HCM / IDM Questions

Couple of HCM related questions for all of you:
1. Is it possible to alter the HCM feed? Specifically, we'd want to bring in some custom attributes.
2. Is there a way  to do any kind of event based provisioning as soon as a new HCM record is created?  This does not necessarily need to use the HCM/IDM framework (flat file/db table export?).  We have a use case where certain types of users need to be submitted to IDM workflow immediately and cannot wait for the Extract report to run.
Thanks!
Matt

When you say alter the HCM feed are you talking about the attributes in the mapping on the SAP side? If so, then yes it is possible to add custom attributes. We added them to the data set used by the query used by the extract program.
Jared

Similar Messages

  • GRC -IdM integration (HCM IdM GRC IdM)

    Hi IdM & GRC Gurus,
    We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I donu2019t see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
    I have following questions
    1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
    2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
    3     "If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, ""It is not possible to only carry out a check for Segregation of Duties, without having the
    request provisioned to the GRC Access Control back-ends. It means that the Identity Center
    cannot just ask if a certain entitlement assignment is valid.
    If the request is approved, the accounts and role assignments will always be performed in
    the GRC Access Control back-end systems."" If this is true, how can we impliment HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?"
    4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
    Regards,
    Anurag

    Hi Joel,
    within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
    Kind regards
    Frank

  • HCM - IDM Integration issues

    Hello Experts,
    I am working on the HCM & IDM Integration and I have done the configurations on HCM & VDS as per the Systems Landscape document.
    When I Run the export query from the HCM, The data is not coming to the staging area.
    I have turned on the Operational log trace and reran the query and found the following is logged in the logs. But it is not of much help to understand why the roll back is happening.
    Could anyone face such kind of error earlier ? Any thoughts on how to proceed further !!
    I am on IDM 7.2 SP7
    Thanks,
    Krishna.

    Hello Deepak,
    Thanks for your reply.
    Yes, I am using PERNR to calculate my MSKEYVALUE. But I believe in the current issue, it is not going to that stage at all.
    1. When we run the extract programme from HCM, VDS first writes the data to HCM_Staging_Area identity store to the MX_HCM_EMPLOYEE entry type.
    2. When this happens, based on the event tasks defined on MX_HCM_EMPLOYEE type attribute, the job "Write HCM Employee To SAP Master" will be triggered where the MSKEYVALUE is calculated and be written to Master ID store.
    In the current scenario,VDS is not writing the data to HCM_Staging_Area at all.
    When examined, the logs i got entry rejection as mentioned the screenshot in my initial post.
    ~ Krishna.

  • HCM-IdM integration in Enhancement Pack 4

    Hello there
    Are any of the BAdI's available for HCM delta extracts and better integration between IdM and SAP target systems put in HCM business functions that are not switched on by default once Enh. Pack 4 is implemented?
    Best regards,
    Anders

    So far the answer seems to be no... ./Anders

  • HCM IDM Integration

    I'm working on integrating HCM with IDM. I came across the following limitations in one of the documents i happened to glance.
    1. When replicating the data to the Identity Center from SAP HCM over the Virtual
    Directory Server, you can only use scheduled synchronization. You can not
    synchronize the data based on events. This is a limitation of SAP HCM.
    2. The delta mechanism is not pre-configured when importing the data from the SAP
    HCM system into the staging area in the Identity Center. A full load is always
    performed.
    Can someone suggest me ways to achieve this integration. Is there are document available?

    Hi Joel,
    in general, the delta mechanism is only availabe if you are using the Business Suite 6.0 Ehp4 and NW IdM 7.1.
    The documentation describes shortly which BADIs have to be activated to use the delta mechanism (usually you will modify the BADI implementation to catch changes of employee master records which are relevant for your IdM installation only):
    Retrieval of Employee-Related Data by SAP ERP HCM 
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/75/28be4785c247828834285cc3aefc11/frameset.htm
    If you are using this delta mechanism you can schedule the LDAP export with a short repetition period - as a result you get something like nearly event driven synchronization between HCM and IdM.
    Kind regards
    Frank

  • HCM Interview Question

    Hi
    Can anyone please provide SAP HR Interview Question.
    Thanks
    Ash

    hi !
    Thanks for the Sap hr questions ,it will be so useful ,can u send me the answers for all the questions aswell so that i will so helpul ,
    Thanks in Advance

  • HCM install questions from a SAP newbie

    I have been given the task of installing a new SAP ERP system for development use, but have not been given training on how to do it. I have run through the install starting with the SAP Solution Manager installation master DVD successfully and been able to login and see transactions that I am familiar with (SU01 and others) what I do not see is the HR transactions PA40. I have been reading and think that I need to install HCM but in the software I recieved I don't see a DVD for HCM. Is it part of one of the other pieces that I have?
    Any point in the right direction is appreciated.

    HCM is delivered as part of mySAP ERP 2004/2005 (ECC5/6).. You can go through the Installation guides available <a href="https://websmp206.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000591421&">here</a>. But you will need an OSS id to access the url.
    ~Suresh

  • HCM changes to be passed to different vendors.. how to?

    Hi guys,
    This is a HCM technical question...
    WE have the current implementation where we are implementing the benefits HCM sub module. The requirement is. we want to send across the benefits / family (0021 IT) information to other vendors when there is a change in this information.
    For example, if an employee changes his family and memeber information through ESS, we want to pass on the changed information. Similariy we want to send across information when an employee enrolls in a benefits plan.
    What is the best way to do it techincally. Is there a user exit after the data is saved, that can be used to automiatically send the information to external sources.. ( i did not see/find any user exits atleast in PA30 after the data has been saved )
    or do we need to enable infotype logging and then send across a file daily to external vendors?
    or is there any other mechanism to do this. Am sure that this is a common scenario and whats the best way to do this
    regards
    Gogol

    chandra / Manual,
    i was also thinking on similar lines. Just one quick question, how can you trigger as soon as the changes are saved?
    We are on ECC 6.0
    Chandra can you let me know what needs to be done to trigger the idocs real time to the external vendors.
    OR external vendors are mostly non-SAP
    regards
    null

  • Privilege hierarchy

    Hi experts,
    I am working in idm 7.2 SP7 and there is no plan to upgrade to SP08 or SP09 at the moment.
    Here is my problem:
    After making some search I find the internal table MXI_STRUCTURE_ROOT can give us the parent and the root of the privileges and assigned roles but they are not correct as each time I am getting the top root of roles and not the intermediate.
    I am looking for a workaround how to avoid to use this table and get my privilege/role hierarchy ?
    I find SAP IDM question and How to get Privilege information and no workaround was exposed.
    Thank you,
    Nina

    For those not able to upgrade to a version that includes intermediary roles in structure root, this creates a temporary table #STRUCT that does contain all the levels:
    DECLARE @MSKEY int, @MSKEYV VARCHAR(255),@ROOTMSKEY int,@level int,@MAXLEVEL int,@Mylevel int, @Lnum int
    SET @MAXLEVEL = 20
    -- Not setting below values returns all users.
    SET @MSKEY = NULL -- or add user mskey, such as 58
    SET @MSKEYV = NULL -- or add user mskeyvlaue, such as 'User.Test.A'
    -- Create temporary table
    CREATE TABLE #STRUCT (mcChildMskey INT, mcRootMskey INT, mcParentMskey INT, mcEntryType INT, mcLevel INT)
    -- Insert first level links
    insert into #STRUCT (mcChildMskey, mcRootMskey, mcParentMskey, mcEntryType, mcLevel)
        select A.mcThisMskey, A.mcOtherMskey, A.mcOtherMskey, A.mcthisentrytype, 1 from mxi_link A with (nolock)
        where not exists (select 1 from mxi_link B with (nolock) where  A.mcOtherMskey = B.mcThisMskey and B.mcLinkType = 1 AND B.mcLinkState = 0)
        and   A.mcLinkType = 1 AND A.mcLinkState = 0
        and   A.mcAttrId in (select attr_id from mxi_attributes with (nolock) where AttrName = 'MXREF_MX_ROLE')
        and   A.mcotherentrytype in (select ocid from mxi_objectclasses with (nolock) where ocName = 'MX_ROLE')
        and   A.mcthisentrytype in (select ocid from mxi_objectclasses with (nolock) where ocName in ('MX_ROLE', 'MX_PRIVILEGE'))
      -- Other level links
      set @Mylevel = 2
      while @Mylevel < @MAXLEVEL
      begin
      insert into #STRUCT (mcChildMskey, mcRootMskey, mcParentMskey, mcEntryType, mcLevel)
      select A.mcThisMskey, A.mcOtherMskey, A.mcOtherMskey, A.mcthisentrytype, @Mylevel from mxi_link A  with (nolock)
      where A.mcLinkType = 1 and A.mcLinkState = 0
      and   A.mcattrid in (select attr_id from mxi_attributes with (nolock) where AttrName = 'MXREF_MX_ROLE')
      and   A.mcotherentrytype in (select ocid from mxi_objectclasses with (nolock) where ocName = 'MX_ROLE')
      and   A.mcthisentrytype in (select ocid from mxi_objectclasses with (nolock) where ocName in ('MX_ROLE', 'MX_PRIVILEGE'))
      and   A.mcOtherMskey in (select B.mcChildMskey from #STRUCT B with (nolock) where B.mcLevel = @Mylevel - 1)
      and   not exists (select 1 from #STRUCT C with (nolock) where A.mcThisMskey = C.mcChildMskey and A.mcOtherMskey = C.mcRootMskey and A.mcOtherMskey = C.mcParentMskey)
      set @Lnum = @@Rowcount
      -- Build inherit link structure
      insert into #STRUCT (mcChildMskey, mcRootMskey, mcParentMskey, mcEntryType, mcLevel)
      select distinct A.mcChildMskey, B.mcRootMskey, A.mcParentMskey, A.mcEntryType, 0 from #STRUCT A with (nolock)
      inner join #STRUCT B with (nolock) on A.mcParentMskey = B.mcChildMskey
      where A.mcLevel > 1
      and   not exists (select 1 from #STRUCT C with (nolock) where A.mcChildMskey = C.mcChildMskey and B.mcRootMskey = C.mcRootMskey and A.mcParentMskey = C.mcParentMskey)
      if @Lnum = 0
      begin
      break
      end
      set @Mylevel = @Mylevel + 1
      end
      -- Update sub tree nodes to level 0.
      update #STRUCT set mcLevel = 0 where mcLevel > 1
      select U.mcDisplayName, A.mcDisplayName assignment, L.mcAssignedDirect isDirect,SR.mcParentMskey assignmentParentMskey,AP.mcDisplayName assignmentParentName, SR.mcRootMskey assignmentRootMskey, AR.mcDisplayName assignmentRootName
      from idmv_entry_simple U
      inner join mxi_link L on L.mcThisMSkey = U.mcMSkey and L.mcOtherEntryType in (select ocId from mxi_objectclasses where ocName='MX_PRIVILEGE')
      left outer join idmv_entry_simple A ON A.mcMskey = L.mcOtherMSKEY
      left outer join #STRUCT SR ON SR.mcChildMskey = A.mcMSKEY
      left outer join idmv_entry_simple AP ON AP.mcMSKEY = SR.mcParentMskey
      left outer join idmv_entry_simple AR ON AR.mcMSKEY = SR.mcRootMskey
      where U.mcEntryType='MX_PERSON'
      AND ((@MSKEYV IS NOT NULL AND U.mcMskeyValue = @MSKEYV) OR (@MSKEY IS NOT NULL AND U.mcMskey = @MSKEY) OR (@MSKEY IS NULL AND @MSKEYV IS NULL))
      order by U.mcMskey,A.mcMskey,ap.mcMSKEY,ar.mcMSKEY desc
    -- Clean up
    DROP TABLE #STRUCT
    Chris
    Message was edited by: Per Krabsetsve

  • Printing Invoices through FB70 or F-02

    Hi,
    Could anyone please let me know how could we print a invoice entered through FB70 or F-02. Can we use correspondence if yes please let me know the steps that i should follow and any configurations involved.
    Thanks in Advance
    Roville

    Hi Roville,
    On the face of it this does not appear to be an HCM related question. If so, can you please ask it in the relevant Forum? I would venture a guess that this belongs to Sales and Distribution module.

  • SAP IDM 7.2 Questions

    Hi,
    I just recently started with SAP IDM and have a few Questions, maybe someone has the time to explain, thanks in advance!
    - What for is VDS (Virtual Directory Server)? I can write directly into AD? why another target system?
    - If I create a Role in Identity Center for testing its available on the idm portal http://localhost:50000/idm but not in /useradmin or Umeadmin?
    - Repository, does it matter in which repository I upload (CSV Import) users? I have multiple repositories and didn't understand the exact purpose of a repository?
    - Org Units? how can I create Org Units and assign roles for inheritance? is this only available on a Netweaver AS ABAP installation? (I installed AS JAVA) According this link: Indirect Role Assignment Using Organizational Management (OM) - Identity Management - SAP Library
    Thanks, Patrick

    Hi Patrick,
    here is some answers:
    Main purpose of VDS is to be an interface INTO IdM. It is an LDAP interface into the data stored in IdM database. It allows you for example to search, read, write and authenticate to IdM data via LDAP interface.
    IdM has its own UI (http:host:port/idm). You are not supposed to see business roles in useradmin of the J2EE. It is objects known to IdM, not to the J2EE.
    Repositories are objects representing mostly a source or target system. For example AD could be a source system where you get users from. An ABAP client can be a target system where you provision users to. Uploading users is just a way of creating users that you cannot get from some other source system like HCM, AD or ABAP. It depends on your scenarios and user life cycle where you get your user information from (source system) and where you provision to (target system).
    The link you shared regarding the org units is not really related to IdM as a product. If you do some automatic assignments in ABAP directly, you might need to reconcile with IdM. IdM is supposed to be a central user administration tool. If you have information about org units in IdM and want to use it to automatically assign authorizations you can do that for example by using dynamic groups.
    IdM is a very powerful tool opening a lot of possibilities as you can basically implement every requirement if you only have the required information available somewhere. It might be helpful for you to have someone to answer all your questions and help you solving your requirements in best way in the beginning, enabling you to use it in the most efficient way.
    Regards
    Norman

  • HCM / VDS / IDM Attribute Mapping

    Hi folks!
    So we have a bunch of attributes in SAP that start with SYHR, and we have a couple of questions about them.
    1. How are these fields mapped to IDM? We've found some information in Identity Management for SAP System Landscapes: Configuration Guide, but we are looking for something more.  It seems attributes mapped in the PNP database (or tables?) is not shown that clearly.  Our Business Analysts want more information.
    2. It seems most of these fields are calculated somehow. As a bonus, we'd like to know how these fields are calculated in the first place.
    Thanks for any help you can provide,
    Matt

    I am not sure how well the document reflects the attribute mapping in the transfer event task in the Staging Id Store. I guess that you need to both look at the document and the event task in Staging Id Store that moves the data to Productive Id Store to see all the attribute mappings.
    The real question is how would you need to map them between HCM and IdM. It's pretty normal requirement analysis work to figure out what to export. You should only export relevant attributes.
    I am not sure about "calculated attributes" and I am not an ABAP'per, but if you have HCM-consultants on site have them analyze the query definition shipped with HCM. Any transformation that takes place should be in the query and it's data mappings.
    I wrote this while ago, won't give you any technical tips etc but more of what I've faced in HCM-integration: Considerations in connecting SAP IdM with Leading Identity System(s)
    regards, Tero

  • HCM/VDS/IDM Integration

    Hi there!
    I'm stuck in the middle of various groups in the project that I am on and need some guidance about Best Practices for the Integration between HCM/VDS/IDM.
    When the HR group creates a new hire, they do not populate SYSUNAME since it is supposed to be provided by IDM.  However when we write the new account into the Master Identity Store from the Staging Identity store, we seem to need this attribute.
    So my question is: Do we need to have HR change their processes?  What should they be putting in there?
    Thanks,
    Matt

    Hi Matt,
    Tis information is documented here,
    Setting up the Identity Center to Assign the User Account Name - SAP NetWeaver Identity Management for SAP System Landsc…
    Kind regards,
    Jaisuryan

  • Provisioning from HCM Staging Area to SAP Master question from a newbie

    Hi
    I have built a sandbox idM 7.2 PL3 (MS-SQL 2008/Windows 2003).
    I've had a few stumbles on the way and my latest issue is that I have extracted the HCM data from our ERP (EHP5) HCM instance via LDAP to the VDS.  The transfer completes successfully and the statistics on the HCM_Staging_Area indicate that the records have been added to this Identity Store.
    The event handling on the Entity Type, MX_HCM_EMPLOYEE, has the task +189/Write HCM Employee To SAP Master_ configured.  This Job (and it's tasks) is enabled.  I can see the records (cn = "<SID666SAP 0000001>") with an objectclass of MX_HCM_EMPLOYEE.
    Hiowever, nothing is logged in the System Log or Job Log to indicate that this task has been executed by the load.  The SAP_Master is not updated.
    I'm using the idM for SAP Landscape Configuration Guide (October 2011)  for this installation.
    Am I missing something?  Is there a log file or trace that I can look at to try and figure out what is going on.
    Thanks
    Doug

    Thanks for the reply.
    This is my first attempt at setting up the idM so I've added what I've checked to answer your questions.  I would be glad to hear of any additional checks I could perform.
    Achim:
    - Dispatcher is started:  Yes, Windows Service is running (started).
    - Dispatcher is configured to run standard and provisioning jobs:  Yes, all jobs in Job tab of dispatcher are selected
    - are there any entries within the provisioning queue: I believe so, On the statistics tab of the HCM_staging_area Identity store there are 513 entries provisioning queue size
    - Jobs and Tasks are enabled, assigned to a dispatcher and configured to run as provisioning jobs:  * Yes, the tasks are enabled and the schedule rule is set to provisioning for both tasks*
    Bernd:
    The exported entries are reaching the Identity Store.  I can query the data and the statistics indicate this as well.  The provisioning queue size increases as well.  I have set the SAP_MASTER_IDS_ID to the appropriate id for SAP_Master  (4) and HR_STAGING_AREA_IDS_ID to HCM_Staging_Area Identity Store (5).
    Thankis again.
    Doug

  • Error while connecting HCM with IDM

    HI SDN,
    I am now working on connecting HCM (source system) with IDM by referring the document u201C [IDM for SAP System Landscape u2013 Configuration Guide|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb]u201D .
    In that I am following the HCM Use case implementation. I configured all the steps up to Exporting the HR data to Staging Area (Identity Store) via VDS by using a SQL query. If I say all the steps I followed it will take more time. so I request you to go through the mentioned document. While executing the report (RPLDAP_EXTRACT)  getting some Runtime error. Here is the short dump of that error.
    Short text
        "Function SPLDAP_RECEIVE_ATTRIBUTES is not available"
    What happened?
        Error in the ABAP Application Program
        The current ABAP program "SAPLLDA_EXTRACTION" had to be terminated because it
         has
        come across a statement that unfortunately cannot be executed.
        The error occurred during an RFC call to another system.
        In the target system, a short dump has been written as well.
        More detailed information on the error cause can be found there.
    Error analysis
        An error occurred when executing a REMOTE FUNCTION CALL.
        It was logged under the name "RFC_EXTERNAL_ABORT"
    I have that particular function module in my system and my RFC test connection is also success. so i am very much confused why i am getting that error?
    can anbody help me in fixing this error?
    /* points assured*/
    Regards,
    Tamil K

    Troy, did you ever figure out why you were getting the cannot modify object class error?
    I was able to get around it by fiddling with the IDS config, but comparing that modified config against a new one (that gets the cannot modify object class error) I can't see any relevant difference...
    I'd appreciate some guidance if you have overcome this.
    Thanks. Des.

Maybe you are looking for

  • How to prevent a portal user from using the BEx Analyzer ?

    Hi, we have different type of users : most users may use the portal as well as the analyzer ; we have one special user with extended authorizations : this user should use the portal , where he has a limited set of queries to run with hardcoded filter

  • Hiding Files in Windows...

    How would you go about hiding specific files in Windows.. I've checked the File class, FileWriter class and found no methods that hide files, just a method that determines if it is hidden.. Please help!

  • Java.lang.NullPointerException with rich:pickList

    Hi every Body, I still getting a problem with my <rich:pickList> and really I need help. I got an error when executing the application, I debugged the application and I have notice that the problem cames from the PickList tag. the error is as follow:

  • AS2 to FTP sceanario- time out error

    Hi All I am using AS2 to FTPS scenario. The message was shown twice in RWB(successful). But it showed failure in moni and shows a 500 timeout error. Why it is showing error in moni if it is processed successfully?? and how can i fix it?

  • What does the video size or resolution have to be when converting videos?

    I have a program to convert videos, but whenever i put them on my ipod they're not in widescreen format. The image is streched out and too big. What size do i need to convert the video to for it to be the right size?