HCM - IDM Integration issues

Similar Messages

• HCM-IdM integration in Enhancement Pack 4

  Hello there
  Are any of the BAdI's available for HCM delta extracts and better integration between IdM and SAP target systems put in HCM business functions that are not switched on by default once Enh. Pack 4 is implemented?
  Best regards,
  Anders

  So far the answer seems to be no... ./Anders

• HCM IDM Integration

  I'm working on integrating HCM with IDM. I came across the following limitations in one of the documents i happened to glance.
  1. When replicating the data to the Identity Center from SAP HCM over the Virtual
  Directory Server, you can only use scheduled synchronization. You can not
  synchronize the data based on events. This is a limitation of SAP HCM.
  2. The delta mechanism is not pre-configured when importing the data from the SAP
  HCM system into the staging area in the Identity Center. A full load is always
  performed.
  Can someone suggest me ways to achieve this integration. Is there are document available?

  Hi Joel,
  in general, the delta mechanism is only availabe if you are using the Business Suite 6.0 Ehp4 and NW IdM 7.1.
  The documentation describes shortly which BADIs have to be activated to use the delta mechanism (usually you will modify the BADI implementation to catch changes of employee master records which are relevant for your IdM installation only):
  Retrieval of Employee-Related Data by SAP ERP HCM 
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/75/28be4785c247828834285cc3aefc11/frameset.htm
  If you are using this delta mechanism you can schedule the LDAP export with a short repetition period - as a result you get something like nearly event driven synchronization between HCM and IdM.
  Kind regards
  Frank

• GRC -IdM integration (HCM IdM GRC IdM)

  Hi IdM & GRC Gurus,
  We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I donu2019t see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
  I have following questions
  1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
  2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
  3     "If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, ""It is not possible to only carry out a check for Segregation of Duties, without having the
  request provisioned to the GRC Access Control back-ends. It means that the Identity Center
  cannot just ask if a certain entitlement assignment is valid.
  If the request is approved, the accounts and role assignments will always be performed in
  the GRC Access Control back-end systems."" If this is true, how can we impliment HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?"
  4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
  Regards,
  Anurag

  Hi Joel,
  within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
  Kind regards
  Frank

• GRC-IDM Integration: missing web-service?

  Hi Experts,
  I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
  However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fata error:
  uLDAPGetEntry got exception
  javax.naming.NameNotFoundException: [LDAP: error code 32 -
  Couldn't perform DN to Data source mapping]; remaining name '
  After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
  Does anybody went through this already? Is there a procedure for creating this missing VDS entry or does VDS 7.1 SP3 solves this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
  Any idea would be appreciated!
  Kind regards,
  Jean-Christophe

  Hi ,
  After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of Data sources and web services, therefore solving this integration issue.
  Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if we use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
  Updating the others components from SP2 to SP3 (IC, RT, webdynpro, etc) was not necessary for us to make this provisioning log web-service work, although I think it is better to keep a consistent patch level accross the components.
  Kind regards,
  JC

• ActiveDirectory - SAP IDM integration in Identity Life cycle Management

  Hi Experts
  In our landscape SAP HCM is supposed to be  the  leading data source and SAP IDM takes identity information from SAP HCM.  From SAP IDM it will provision into Active directory and other third party systems, Sap systems.
  Here are the questions
  1) How  can we leverage on the investment on Active directory after  SAP IDM -Active directory investment ?  I mean after SAP IDM comes to a landscape,  Active directory will only be used to login to domain and for authentication if for java system Active directory have been set as user data source.  What are the other advantages of Active directory- SAP IDM integration as Active directory will not be leading data source and identity information will be in identity store.?
  2) After the user details are taken from SAP HCM system, will  the user record will be created in SAP IDM on Identity store ?  Is it where we actually assign the SAP IDM business role and the related technical role  to the  user? 
  3) Suppose if we assign a business role " employee " , will IDM actually create user id in all target system and assign all the technical roles? . Or we have to manually select each repository for target system in Identity center and  select the privileges and provision it ?  Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
  Thank you in advance for your help.

  Hi Matt,
  Thank you very much.
  Only change we have is before approval it should go to GRC AC check all the compliance   and only after that it is approved and it should come back to SAP IDM  .
  I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained.  I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM . Any  specific clues?
  Also  I am describing the exact steps that will follow . Correct me if I am wrong.
  1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
  2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
  3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
  4) Create same user in third party systems  and with the privileges on their target systems as per the business role definition.
  With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
  So some other information i wanted is
  1) When you assign business role at work flow,  how exactly SAP IDM  know about the target systems that user should be created and  assigned roles and made their authentication source.
  for eg:- for  a  business role "employee"  should get  access to ERP with role X,  AD with group Y, Portal with role Z.  So in work flow when business role employee is assigned  how SAP IDM will know that user should be created on to ERP with role X,  AD with group Y, Portal with role Z. Can you explain technically along with  detail steps? Or how exactly we configure a business role which knows the target systems and their techical roles.
  Thank you once again for the fabulous help . You/Matthew is a tremendous  help in understanding SAP IDM better.

• Reports 6i and WeBDB 2.2 Integration Issues

  1. I have installed reports6i andintegrated with WebDB 2.2 by running the fo
  llo
  wingScripts:
  oracle_home\report60\server\security\rwwwvins.sql webdb and
  \oracle_home\report60\server\security\rwenable.sql
  as described in the webdb& reports6i integration issues document in oracle r
  epo
  rts6i beta site.
  Afterinstalling, when i logged to webdb as webdb user, i was able to see sev
  er
  access and rdf access options in webdb 2.2
  However, when i log as an userwhere i have created forms components i am una
  ble
  to access the abovecomponents. (there is no documentation on what privileg
  es
  needs to be providedto the user., however i had given grants to following ro
  les
  withRW_ADMINISTRATOR, RW_POWER_USER, RW_DEVELOPER AND RW_BASIC_USer
  null

  Hi Matt,
  You didn't mention but do you also wish to install the database(8i) on the same machine ?
  I am also trying to install all these products(+8i and designer 6i) on the same box but I am concerned more about the min. resources needed before I get started.(I put up a question about it on the 6i Forum, but nobody has answered yet !)
  The correct install order should be Forms/Reports 6i then Forms/Reports 6i Server and then WebDb 2.2.
  Forms /reports server needs a http listener and installs en configures the WebDb listener for the job.(you are prompted for this during tho have the install process).This is handy if you are intending to use WebDb anyway. When you install Webdb it detects the already installed WebDb listener and does not reinstall.
  You do have the SYS password on the database you will use to stored the WDK and WebDb schema.
  About installing the demo.....
  I dont' think there are any special issues.I have never done it.
  If you are intending to install an 8i database on the same box there are some important things to consider with respect to the install order and what products in which Oracle home must be installed.
  1.Forms/Reports first in the default_oracle
  home.
  2.Then Oracle 8i in a 2nd oracle home call
  it ora81 for example.
  3.Then WebDb in the non oracle 8i home !!
  This is just a quick summary.
  If you run into any problems let me know
  Good Luck.
  Dave.

• OIM - SOA 11g R1  Integration Issue

  Hi ,
  I am facing an integration issue in my newly set up Dev environment .
  We have single node OIM and SOA environment . I was executing the basic connectivity checks to ensure that the environment is good and ready for use .
  When I ran the SOA-OIM Configuration test (http://i.tinyuploads.com/M1zyaP.jpg ) in the environment from Diagnostic Dashboard, it failed .
  I have verified the URLs from EM and also in MDS (in oim-config.xml) file . All entries seem to be there , not sure why its failing ? Any pointers ??
  I have checked the rmi and soap urls here Application Defined MBeans ->oracle.iam->Server (OIM ServerName)->Application:oim->XML Config->Config->XMLConfig.SOAConfig->SOAConfig  and they looked perfectly fine .
  Any clues ??
  Regards
  Suren

  did you tried accessing the oim and soa urls:
  1. http://<hostname>:<port>/oim (login with xelsysadm user)
  2. http://<hostname>:<port>/soa-infra (login with weblogic user)
  Are you able to login to both urls.

• HCM / IDM Questions

  Couple of HCM related questions for all of you:
  1. Is it possible to alter the HCM feed? Specifically, we'd want to bring in some custom attributes.
  2. Is there a way  to do any kind of event based provisioning as soon as a new HCM record is created?  This does not necessarily need to use the HCM/IDM framework (flat file/db table export?).  We have a use case where certain types of users need to be submitted to IDM workflow immediately and cannot wait for the Extract report to run.
  Thanks!
  Matt

  When you say alter the HCM feed are you talking about the attributes in the mapping on the SAP side? If so, then yes it is possible to add custom attributes. We added them to the data set used by the query used by the extract program.
  Jared

• OpenSSO-Sun IDM integration

  Hi All,
  I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, if the users are created in Sun-IDM are provisioned to OpenSSO. Can anyone suggest me, can the users created in OpenSSO be provisioned to Sun IDM?
  Also, is there any way to have a password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO can it also be changed in Sun-IDM?
  Best Wishes,
  Aruna

  Hi Frank,
  Thanks for the response,
  1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
  So, we create and provide user credentials to IDM team and they need to incorporate the user credentials when ever they are calling the web services in AC5.3 ?
  For this initial communication happening, what need to be done. Setting up SAP Jco is required in this case? Do we get involved with the configuration/development activity at IDM end?
  I could not find proper documentation on this, this leaves me in what amount of involvement I have to do as a SAP GRC AC5.3 consultant.
  Regards......

• AC 53 IdM Integration Implementation Assistance Guide released in BPX

  Hi Everyone,
  The first version of AC 53 IdM Integration Implementation Assistance Guide has been released in BPX.  You can find this document directly via this link:
  https://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793&overridelayout=true
  Thanks!
  Ankur Baishya
  SAP GRC RIG

• Photoshop Fill - A major integration issue?

  For the first time in a production environment, I was ready
  to use FW CS3 to slice and dice a colleague's PSD. I opened it in
  Photoshop and then in Fireworks for comparison - the two looked
  nothing alike.
  This particular colleague likes to take advantage of PS's
  Fill setting (as opposed to opacity and I can understand why in
  certain situations) - but Fireworks has no understanding of this
  Fill concept so every layer that uses it is darker in FW. So what's
  a guy to do?
  Is this a known integration issue? Will there be a solution
  for CS4? Can I wait that long? Is it ever really worth trying to
  open a PSD in Fireworks?
  I'm more than a little disappointed...
  Matt
  Firewoiks

  I haven't tried this yet, but here's a thought:
  PS is layer based, FW is object bases. As a result, in FW you
  can
  control the opacity of layers AND objects. Is it similar
  enough to
  Photoshop's Fill and Opacity in a layer? Maybe adjusting the
  opacity of
  the object will get you what you need? It might impact the
  stroke on the
  object, but you could possibly duplicate the object and
  remove/mask it's
  fill, so the solid stroke remains.
  It's a workaround, and a bit more work, but it might solve
  the problem
  for now.
  Jim Babbage - .:Community MX:. & .:Adobe Community
  Expert:.
  Extending Knowledge, Daily
  http://www.communityMX.com/
  CommunityMX - Free Resources:
  http://www.communitymx.com/free.cfm
  .:Adobe Community Expert for Fireworks:.
  news://forums.macromedia.com/macromedia.fireworks
  news://forums.macromedia.com/macromedia.dreamweaver
  Stowball wrote:
  > Linda
  >
  > The problem is not caused by any colour mode or embedded
  profiles - it's
  > caused by Fireworks' lack of support for Photoshop's
  Fill feature.
  >
  > The Fill feature is useful, because you can change the
  opacity of the actual
  > fill, without changing the opacity of any effects - like
  strokes - that are
  > applied to the layer.
  >
  > My colleague uses this method frequently in his his
  designs.
  >
  > This PNG demonstrates it perfectly:
  >
  http://www.mattstow.com/downloads/fill_test.png
  >
  > And the original PSD can be found here:
  >
  http://www.mattstow.com/downloads/fill_test.psd
  >
  > This is a real issue for PS->FW interoperability - I
  basically could not use
  > FW for the task of preparing a design for the web.
  >
  > I'd be interested to hear how this will affect other
  users.
  >
  > Regards
  >
  > Matt
  >

• Lync 2013 Outlook Integration Issues

  I have a client that is having Exchange Outlook Integration issues when trying to set up Lync 2013.
  The email address is [email protected] The sip address is
  [email protected] But the Lync server is lync.domain.local. Client is on Exchange 2010.
  The address book is not downloading and the outlook integration issue error icon appears on the bottom right.
  If the client is set manually to [email protected] the address book downloads.
  But can Lync work in the long run set up like this?

  Hi,
  Did you solve the issue with the help of Andrew provided?
  Which sip domain name did you use for default SIP domain ([email protected] or
  [email protected])?
  Did the issue happen internal or external?
  For the issue of cannot download address book, please check the External Base URL on Lync topology with the help of the link below:
  http://ucken.blogspot.in/2011/07/configuring-lync-for-external-access.html
  For the issue of Lync and Exchange integration you can refer to the link below:
  http://blog.schertz.name/2010/11/lync-and-exchange-im-integration/
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.
  Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• HCM/VDS/IDM Integration

  Hi there!
  I'm stuck in the middle of various groups in the project that I am on and need some guidance about Best Practices for the Integration between HCM/VDS/IDM.
  When the HR group creates a new hire, they do not populate SYSUNAME since it is supposed to be provided by IDM.  However when we write the new account into the Master Identity Store from the Staging Identity store, we seem to need this attribute.
  So my question is: Do we need to have HR change their processes?  What should they be putting in there?
  Thanks,
  Matt

  Hi Matt,
  Tis information is documented here,
  Setting up the Identity Center to Assign the User Account Name - SAP NetWeaver Identity Management for SAP System Landsc…
  Kind regards,
  Jaisuryan

• ADF LDAP Integration Issue

  Hi Experts,
  I am new to ADF Development, and trying to implement LDAP in  my application. As per some forums i am using ADF Security. I have modified my WebLogic server, myrealm with LDAP details and added below mentioned codes in JPS-Config.xml file:
        <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
           <description>LDAP-based IdentityStore Provider</description>
        </serviceProvider>
          <serviceInstance name=idstore.ldap provider=idstore.ldap.provider>
              <property name=idstore.config.provider  value=oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider/>
              <property name=CONNECTION_POOL_CLASS value=oracle.security.idm.providers.stdldap.JNDIPool/>
              <property name="username.attr" value="userPrincipalName"/>
              <property name="user.login.attr" value="userPrincipalName"/>
              <property name="virtualize" value="true" />
              <property name="ldap.url" value="directory.corp"/>
              <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
        </serviceInstance>
  <serviceInstanceRef ref="idstore.ldap"/>
  But i am not able to see Identity store menu option in the left pane of Configure ADF Security window. Could you please help me to fix this issue. Thanks in advance
  I am using jDev 11g
  Please find the below link for Configure ADF Security window
  http://4.bp.blogspot.com/_earSixbe3dw/SUbg7OWLCQI/AAAAAAAAB-4/Fos2I5eBxWM/s1600-h/adf_sec_6.png

  http://mahmoudoracle.blogspot.ca/2012/02/adf-integration-with-ldap.html#.UcCxHPm1GSo
  http://biemond.blogspot.ca/2008/12/using-weblogic-provider-as.html