Delete Role Assignments directly from an ABAP System
Hi folks!
I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend. Easy enough!
However if the privilege is not in IDM but is in the back-end, it needs to be removed. Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
I suppose the workaround would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
I looked in the business suite and plain ABAP portions of the framework. I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
Thanks for your help!
Matt
Hello Matt,
So you want to remove locally administered roles?
If the object really is to undo the local administration, I would do this:
Create a batch job; the passes would be a FromSAP, a ToGeneric and one/two ToSAP.
At first a cleaning pass (the ToGeneric one) which fixes all incorrectly assigned privs (re-add directly or remove, depending on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time-consuming part of the job during implementation).
The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered one anytime).
Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
Source tab query: A query which selects all mskeys of users that have more assigned in the sap table than in the link view. Using the Identity Store so everything of the identity is selected.
Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
Best regards
Dominik
Similar Messages
-
Provisioning of roles to ABAP system deletes role assignments in backend
Hi all,
following scenario:
user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
What will happen is that the user will get role B but assignment of role A will be deleted.
This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
I hope I was able to describe my problem properly and you have answers...
Best regards
Jörn Kaplan
No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as known by IdM. IdM is the master!
This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".
However, there exists an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (These role assignments are shown in blue in transaction SU01.)
See http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
Kind regards
Frank Buchholz -
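The reconciliation Dominik outlines in the first thread and the replace-all behaviour Frank Buchholz describes here, as an added Python example that is not part of either post or of the IdM framework: for one user it computes which direct backend roles IdM does not know and the complete role list a replace-all call would have to carry, under a "remove" or an "adopt" policy. The role names, the `indirect` flag, the two policy names and the treatment of pending roles are assumptions made for the example.

```python
from dataclasses import dataclass

POLICIES = ("remove", "adopt")  # hypothetical policy names for this example


@dataclass(frozen=True)
class BackendRole:
    name: str
    # Assumption: the backend read marks HR-ORG derived (indirect) assignments,
    # which the thread says IdM does not touch.
    indirect: bool = False


@dataclass(frozen=True)
class Plan:
    remove_from_backend: tuple   # direct backend roles IdM does not know
    adopt_into_idm: tuple        # backend-only roles to record in IdM instead
    missing_in_backend: tuple    # IdM roles the backend lacks
    replace_all_payload: tuple   # complete direct role list for a replace-all call


def plan_user(backend, idm_roles, idm_pending=(), policy="remove"):
    """Compare one user's backend roles with IdM and plan the clean-up."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    idm_roles, idm_pending = set(idm_roles), set(idm_pending)
    direct = {r.name for r in backend if not r.indirect}
    backend_only = direct - idm_roles - idm_pending
    # Assumption: a role that is pending in IdM and already present in the
    # backend stays in place until IdM has decided on it.
    target = idm_roles | (direct & idm_pending)
    if policy == "adopt":
        target |= backend_only
    return Plan(
        remove_from_backend=tuple(sorted(backend_only)) if policy == "remove" else (),
        adopt_into_idm=tuple(sorted(backend_only)) if policy == "adopt" else (),
        missing_in_backend=tuple(sorted(idm_roles - direct)),
        replace_all_payload=tuple(sorted(target)),
    )


def users_with_extra_roles(backend_by_user, idm_by_user, pending_by_user=None):
    """Users holding direct backend roles that IdM neither has nor has pending."""
    pending_by_user = pending_by_user or {}
    drifted = []
    for uid, roles in backend_by_user.items():
        plan = plan_user(roles, idm_by_user.get(uid, ()), pending_by_user.get(uid, ()))
        if plan.remove_from_backend:
            drifted.append(uid)
    return sorted(drifted)


# Constructed sample data: JDOE has role A only in the backend, IdM assigns B.
BACKEND = {
    "JDOE": [BackendRole("Z_ROLE_A"), BackendRole("Z_ROLE_HR", indirect=True)],
    "ASMITH": [BackendRole("Z_ROLE_B")],
}
IDM = {"JDOE": {"Z_ROLE_B"}, "ASMITH": {"Z_ROLE_B"}}

if __name__ == "__main__":
    for uid in users_with_extra_roles(BACKEND, IDM):
        print(uid, plan_user(BACKEND[uid], IDM[uid]))
        print(uid, plan_user(BACKEND[uid], IDM[uid], policy="adopt"))
```

With the "remove" policy the payload for JDOE carries only role B, which is the overwrite described in this thread; with "adopt" role A is recorded in IdM first and survives the replace-all call.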
Role assignments not set in ABAP but IdM indicates OK status
Hi,
We went live with IDM 7.2 SP8 last month. We have started to see issues with Business Role assignments in target systems. Generally, BR assignments are parsed to respective privileges and assigned correctly. Sometimes privileges in one target will get assigned but not in another target. Occasionally assigning privileges to one target does not get through either. In all cases the IdM assignment is marked as 'OK', but when we check the backend the assignment is not there. Log entries don't show any jobs triggered for the target that failed to update (and consequently there are no log entries in that target either). But why would IdM mark the specific privilege as 'OK' status -- it should either remain 'Pending' or 'Failed' but certainly not 'OK'.
This effect is inconsistent -- it works correctly at times and fails at others -- increasingly more failures. There is nothing different about the users or environment. We see this in ECC, BW, GTS, etc. We have 36 prd and non-prd linked systems. Initially we thought this only affected prd systems as BR's only have prd privileges and the PRD targets are load-balanced. For non-prd systems the assignments are direct privileges, not BRs, and they are not load-balanced. We are now seeing this behavior in all environments for BR's or direct privilege assignments, in prd and non-prd targets.
Since BR's have approvers we cannot remove BR's and re-assign in production. So for non-prd targets we have removed the privileges, those that indicated 'OK' but did not get set in the target, and reapplied -- the privileges get deleted successfully without any corresponding job being triggered and then when we re-add it the assignment goes into 'OK' status without any job being triggered.
When we tried assigning another user the same privileges it went through fine to the target and IDM marked 'OK' -- exactly as it is supposed to work (non-prod privileges have no approvals).
We are not able to re-produce this in our DEV environment -- the targets are non-load balanced. The assignments work consistently, both BR's and privileges.
Has anyone seen such behavior by IdM?
Thanks for your thoughts.
Ashok
Hi,
Thanks for the suggestion. But ours was a different problem.
The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
Best regards,
Ashok
-
Can I delete an icloud account from apple's system with out password
My mom is 88. Apple help desk got her set up for an iCloud account she did not need because they misunderstood the nature of help she needed. It is a second unnecessary account and is wreaking havoc with her iPad. My mom cannot remember her password. How can I permanently remove the account from Apple's system?
Apple IDs (which are used to establish various types of accounts like icloud and itunes store) cannot be permanently deleted, nor can the accounts. Just don't use the account in question if you don't want it.
If this is about icloud, then on her ipad, Go to Settings>icloud, scroll to bottom of screen and tap Delete Account. In the future she can always log back in. If she needs to do this, then to deal with a forgotten password...
Try the following link to reset your password.
https://iforgot.apple.com
-
Navigating directly from ECC(ABAP) to CRM UI Work Center/Link
Hi gurus,
I tried searching and couldn't find a relevant answer so I hope someone can help. We'd like to go directly from an ECC custom transaction we use to view our inventory and navigate directly to a specific work center/logical link within the WebUI that will display some custom development we've done to streamline the quote entry process. Parameters are passed from the inventory transaction and then pre-populated into a custom screen we developed.
I've seen tons of documentation on launching R/3 transactions from within WebUI and I know how to go directly to a specific object using a formatted URL but I can't find any info on going directly to a specific work center menu entry and/or a direct logical link from within ABAP.
Can anyone shed some light on this? Thanks in advance.
Hi James,
I am working on some navigation issue myself and posted this ("Direct URL access to a component usage") in the forums today. It might just help you:
SAP has at least some documentation on this one. It is freely available from the Service Market Place (https://websmp203.sap-ag.de/crm-inst). DirectLink: https://websmp203.sap-ag.de/~sapdownload/011000358700001715762008E/Cookbook_Ex_Comp_CRM2007.pdf
In the document mentioned above is a way to create a URL to the WebClient directly opening a specific UI Component in the UI Frame.
You could even open this one in an HTML control inside your transaction.
cheers Carsten
-
Can I delete song file directly from iTunes?
Currently if I want to delete any songs from my HDD I have to:
○ Right click the song in iTunes.
○ Click "Show in Windows Explorer".
○ Delete the file.
○ Delete song in iTunes library.
◙ And repeat it all if there are more than one song I need to delete.
Is there any way to delete files from iTunes directly?
Stuwawah wrote:
You can but in order to be able to do it directly from iTunes, the song/songs need to be stored in the "iTunes folder" in your media directory or the Default folder to chose Under:
** Preferences -> Advanced -> Itunes Media folder location
That is not accurate.
I do not keep my media in the iTunes folder because I personally cannot stand the way iTunes manages the folders.
I am able to delete media from my computer via iTunes by simply selecting delete and then selecting the option to let iTunes remove it from the drive.
-
Password Replication to LDAP from SUS (ABAP system)
Hi,
We have integrated ABAP (SUS) system with LDAP. We want to replicate all the user accounts created in SUS to LDAP (both user id and password). We need this password in LDAP because LDAP is used for authentication when the user is logging in from outside the company by ISA server (reverse proxy server) and when the users are logging in internally from the network they will be authenticated against SUS system directly. So we need the user account created at both places with password.
Any help around this topic is much appreciated.
Thanks & Regards,
Seshu
Hi Yaramala Reddy,
I have done Synchronization of users created on ABAP with LDAP directory.
You can use LDAP tcode or LDAPMAP tcode to do the required settings for mapping the SAP User Data fields to the LDAP directory attributes.
Once the mapping is defined, then run the report RSLDAPSYNC_USER which will replicate all the users created on the ABAP side or vice versa.
You can also schedule the report daily as a background job for delta synchronization.
Hope this helps.
Regards,
Kiran Kandepalli.
-
Upgrade direct from 9i File System DB to 10g ASM instance
Can I upgrade from a 9i file system based instance directly to a 10g ASM based instance? without the middle step of a 10g file system instance.
Thanks
MN
The minimum compatibility for ASM storage system is 10.1.0, it is not possible to manage 9i instances in ASM, and there is no way to waive the 10g migration requirement.
If you are planning to use 10g ASM storage then you will have to migrate or upgrade your database to 10g first. Next you will have to move your datafiles, control and log files into the ASM storage.
0. Configure your +ASM instance
1. Upgrade to 10g (Upgrade procedure) or Migrate (exp from 9i/imp to 10g)
2. In case you upgraded then use RMAN as stated in the below given reference to move your datafiles to the ASM instance, or if you created the database in 10g make sure you defined +ASM as the default storage mechanism
Ref. Oracle® Database Backup and Recovery Advanced User's Guide
10g Release 2 (10.2)
Part Number B14191-03
Chapter 16.
http://download.oracle.com/docs/cd/B19306_01/backup.102/b14191/rcmasm.htm#i1016581
~ Madrid
http://hrivera99.blogspot.com
-
Importing Data from an ABAP system - JOB Initial Load - IDM 8.0
Hello all,
I got the error during the execution initial load job:
Value not legal for this attribute:Attribute: MX_USERTYPE" when storing attribute 'MX_USERTYPE=A'
Value not legal for this attribute:Attribute: MX_DATEFORMAT" when storing attribute 'MX_DATEFORMAT=1'
I have executed the job read value help content before start initial load job.
Could anyone explain if this attribute should be created manually in mxi_AttrValueHelp table before run the initial job?
Thanks
Hello Rafael,
There is a possibility that you have encountered a problem that we had with the language translations for the attribute values.
I would like to ask you to check one file content: could you try to open the language translations file: this should be located under ICCORE -> Database Schema -> SQL-Server -> 9-language-data.sql
There is a chance that this file is "broken". If so - we have fixed this specific problem in the Designtime Component patch 2 (now 3 is also available) - so you would need to update to this one.
You could also take a look at the table for the attribute values help - via executing "select * from mxi_attrvaluehelp".
Kind Regards,
Rali
SAP Identity Management Development
-
How do I delete songs directly from my iPhone 5s?
How can I delete specific songs directly from my iPhone 5s? I do not have a personal computer to download the iTunes app. I need to make room for the new iOS 8.0 update.
You can delete individual tracks by swiping/dragging across them from right-to-left on the song selection screen in the Music app. But check that the single/album is still available in your country's store, if the rights-holder has removed it then you won't be able to redownload it (and similarly if you delete any apps, films etc, they could also have been removed from the store)
-
Delete a .csv file from desktop system
Hi All,
My requirement is to read the .csv file from the desktop system having the shared folder and delete the file after read successfully.
Here I can read the .csv file from the location using the function RFC_REMOTE_FILE and updated the content into internal table.
But I can't delete the file from the presentation server (Desktop system).
Can anyone tell me how to delete the .csv file from the desktop system on different location.
Note:
I followed this link to read file:
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/9831750a-0801-0010-1d9e-f8c64efb2bd2&overridelayout=true
Hi Rob,
Thanks. I solved this problem myself.
The solution to delete the file from remote system is
  " Build the OS command line that is executed on the remote host.
  concatenate 'DEL' i_filename i_dirname into v_bkfile separated by space.
  " Run the command through the RFC destination c_dest.
  call function 'RFC_REMOTE_EXEC'
    destination c_dest
    exporting
      command               = v_bkfile
    exceptions
      system_failure        = 1 MESSAGE v_ermsg
      communication_failure = 2 MESSAGE v_ermsg.
-
Pushing data from abap system to SLD
Hello,
I am pushing data from my abap system to SLD.
Job SAP_SLD_DATA_COLLECT is successfully finished but the job SAP_LMDB_LDB_0000000001. is not visible in sm37 in solman.
Hence technical system is not visible in LMDB.
Please guide me
Thanks and Regards,
Akshay
Hi Akshay
I hope you had made sure that in SM61 you have assigned batch servers for the jobs.
Can you try to sync your LMDB with SLD once. There is option in LMDB to sync the data, Just see if you are getting the technical system details.
Also, please check the RFC destination with ICM port if it is stable.
RFC LMDB_SyncDest<X> is using ICM Port 80<NR>
You can proceed as below
Please De-Activate the Sync Job in Solman_Setup -> System Preparation -> Prepare Landscape -> Set Up LMDB.
Execute transaction 'SM59'.
Locate the HTTP Destination -> 'LMDB_SyncDest<X>'.
Switch to Edit mode.
Change the Service No to 5<XX>00 where XX is the instance number.
Then make sure the Authorization and Connection test are working.
Then Re-Activate the synch job, via Solman_Setup -> System Preparation -> Prepare Landscape -> Set Up LMDB
Apart from that, can you check below note if it is applicable for you
1615263 - LMDB: Incremental Content Sync Job remains "Scheduled"
Regards
Rishav
-
Exposing WebService directly from ABAP Class not from BAPI
Hi guys,
is it possible to expose a Webservice direct from an ABAP OO-Class?
I know the possibility to do it for RFC enabled function modules but I think it is no good coding style to call ABAP-OO-Methods using RFC-Module only for providing them as methods of a WebService...
Is there anyone who has experience in that area?
Thanks in advance.
Best regards
André
Hi Micky,
thanks for your answer. But the WS-Call are OO codings and the class is OO coding. From my point of view it is not a good style using an RFC function module as "middleware" between OO-Classes.
However, if it is not possible I have to live with the possibilities SAP provides.
regards
André
-
Deleting invalid role assignments
Hello,
is there a way to delete role assignments automatically if the validity period is out of date? I know that you can do it manually via transaction SU01/SU10 but maybe there is a report that recognizes if there are invalid assignments.
Kind regards
Hello Dennis,
As pointed out by Juan standard SAP does not provide that functionality. However I guess you can do that by writing a simple update report.
Look out for AGR_USERS table as data source.
Regards
Ruchit.
-
How to delete the structure created from Tx: EEWB ?
Hi SAP Gurus
I have an issue at hand. I have added three components in the structure BUS000___I and the components are ZZ1, ZZ2, ZZ3, I was following the EEWB wizard and from there these three components were made, now I cannot delete these components directly from SE11. Because after adding these components the system is not allowing me to do so and is asking for the access code.
I am getting a syntax error in all the tx where Business Partner is used. No old versions for this structure was found in the system. The only structure that has come into this BP structure is ZBSTC0000000000 followed by three data elements of this structure.
I know the Project and the enhancement that was created and I have tried deleting the enhancement from EEWB but when i try deleting it, it always fall into an intermediate stage where it leaves some entries and due to these left over entries these errors are coming.
Another imp thing is that the structure that i have reported is a newly created one I cannot find this anywhere else. looks like this structure was created after executing the EEWB transaction only.
Now when I try activating the enhancement again the magic wand button used to activate an enhancement and the generate button is also inactive in EEWB and now it is not getting activated, even after rt click enhancement then clicking change or by clicking on the edit-change button on the top tool bar. Do you think if I create another enhancement this button might get activated?
Please let me know how do I delete these components.
Kindly reply at the earliest.
Regards,
Amit
Hi, I had the similar problem (and here the solution):
Specification: Deletion of EEWB fields manually, error in middleware bdoc,
Short text
Deletion of EEWB fields manually, error in middleware bdoc,
Long text
BDOC-Error from function module BAPI_CRM_SAVE. no further using of the
middleware for sales activities (sales order) possible.
see steps for reconstruction
Steps for reconstruction
what done before:
- added one field via transaction code EEWB to business object
SALES_TRANSACTION (Verkaufsvorgang), "Erweiterungstyp CUSTOMER_I
(Positions-Zusatzextension erweitern) with one existing data element
type Z_, Geschäftsvorgangstypen = Verkauf
no selection of "Datenaustausch mit den Mobile Clients",
"Datenaustausch mit R/3 Supply Chain Execution" or
"Business Information Warehouse".
- deleted the extension manually, deleted the eewb project manually
(successful)
- got a short dump on saving a sales order via transaction code
CRMD_ORDER:
dump type: LOAD_TYPE_VERSION_MISMATCH
Der Abbruch trat im ABAP-Programm "SAPLCRM_UPLOAD" auf, und zwar in
"CRM_UPLOAD_BUS_TRANS_MSG". Das Hauptprogramm war "CRM_1O_FRAME ".
Im Quelltext befindet sich die Abbruchstelle in Zeile 5
des (Include-)Programms "LCRM_UPLOAD$18".
(bei Anwahl des Editors: 50) der ABAP-Source "LCRM_UPLOAD$18".
000040 *********************************************************
FUNCTION $$UNIT$$ CRM_UPLOAD_BUS_TRANS_MSG
000060
000070 IMPORTING
000080 REFERENCE(IV_GUID) TYPE !CRMT_OBJECT_GUID
000090 EXPORTING
000100 REFERENCE(ES_BDOC_HEADER) TYPE !SMW3_FHD
000110 REFERENCE(ES_BDOC_MESSAGE) TYPE !/1CRMG0/BUS_TRANS_MSG
000120 REFERENCE(ES_BUS_TRANS_MSG) TYPE !BAD_BUS_TRANSN_MESSAGE
000130 EXCEPTIONS
000140 !ERROR_OCCURED .
- re-generation of a lot of function modules
(e.g. CRM_UPLOAD_BUS_TRANS_MSG)
and some corresponding structures (e.g. CRMT_CUSTOMER_I_COM)
- fixed the short dumps with this generation
Current Errors:
- the crm middleware (mBdoc) cannot copy sales orders from crm to r/3
- via transaction code CRMD_ORDER i copy an existing sales order and
save or try to change just one field and save.
- saving is successful (message type s), but on changing again, the
order is locked by middleware
- bdoc in transaction SMW02 is on state yellow "An Empfänger gesendet
(nicht alle haben bestätigt) BUS_TRANS_MSG"
- in transaction code SMW02 occurs:
Mdt Benutzer Funktionsbaustein Queue-Name
100 CPIC_FILO BAPI_CRM_SAVE R3AD_SAL_ERR
Datum Zeit
12.04.2007 17:52:10
Statustext
Inkonsistenz zwischen den DDIC-Typen CRMT_CUSTOMER_I_COMT und ABAP-
genera
SOLUTION:
re-generation of *ALL* code which uses structure CRMT_CUSTOMER_I_COMT had solved it.