HCM/VDS/IDM Integration

Similar Messages

• Issue with RFC destination during HCM - VDS - IDM configuration

  Hi,
  I am trying to configure HCM and IDM (v7.1) using VDS. I am following the Configuration Guide. While creating the RFC Destination, I specified program ID as LDAP_VD and in Gatewayhost I have entered the host of IDM Server (where VDS is also installed). In Gateway service I have put sapgw00. But when I do connection test, I get u201CERROR: SAP gateway connection failed. Is SAP gateway started?u201D. Looks like it is trying to connect to IDM server and is looking for sapgw00 (on port 3300) and is not able to find it.
  What could be the reason for error? Am I doing RFC destination configuration correct? Do I need to put HCM system host in the Gatewayhost field?
  Regards,
  Anurag

  Hi Anurag
  You have to enter the hostname of the SAP server, not the LDAP server.
  The LDAP connection is configured later.

• HCM / VDS / IDM Attribute Mapping

  Hi folks!
  So we have a bunch of attributes in SAP that start with SYHR, and we have a couple of questions about them.
  1. How are these fields mapped to IDM? We've found some information in Identity Management for SAP System Landscapes: Configuration Guide, but we are looking for something more.  It seems attributes mapped in the PNP database (or tables?) is not shown that clearly.  Our Business Analysts want more information.
  2. It seems most of these fields are calculated somehow. As a bonus, we'd like to know how these fields are calculated in the first place.
  Thanks for any help you can provide,
  Matt

  I am not sure how well the document reflects the attribute mapping in the transfer event task in the Staging Id Store. I guess that you need to both look at the document and the event task in Staging Id Store that moves the data to Productive Id Store to see all the attribute mappings.
  The real question is how would you need to map them between HCM and IdM. It's pretty normal requirement analysis work to figure out what to export. You should only export relevant attributes.
  I am not sure about "calculated attributes" and I am not an ABAP'per, but if you have HCM-consultants on site have them analyze the query definition shipped with HCM. Any transformation that takes place should be in the query and it's data mappings.
  I wrote this while ago, won't give you any technical tips etc but more of what I've faced in HCM-integration: Considerations in connecting SAP IdM with Leading Identity System(s)
  regards, Tero

• GRC -IdM integration (HCM IdM GRC IdM)

  Hi IdM & GRC Gurus,
  We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I donu2019t see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
  I have following questions
  1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
  2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
  3     "If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, ""It is not possible to only carry out a check for Segregation of Duties, without having the
  request provisioned to the GRC Access Control back-ends. It means that the Identity Center
  cannot just ask if a certain entitlement assignment is valid.
  If the request is approved, the accounts and role assignments will always be performed in
  the GRC Access Control back-end systems."" If this is true, how can we impliment HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?"
  4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
  Regards,
  Anurag

  Hi Joel,
  within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
  Kind regards
  Frank

• HCM - IDM Integration issues

  Hello Experts,
  I am working on the HCM & IDM Integration and I have done the configurations on HCM & VDS as per the Systems Landscape document.
  When I Run the export query from the HCM, The data is not coming to the staging area.
  I have turned on the Operational log trace and reran the query and found the following is logged in the logs. But it is not of much help to understand why the roll back is happening.
  Could anyone face such kind of error earlier ? Any thoughts on how to proceed further !!
  I am on IDM 7.2 SP7
  Thanks,
  Krishna.

  Hello Deepak,
  Thanks for your reply.
  Yes, I am using PERNR to calculate my MSKEYVALUE. But I believe in the current issue, it is not going to that stage at all.
  1. When we run the extract programme from HCM, VDS first writes the data to HCM_Staging_Area identity store to the MX_HCM_EMPLOYEE entry type.
  2. When this happens, based on the event tasks defined on MX_HCM_EMPLOYEE type attribute, the job "Write HCM Employee To SAP Master" will be triggered where the MSKEYVALUE is calculated and be written to Master ID store.
  In the current scenario,VDS is not writing the data to HCM_Staging_Area at all.
  When examined, the logs i got entry rejection as mentioned the screenshot in my initial post.
  ~ Krishna.

• HCM IDM Integration

  I'm working on integrating HCM with IDM. I came across the following limitations in one of the documents i happened to glance.
  1. When replicating the data to the Identity Center from SAP HCM over the Virtual
  Directory Server, you can only use scheduled synchronization. You can not
  synchronize the data based on events. This is a limitation of SAP HCM.
  2. The delta mechanism is not pre-configured when importing the data from the SAP
  HCM system into the staging area in the Identity Center. A full load is always
  performed.
  Can someone suggest me ways to achieve this integration. Is there are document available?

  Hi Joel,
  in general, the delta mechanism is only availabe if you are using the Business Suite 6.0 Ehp4 and NW IdM 7.1.
  The documentation describes shortly which BADIs have to be activated to use the delta mechanism (usually you will modify the BADI implementation to catch changes of employee master records which are relevant for your IdM installation only):
  Retrieval of Employee-Related Data by SAP ERP HCM 
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/75/28be4785c247828834285cc3aefc11/frameset.htm
  If you are using this delta mechanism you can schedule the LDAP export with a short repetition period - as a result you get something like nearly event driven synchronization between HCM and IdM.
  Kind regards
  Frank

• ActiveDirectory - SAP IDM integration in Identity Life cycle Management

  Hi Experts
  In our landscape SAP HCM is supposed to be  the  leading data source and SAP IDM takes identity information from SAP HCM.  From SAP IDM it will provision into Active directory and other third party systems, Sap systems.
  Here are the questions
  1) How  can we leverage on the investment on Active directory after  SAP IDM -Active directory investment ?  I mean after SAP IDM comes to a landscape,  Active directory will only be used to login to domain and for authentication if for java system Active directory have been set as user data source.  What are the other advantages of Active directory- SAP IDM integration as Active directory will not be leading data source and identity information will be in identity store.?
  2) After the user details are taken from SAP HCM system, will  the user record will be created in SAP IDM on Identity store ?  Is it where we actually assign the SAP IDM business role and the related technical role  to the  user? 
  3) Suppose if we assign a business role " employee " , will IDM actually create user id in all target system and assign all the technical roles? . Or we have to manually select each repository for target system in Identity center and  select the privileges and provision it ?  Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
  Thank you in advance for your help.

  Hi Matt,
  Thank you very much.
  Only change we have is before approval it should go to GRC AC check all the compliance   and only after that it is approved and it should come back to SAP IDM  .
  I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained.  I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM . Any  specific clues?
  Also  I am describing the exact steps that will follow . Correct me if I am wrong.
  1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
  2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
  3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
  4) Create same user in third party systems  and with the privileges on their target systems as per the business role definition.
  With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
  So some other information i wanted is
  1) When you assign business role at work flow,  how exactly SAP IDM  know about the target systems that user should be created and  assigned roles and made their authentication source.
  for eg:- for  a  business role "employee"  should get  access to ERP with role X,  AD with group Y, Portal with role Z.  So in work flow when business role employee is assigned  how SAP IDM will know that user should be created on to ERP with role X,  AD with group Y, Portal with role Z. Can you explain technically along with  detail steps? Or how exactly we configure a business role which knows the target systems and their techical roles.
  Thank you once again for the fabulous help . You/Matthew is a tremendous  help in understanding SAP IDM better.

• OpenSSO-Sun IDM integration

  Hi All,
  I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, if the users are created in Sun-IDM are provisioned to OpenSSO. Can anyone suggest me, can the users created in OpenSSO be provisioned to Sun IDM?
  Also, is there any way to have a password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO can it also be changed in Sun-IDM?
  Best Wishes,
  Aruna

  Hi Frank,
  Thanks for the response,
  1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
  So, we create and provide user credentials to IDM team and they need to incorporate the user credentials when ever they are calling the web services in AC5.3 ?
  For this initial communication happening, what need to be done. Setting up SAP Jco is required in this case? Do we get involved with the configuration/development activity at IDM end?
  I could not find proper documentation on this, this leaves me in what amount of involvement I have to do as a SAP GRC AC5.3 consultant.
  Regards......

• AC 53 IdM Integration Implementation Assistance Guide released in BPX

  Hi Everyone,
  The first version of AC 53 IdM Integration Implementation Assistance Guide has been released in BPX.  You can find this document directly via this link:
  https://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793&overridelayout=true
  Thanks!
  Ankur Baishya
  SAP GRC RIG

• HCM-IdM integration in Enhancement Pack 4

  Hello there
  Are any of the BAdI's available for HCM delta extracts and better integration between IdM and SAP target systems put in HCM business functions that are not switched on by default once Enh. Pack 4 is implemented?
  Best regards,
  Anders

  So far the answer seems to be no... ./Anders

• Error while connecting HCM with IDM

  HI SDN,
  I am now working on connecting HCM (source system) with IDM by referring the document u201C [IDM for SAP System Landscape u2013 Configuration Guide|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb]u201D .
  In that I am following the HCM Use case implementation. I configured all the steps up to Exporting the HR data to Staging Area (Identity Store) via VDS by using a SQL query. If I say all the steps I followed it will take more time. so I request you to go through the mentioned document. While executing the report (RPLDAP_EXTRACT)  getting some Runtime error. Here is the short dump of that error.
  Short text
      "Function SPLDAP_RECEIVE_ATTRIBUTES is not available"
  What happened?
      Error in the ABAP Application Program
      The current ABAP program "SAPLLDA_EXTRACTION" had to be terminated because it
       has
      come across a statement that unfortunately cannot be executed.
      The error occurred during an RFC call to another system.
      In the target system, a short dump has been written as well.
      More detailed information on the error cause can be found there.
  Error analysis
      An error occurred when executing a REMOTE FUNCTION CALL.
      It was logged under the name "RFC_EXTERNAL_ABORT"
  I have that particular function module in my system and my RFC test connection is also success. so i am very much confused why i am getting that error?
  can anbody help me in fixing this error?
  /* points assured*/
  Regards,
  Tamil K

  Troy, did you ever figure out why you were getting the cannot modify object class error?
  I was able to get around it by fiddling with the IDS config, but comparing that modified config against a new one (that gets the cannot modify object class error) I can't see any relevant difference...
  I'd appreciate some guidance if you have overcome this.
  Thanks. Des.

• GRC-IDM Integration: missing web-service?

  Hi Experts,
  I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
  However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fata error:
  uLDAPGetEntry got exception
  javax.naming.NameNotFoundException: [LDAP: error code 32 -
  Couldn't perform DN to Data source mapping]; remaining name '
  After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
  Does anybody went through this already? Is there a procedure for creating this missing VDS entry or does VDS 7.1 SP3 solves this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
  Any idea would be appreciated!
  Kind regards,
  Jean-Christophe

  Hi ,
  After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of Data sources and web services, therefore solving this integration issue.
  Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if we use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
  Updating the others components from SP2 to SP3 (IC, RT, webdynpro, etc) was not necessary for us to make this provisioning log web-service work, although I think it is better to keep a consistent patch level accross the components.
  Kind regards,
  JC

• SAP IDM Integration with LDAP VS Rest.

  Hi,
  I'm looking for an best approach through I can integrate my custom application with SAP IDM 7.2. I have read couple of article and found IDM is based on VDS and allow LDAP as well as Restful web services.
  Would like to know the best approach.
  Here what I want to achieve:
  1. Dynamic Schema detection for User, Role and Employee
  2. Get all User List and there corresponding Role.
  3. Password Reset/Set/Change
  Thanks
  Shital

  Hi Nits,
  This guide presents the official SAP Connectors for IdM. SAP and 3rd-party.
  It seems that are no official connector for ADOBE CQ and HYBRIS.
  But you can build you own connector. (JDBC, WebServices, LDAP)
  Using the same concept as the SAP Standard connectors, Folders (Aplication Actions, Plugins) HOOK Tasks.
  It will depended in what integration layer this solutions offer.

• SAP GRC - SAP IDM integration

  Hello,
  may I ask you how SAP GRC Access Control can be integrated with Identity Management?
  I would like a description of the model and to understand if CUP, ERM, RAR are all mandatory components to do the integration (it's not clear to me if only CUP should be use to integrate IDM).
  Thank you to all
  Daniela

  Hi Daniela,
  there are two basic options of integrating Netweaver Identity Management and SAP BusinessOBjects Access Control:
  - CUP can call IdM to provision roles to non-SAP systems through IdM
  - IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
  As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
  The best kind of integration for your scenario is something that depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
  Kind regards,
  Frank.

• SAP IDM integration in SLD

  Hi there
  one of our customers raised the question if SAP IDM can be integrated with SLD (system landscape directory)? Obviously, one of the dispatchers showed up in the SLD for one time (maybe during installation).
  best regards
  Matthias

  Hi Billy
  in fact the core components of SAP IDM are not implemented in NetWeaver. They are running on a Windows Server (e.g. the dispatchers). Those are the components we want to register in SLD.
  Only the UI components are running in an NetWeaver AS Java, but this one is already in SLD.
  best regards
  Matthias