HCM - IDM Integration issues
Hello Experts,
I am working on the HCM & IDM Integration and I have done the configurations on HCM & VDS as per the Systems Landscape document.
When I run the export query from the HCM, the data is not coming to the staging area.
I have turned on the Operational log trace and reran the query and found the following is logged in the logs. But it is not of much help to understand why the rollback is happening.
Has anyone faced this kind of error earlier? Any thoughts on how to proceed further?
I am on IDM 7.2 SP7
Thanks,
Krishna.
Hello Deepak,
Thanks for your reply.
Yes, I am using PERNR to calculate my MSKEYVALUE. But I believe in the current issue, it is not going to that stage at all.
1. When we run the extract programme from HCM, VDS first writes the data to HCM_Staging_Area identity store to the MX_HCM_EMPLOYEE entry type.
2. When this happens, based on the event tasks defined on MX_HCM_EMPLOYEE type attribute, the job "Write HCM Employee To SAP Master" will be triggered where the MSKEYVALUE is calculated and be written to Master ID store.
In the current scenario, VDS is not writing the data to HCM_Staging_Area at all.
When I examined the logs, I got an entry rejection, as mentioned in the screenshot in my initial post.
~ Krishna.
Similar Messages
-
HCM-IdM integration in Enhancement Pack 4
Hello there
Are any of the BAdI's available for HCM delta extracts and better integration between IdM and SAP target systems put in HCM business functions that are not switched on by default once Enh. Pack 4 is implemented?
Best regards,
Anders
So far the answer seems to be no... ./Anders
-
I'm working on integrating HCM with IDM. I came across the following limitations in one of the documents I happened to glance at.
1. When replicating the data to the Identity Center from SAP HCM over the Virtual
Directory Server, you can only use scheduled synchronization. You can not
synchronize the data based on events. This is a limitation of SAP HCM.
2. The delta mechanism is not pre-configured when importing the data from the SAP
HCM system into the staging area in the Identity Center. A full load is always
performed.
Can someone suggest ways to achieve this integration? Is there a document available?
Hi Joel,
in general, the delta mechanism is only available if you are using the Business Suite 6.0 Ehp4 and NW IdM 7.1.
The documentation describes shortly which BADIs have to be activated to use the delta mechanism (usually you will modify the BADI implementation to catch changes of employee master records which are relevant for your IdM installation only):
Retrieval of Employee-Related Data by SAP ERP HCM
http://help.sap.com/erp2005_ehp_04/helpdata/EN/75/28be4785c247828834285cc3aefc11/frameset.htm
If you are using this delta mechanism you can schedule the LDAP export with a short repetition period - as a result you get something like nearly event driven synchronization between HCM and IdM.
Kind regards
Frank -
GRC -IdM integration (HCM IdM GRC IdM)
Hi IdM & GRC Gurus,
We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I don't see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
I have following questions
1 Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
2 GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
3 If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?
4 If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
Regards,
Anurag
Hi Joel,
within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
Kind regards
Frank -
GRC-IDM Integration: missing web-service?
Hi Experts,
I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fatal error:
uLDAPGetEntry got exception
javax.naming.NameNotFoundException: [LDAP: error code 32 -
Couldn't perform DN to Data source mapping]; remaining name '
After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
Has anybody gone through this already? Is there a procedure for creating this missing VDS entry or does VDS 7.1 SP3 solve this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
Any idea would be appreciated!
Kind regards,
Jean-Christophe
Hi,
After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of Data sources and web services, therefore solving this integration issue.
Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if we use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
Updating the other components from SP2 to SP3 (IC, RT, webdynpro, etc) was not necessary for us to make this provisioning log web-service work, although I think it is better to keep a consistent patch level across the components.
Kind regards,
JC -
ActiveDirectory - SAP IDM integration in Identity Life cycle Management
Hi Experts
In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active directory and other third party systems, Sap systems.
Here are the questions
1) How can we leverage on the investment on Active directory after SAP IDM - Active directory investment? I mean after SAP IDM comes to a landscape, Active directory will only be used to login to domain and for authentication if for java system Active directory have been set as user data source. What are the other advantages of Active directory - SAP IDM integration as Active directory will not be leading data source and identity information will be in identity store?
2) After the user details are taken from SAP HCM system, will the user record be created in SAP IDM on Identity store? Is it where we actually assign the SAP IDM business role and the related technical role to the user?
3) Suppose if we assign a business role "employee", will IDM actually create user id in all target system and assign all the technical roles? Or we have to manually select each repository for target system in Identity center and select the privileges and provision it? Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
Thank you in advance for your help.
Hi Matt,
Thank you very much.
Only change we have is before approval it should go to GRC AC check all the compliance and only after that it is approved and it should come back to SAP IDM .
I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM . Any specific clues?
Also I am describing the exact steps that will follow . Correct me if I am wrong.
1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
4) Create same user in third party systems and with the privileges on their target systems as per the business role definition.
With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
So some other information I wanted is
1) When you assign business role at work flow, how exactly SAP IDM know about the target systems that user should be created and assigned roles and made their authentication source.
For example, a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So in work flow when business role employee is assigned how SAP IDM will know that user should be created on to ERP with role X, AD with group Y, Portal with role Z. Can you explain technically along with detail steps? Or how exactly we configure a business role which knows the target systems and their technical roles.
Thank you once again for the fabulous help . You/Matthew is a tremendous help in understanding SAP IDM better. -
Reports 6i and WeBDB 2.2 Integration Issues
1. I have installed reports6i and integrated with WebDB 2.2 by running the following scripts:
oracle_home\report60\server\security\rwwwvins.sql webdb and
\oracle_home\report60\server\security\rwenable.sql
as described in the webdb & reports6i integration issues document in oracle reports6i beta site.
After installing, when i logged to webdb as webdb user, i was able to see server access and rdf access options in webdb 2.2
However, when i log as an user where i have created forms components i am unable to access the above components. (there is no documentation on what privileges needs to be provided to the user, however i had given grants to following roles with RW_ADMINISTRATOR, RW_POWER_USER, RW_DEVELOPER AND RW_BASIC_USer)
Hi Matt,
You didn't mention but do you also wish to install the database(8i) on the same machine ?
I am also trying to install all these products(+8i and designer 6i) on the same box but I am concerned more about the min. resources needed before I get started.(I put up a question about it on the 6i Forum, but nobody has answered yet !)
The correct install order should be Forms/Reports 6i then Forms/Reports 6i Server and then WebDb 2.2.
Forms/Reports server needs a http listener and installs and configures the WebDb listener for the job (you are prompted for this during the install process). This is handy if you are intending to use WebDb anyway. When you install WebDb it detects the already installed WebDb listener and does not reinstall.
You do have the SYS password on the database you will use to store the WDK and WebDb schema.
About installing the demo.....
I don't think there are any special issues. I have never done it.
If you are intending to install an 8i database on the same box there are some important things to consider with respect to the install order and what products in which Oracle home must be installed.
1. Forms/Reports first in the default_oracle home.
2. Then Oracle 8i in a 2nd oracle home, call it ora81 for example.
3. Then WebDb in the non oracle 8i home !!
This is just a quick summary.
If you run into any problems let me know
Good Luck.
Dave. -
OIM - SOA 11g R1 Integration Issue
Hi ,
I am facing an integration issue in my newly set up Dev environment .
We have single node OIM and SOA environment . I was executing the basic connectivity checks to ensure that the environment is good and ready for use .
When I ran the SOA-OIM Configuration test (http://i.tinyuploads.com/M1zyaP.jpg ) in the environment from Diagnostic Dashboard, it failed .
I have verified the URLs from EM and also in MDS (in oim-config.xml) file. All entries seem to be there, not sure why it's failing? Any pointers??
I have checked the rmi and soap urls here Application Defined MBeans ->oracle.iam->Server (OIM ServerName)->Application:oim->XML Config->Config->XMLConfig.SOAConfig->SOAConfig and they looked perfectly fine .
Any clues ??
Regards
Suren
Did you try accessing the oim and soa urls:
1. http://<hostname>:<port>/oim (login with xelsysadm user)
2. http://<hostname>:<port>/soa-infra (login with weblogic user)
Are you able to login to both urls?
Couple of HCM related questions for all of you:
1. Is it possible to alter the HCM feed? Specifically, we'd want to bring in some custom attributes.
2. Is there a way to do any kind of event based provisioning as soon as a new HCM record is created? This does not necessarily need to use the HCM/IDM framework (flat file/db table export?). We have a use case where certain types of users need to be submitted to IDM workflow immediately and cannot wait for the Extract report to run.
Thanks!
Matt
When you say alter the HCM feed are you talking about the attributes in the mapping on the SAP side? If so, then yes it is possible to add custom attributes. We added them to the data set used by the query used by the extract program.
Jared -
Hi All,
I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, users created in Sun-IDM are provisioned to OpenSSO. Can anyone tell me whether the users created in OpenSSO can be provisioned to Sun IDM?
Also, is there any way to have a password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO can it also be changed in Sun-IDM?
Best Wishes,
Aruna
Hi Frank,
Thanks for the response,
1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
So, we create and provide user credentials to IDM team and they need to incorporate the user credentials whenever they are calling the web services in AC5.3?
For this initial communication happening, what needs to be done? Is setting up SAP JCo required in this case? Do we get involved with the configuration/development activity at IDM end?
I could not find proper documentation on this, this leaves me in what amount of involvement I have to do as a SAP GRC AC5.3 consultant.
Regards...... -
AC 53 IdM Integration Implementation Assistance Guide released in BPX
Hi Everyone,
The first version of AC 53 IdM Integration Implementation Assistance Guide has been released in BPX. You can find this document directly via this link:
https://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793&overridelayout=true
Thanks!
Ankur Baishya
SAP GRC RIG -
Photoshop Fill - A major integration issue?
For the first time in a production environment, I was ready to use FW CS3 to slice and dice a colleague's PSD. I opened it in Photoshop and then in Fireworks for comparison - the two looked nothing alike.
This particular colleague likes to take advantage of PS's Fill setting (as opposed to opacity and I can understand why in certain situations) - but Fireworks has no understanding of this Fill concept so every layer that uses it is darker in FW. So what's a guy to do?
Is this a known integration issue? Will there be a solution for CS4? Can I wait that long? Is it ever really worth trying to open a PSD in Fireworks?
I'm more than a little disappointed...
Matt
Firewoiks
I haven't tried this yet, but here's a thought:
PS is layer based, FW is object based. As a result, in FW you can control the opacity of layers AND objects. Is it similar enough to Photoshop's Fill and Opacity in a layer? Maybe adjusting the opacity of the object will get you what you need? It might impact the stroke on the object, but you could possibly duplicate the object and remove/mask its fill, so the solid stroke remains.
It's a workaround, and a bit more work, but it might solve the problem for now.
Jim Babbage - .:Community MX:. & .:Adobe Community Expert:.
Extending Knowledge, Daily
http://www.communityMX.com/
CommunityMX - Free Resources:
http://www.communitymx.com/free.cfm
.:Adobe Community Expert for Fireworks:.
news://forums.macromedia.com/macromedia.fireworks
news://forums.macromedia.com/macromedia.dreamweaver
Stowball wrote:
> Linda
>
> The problem is not caused by any colour mode or embedded profiles - it's caused by Fireworks' lack of support for Photoshop's Fill feature.
>
> The Fill feature is useful, because you can change the opacity of the actual fill, without changing the opacity of any effects - like strokes - that are applied to the layer.
>
> My colleague uses this method frequently in his designs.
>
> This PNG demonstrates it perfectly:
> http://www.mattstow.com/downloads/fill_test.png
>
> And the original PSD can be found here:
> http://www.mattstow.com/downloads/fill_test.psd
>
> This is a real issue for PS->FW interoperability - I basically could not use FW for the task of preparing a design for the web.
>
> I'd be interested to hear how this will affect other users.
>
> Regards
>
> Matt
> -
Lync 2013 Outlook Integration Issues
I have a client that is having Exchange Outlook Integration issues when trying to set up Lync 2013.
The email address is [email protected] The sip address is
[email protected] But the Lync server is lync.domain.local. Client is on Exchange 2010.
The address book is not downloading and the outlook integration issue error icon appears on the bottom right.
If the client is set manually to [email protected] the address book downloads.
But can Lync work in the long run set up like this?
Hi,
Did you solve the issue with the help Andrew provided?
Which sip domain name did you use for default SIP domain ([email protected] or [email protected])?
Did the issue happen internally or externally?
For the issue of cannot download address book, please check the External Base URL on Lync topology with the help of the link below:
http://ucken.blogspot.in/2011/07/configuring-lync-for-external-access.html
For the issue of Lync and Exchange integration you can refer to the link below:
http://blog.schertz.name/2010/11/lync-and-exchange-im-integration/
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.
Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best Regards,
Eason Huang
TechNet Community Support -
HCM/VDS/IDM Integration
Hi there!
I'm stuck in the middle of various groups in the project that I am on and need some guidance about Best Practices for the Integration between HCM/VDS/IDM.
When the HR group creates a new hire, they do not populate SYSUNAME since it is supposed to be provided by IDM. However when we write the new account into the Master Identity Store from the Staging Identity store, we seem to need this attribute.
So my question is: Do we need to have HR change their processes? What should they be putting in there?
Thanks,
Matt
Hi Matt,
This information is documented here,
Setting up the Identity Center to Assign the User Account Name - SAP NetWeaver Identity Management for SAP System Landsc…
Kind regards,
Jaisuryan -
Hi Experts,
I am new to ADF Development, and trying to implement LDAP in my application. As per some forums I am using ADF Security. I have modified my WebLogic server, myrealm with LDAP details and added the below mentioned code in the JPS-Config.xml file:
<serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
  <description>LDAP-based IdentityStore Provider</description>
</serviceProvider>
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <property name="username.attr" value="userPrincipalName"/>
  <property name="user.login.attr" value="userPrincipalName"/>
  <property name="virtualize" value="true"/>
  <property name="ldap.url" value="directory.corp"/>
  <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
</serviceInstance>
<serviceInstanceRef ref="idstore.ldap"/>
But I am not able to see the Identity store menu option in the left pane of the Configure ADF Security window. Could you please help me to fix this issue? Thanks in advance.
I am using jDev 11g
Please find the below link for Configure ADF Security window
http://4.bp.blogspot.com/_earSixbe3dw/SUbg7OWLCQI/AAAAAAAAB-4/Fos2I5eBxWM/s1600-h/adf_sec_6.png
http://mahmoudoracle.blogspot.ca/2012/02/adf-integration-with-ldap.html#.UcCxHPm1GSo
http://biemond.blogspot.ca/2008/12/using-weblogic-provider-as.html