CUP Provisioning into LDAP

Hi Gurus,
We are trying to figure out if we can provision a NEW user ID into LDAP (AD) through CUP? Ideally we will have a Manager enter a request into CUP that includes a user's SAP access as well as AD and have CUP autoprovision this access.
In reading the guides it seems CUP can only write groups to existing AD users.
Does anyone have any thoughts or experiences?
Thanks,
Grace Rae

Grace,
CUP can provision existing LDAP groups to existing IDs, but as you said, cannot create new ones.  The best method to incorporate this would be to connect CUP to an IDM system to provision the ID and access.  If this is not acceptable, the other option is to create a custom connector that would communicate with a third party application (such as a macro/script) that would create the IDs through a separate process.
I know this isn't the news you want to hear, but I hope it helps!
Tyler

Similar Messages

  • SAP HR data retrieval into LDAP using ABAP Report

    Hi ,
    Does anyone have an idea for extracting SAP HR Employee data into LDAP (Directory based service) by using any ABAP report and function module?
    Rohit

    I'm also interested...
    @Rohit Kumar Shukla
    Did you already receive an answer?
    Kind regards,
    Mario Möllenbeck

  • SAP HR DATA Retrieval into LDAP

    Hi ,
    Does anyone have an idea for extracting SAP HR Employee data into LDAP (Directory based service).
    Rohit

    Option 1:
    Replicate HR employee data to the directory directly:
    HR Data Retrieval in an LDAP-Enabled Directory Service (http://help.sap.com/saphelp_erp2005vp/helpdata/en/8e/b98c3b98b8704fe10000000a114084/frameset.htm)
    Option 2:
    Create users for your employees (which might be used for ESS scenarios anyway) using infotype 0105 and transaction HRUSER and transfer these users into the directory.
    Synchronization of SAP User Administration with an LDAP-Compatible Directory Service (http://help.sap.com/saphelp_erp2005vp/helpdata/en/95/49cb3a663bfc70e10000000a114084/frameset.htm)
    Option 3:
    Use an external identity management solution,
    e.g. Siemens DirX Identity (http://service.sap.com/siemensdirx)
    Kind regards
    Frank Buchholz

  • Hashed password import into LDAP

    hello,
    is it possible to import MD5 hashed password direct into LDAP instead of creating a new one?
    Any help would be appreciated.
    Ales Hrncarek

    Hello
    I'm also interested in the same topic.
    We are working on a project that requires programmatic registration of portal users.
    We found out that the best way to register a new portal user was going directly into LDAP.
    The only problem I have is finding the right way to encrypt the passwords.
    I tried to set the password in clear text, but of course it didn't work (I didn't actually think it would either ;) )
    How do you encrypt the password? Is there a Java API I can use?
    Regards
    Per-Jarle Sfther
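
The storage format this thread is asking about, as an added example that is not part of the original posts: directories that use the `{SCHEME}` prefix convention (OpenLDAP does) hold `userPassword` as the scheme name plus the base64 of the raw digest, so an existing hex MD5 hash is imported by re-encoding it, not by re-hashing. The DN, sample hash and function names are constructed for illustration, and acceptance of `{MD5}` or `{SSHA}` by a particular server is an assumption to check in its documentation; the salted form is included because unsalted MD5 values are cheap to brute-force once a directory export leaks.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional


def md5_hex_to_userpassword(hex_digest: str) -> str:
    """Re-encode an existing hex MD5 digest as a {MD5} userPassword value."""
    try:
        raw = binascii.unhexlify(hex_digest.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not a hex string") from exc
    if len(raw) != 16:
        raise ValueError("an MD5 digest is exactly 16 bytes")
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {MD5} or {SSHA} value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    blob = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), blob)
    if scheme.upper() == "SSHA":
        # SHA-1 digests are 20 bytes; everything after that is the salt.
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)


def ldif_replace_password(dn: str, value: str) -> str:
    """LDIF change record that replaces userPassword with a pre-hashed value."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: " + value,
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the hex MD5 digest of the string "password".
    legacy_hex = "5f4dcc3b5aa765d61d8327deb882cf99"
    value = md5_hex_to_userpassword(legacy_hex)
    # Hypothetical DN, for illustration only.
    print(ldif_replace_password("uid=jdoe,ou=people,dc=example,dc=com", value))
    print("verifies:", verify("password", value))
```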

  • OIM - OID (11g) auto-provision thru ldap sync

    Hi,
    I have configured ldap sync. I have following questions
    1. We have created custom attributes in OID and referred to custom object class. Now when I try to create user in OIM, user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in user object of OID, unless we refer manually the custom object class). Can anyone let me know how to auto-provision the custom attributes into OID?
    2. When user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM? Is it the expected behavior? But create, update, delete are happening as expected.
    Please let me know if any one know the solution.

    Hi,
    Were you able to achieve this? I have a similar requirement where I have added 5 custom attributes in both OIM and OID; when I create the users, these attributes do not get updated on OID. Should I add these UDFs in any objectclass which OIM understands? Please suggest.
    Thanks in advance

  • CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

    Hi All,
    I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
    Here is an example of the audit trail log from Change Account:
    Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
    Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
    Auto provisioned for request on 06/28/2010 17:14 
       User Provisioning failed for System(s) : DEV. Error Message :
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
    Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
       Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
    Note: the role names were replaced with "xxxxxxx."
    The system log gives an error, but it is very vague:
    2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
    com.virsa.ae.service.ServiceException
         at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
    Any ideas or suggestions?
    Current software level AC5.3 SP12.
    -Dylan

    Hello Varun,
    Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. Your question prompted me to do more testing with very interesting results.
    Results
    New Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    New Account without User Defaults configured:
    User provisioned successfully, no Auto-Provision error.
    Change Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    Change Account without User Defaults configured:
    User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
    In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
    For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
    What about on your side? Am I the only guy using SP12 here?

  • GRC AC 10 CUP : Provisioning of Approved roles (Line Item)

    Hello Gurus,
    We have configured CUP in GRC AC 10, and mapped a workflow for the same.
    Now when a user requests new roles, e.g. 3 roles:
    Role 1, Role 2, Role 3; each role has a different role owner.
    When the request goes to the role owners for approval and 1 of the 3 role owners rejects the request, the whole request gets rejected.
    Is it possible to have functionality where roles which are approved will go ahead and get "Provisioned" and the whole request won't completely get rejected?
    Looking forward for your inputs !!
    Thanks in advance.
    Regards,
    Victor

    Hello Victor,
    I guess you can work with the approval/ rejection level (stage 5 in the WF configuration).
    Have a look at here: http://forums.sdn.sap.com/thread.jspa?threadID=1637574
    Cheers,
    Diego.

  • LDAP Connector in CUP . No LDAPS? Surely not?

    Hi all,
    I have the LDAP Connector in CUP successfully binding to an Active Directory over port 389. It's now time to switch to LDAPS/SSL over port 636, but I have read on this forum that CUP does not support LDAPS connections. Surely this cannot be true? No company in their right mind would allow an unencrypted connection to their Production AD/LDAP.
    And I can't use the UME to connect to AD over LDAPS as this is already configured as an ABAP dataSource so cannot be switched (according to SAP and the customer).
    Regards
    Daniel

    Found the OSS note saying it is not supported. Hard to believe.

  • Manual CUP provisioning

    We are using CUP (BO AC 5.3 SP14) with role provisioning via SAP CUA. Whenever there is a system upgrade etc. on our CUA systems, we would prefer if any role requests could be "put on hold" in CUP, i.e. keep all workflow functionality but just not provision the role to the user in the last step. There are also other reasons why we during certain periods would like to control when roles are provisioned from CUP to SAP.
    When turning off "Auto provision at end of each path" the system completes all workflow steps without problems, but the request is closed and the role not assigned in SAP.
    Just turning off "Role auto provisioning" does not fulfill our requirements, as this assigns the role to the user in SAP but does not run the last user compare step.
    So, is there any way to manually trigger/import the role assignment from CUP request database that have been approved in e.g. the last 12h, or since the last manual import (delta)?
    Many thanks
    Mikael

    Hello Frank, and thanks for your reply - interesting alternative solution, though you also confirm this cannot easily be "imported" from the CUP database. I think we need to test this scenario in order to find the best option.
    I assume we need to set up a specific user for the CUA connector, so that all other connectors are still available when the CUA user is disabled. We already have a Manager and Role owner approval in our CUP workflow. The SAP role is assigned following role owner approval. If possible, we could perhaps redirect all requests that fail due to technical connector issues in the last approval/role assignment step to a Basis admin. That might mean we would automatically manage all technical scenarios without changing workflows.
    Indeed this is not a very common scenario, but due to upgrades we will have several periods with downtime on our central CUA in the next coming months. We also have regular "freeze periods" in our environment, meaning no roles are allowed to be assigned. If we can still manage to run the workflow seamlessly for an end-user, then that would be very useful.
    Thanks for your input
    Mikael

  • How to change the DN of a user when provisioning to LDAP (iPlanet User)

    When I provision a new user to iPlanet User (LDAP) resource, it creates the account with DN = uid=<user login>,ou=people,dc=test,dc=com
    How can I change it so that it will create the account with DN = cn=<Fullname>, ou=people,dc=test,dc=com ?
    I don't see the DN field defined in the iPlanet User form.

    Is this a live environment? I would suggest setting this from the start, and not trying to change later. Most likely it's using this prefix for both pre and post name, so when you change it in the middle, one of them won't be found.
    -Kevin

  • CUP Provisioning workflows

    Hello
    We have a unique use case.
    Say we have two roles A and B in a single workflow request.
    We want to create a workflow in CUP, that will auto provision A and not auto provision B (just capture the approval).
    Is this possible in CUP workflow?
    Thanks
    Prakash Sankar

    Hi Prakash
    It sounds like you are trying to set up portal role provisioning through GRC. We are trying to do the same thing. Do you have the portal setup completed, and is that side working?

  • CUP 5.2 - LDAP Authentication error - "User credentials not valid."

    Hi Experts ,
    I have set up LDAP "SUN ONE" as an authentication source for our CUP 5.2 SP11 Patch1 (Build-62316). But when I try to log on with my network ID, I receive the error "User credentials not valid."
    Please find the log below.
    Thank you for your help,
    Regards,
    Abderrahim
    2011-03-01 12:07:57,232 [SAPEngine_Application_Thread[impl:3]_27] ERROR Failed to log in a867168
    com.virsa.ae.service.umi.AuthenticationFailureException: No user details found
         at com.virsa.ae.service.umi.ldap.LDAPAuthenticator.validate(LDAPAuthenticator.java:140)
         at com.virsa.ae.actions.LoginAction.requestorLoginHandler(LoginAction.java:847)
         at com.virsa.ae.actions.LoginAction.execute(LoginAction.java:82)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:256)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:423)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:207)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by:
    com.virsa.ae.service.umi.UMIException: SUNONE error reading search results
         at com.virsa.ae.service.umi.ldap.LDAPSearchUser.getUsers(LDAPSearchUser.java:698)
         at com.virsa.ae.service.umi.ldap.LDAPSearchUser.getUserById(LDAPSearchUser.java:760)
         at com.virsa.ae.service.umi.ldap.LDAPAuthenticator.validate(LDAPAuthenticator.java:131)
         at com.virsa.ae.actions.LoginAction.requestorLoginHandler(LoginAction.java:847)
         at com.virsa.ae.actions.LoginAction.execute(LoginAction.java:82)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:256)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:423)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:207)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by:
    javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3030)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2757)
         at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1828)
         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1751)
         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:347)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:332)
         at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:252)
         at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:252)
         at com.virsa.ae.service.umi.ldap.LDAPSearchUser.getUsers(LDAPSearchUser.java:518)
         at com.virsa.ae.service.umi.ldap.LDAPSearchUser.getUserById(LDAPSearchUser.java:760)
         at com.virsa.ae.service.umi.ldap.LDAPAuthenticator.validate(LDAPAuthenticator.java:131)
         at com.virsa.ae.actions.LoginAction.requestorLoginHandler(LoginAction.java:847)
         at com.virsa.ae.actions.LoginAction.execute(LoginAction.java:82)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:256)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:423)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:207)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)

    My issue is still not received. I have sent a document to the system team to follow for the integration. The AD configuration for QM should be very explicit or else integration will not work. I am attaching the doc here. Let me know if that helps.
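
A triage pass over the trace posted in this thread, as an added example that is not part of the original posts or of SAP's code: it walks the "Caused by:" chain to the innermost exception and reads the LDAP result code, which separates a failed directory lookup (32, noSuchObject) from a rejected password (49, invalidCredentials) even though the login page reports both as invalid credentials. The sample trace is abridged from the post, the result-code names are those of RFC 4511, and the function names are hypothetical.

```python
import re

# Result codes from RFC 4511 that commonly sit behind a failed directory login.
LDAP_RESULT_CODES = {
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

EXC_LINE = re.compile(r"^([A-Za-z_$][\w.$]*(?:Exception|Error))(?::\s*(.*))?$")
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
FRAME = re.compile(r"^at ([\w.$<>]+)\(")

# Abridged from the trace in the post above (most frames dropped).
SAMPLE_TRACE = """\
2011-03-01 12:07:57,232 [SAPEngine_Application_Thread[impl:3]_27] ERROR Failed to log in a867168
com.virsa.ae.service.umi.AuthenticationFailureException: No user details found
     at com.virsa.ae.service.umi.ldap.LDAPAuthenticator.validate(LDAPAuthenticator.java:140)
Caused by:
com.virsa.ae.service.umi.UMIException: SUNONE error reading search results
     at com.virsa.ae.service.umi.ldap.LDAPSearchUser.getUsers(LDAPSearchUser.java:698)
Caused by:
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3030)
     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1828)
"""


def exception_chain(trace):
    """Return the exceptions in a Java trace, outermost first, with frames."""
    chain = []
    for line in trace.splitlines():
        line = line.strip()
        exc = EXC_LINE.match(line)
        if exc:
            chain.append({"type": exc.group(1),
                          "message": exc.group(2) or "",
                          "frames": []})
            continue
        frame = FRAME.match(line)
        if frame and chain:
            chain[-1]["frames"].append(frame.group(1))
    return chain


def triage(trace):
    """Summarise the root cause; None if the text holds no exception."""
    chain = exception_chain(trace)
    if not chain:
        return None
    root = chain[-1]
    found = LDAP_CODE.search(root["message"])
    code = int(found.group(1)) if found else None
    # A JNDI frame whose method name contains "search" means the directory
    # lookup failed before any password check could take place.
    in_search = any("search" in f.rsplit(".", 1)[-1].lower()
                    for f in root["frames"])
    return {
        "reported": chain[0]["message"],
        "root_type": root["type"],
        "ldap_code": code,
        "ldap_name": LDAP_RESULT_CODES.get(code, "unknown"),
        "failed_during_search": in_search,
        "password_rejected": code == 49,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_TRACE).items():
        print(f"{key}: {val}")
```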

  • Group Provisioning in LDAP

    HI,
    Can I provision a 'group' in LDAP through Sun Idm? if so please let me know the steps to do that.
    Thanks
    Message was edited by:
    Raja.Samy

    Can you be a bit more specific when you say provision a group? Do you mean create a new group in LDAP, or modify an existing group? Off the top of my head I believe you can use the create resource object from. On the resources Tab, under Resource Actions (I believe) there is a selection for create resource object. That might suit your needs.

  • Bulk provisioning to LDAP using sun connector

    Hi guys,
    I am able to provision only single OIM user at time to LDAP directory using sun connector.
    Could any one please suggest me the approach of how to provision multiple users at a time.
    divya

    What Octavian has said is right have 2 it resources and then have a ItResourceLookup Field in your process form. You can either have it to default to any one of the ItResource (OID server) or you can allow the admin to select this during direct provisioning. Depends on how you are doing provisioning i.e. direct or request based or policy based.

  • OIM - Provisioning into ADAM

    Hi ,
    I am trying to use ADAM to provision users into ADAM. Can some one please post documentation I can use or oracle guides / even if there is a Lab which i can take to configure it.
    Thanks
    Gaurav

    If you see AD connector guide you'll see it for ADAM as well.
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/toc.htm
    You don't need any extra docs for ADAM.
