via spam per normal process
    Return to the SOLUTION_MANAGER window select the landscape you are working on
    Hit Maintenance Optimizer List
    Choose the maintenance transaction you are working on
    You will see a list of the confirmed and downloaded sp’s you selected
    Once you apply these to the system using SPAM you will change the status of implementation to Completed and Hit Save
    This completes this activity
    If you wish to do more work you will have to create a new transaction.
    Add A New Instance to Maintenance Optimizer
    Sign into Solution Manager
    Ensure new instance has valid license installed and logical clients assigned
    Select Landscape Components
    Right Click Systems
         Select Create new system with assistant
    Enter
    SID / Description / Product Type / Installation Number ( Get this from SLICENSE in system you are setting up )
    Next enter Sys # & Message Server and hit continue
    Next select Generate RFC Destinations & Assign Logical Components & Enter Client #
    I always get a problem saving since SLD is not setup – ignore and continue
    Highlight the system you just added under Systems – SAP Global Trade Services –
    Select Assignment to Logical Components
    Now add additional software such as Net weaver ABAP & JAVA if your primary setup was of another type ( ex. GTS )
    Highlight the system you wish to update under Systems and hit change
         Select Header Data
         Click Installed Product Versions
         In the product box add whatever you require for this system
         Select the version from the 2nd box and hit copy
    Ex. 
    If you cannot setup the trusted system here is a workaround:
    Create User in Target for Trusted System RFC from SM1
         User:      <Username>
         Pass:   <Pass>
         Type: Communication
    Use this when setting up the trusted connection, remove the trust and use this CPIC user info for the RFC.
    Generate RFC’s and ensure SMSY setup is done for SID in Solution manager
    Now Create a New Solution For your instance:
    Go to SOLUTION_MANAGER transaction
         Select NEW
         Give Descriptive name: ex. GTS Landscape
    Under Solution Landscape
         Select Solution Landscape Maintenance
         Select System Groups and Logical Components Tab
              Open Solution Landscapes
                   Select the one you just defined (GTS Landscape)
    SOLUTION_MANAGER
    Select Change Management – Support Package Stacks
    Select Maintenance Optimizer
    Select the Product Version
         GTS 7.1
    Select the System Type – SID
    From here you will be prompted to go to service marketplace and add the items you wish to install. You can do this beforehand as well, be sure to use the same Suser you setup in AISUSER with your sap login
    It will ask you to confirm the basket, once you do that you install them normally.
    Download with sap download manager, ftp and apply

  • Using SPML for Identity Management in EJB WebService

    Dear All,
    I have a requirement of using SPML (Service Provisioning Markup Language) for identity management. Identity management is used to manage users, like deleting, modifying or adding a user for an application. The requests for all these functions need to be made using SPML. The idea is that the data used to make any request will first come from SAP R3, using an EJB which will retrieve that data by calling a BAPI via JCO, and then it needs to be passed to the entitlement system using SPML. Thus I have to publish a web service which will get data by calling a BAPI and give it to the entitlement system using SPML. How can I achieve this? I have little knowledge of SPML; your guidance will help.
    Thanks & Regards,
    Samir

    There is a document on the SAP Service Market Place that covers the SPML in the UME APIs. This quote is from the [UME documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm]:
    SPML Support
    The UME APIs support access using the Service Provisioning Markup Language (SPML). For more information, see service.sap.com/security > Security in Detail > Secure User Access > Identity Management > SAP Identity Management APIs.
    -Michael
    Edited by: Michael Shea on Jan 17, 2008 9:01 AM

  • Advantage and disadvantages of SAP IDM & Microsoft Identity management Tool

    Hi Folks,
    I am looking for some points on SAP IDM and the Microsoft tool for Identity Management. I am looking for the points mentioned below.
    1. Difference in features and price.
    2. Limitation
    3. Solution architecture for both
    Relevant answers will be rewarded.
    Regards,
    Akshay Shail

    Hi,
    I can add some points about SAP NW IdM. Regarding your question about the price: If you only connect SAP systems (it can handle all types of SAP ABAP and SAP Java systems), they don't charge you extra, because it's already in the NetWeaver license. Furthermore, if you use the SAP Central User Administration: it isn't being developed further and will be replaced by SAP NW IdM.
    The systems you mentioned can be connected; I think these are basics for every IdM solution. HR integration is possible with SAP IdM; I don't know about the other solution on this point.
    There are some whitepapers and presentations about SAP NW IdM: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/webcontent/uuid/f0b68fb1-d8af-2a10-2a8e-cc431c15bb39&anchor=section2.
    Nevertheless, your questions about limitations and solution architecture probably need a PoC if you want to answer them in depth.
    Best regards,
    Nils

  • Details on SAP Warehouse management? Basics, tables and transactions?

    Hi
    Soon I will be working on the SAP WM module as an ABAPer. I have worked on the SD and MM modules but have not worked on the WM module.
    Can anybody send me the links or guide me where i can find some basic information about SAP warehouse management?
    I am looking for the following.
    1). the complete process cycle in WM
    2). basic tables used in WM
    3). Basic transactions used in WM
    thanks in advance.

    check
    https://forums.sdn.sap.com/click.jspa?searchID=12324135&messageID=4538695
    https://forums.sdn.sap.com/click.jspa?searchID=12324135&messageID=2829284
    Re: WM Flow
    Regards
    Kiran Sure

  • The CENTRAL SOURCE OF INFORMATION about SAP NetWeaver Identity Management

    Check out the central homepage for "SAP NetWeaver Identity Management" on the SDN:
    The direct link to SAP NetWeaver Identity Management (http://www.sdn.sap.com/irj/sdn/nw-identitymanagement) can be found using the following menu path:
    - SAP NetWeaver Product
    - Complementary Offerings
    - SAP NetWeaver Identity Management
    Here you will find all kinds of information about the product.
    Have fun!
    Kristian

    Congratulations!
    Very Nice!

  • Federated identity management  on SAP IDM

    Hi Guys
    Does SAP IDM support federated identity management? If so, can you give some configuration documents or explain how exactly it is possible?
    Please shed some light on this.
    Thank you.

    Hi All,
    SAP support have confirmed the following.
    SAP NetWeaver has some federation capabilities with varying
    support in different components (SAML 1.1) SAML 2 support
    is planned in a future release.
    SAP NetWeaver Identity Management does not have federation
    support on its own. This could be introduced in future releases.
    Does anyone know how SAML 1.1 supports federation capabilities? Which SAP NetWeaver platforms have them?

  • Execute PowerShell Scripts via SAP NetWeaver Identity Management

    Hello,
    Has anyone implemented the execution of a PowerShell script from SAP NetWeaver Identity Management (7.1, 7.2, 8.0?).  Currently implementing 8.0, and our client is looking to kick off PowerShell scripts that would generate Active Directory accounts, Exchange accounts etc.
    Thanks!

    Hey Brendan,
    We've done this out of a 7.2 implementation for exchange 2010 admin processes.  We started with running powershell via a command line pass.  It worked pretty well but it wasn't plain sailing.  We used positional parameters to pass data to the scripts in question, we also had to come up with a return process that deals with any errors that might come of the powershell session.  We had some issues with the shell sessions closing after the script completed.
    We've since redesigned and now drop flat files to a constantly running powershell script that acts a bit like an IDM dispatcher (but obviously not integrated with IDM).  It kicks off other powershell sessions and monitors their progress allowing it to process time outs, stack work up, etc.
    We also found timing the processes to be an issue.  If you create an AD account in IDM and then try to immediately move onto mailbox enable (for example) the account we created wasn't yet replicated to exchange so we had to build wait time into various parts of the process.
    Thanks,
    Pete.
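
One way to build the flat-file dispatcher Pete describes, as an added example that is not code from the original post or from SAP: IDM drops one JSON job file per request into a spool folder, and a long-running script validates the fields, runs the worker in its own session with a time-out, and writes a result file as the return channel. The folder layout, the job fields (Action, SamAccountName), the allow-list and the worker script paths are all assumptions.

```powershell
# Added example: spool-folder dispatcher for job files dropped by IDM.
# Paths, job fields and worker scripts are assumptions, not SAP-defined names.
# Constructed sample job file: {"Action":"CreateMailbox","SamAccountName":"jdoe"}
$Spool          = 'C:\IdmSpool'        # hypothetical; contains in\, done\, failed\
$TimeoutSeconds = 120
$Workers = @{                          # allow-list: action -> fixed script path
    'CreateMailbox' = 'C:\IdmWorkers\Enable-IdmMailbox.ps1'
    'DisableUser'   = 'C:\IdmWorkers\Disable-IdmUser.ps1'
}

function Test-IdmJob {
    param($Job)
    # The file content may only pick an allow-listed action and supply a value
    # shaped like an account name; it never names a script or carries syntax.
    if (-not $Workers.ContainsKey([string]$Job.Action)) { return $false }
    return ([string]$Job.SamAccountName -cmatch '^[A-Za-z0-9._-]{1,20}$')
}

function Invoke-IdmJob {
    param([System.IO.FileInfo]$File)
    $result = @{ File = $File.Name; Status = 'Failed'; Detail = '' }
    $worker = $null
    try {
        $job = Get-Content -LiteralPath $File.FullName -Raw | ConvertFrom-Json
        if (-not (Test-IdmJob $job)) { throw 'Job rejected by validation' }
        # Separate session per job; the value is passed as a bound argument,
        # not concatenated into a command line.
        $worker = Start-Job -FilePath $Workers[$job.Action] -ArgumentList $job.SamAccountName
        if (Wait-Job -Job $worker -Timeout $TimeoutSeconds) {
            # Any error the worker wrote surfaces here and lands in catch.
            $result.Detail = (Receive-Job -Job $worker -ErrorAction Stop | Out-String).Trim()
            if ($worker.State -eq 'Completed') { $result.Status = 'OK' }
        } else {
            Stop-Job -Job $worker
            $result.Detail = "Timed out after $TimeoutSeconds seconds"
        }
    } catch {
        $result.Detail = $_.Exception.Message
    } finally {
        if ($worker) { Remove-Job -Job $worker -Force }
    }
    # The result file is the return channel IDM reads; the job file is archived.
    $folder = if ($result.Status -eq 'OK') { 'done' } else { 'failed' }
    $out    = Join-Path $Spool (Join-Path $folder "$($File.BaseName).result.json")
    $result | ConvertTo-Json | Set-Content -LiteralPath $out
    Move-Item -LiteralPath $File.FullName -Destination (Join-Path $Spool $folder) -Force
}

while ($true) {
    Get-ChildItem -LiteralPath (Join-Path $Spool 'in') -Filter '*.json' |
        Sort-Object LastWriteTime |
        ForEach-Object { Invoke-IdmJob $_ }
    Start-Sleep -Seconds 5
}
```

Have IDM write each job under a temporary name and rename it to *.json once complete, so the dispatcher never reads a half-written file; the wait for AD replication that Pete mentions belongs inside the worker script.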

  • Integrate external identity management solution in SAP GRC Access Control

    We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white papers mention that extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have info about these services and documentation? Any hint is appreciated.
    thanks
    Detlef

    Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
    what do the published webservices do? Is there any documentation about them?
    In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
    The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
    Another thing that we want to do is to create a job that would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
    IMHO, as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of Ctrl+C/Ctrl+V from the operators (inefficient and error-prone).
    Does VCC have any documentation that would help me find out how I would do these integrations?
    Thanks in advance

  • Sap Solution Manager 7.1 SP11 Basic Configuration

    Hi Experts,
    I am in a fresh installation of SAP Solution Manager 7.1 SP11, at the Basis Configuration phase, in step "Configure CA Introscope".
    I have successfully installed, but it shows the following message: " Offline - The EM Connection cannot be established (caused by :com.sap.smd.introscope.em.IntroscopeException: java.lang.reflect.InvocationTargetException_) "
    Need suggestions how to proceed from here.
    thanks

    Raja,
    I assume you're using Linux/UNIX.
    Here's the solution. It worked for me.
    In /usr/sap/ccms/apmintroscope/config/users.xml, update the Guest password with this MD5 hash: c4582df82299e0581a9fc6bb34c53
    In user management screen of "Configure CA Introscope", choose "Guest" as connection user with password "guest12" (without quotation marks)
    If it's still not working, then delete the EM and re-install the introscope.
    Go to expert mode -> Delete references -> Remove the line
    Delete folder /usr/sap/ccms/apmintroscope
    Install introscope and management modules again; don't forget to re-set the permission for diagnostic agent user
    Go back to solman_setup "Configure CA Introscope" and do import CA again
    Save, you'll have a green status
    Regards,
