Filter condition in ABAP Initial Load Job

Similar Messages

• Filter on SAP ABAP Initial Loads

  Hi all,
  I'm trying to put a filter on the pass "ReadABAPuser" of an ABAP Initial Load. My SAP ABAP System has over 10000 users and I need only part of them.
  I tried so to add "FILTER" entry (as on ReadABAProle for example) on Source tab of the pass "ReadABAPuser" with value "A*".
  But seems the pass does not make attention of this FILTER and still request the full user list.
  Do you have met this issue ?
  Thanks for your help,
  Benjamin

  Hi Benjamin,
  well, I've never worked with the pass attribute FILTER for the pass type "FromSAP". Therefore, I'm not sure about the following -  but maybe it's a starting point for further investigation... 
  I believe that it works differently for different data types:
  Roles: simple filter value which filters for the role name (you can use *)
  Roles, if you connect to a CUA central system: not supported
  Users: it seems to work with a multivalue name=value syntax.
  Conclusion: I guess it is easier to filter users in the source tab of the ToPass "WriteABAPUsers".
  Kind regards
  Frank Buchholz

• Error when we are running the job "AS ABAP - Initial Load" for a ABAP Syste

  Hi,
  We are getting the below error when we are running the job "AS ABAP - Initial Load" for a ABAP System.
  Pls note that we have maintained the below entry types to the Identieny Store & we are still getting the error.
  Request you to help me
  MX_TITLE_SUPPLEMENT
  MX_SALUTATION
  MX_NAME_PREFIX
  MX_ACADEMIC_TITLE
  Error----
  runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_ACADEMIC_TITLE!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_ACADEMIC_TITLE' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_ACADEMIC_TITLE!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_ACADEMIC_TITLE' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_NAME_PREFIX!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_NAME_PREFIX' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_NAME_PREFIX!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_NAME_PREFIX' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_SALUTATION!!Mr.!!EN)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_SALUTATION' AND ValText = 'Mr.' AND ValLocale = 'EN') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_TITLE_SUPPLEMENT!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_TITLE_SUPPLEMENT' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_ACADEMIC_TITLE!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_ACADEMIC_TITLE' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_ACADEMIC_TITLE!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_ACADEMIC_TITLE' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_NAME_PREFIX!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_NAME_PREFIX' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_NAME_PREFIX!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_NAME_PREFIX' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_SALUTATION!!Mr.!!EN)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_SALUTATION' AND ValText = 'Mr.' AND ValLocale = 'EN') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error runFunctionsInString($FUNCTION.sap_getHelpValKey(MX_TITLE_SUPPLEMENT!!)$$) got exception
  org.mozilla.javascript.EvaluatorException: uSelect(select ValKey from dbo.mxi_attrvaluehelp where ValId = 'MX_TITLE_SUPPLEMENT' AND ValText = '') got exception java.sql.SQLException: ORA-00942: table or view does not exist
  Error putNextEntry failed storingMANJUHB
  Exception from Add operation:com.sap.idm.ic.ToPassException: ToIDStore.addEntry failed storing entry 'MANJUHB'. IDStore returned error message: " Value not legal for this attribute:Attribute: MX_ACADEMIC_TITLE_2" when storing attribute 'MX_ACADEMIC_TITLE_2=$FUNCTION.sap_getHelpValKey(MX_ACADEMIC_TITLE!!)$$'
  Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed updating entry 'MANJUHB'. IDStore returned error message: "Entry does not exist" when fetching entry

  The Probelm was resolved after editing the Script..... "sap_getHelpValKey.js"

• Connection Refused Error while running AS ABAP Initial Load

  All,
  I've never connected SAP NW IdM to an actual SAP system before, and I feel like I'm missing some obvious step of configuration, but I can't figure out what.
  We are in the process of trying provision user accounts to our SAP ABAP systems. My first step was to try to read all of the existing accounts from the ABAP system:
  Our Basis team created me a Communication user with the proper authorizations (I ensured that the authorizations included in SAP_BC_SEC_IDM_COMMUNICATION)
  I created a repository using the SAP NewWeaver AS ABAP (Specific Application Server) Repository Template (No CUA, No SNC) using that user's credentials
  I then used the Job Wizard and used the job template AS ABAP - Initial Load, specifying my repository above.
  When I run the job I get the following:
  Initializing SAP connection with parameters:
  com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server failed Connect_PM MSHOST=<IPADDRESS>, R3NAME=<SID>, GROUP=PUBLIC LOCATION CPIC (TCP/IP) on local host ERROR partner not reached (host <IPADDRESS>, service sapms<SID>) TIME Wed Jun 01 13:54:36 201 RELEASE 640 COMPONENT NI (network interface) VERSION 37 RC -10 MODULE nixxi_r.cpp LINE 8840 DETAIL NiPConnect2 SYSTEM CALL SiPeekPendConn ERRNO 10061 ERRNO TEXT WSAECONNREFUSED: Connection refused COUNTER 1
  Error Init failed
  I'm running SAP NW IdM 7.1 SP5 on Windows Server 2003 with MSSQL 2005. The ABAP server is on a UNIX box with an Oracle 10.2 dB.
  Is there additional configuration that needs to take place on the ABAP side to accept the connection?
  I've tried to find documentation on this, but have been unsuccessful. If someone could point me to the correct documents, or at least point me in the right direction for troubleshooting, it would be greatly appreciated.

  Ankur,
  Looks like the endpoint URL of the webservice is not updated and still pointing to the localhost. Try changing it to http://<ip_addres_of_your_server>:7101..... and see if it works fine then.
  -Arun

• GRC-IDM initial load job not enriching one system's privs

  Hi GRC Experts,
  We have integrated IDM 7.1 and GRC 5.3 and tested provisioning to one target system in DEV; this worked perfectly; when testing a similar configuration in Quality, we were setting up the system, and had to run the IDM-GRC Initial Load job in order to enrich the imported privileges for use with GRC AC 5.3; in the Quality system, instead of just connecting to 1 target system, we have connected to 5 ABAP systemes, ECC, PI, POSDM, BW & SRM; for some strange reason when performing the GRC-IDM Initial load job 4 of the target system's privileges get enriched, while the ECC system's privileges aren't getting enriched; I would say through random sampling all ECC profiles are getting enriched but none of the ECC privileges are getting enriched; why could this be happening? we've tried running the ECC Initial Load job  and then the GRC-IDM initial load job about 8-10 times but with no luck; the set of privileges we're investigating are still not enriched; we also ran the GRC CUP role load job, also selecting the option to over-write all existing roles in the system; via this method the CUP roles have been refreshed twice so far, but running the GRC-IDM initial load job even after refreshing the ECC system's privileges in CUP has had no effect whatsoever, all ECC privileges are still left to be enriched, but strangely enough the ECC Profiles have been enriched.
  Any clues as to why this could be happening? We've checked and re-checked and there is no filtering or delta being applied to any of the passes, so it really makes no sense. Is there something we should be doing apart from what we've already done? Would greatly appreciate your help with this!
  Thanks a lot in advance!
  Best regards,
  Sandeep

  What you could do is simply add the attributes by a background job to the privileges. This works fine in most cases. You need to be sure that GRC knows the role and then it is fine. The load only adds those 2 privileges and does nothing of any deeper complexity.
  MX_AC_ROLEID = <rolename>
  MX_APPLICATION_ID = <system name>

• IDM: AS ABAP - Initial Load

  Hi,
  I have installed IDM server and completed all the initial configuration steps.
  I have created repository which connects to the IDES server using the template SAP Netweaver AS ABAP (specific application server).
  Now i am running initial load for that repository but nothing is happening. I cant see any job log,system log for that initial load.
  I have created another blank test job , which i execute and running fine.I can see the log of that blank job.But nothing is there for the job Initial Load.
  schedule rule : on demand and i am executing it by clicking on RUN NOW. If i see the status of the job it shows idle.
  Can you please help me in this?
  Edited by: Abhilashak on May 5, 2011 9:13 AM

  First, make sure it is set to use the correct dispatcher.
  Second, go to the Status area for whatever folder that job is in. It should list all jobs for that folder, and any jobs that are "queued" will be bolded.
  If it is bolded (it probably will be), it means that the job is queued to run but the dispatcher isn't running it for some reason. In that case, it could be the dispatcher it is set to run on isn't configured properly... Not sure what else would cause that.
  I'm talking about this status area:
  http://min.us/mvjy3gm

• Error AS ABAP initial load

  At my initial load AS ABAP, the following error showed up:
  putNextEntry failed storingS_A.SHOW
  Exception from Add operation:com.sap.idm.ic.ToPassException: ToIDStore.addEntry failed storing entry 'S_A.SHOW'. IDStore returned error message: " No such attribute:Attribute: ACCOUNTM23_ME5" when storing attribute 'ACCOUNTM23_ME5=S_A.SHOW'
  Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed updating entry 'S_A.SHOW'. IDStore returned error message: "Entry does not exist" when fetching entry
  This error message affects all users. Where can I add the missing attributes?
  Thanks for your help!!!

  Gerhard,
  Could you please share the solution?
  Thanks.

• Regarding ABAP initial load errors

  hi experts
  I have below errors left while doing Initial load for AS ABAP as follows
  Error type 1:
  Error :runFunctionsInString($FUNCTION.sap_encryptPassword()$$) got exception - Exception:org.mozilla.javascript.JavaScriptException: java.lang.UnsupportedOperationException: java.lang.ExceptionInInitializerError
  I referred page 37  in System landscape configuration guide. but could not understand what and where password has to be set.
  Could you please suggest me how to solve this two problem.
  Also i would like to know where the Users, roles,profiles will be written in Identity store.
  regards

  hi guys
  Regardless of this error, i got the users/profiles/roles written in Identity center, i am able to see in monitoring webpage.
  But how to solve this error is my concern...appreciate if you can give me some ideas
  regards

• SAP IDM 7.2 SP09 initial load jobs error

  Hello IDM experts
  We are getting below error while loaidng initial jobs in IDM 7.2 SP09
  java.lang.Throwable: java.lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'JCO.nativeInit(): Could not initialize dynamic link library sapjcorfc [C:\Windows\System32\sapjcorfc.dll: Can't find dependent libraries]. java.library.path [C:\Program Files (x86)\Java\jre1.8.0_40\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\;C:\j2sdk1.4.2_17-x64\bin\;C:\Program Files (x86)\Microsoft SQL Server\100\DTS\Binn\;;.]
  Could you please help us
  Thanks
  Krishna Gompa

  Hi Krishna,
  Seems to be something wrong with the JCO installation.
  Check this: scn.sap.com/thread/2071966
  Regards,
  Ole K.

• ABAP - CUA : Initial load : too many records in the CUA?

  We are running :
  SP03 for IDENT. CENTER DESIGNTIME 7.1 Patch 0
  SP03 for IDENTITY CENTER RUNTIME 7.1 Patch 1
  SP03 for NW IDM IC UIS 7.00 Patch 1
  We have connected our customer's CUA system to IdM : we created an Identity Store called 'SAP_Master', created the CUA repository, defined the required attributes as defined in the guide 'IDM 7.1 - IdM For SAP Systems - Configuration 7-3.pdf', created the jobs based upon the templates etc. The dispatcher used has 'run provisioning jobs' disabled.
  On our sandbox server, when we connect to our sandbox CUA system (CUA_YS5_200), everything is ok, the 'AS ABAP - Initial load' job with only 'ReadABAPRoles' enabled, runs fine.
  On our QA system, when we connect to our 'production' CUA system (CUA_YP0_400), the 'AS ABAP - Initial load' job with
  only 'ReadABAPRoles' enabled, finished with message 'could not start job, rescheduling'. Since there is a huge number of records (we looked it up in the system : 311.679 records), we decided to switch on parameter 'bootstrap job'. Now the result is that it takes forever, after half a day the job is still running. In the database, table 'sapCUA_YP0_400role' is still completely empty (no records). Therefore, it seemed interesting to connect our QA IdM system to our development CUA system (CUA_YS5_200). After a while, the exact same job has finished and table 'sapCUA_YS5_200role' contains 18.580 records.
  After some additional testing, we might have discoved the cause of the issue could be that the number of records in our CUA is too big.
  In the java code of the fromSAP pass there are 2 calls to the SAP system for reading the roles into Idm. The first one reads table USRSYSACT (311.000 records), the second one reads table USRSYSACTT (1.000.000 records). All these records are stored into a java hashmap - we think that 1 million records exceeds the hashmaps capability, although no java error is thrown.
  When we debug the functionmodule RFC_READ_TABLE and change the rowcount to 100.000 then everything works fine. When we set the rowcount to 200.000 the java-code does not generate an error but the job in idm never
  ends...
  When running functionmodule RFC_READ_TABLE in the backend system the 1.000.000 records are processed in less than one minute. So apparently, the issue is related to the processing in the Java code.
  Java Dispatcher heap size is set to 1024.
  Anybody already came accros this issue?
  Thanks & best regards,
  Kevin

  Installing the patch, re- importing the SAP Provisioning framework (I selected 'update') and recreating the jobs didn't yield any result.
  When examining pass 'ReadABAPRoles' of Job 'AS ABAP - Initial Load' -> tab 'source', there are no scripts used .
  After applying the patch we decided anyway to verify the scripts (sap_getRoles, sap_getUserRepositories) in our Identity Center after those of 'Note 1398312 - SAP NW IdM Provisioning Framework for SAP Systems' , and they are different
  File size of SAP Provisioning Framework_Folder.mcc of SP3 Patch 0 and Patch 1 are also exactly the same.
  Opening file SAP Provisioning Framework_Folder.mcc with Wordpad : searched for 'sap_getRoles'  :
  <GLOBALSCRIPT>
  <SCRIPTREVISIONNUMBER/>
  <SCRIPTLASTCHANGE>2009-05-07 08:00:23.54</SCRIPTLASTCHANGE>
  <SCRIPTLANGUAGE>JScript</SCRIPTLANGUAGE>
  <SCRIPTID>30</SCRIPTID>
  <SCRIPTDEFINITION> ... string was too long to copy
  paste ... </SCRIPTDEFINITION>
  <SCRIPTLOCKDATE/>
  <SCRIPTHASH>0940f540423630687449f52159cdb5d9</SCRIPTHASH>
  <SCRIPTDESCRIPTION/>
  <SCRIPTNAME>sap_getRoles</SCRIPTNAME>
  <SCRIPTLOCKSTATE>0</SCRIPTLOCKSTATE>
  -> Script last change 2009-05-07 08:00:23.54 -> that's no update !
  So I assume the updates mentioned in Note 1398312 aren't included in SP3 Patch 1. Manually replaced the current scripts with those of the note and re- tested : no luck. Same issue.
  Thanks again for the help,
  Kevin

• Importing Data from an ABAP system - JOB Initial Load - IDM 8.0

  Hello all,
  I got the error during the execution  initial load job:
  Value not legal for this attribute:Attribute: MX_USERTYPE" when storing attribute 'MX_USERTYPE=A'
  Value not legal for this attribute:Attribute: MX_DATEFORMAT" when storing attribute 'MX_DATEFORMAT=1'
  I have executed the job read value help content before start initial load job.
  Could anyone explain if this attribute should be created manually in mxi_AttrValueHelp table before run the initial job?
  Thanks

  Hello Rafael,
  There is a possibility that you have encountered a problem that we had with the language translations for the attribute values.
  I would like to ask you to check one file content:  could you try to open the language translations file: this should be located under ICCORE -> Database Schema -> SQL-Server -> 9-language-data.sql
  There is a chance that this file is "broken".  If so - we have fixed this specific problem in the Designtime Component patch 2 (now 3 is also available) - so you would need to update to this one.
  You could also take a look at the table for the attribute values help - via executing "select * from mxi_attrvaluehelp".
  Kind Regards,
  Rali
  SAP Identity Management Development

• Initial Load from ABAP Failed

  Hi.
  Initial load from ABAP described in following PDF document failed.
  Identity Management for SAP System Landscapes: Configuration Guide
  http://service.sap.com/~sapidb/011000358700001449662008E
  System log Error
  lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'
  JCO.nativeInit(): Could not initialize dynamic link library sapjcorfc [C:\WINDOWS\system32\sapjcorfc.dll: Can't find dependent libraries]. java.library.path [C:\Program Files (x86)\Java\j2re1.4.2_16\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;......
  Environment is
  IdM 7.1
  NW AS JAVA 7.0 SP 17
  Windows 2003 Server 64bit
  SQL Server
  Any help will be most appreciated !

  Hi You Nakamura,
      We are facing the same problem during AS ABAP - initial load with the same error message.
  I downloaded the msvcp71.dll file and placed it in System32 folder. But the problem remains the same (even after server restart).
  The system log shows the same error message and no entries in job log.
  Please let me know if you had followed any different way to install the dll file.
  Regards,
  Vijay.K

• Error in ABAP inital load

  Dear Expert,
  Find the below error while executing the job from identity center "ABAP INITIAL LOAD",
  lang.ExceptionInInitializerError: JCO.classInitialize(): Could not load middleware layer 'com.sap.mw.jco.rfc.MiddlewareRFC'
  JCO.nativeInit(): Could not initialize dynamic link library sapjcorfc. Found version "2.1.9 (2010-01-28)" but required version "2.1.8 (2006-12-11)".
  JCO 2.1.8 is no longer supported and it is not available for download from SMP.
  The second problem, I face is "Workflow" tab in the identity center, after applying SP4 also could not see the tab.
  Any lead on this highly appreciated.
  Thanks
  Ahamed

  Hi,
  Sorry for hacking the thread .. Actually we are also on same boat, We are implementing SAP Netweaver IDM 7.1 SP5 and facing similar issue with ABAP Initial load .
  I had given a broad search in Google and even in SMP but not able to get the correct version(2.1.8).
  May be you can help .
  Regards,

• Privileges getting removed during initial load

  Hi All,
  I was performing initial load,There is no error as such in initial load however privileges are removed from backend but available on IDM , any changes perform to identity all roles are provisioning to back end system.
  When i have googled it , I have found few good links(http://scn.sap.com/thread/3400455) which says issue is fixed in IDM 7.2 SP8 ,however i am using SP8 but still facing same issue.
  I have attached current version of Provisioning framework which is been used .... Please let me know it is right version.
  Secondly, I have also attached script & version of IDM , Please advice on it.
  Regards,
  Ali

  Hi Ali,
  I have seen and experienced this before.  If you are doing an initial load when the users are already in the system, you may well experience this since the load job is overwriting what your users have.
  Take a look at this blog post I wrote:  Setting Write Permissions on ABAP Initial Loads.
  I think it might help point you in the right direction.
  Thanks,
  Matt

• Handling password while initial load process

  Dear Experts,
  This is about password handling in IDM. While doing initial load, I do not want to bring passwords from my target systems (AD/SAP) into IDM.
  So which password(s) the users will use to login into target systems (AD/SAP) after initial load ? What can be achieved with pass "update system privilege trigger attribute" which is available in initial load job ?
  Is it something like, IDM creates a default password on initial load which is sent back to target systems(from which initial load was done) which changes the password for the target systems to this new default password ?
  Can we handle this default password being sent to target systems with the help of this pass "update system privilege trigger attribute" in initial load? so that this default password is not sent to target systems ??
  So if the default password is not sent back to target systems after initial load, then users will keep using their existing passwords for their login in the target systems. After that, If I need to assign UMEJAVA only privilege to the users, the password for the target systems will be changed with the default password being sent on email to the users. Since the password on AD is now changed, how the users gonna login into AD to check their emails for the
  new password ?
  It seems I have written a BIG query here .... sorry for that. But please let me know if any thing above does not make any sense.
  Also please share your views/expertise/best practice on the same.
  Many thanks in advance!
  Naveen
  Version: IDM 7.2

  Hi Naveen,
  Firstly to answer your query on what basis we decide he backend type for your UMEJAVA repository, its the business. If you want users to authenticate against AD, when they try to login to IDM UI, you have to configure the LDAP as backend and you have to choose datasource as Microsoft ADS (Deep Hierarchy) + Database (ume database).
  If you want the Users to authenticate against UME database, by default ume points to UME database and you need to create the users in the UME database.
  So, if you have configured AS JAVA with ADS+Database, in IDM you have to select the repository as SAP netweaver as Java (ldap backend)
  In the repository constants, there is an attribute called BACKED_REPOSITORY which should be your AD repository name that is configured.
  If you have a look at the AS JAVA connectors in the provisionign framework, in the create user plugin, IDM first checks for backend type. If it is LDAP backend, it just sets the JAVA account attibute, If the backend type is DB, IDM will create the user in the UME database.
  Considering your system details, i would suggest you the below approach.
  1. Configure your UMEJAVA with Microsoft ADS (Deep Hierarchy) + Database (ume database). For more information on how to configure your     
      UMEJAVA with LDAP backend refer to this link
  2. So, now the users who try to login to IDM UI or any app on AS Java, will be authenticated against your active directory.
  3. Perform the initial load from HR.
  4. Perform the initial load from AD.
  5. Perform the initial load from you AS UMEJAVA.
  6. Now, all the user information/role assignment information is loaded to IDM.
  7. Now lets discuss about password management. There are two things here
    a. Change password (by user)  - User changes password in IDM --> password changes are provisioned to AD and user can login with new password.
    b .Password reset self service. - User resets password in IDM --> password changes in AD (as UME is configured to use AD)
  Change password (by user)
  By default the users who are successfully authenticated when they try to login to IDM UI, will get access to self-services tab. To allow users to change the password on their own, you create the corresponding ordered tasks and maintain the access control tab for selfservice.
  So that when users wants to change their passwords, they can change on their own.
  How IDM will provision the new password to target system is something you have to configure the logic. For example, my sandbox looks like this.
  Password reset self-service.
  The user can reset their password on their own if they cannot remember their password. To implement this, look at this document. http://scn.sap.com/docs/DOC-17111
  Hope this helps. please let me know for any further queries.
  ~ Krishna.