Basics of SAP Identity Management
Hi All
Currently I need to explore SAP Identity Management, what it is and how to implement it. If anyone has docs, guides or links, it would be a great help to me.
How exactly does Identity Management work?
Thanks,
Sapuser1342
Edited by: TRanSAP on Jun 2, 2011 3:35 AM
This is the overview document:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10c33889-cc14-2a10-a7a8-a8eef7483dee?quicklink=index&overridelayout=true
Similar Messages
-
Integration of MS Active directory with SAP Identity management
Hello
I am implementing SAP Identity Management 7.1 with the external tool MS Active Directory, with single sign-on using SAP IDM. Is there any documentation on how I connect SAP IDM with MS AD, with the roles and their user provisioning process?
Also, does anyone have an architectural workflow template for this process?
Hi
I guess you can achieve this using VDS. Refer to the LDAP connection part.
https://websmp203.sap-ag.de/~sapidb/011000358700001449652008E
https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
Regards
Shridhar Gowda -
SAP Identity Management Job/Position to Roles mapping
Hi All,
I am working on SAP Identity Management 7.1 and the use case is the one where HCM is the source of all employee data.
When I extract employee data from HCM, I need to find the roles the employee has based on their position.
I have an Excel sheet that describes this mapping in two columns (position/role).
My question is this :
I have two choices :
1- Create MX_ROLE in IDM with an attribute position and load the Excel sheet. Then when I receive data from HCM, I will do a select on the roles having the position, which will give me the MXREF_ROLE for the user.
2- I would create positions as MX_ROLEs and load the Excel sheet with the actual roles as children of the position roles. This way, once I put MXREF_ROLE=position in MX_PERSON, the user will get through inheritance the roles and the privileges inherited from the position.
Any idea if anyone tested any of these cases ?
Any other suggestions are welcome.
Thanks a lot
Hi Jack,
From what I understood, you have MX_ROLE with an attribute position(POSITION_ID), if that is the case, the select will look like:
select * from idmv_vallink_basic where mskey in (
    select mskey from idmv_vallink_basic
    where mcattrname like 'POSITION_ID' and mcsearchvalue like 'POSITION_ID_VALUE'
    and mskey IN (
        select mskey from idmv_vallink_basic
        where mcattrname='MX_ENTRYTYPE' AND mcsearchvalue like 'MX_ROLE'));
If the case is not like that, just explain it with more details and I'll try to make another select.
Kind Regards,
Simona Lincheva -
How to use Virsa with SAP Identity Management?
I have been assigned to handle my company's SAP Identity Management and
I am asked to use Virsa control.
I am not quite clear about the relationship between the 2 SAP products.
Would you please help? Thanks!
Jennifer,
There is no product called Virsa control by SAP. Virsa was a small company which made different solutions for SOX compliance. It was acquired by SAP. If you are talking about SAP BusinessObjects Access Control 5.3, then see the links below to understand the integration between SAP IdM and SAP AC 5.3.
https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/b0aafd33-e662-2a10-a197-dd3137f7f7e0
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e9355
Regards,
Alpesh -
Workflow Jobs in SAP Identity Management
Hello Experts,
We have SAP Idm 7.1, Novell eDirectory and GRC AC 5.3 Installed successfully.
Now, I have to create 2 workflow jobs in SAP IdM 7.1 for Novell eDirectory.
1- One job to query the Novell IDM Vault for any new identities and populate NW IDM.
2- The second job to query Novell IDM to determine if any identities have been changed from 'Active' to 'Terminated'. If the ID has been changed to 'Terminated' then lock the SAP ID and remove the roles, and set the User Group to 'Expired', and set the expiration date to the day prior to termination.
Can anyone let me know, how can I create those 2 workflow jobs?
Thanks,
Haleem
The implementation guide contains an error:
in the class MyOnSubmit{...
the head of the function should be:
public IdMValueChange[] onSubmit(Locale aLocale, int aSubjectMSKEY, int aObjectMSKEY, Task aTask, IdMSubmitData aValidate) throws IdMExtensionException {
the guide defines the task as int.
br
Andreas -
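The two jobs described in the question above both reduce to comparing the current extract of the source directory with the previous one. The following Python code is an added example, not from the thread or from SAP documentation; it plans the actions for new identities and for 'Active' to 'Terminated' transitions. The operation labels, the `Identity` record, skipping creation for an identity that arrives already terminated, and the fallback to the run date when no termination date is supplied are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    status: str                            # "Active" or "Terminated" in the source directory
    terminated_on: Optional[date] = None   # termination date, if the source supplies one


@dataclass(frozen=True)
class Action:
    user: str
    op: str          # hypothetical operation label, not an SAP IdM task name
    value: str = ""


def is_terminated(identity: Identity) -> bool:
    # Compare case-insensitively so "terminated" and "Terminated " are not missed.
    return identity.status.strip().lower() == "terminated"


def plan_actions(previous: Dict[str, Identity], current: Dict[str, Identity],
                 run_date: date) -> List[Action]:
    """Diff two snapshots of the source directory into provisioning actions."""
    actions: List[Action] = []
    for user in sorted(current):
        new, old = current[user], previous.get(user)
        if old is None:
            # Job 1: identity not seen in the previous run.
            if is_terminated(new):
                # Assumption: never provision an account for an already terminated identity.
                actions.append(Action(user, "SKIP_ALREADY_TERMINATED"))
            else:
                actions.append(Action(user, "CREATE_IDENTITY"))
            continue
        if is_terminated(new) and not is_terminated(old):
            # Job 2: Active -> Terminated. Only the transition triggers work,
            # so re-running the job on an unchanged snapshot plans nothing.
            # Assumption: with no termination date, use the run date so the
            # account still receives an expiration date.
            terminated_on = new.terminated_on or run_date
            expiry = terminated_on - timedelta(days=1)
            actions += [
                Action(user, "LOCK_SAP_ID"),
                Action(user, "REMOVE_ALL_ROLES"),
                Action(user, "SET_USER_GROUP", "Expired"),
                Action(user, "SET_EXPIRATION_DATE", expiry.isoformat()),
            ]
    return actions


# Constructed sample snapshots (not real data).
PREVIOUS = {"asmith": Identity("Active"), "bjones": Identity("Active"),
            "cwu": Identity("Terminated", date(2011, 5, 1)), "dlee": Identity("Active")}
CURRENT = {"asmith": Identity("Active"), "bjones": Identity("Terminated", date(2011, 6, 15)),
           "cwu": Identity("Terminated", date(2011, 5, 1)), "dlee": Identity("terminated"),
           "enew": Identity("Active"), "fold": Identity("Terminated", date(2011, 1, 1))}

if __name__ == "__main__":
    for action in plan_actions(PREVIOUS, CURRENT, date(2011, 6, 20)):
        print(action)
```
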
Identity Management 8.0 - SAP Provisioning Forms UI display
Hi guys!
I'm trying to setup a new environment with SAP Identity Management 8.0, using the standard SAP Provisioning Framework.
I've already followed all install guide and configuration steps, but the Web forms for default provisioning tasks are not appearing on the Self Service tab or Manage tab. I've already tried to modify the forms to let anonymous and everyone to execute the form, but no clue.
The tabs appear OK, but no tasks are available to choose.
We are using the latest patches available until today.
Any help would be appreciated.
Hi Eduardo,
Please go to the forms and right click over the Identity folder.
The option Show Folder in User Interface should be selected
If this doesn't help please try restarting the JMX and check your Datasource.
Regards,
Todor -
Maintenance Optimizer in SAP Solution Manager
What is Maintenance Optimizer in SAP Solution Manager and what are its benefits?
Hi
even this may be useful
Ensure your Solution manager system is at the most recent Support Package Level, specifically ST 400 Patch 11, to reduce note application time
Download from oss most recent step-by-step setup guide
Oss note 1024932
Oss Note 1008717 ( N/A )
Relevant up to SP11 for Basis 700
OSS Note 950975 support for IE7 ( N/A we are using GUI)
Oss note 975510 corrections for snote ( Via OSS not snote )
Oss note 1004691 corrections for snote *** Corrections for 975510 ( UP TO SAP_BASIS 11 ) N/A
Common problem notes, but not critical for Maint Opt
0998987: Maintenance Optimizer: Empty error messages
1022072: Maintenance Optimizer: "No Data Available" message. See note 1025381 before applying 1022072.
1020789: Maintenance Optimizer: Allow all systems to be selected
1020802: Maintenance Optimizer List displays incomplete data
1024105: Maintenance Optimizer: two "Cancel" buttons
1025381: Maintenance Optimizer: Link to additional download files
1029453: Maintenance Optimizer - Wrong status displayed
1030405: Maintenance Optimizer: Browser opens in background
1030498: Maintenance Optimizer - IBase is not active
1032463: Maintenance Optimizer: Internet Explorer Script Error
1042704: Maintenance Optimizer: Display only employee partners
Partner Scenario SOLMAN4.0 Only
Oss note 1021275 ( RFC Destinations ) N/A ST 400 11
Oss Note: 997780 ( N/A we are at 11 use note 939897 for ST400 SP11 Application )
Relevant for ST400 SP09 ( N/A ST 400 11 )
User:
To setup you must have SAP_ALL
General Users: ( Oss note 1032322 )
Must be assigned to role SAP_MAINT_OPT_ADMIN
Auth Object: D_SOL_VSBL ( visibility of solutions)
Auth Object: CRM_ORD_PR ( for CRM stuff )
/spro
As of Support Package level ST 400 SP10:
Call Transaction SPRO -> SAP Reference IMG ->SAP Solution Manager -> Advanced Configuration -> Basic Settings -> SAP Solution Manager System -> Change Management -> Set Up Maintenance Optimizer
This IMG activity refers to the SAP Note 990534: Solution Manager Maintenance Optimizer: BC Set. Follow the instructions in this SAP Note
N/A as of ST400 SP11
Define a Solution:
Solution_Manager Select Solution Overview New.
Enter Descriptive Name ( Ex. GTS Landscape )
Hit Continue
Select Solution Landscape Maintenance
Select System Groups & Logical Components on the Left hand Side
Select Solution Landscapes and pick the one you created
Define the solutions for that landscape
Highlight each item and click Logical Component (You must have a valid license to set this up)
Assign S-User
Transaction: AISUSER
Enter your user id and your SUSER ID for downloading
Create another SAPOSS Connection called SAP-OSS with S-User assigned
Call SOLUTION_MANAGER
Select Solution Overview
Select the solution you want to work with
Select Change Management Support Package Stacks
Click Maintenance Optimizer around middle of screen
Select the solution you want to get Sps for
Go to OSS and add the files to download basket
When done return to screen and hit continue
Select - Confirm files in Download Basket
Error message comes if your sap user and your oss user are not setup in AISUSER screen
Now go to SAP Download Manager ( On your local pc ) and download the files you just confirmed of course using the same S-User id you just added them to the basket with
Apply support packages via spam per normal process
Return to the SOLUTION_MANAGER window select the landscape you are working on
Hit Maintenance Optimizer List
Choose the maintenance transaction you are working on
You will see a list of the confirmed and downloaded sps you selected
Once you apply these to the system using SPAM you will change the status of implementation to Completed and Hit Save
This completes this activity
If you wish to do more work you will have to create a new transaction.
Add A New Instance to Maintenance Optimizer
Sign into Solution Manager
Ensure new instance has valid license installed and logical clients assigned
Select Landscape Components
Right Click Systems
Select Create new system with assistant
Enter
SID / Description / Product Type / Installation Number ( Get this from SLICENSE in system you are setting up )
Next enter Sys # & Message Server and hit continue
Next select Generate RFC Destinations & Assign Logical Components & Enter Client #
I always get a problem saving since SLD is not setup ignore and continue
Highlight the system you just added under Systems SAP Global Trade Services
Select Assignment to Logical Components
Now add additional software such as Net weaver ABAP & JAVA if your primary setup was of another type ( ex. GTS )
Highlight the system you wish to update under Systems and hit change
Select Header Data
Click Installed Product Versions
In the product box add whatever you require for this system
Select the version from the 2nd box and hit copy
Ex.
If you cannot setup the trusted system here is a workaround:
Create User in Target for Trusted System RFC from SM1
User: <Username>
Pass: <Pass>
Type: Communication
Use this when setting up the trusted connection, remove the trust and use this CPIC user info for the RFC.
Generate RFCs and ensure SMSY setup is done for SID in Solution manager
Now Create a New Solution For your instance:
Go to SOLUTION_MANAGER transaction
Select NEW
Give Descriptive name: ex. GTS Landscape
Under Solution Landscape
Select Solution Landscape Maintenance
Select System Groups and Logical Components Tab
Open Solution Landscapes
Select the one you just defined (GTS Landscape)
SOLUTION_MANAGER
Select Change Management Support Package Stacks
Select Maintenance Optimizer
Select the Product Version
GTS 7.1
Select the System Type SID
From here you will be prompted to go to service marketplace and add the items you wish to install. You can do this beforehand as well, be sure to use the same Suser you setup in AISUSER with your sap login
It will ask you to confirm the basket, once you do that you install them normally.
Download with sap download manager, ftp and apply -
Using SPML for Identity Management in EJB WebService
Dear All,
I have a requirement of using SPML (Service Provisioning Markup Language) for identity management. Identity management is used to manage users, such as deleting, modifying or adding a user for an application. For that, the requests for all these functions need to be made using SPML. The idea is that first the data used to make any request will come from SAP R3 using an EJB, which will retrieve that data by calling a BAPI via JCO, and then it needs to be passed to the entitlement system using SPML. Thus I have to publish a web service which will get data by calling a BAPI and give it to the entitlement system using SPML. How can I achieve it? I have little knowledge about SPML; your guidance will help.
Thanks & Regards,
Samir
There is a document on the SAP Service Market Place that covers the SPML in the UME APIs. This quote is from the UME documentation (http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm):
SPML Support
The UME APIs support access using the Service Provisioning Markup Language (SPML). For more information, see service.sap.com/security > Security in Detail > Secure User Access > Identity Management > SAP Identity Management APIs.
-Michael
Edited by: Michael Shea on Jan 17, 2008 9:01 AM -
Advantage and disadvantages of SAP IDM & Microsoft Identity management Tool
Hi Folks,
I am looking for some points on SAP IDM and the Microsoft tool for Identity Management. I am looking for the points mentioned below.
1. Difference in the features and price.
2. Limitation
3. Solution architecture for both
Relevant answers will be rewarded.
Regards,
Akshay Shail
Hi,
I can add some points about SAP NW IdM. Regarding your question about the price: If you only connect SAP systems (it can handle all types of SAP ABAP and SAP Java systems) they don't charge you extra, because it's already in the NetWeaver license. Furthermore, if you use the SAP Central User Administration: It isn't further developed and will be replaced by SAP NW IdM.
The systems you mentioned can be connected; I think these are basics for every IdM solution. HR integration is possible with SAP IdM; I don't know about the other solution on this point.
There are some whitepapers and presentations about SAP NW IdM: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/webcontent/uuid/f0b68fb1-d8af-2a10-2a8e-cc431c15bb39&anchor=section2.
Nevertheless, your questions about limitations and solution architecture probably need a PoC if you want to answer them in depth.
Best regards,
Nils -
Details on SAP Warehouse management? Basics, tables and transactions?
Hi
Soon I will be working on an SAP WM module as an ABAPer. I have worked on SD and MM modules but not on the WM module.
Can anybody send me the links or guide me where i can find some basic information about SAP warehouse management?
I am looking for the following.
1). the complete process cycle in WM
2). basic tables used in WM
3). Basic transactions used in WM
Thanks in advance.
check
https://forums.sdn.sap.com/click.jspa?searchID=12324135&messageID=4538695
https://forums.sdn.sap.com/click.jspa?searchID=12324135&messageID=2829284
Re: WM Flow
Regards
Kiran Sure -
The CENTRAL SOURCE OF INFORMATION about SAP NetWeaver Identity Management
Check out the central homepage for "SAP NetWeaver Identity Management" on the SDN:
The direct link to SAP NetWeaver Identity Management (https://www.sdn.sap.com/irj/sdn/nw-identitymanagement) can be found using the following menu path:
- SAP NetWeaver Product
- Complementary Offerings
- SAP NetWeaver Identity Management (https://www.sdn.sap.com/irj/sdn/nw-identitymanagement)
Here you will find all kinds of information about the product.
Have fun!
Kristian
Congratulations!
Very Nice! -
Federated identity management on SAP IDM
Hi Guys
Does SAP IDM support federated Identity Management? If so, can you give some configuration documents or explain how exactly it is possible?
Please shed some light on this.
Thank you.
Hi All,
SAP support have confirmed the following.
SAP NetWeaver has some federation capabilities with varying
support in different components (SAML 1.1). SAML 2 support
is planned in a future release.
SAP NetWeaver Identity Management does not have federation
support on its own. This could be introduced in future releases.
Does anyone know how SAML 1.1 supports federation capabilities? Which SAP NetWeaver platforms have them? -
Execute PowerShell Scripts via SAP NetWeaver Identity Management
Hello,
Has anyone implemented the execution of a PowerShell script from SAP NetWeaver Identity Management (7.1, 7.2, 8.0?). Currently implementing 8.0, and our client is looking to kick off PowerShell scripts that would generate Active Directory accounts, Exchange accounts etc.
Thanks!
Hey Brendan,
We've done this out of a 7.2 implementation for exchange 2010 admin processes. We started with running powershell via a command line pass. It worked pretty well but it wasn't plain sailing. We used positional parameters to pass data to the scripts in question, we also had to come up with a return process that deals with any errors that might come of the powershell session. We had some issues with the shell sessions closing after the script completed.
We've since redesigned and now drop flat files to a constantly running powershell script that acts a bit like an IDM dispatcher (but obviously not integrated with IDM). It kicks off other powershell sessions and monitors their progress allowing it to process time outs, stack work up, etc.
We also found timing the processes to be an issue. If you create an AD account in IDM and then try to immediately move onto mailbox enable (for example) the account we created wasn't yet replicated to exchange so we had to build wait time into various parts of the process.
Thanks,
Pete. -
Integrate external identity management solution in SAP GRC Access Control
We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
thanks
Detlef
Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
What do the published web services do? Is there any documentation about them?
In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
Another thing that we want to do is to create a job that would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
IMHO, as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of Ctrl+C, Ctrl+V from the operators (inefficient and error prone).
Does VCC have any documentation that would help me find out how to do these integrations?
Thanks in advance -
Sap Solution Manager 7.1 SP11 Basic Configuration
Hi Experts,
I am doing a fresh installation of SAP Solution Manager 7.1 SP11. I am at the Basis Configuration phase, in the step "Configure CA Introscope".
I have successfully installed, but it shows the following message: " Offline - The EM Connection cannot be established (caused by :com.sap.smd.introscope.em.IntroscopeException: java.lang.reflect.InvocationTargetException_) "
Need suggestions how to proceed from here.
Thanks
Raja,
I assume you're using Linux/UNIX.
Here's the solution. It worked for me.
In /usr/sap/ccms/apmintroscope/config/users.xml, update the Guest password with this MD5 hash: c4582df82299e0581a9fc6bb34c53
In user management screen of "Configure CA Introscope", choose "Guest" as connection user with password "guest12" (without quotation marks)
If it's still not working, then delete the EM and re-install the introscope.
Go to expert mode -> Delete references -> Remove the line
Delete folder /usr/sap/ccms/apmintroscope
Install introscope and management modules again; don't forget to re-set the permission for diagnostic agent user
Go back to solman_setup "Configure CA Introscope" and do import CA again
Save, you'll have a green status
Regards,