OIM - SAP CUA Connector - Unlocking Accounts
Hello All
We are implementing the Oracle Identity Manager connector for SAP CUA, and have the following concern:
If a user is locked manually by the SAP Security Administrator in a target SAP System (Prod for example), what is to prevent the End User from logging into OIM Self Service and unlocking themselves?
The OIM Connector Doc seems to state that the target system is unlocked regardless of locked state (meaning it sends an unlock request regardless of whether the user is locked or not).
How does this take Maintenance/Downtimes into consideration (where no business/end users should be in the system)? What about fraudulent or suspicious accounts (where the Security team has frozen/locked someone's account to prevent further activity)?
My thinking is that if an SAP Security Admin has locked an account, OIM should not unlock the account. The only unlocks which should take place are for Incorrect Passwords?
Just wondering if anyone has experience with OIM connecting to SAP CUA.
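A concrete version of the distinction drawn in the post above (clear a wrong-logon lock, never an administrator lock), as an added example that is not part of this thread and not code from OIM or the SAP CUA connector. It assumes the two ways SAP reports why an account is locked: the USR02-UFLAG bitmask (0 not locked, 32 locked by the central/global administrator, 64 locked by a local administrator, 128 locked after too many failed logons) and the ISLOCKED structure (BAPIUSLOCK, fields WRNG_LOGON, LOCAL_LOCK, GLOB_LOCK, NO_USER_PW holding 'L' or 'U') returned by BAPI_USER_GET_DETAIL. The sample inputs are constructed and the function names are mine; verify the field layouts against your SAP release before using such a gate in front of a connector unlock task.

```python
"""Self-service unlock policy gate for SAP user accounts.

Added example, not code from OIM or the SAP CUA connector. It assumes
the two ways SAP reports why an account is locked:
  * USR02-UFLAG bitmask: 0 not locked, 32 locked by central (CUA/global)
    administrator, 64 locked by local administrator, 128 locked after too
    many failed logons. Several bits can be set at once.
  * ISLOCKED (structure BAPIUSLOCK) from BAPI_USER_GET_DETAIL, with fields
    WRNG_LOGON, LOCAL_LOCK, GLOB_LOCK and NO_USER_PW holding 'L' or 'U'.
Verify both layouts against your SAP release before using this policy.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

UFLAG_GLOBAL_ADMIN_LOCK = 32   # set by the CUA central system
UFLAG_LOCAL_ADMIN_LOCK = 64    # set in the child system (SU01)
UFLAG_WRONG_LOGON_LOCK = 128   # set automatically by failed logons


@dataclass(frozen=True)
class LockState:
    wrong_logon: bool
    local_admin: bool
    global_admin: bool
    no_user_pw: bool

    @classmethod
    def from_uflag(cls, uflag: int) -> "LockState":
        """Decode the USR02-UFLAG bitmask. NO_USER_PW is not part of UFLAG."""
        return cls(
            wrong_logon=bool(uflag & UFLAG_WRONG_LOGON_LOCK),
            local_admin=bool(uflag & UFLAG_LOCAL_ADMIN_LOCK),
            global_admin=bool(uflag & UFLAG_GLOBAL_ADMIN_LOCK),
            no_user_pw=False,
        )

    @classmethod
    def from_bapi_islocked(cls, islocked: Dict[str, str]) -> "LockState":
        """Decode the ISLOCKED structure ('L' = locked, 'U' = unlocked)."""
        def locked(field: str) -> bool:
            return islocked.get(field, "U").strip().upper() == "L"
        return cls(
            wrong_logon=locked("WRNG_LOGON"),
            local_admin=locked("LOCAL_LOCK"),
            global_admin=locked("GLOB_LOCK"),
            no_user_pw=locked("NO_USER_PW"),
        )

    @property
    def admin_locked(self) -> bool:
        return self.local_admin or self.global_admin

    @property
    def locked(self) -> bool:
        return self.wrong_logon or self.admin_locked


def self_service_unlock_allowed(state: LockState, requester: str,
                                target: str) -> Tuple[bool, str]:
    """Decide whether a self-service request may unlock `target`.

    Only the account owner may ask, and only a lock caused by failed
    logons is cleared; any administrator lock (maintenance window,
    security freeze) is left in place and routed to SAP security.
    Returns (allowed, reason) so the caller can log the decision.
    """
    if requester.upper() != target.upper():
        return False, "self-service may only unlock the requester's own account"
    if state.admin_locked:
        who = "central administrator" if state.global_admin else "local administrator"
        return False, f"locked by {who}; route to SAP security, do not unlock"
    if state.no_user_pw:
        return False, "account has no usable password; unlock would not help"
    if not state.wrong_logon:
        return False, "account is not locked; nothing to unlock"
    return True, "locked by failed logons only; unlock permitted"


if __name__ == "__main__":
    # Constructed sample: the same user seen with different lock reasons.
    cases = {
        "failed logons only": LockState.from_uflag(128),
        "SU01 admin lock": LockState.from_uflag(64),
        "admin lock plus failed logons": LockState.from_uflag(64 | 128),
        "BAPI view, wrong logon": LockState.from_bapi_islocked(
            {"WRNG_LOGON": "L", "LOCAL_LOCK": "U", "GLOB_LOCK": "U", "NO_USER_PW": "U"}),
    }
    for label, state in cases.items():
        allowed, reason = self_service_unlock_allowed(state, "jdoe", "JDOE")
        print(f"{label:32s} allowed={allowed!s:5s} {reason}")
```

The point of returning a reason string is that a refused unlock during a maintenance freeze or a security hold should land in the audit trail with the lock owner named, rather than silently succeeding as a blanket unlock would.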
>
Nigel Wyman wrote:
> My thinking is that if an SAP Security Admin has locked an account, OIM should not unlock the account. The only unlocks which should take place are for Incorrect Passwords?
>
> Just wondering if anyone has experience with OIM connecting to SAP CUA
Not worked with OIM, but have worked with SAP IDM/GRC:
But I was asking why you would use CUA once you have OIM working?
1. You should have only a single point of user administration; why don't you lock the user from OIM instead of logging into CUA?
2. In our present project, in DEV and QA we are using Access Enforcer for all user administration purposes with approval workflows; it works very well. Security should not log in to the systems without approval.
Similar Messages
-
SAP CUA connector changes password in master system AND child systems?
Please confirm if OIM can change the password in both SAP CUA master and child systems through SAP CUA connector. The connector guide mentions the following parameter can be defined in SAP CUA IT Resource.
Parameter: SAPChangePasswordSystem Flag that accepts the value X or ' '
If the value is X, then the password is changed
only in the master system. If the value is ' ', then
the password is changed in both master and child
systems.
This parameter is used by the Reset
Password function.
Thanks!
Hi,
1) You can use report RSCCUSND to distribute users from CUA to child client. Check section "Sending User Master Data to a Child System" in [CUA cookbook|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true].
2) if the user account has not been synced to CUA then you should be able to delete it in child system. The button should be displayed for unsynced users. You can use transaction SCUG to sync users between new child system and CUA. Check section "Transfering Users from New System" in [CUA cookbook|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true].
Cheers -
OIM SAP UM Connector gateway port configuration
Hi All,
On SAP Target System, port for gateway communication is not the default 3300, but 3301. How do I go about configuring OIM to establish connection on 3301 instead of 3300?
Thanks in advance
Edited by: user13015045 on Aug 31, 2011 3:24 PM
Hello 790345,
You said:
There is a variable on SAP called "SYSTEM NUMBER". it takes two digit value .eg : 01.
port number is derived for that system number. so from above example gateway port will be (33<system number>) i.e., 3301
If I understand correctly, this variable SYSTEM_NUMBER is on SAP system side (target).
How about on OIM SAP connector side (source)? have you managed to make it connect to 3301 instead of 3000?
If yes, how did you do it?
Thanks,
Adr. -
Hi,
We are planning to integrate OIM 11g with SAP SRM as target system. We are not able to find a connector specific to SRM integration with OIM. Do we need to use SAP User Management Engine Connector (sapume-11.1.1.5.0) or SAP User Management connector (SAP_UM_91220) ?
Regards
Oh! My bad. For SAP SRM, you can use sapume-11.1.1.5.0. Refer to Certified Components -> Target System in the connector documentation. You just need to do some extra configuration for it, as the doc says:
If you install an SAP application, such as SAP BW or SAP SRM, in ABAP stack, then
you must configure SAP Enterprise Portal against SAP UME of the application. See
the respective target system documentation for information about this
configuration
regards,
GP -
I have been under the impression that instead of creating accounts on each SAP child system (SAP ECC, SAP Portal, SAP BI etc.), we can create the accounts in SAP CUA using IdM and then provide information to SAP CUA such that it does further provisioning on the SAP child systems.
Is this possible?
So far I have not been able to create such an account. I am successful in creating accounts in SAP CUA; however, no matter which attribute I use (cuasystems, activityGroups etc.) to represent a list of SAP child systems to be passed to SAP CUA to create the account, it does not work.
I am definitely out of ideas and looking for some help.
Thanks,
Rajesh
I think there is a setting on the SAP CUA system and the child systems that needs to be set correctly.
We have an environment where we provision a user to CUA and assign the user roles (direct activity groups) that map to BI and ECC.
CUA then uses those roles and the systems they map to in order to provision to those child systems.
Check your SAP configuration, because this worked fine for us. One thing to note, is that changing an existing user's password in CUA will NOT replicate to child systems. So you may have to manage those child systems directly to change passwords. -
Verify SAP HR connector connection with SAP Target system - OIM 11.1.2
Hi All,
We are using the SAP ER 9.1.2 connector, configured as follows:
1) Installed the SAP ER connector from the Admin console (in the OIM DB, Common.jar, SAPCommon.jar and SAPER.jar files are created)
2) The connector guide says sapjco3.jar and sapidoc3.jar should be placed into the Oracle_home/Xellerate/ThirdParty folder. As we are using OIM 11.1.2, placed them in the Oracle_IDM1/server/ThirdParty folder. Also uploaded the ThirdParty files into the OIM DB using UploadJars.sh.
3) Copied the libsapjco3.so file into the /usr/local/jco directory and added the same path to the LD_LIBRARY_PATH environment variable
4) Restarted the OIM server
5) To check if SAPJCo is correctly installed, ran the commands below:
java -jar JCO_DIRECTORY/sapjco3.jar
java -classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
Doubt: In OIM 11.1.2 we upload files into the OIM DB. So how does running files in the ThirdParty folder verify the SAPJCo installation?
6) Configured SAP HR IT resource parameters as given by our SAP application team.
7) Now Ran "SAP HRMS Employee Type Recon" scheduled job and facing below error,
"oracle.iam.connectors.sap.common.util.SAPUtil : getJCOFunction() : Connect to message server host failed[[
Connection parameters: TYPE=B DEST=10.60.1.83 MSHOST=FUSION-ECCQA.hdfcsldm.com GROUP=PUBLIC R3NAME=FPQ PCS=1
ERROR service 'sapmsFPQ' unknown
TIME Tue Apr 16 18:20:20 2013
RELEASE 720
COMPONENT NI (network interface)
VERSION 40
RC -3
MODULE niuxi.c
LINE 1814
DETAIL NiPGetServByName: 'sapmsFPQ' not found
SYSTEM CALL getaddrinfo
COUNTER 1 "
Please help me in configuring SAP connector
Thanks in advance
Hi.
Have you solved this? I'm getting the same error and documentation is not clear.
It says to add an entry to /etc/service (in my case there's a service using the same tcp port) and the copy a .ini file to "root" directory, which I understand is "/" in a linux system.
Thank you.
Alex -
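Both the gateway-port question (system number 01 giving port 3301) and the "service 'sapmsFPQ' unknown" error above come down to how SAP derives ports from the instance number and how JCo resolves the message server name. The following is an added example written for this thread; it is not code from the OIM connector or from SAP JCo. It assumes the standard port conventions (instance number nn: dispatcher 32nn, gateway 33nn, message server 36nn), that a load-balanced JCo destination resolves sapms<SID> through the OS service database unless the port is supplied directly, and the JCo 3 property names jco.client.ashost, sysnr, mshost, msserv, r3name and group. How the connector's IT resource fields map onto those properties is an assumption to check against the connector guide for your release; the /etc/services excerpt in the code is constructed.

```python
"""SAP port derivation and message-server service-name check.

Added example for the gateway-port question (system number 01 -> 3301)
and the "service 'sapmsFPQ' unknown" JCo error in this thread. It is not
code from the OIM connector or from SAP JCo. Conventions assumed:
  * with two-digit instance number nn: dispatcher 32nn, gateway 33nn,
    message server 36nn;
  * the message server name JCo resolves via getservbyname is sapms<SID>,
    looked up in /etc/services unless jco.client.msserv carries the port;
  * JCo 3 property names jco.client.ashost/sysnr/mshost/msserv/r3name/group.
How the connector's IT resource fields map to those properties is an
assumption; check the connector guide for the release you run.
"""
from typing import Dict, Optional


def sap_ports(instance_number: str) -> Dict[str, int]:
    """Derive the standard port numbers from a two-digit instance number."""
    nn = int(instance_number)
    if not 0 <= nn <= 99:
        raise ValueError(f"instance number must be 00..99, got {instance_number!r}")
    return {"dispatcher": 3200 + nn, "gateway": 3300 + nn, "message_server": 3600 + nn}


def jco_direct_properties(ashost: str, instance_number: str,
                          client: str, user: str) -> Dict[str, str]:
    """Type A (direct application server) destination: the gateway port
    follows from sysnr, so no separate gateway-port setting is needed."""
    sap_ports(instance_number)  # validates the instance number
    return {"jco.client.ashost": ashost, "jco.client.sysnr": f"{int(instance_number):02d}",
            "jco.client.client": client, "jco.client.user": user}


def jco_lb_properties(mshost: str, sid: str, group: str, client: str,
                      user: str, msserv: Optional[int] = None) -> Dict[str, str]:
    """Type B (message server / logon group) destination. Without msserv,
    JCo resolves sapms<SID> through the OS service database."""
    props = {"jco.client.mshost": mshost, "jco.client.r3name": sid,
             "jco.client.group": group, "jco.client.client": client,
             "jco.client.user": user}
    if msserv is not None:
        props["jco.client.msserv"] = str(msserv)
    return props


def parse_services(text: str) -> Dict[str, int]:
    """Parse /etc/services-style lines ('name port/proto  # comment'), TCP only."""
    table: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        if proto.lower() == "tcp" and port.isdigit():
            table[parts[0]] = int(port)
    return table


def services_line(sid: str, instance_number: str) -> str:
    """The /etc/services entry that makes sapms<SID> resolvable."""
    return f"sapms{sid}\t{sap_ports(instance_number)['message_server']}/tcp\t# SAP message server {sid}"


def diagnose_msserv(sid: str, services_text: str,
                    instance_number: Optional[str] = None) -> str:
    """Explain a NiPGetServByName failure for sapms<SID> and suggest the fix."""
    name = f"sapms{sid}"
    table = parse_services(services_text)
    if name in table:
        return f"{name} resolves to {table[name]}/tcp; the error is not a service lookup problem"
    hint = (f"add '{services_line(sid, instance_number)}' to /etc/services"
            if instance_number is not None else
            f"add '{name} 36<nn>/tcp' to /etc/services (nn = message server instance)")
    return (f"{name} is not in the service database, so JCo cannot find the "
            f"message server port: {hint}, or set jco.client.msserv to the port")


if __name__ == "__main__":
    print(sap_ports("01"))                         # gateway 3301
    print(jco_direct_properties("sap-server", "01", "001", "OIMUSER"))
    # Constructed /etc/services excerpt that lacks the FPQ entry.
    sample_services = "ftp\t21/tcp\nsapmsABC\t3600/tcp\t# other SID\n"
    print(diagnose_msserv("FPQ", sample_services, "00"))
    print(diagnose_msserv("FPQ", sample_services + services_line("FPQ", "00") + "\n"))
```

Run it against the real /etc/services of the OIM host to see whether the sapms<SID> line is present; if another service already owns the port you would pick, as mentioned in the reply above, supplying the port through jco.client.msserv avoids touching the service database at all.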
[OIM 11g] SAP ER connector behavior
Hi Experts,
How does the SAP ER Connector work when the IDOC has historical data for the user? I need to know if OIM will look for the latest changes and use these to create the identity.
Best regards.
Hey,
I see the same issue and need to make this change as well, where are these settings? I couldn't find them in the setDomainEnv or setSOADomainEnv.
Thanks -
Sap UM connector 9.1.2 trouble with "SAP User Management User Recon" task
Hello All,
i have a problem with Sap UM Connector version 9.1.2.
OIM version 11.1.1.5
Windows 2008 R2
Problem is:
When accounts in SAP are created through the direct provisioning feature of the connector, everything works OK (subsequent update or delete of an account).
But if a user account is created in SAP using SAP GUI, the scheduled task "SAP User Management User Recon" of the connector doesn't create a reconciliation event to link the user.
Sometimes it does, though, but for one user account created using SAP GUI, two reconciliation events were created in OIM, so the corresponding user in OIM has two records for the resource SAP.
Of these reconciliation events, one has the full set of attributes (Login, First Name, Last Name, E Mail, etc.), the other just these 3 attributes: IT Resource, User ID, Lock.
The "SAP User Management Delete Recon" scheduled task works OK when a user account has been deleted using SAP GUI.
How can one troubleshoot such behavior?
Can anyone advise please?
Resolved the issue by updating the SAP UM connector to version 9.1.2.5
-
GRC Unlock Account - BUG ?
Hi All,
This is regarding an issue we found in our GRC system.
A UserID has been locked in ECC system sometime back.
For example: Valid From - 01-Jan-2014 and Valid To - 05-Jan-2014
UserID is in locked state and validity dates are as mentioned above.
Now User wants this account to be unlocked and raising a GRC Unlock Request.
User is selecting the system during Unlock Account creation and system is added with validity dates as shown below.
Valid From - Today's date
Valid To - 05-Jan-2014 [Existing UserID Valid To date in ECC system]
According to me validity dates for the system should be added as shown below
Valid From - Today's date
Valid To - 31.12.9999
Is this a bug, or is this the standard behaviour? I think this would be an issue for most customers.
Please provide your suggestions on this.
Regards,
Madhu.
Hi Alessandro and Colleen,
Thanks for your inputs.
Actually the issue is, the same unlock process is working with VALID TO date as 31.12.9999 in GRC 5.3.
Now after upgrading to GRC 10.0, this was changed. Hence users are raising it as a concern.
I understand that system cannot recognize VALID TO date as it can be any date depending on customer requirement, but since it was working in 5.3 client is expecting the same in 10.0
While raising termination requests they are updating valid To date to the same day and submitting the requests.
For the terminated users, later if they need access again, Unlock account request is being raised and here they are not selecting any VALID TO date as it was updating with 31.12.9999 Valid To date in GRC 5.3 and now it is updating with VALID TO date based on SU01 record.
We raised this to SAP and I assume that this could be desired behavior as mentioned by you. Once SAP also confirms we will include this in our training material to make users used to it.
If there was any update from SAP will keep you posted.
Regards,
Madhu. -
CUP 5.3: unlock account type request
Hello,
Has anyone implemented a request type for unlock account without password verification for LDAP authentication, but which still limits the user to only being able to unlock themselves, not anyone else?
I think Password Self Service should have included automatic unlocking of the user ID as well, since most PSS requests are when the user ID is locked in a system due to incorrect logons, so the unlock request shouldn't have been separate from PSS. It's a two-step process currently: the user has to first do an unlock ID request and then do a PSS to reset their password.
But for those clients that are authenticating the GRC system against a SAP system, there's no workaround to not require the SAP ID and password, but how can the user tell you the password when they're locked out of that system to begin with, due to incorrect logons? SAP has no solution for it. They do need to come up with a solution for that and also automatically unlock the user ID for PSS processes instead of having them go through another request to unlock it.
Would greatly appreciate other people's feedback who have implemented PSS and unlock requests with LDAP authentication without password verification; otherwise, I would think anyone can unlock anyone without password verification. The option to automate the unlock request so that you can only unlock yourself but still be able to process change or new account requests for others is not available. It's either all or nothing in configuration.
Alley -
Hi Experts
I tried generating proxy classes for the first time for FlightAppList using the SAP Enterprise Connector by selecting the Single Server option. I have installed SAP Management Console on the system with host name 'sap-server'; the details I provided were as follows:
HostName:'sap-server'
System Number: 00
SAP Router:
User Account
Client : 001
LogonName: pradeep
Password: password
Language:ENG
but i get the error as
Connect to SAP failed
Error: Partner not reached
Do i need to do any settings on SAP Netweaver console.
Kindly let me know.
Configuring webasabap needs the SAP security library, which can be downloaded at the SAP Marketplace, but it needs a license username/password which I don't have.
I have only downloaded the trial version "SAPNW2004sJavaSP9_Trial" is there a way i can connect my java program to SAP database without having any license? -
[SAP UM Connector] Multiple instances?
Hi all,
I deployed an instance of the SAP UM connector in OIM 9.1.0.2 BP 15 / WebLogic 10.3.3 / Oracle 10g. It is running. I would like to know if someone has deployed it on several SAP servers, a.k.a. made multiple connector instances, in order to know which OIM objects to take care of (IT Resource, Process Form, Process, etc.).
Thanks!
I can go with multiple IT Resources, but we are looking for the more complex way. I am thinking of having multiple resource objects, so they can be audited.
I think the following objects have to be cloned:
-IT Resource
-Resource object
-Provisioning process
-Process Form
-Matching Rule
I am not sure about lookups, because (for example) profiles form field uses the it Resource id to identify from where Server it was loaded, so I think perhaps there could be some objects shared between connectors. -
Hi,
In my project we are using OIM to integrate with SAP-UM. I am able to provision a user successfully from OIM to SAP without any issue. After doing the reconciliation I was able to pull all the Roles and Groups defined in SAP into OIM successfully, and I was able to create the users in OIM without any issue. But the users which are in SAP-UM are not getting into OIM. Can anybody tell me where I am missing it?
Thanks&Regards
Debi
Hi,
We are using the SAP UM connector in our environment, and the best approach that we found to ensure some SoD using OIM was to use access policies based on the Xellerate User profile attributes. So all the role and profile mapping was done outside OIM and we configured the access policies using these roles and profiles. Also, any other profile or role granted to users needs to be approved by his manager and the SAP module owner.
As a detective control to audit if the SoD are been respected we use tools to verify that directly into SAP system. But I think that you can customize a report to do in the OIM side.
Best Regards.
Nitto -
SAP Business Connector on Windows XP
I've been trying to get the SAP Business Connector 4.7 to work on Windows XP professional but haven't been very successful. The business connector seems to install okay, but when I try to start the business connector through the server.bat file it generates the following errors:
(loglevel = 4)
Loading WmPartners package
00000E [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.EmailTransport:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.EmailTransport
00000F [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:saveMessage: [B2BSERV.0026.9106] No method saveMessage in class wm.PartnerMgr.xtn.admin
000010 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:view: [B2BSERV.0026.9106] No method view in class wm.PartnerMgr.xtn.admin
000011 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:saveRoutingRule: [B2BSERV.0026.9106] No method saveRoutingRule in class wm.PartnerMgr.gateway.admin
000012 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:convertWildCards: [B2BSERV.0026.9106] No method convertWildCards in class wm.PartnerMgr.gateway.admin
000013 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.B2B:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.B2B
000014 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:editStore: [B2BSERV.0026.9106] No method editStore in class wm.PartnerMgr.xtn.admin
000015 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.FTPTransport:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.FTPTransport
000016 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:invokeViewService: [B2BSERV.0026.9106] No method invokeViewService in class wm.PartnerMgr.xtn.admin
000017 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:viewMsgContent: [B2BSERV.0026.9106] No method viewMsgContent in class wm.PartnerMgr.xtn.admin
000018 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:updateTransports: [B2BSERV.0026.9106] No method updateTransports in class wm.PartnerMgr.gateway.admin
000019 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:invokeService: [B2BSERV.0026.9106] No method invokeService in class wm.PartnerMgr.gateway.admin
00001A [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:log: [B2BSERV.0026.9106] No method log in class wm.PartnerMgr.xtn.admin
00001B [B2BSERV.0028.0005] Loading SAP package
00001C [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.RFC:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.RFC
00001D [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.BAPI:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.BAPI
00001E [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.XML:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.XML
00001F [B2BSERV.0026.0002] Failure while loading service sap.bapi:encodeToFile: [B2BSERV.0026.9106] No method encodeToFile in class com.wm.pkg.sap.bapi.BusinessDocumentCoder
000020 [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:bapi2rfc: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
000021 [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:rfc2bapi: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
000022 [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:bapi2ale: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
000023 [B2BSERV.0026.0002] Failure while loading service sap.admin:listGatewayServices: [B2BSERV.0026.9106] No method listGatewayServices in class sap.admin
000024 [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:ale2bapi: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
000025 [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.ALE:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.ALE
000026 [B2BSERV.0028.0005] Loading WmSamples package
000027 [B2BSERV.0028.0026] Warning: Deprecated service type (webtap) in service sample.webtap:logApp in package WmSamples
000028 [B2BSERV.0028.0005] Loading WmDB package
These errors don't stop the business connector from starting up, but the errors are not normal behaviour. When I try to start the business connector through a Windows service then I get the message "Could not start the SAP Business Connector Service on Local Computer. Error 126: The specified module could not be found".
I have a working business connector installation on a Windows 2000 server, and when I checked the error log of that installation I noticed that it had logged the same errors about the 'WmPartners' package. It on the other hand didn't have any problems loading the 'SAP' package.
I tried installing the business connector on two different systems with identical results. Has anybody been able to get the business connector to work on Windows XP?
Hi,
I have no idea clearly about BC.. but ..
See the following links.. may be helpfull..
Business connector
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a8609b90-0201-0010-c6bc-a41b611c6dac
SAP Business Connector on Windows XP
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/92e5bd90-0201-0010-b799-dfdc27f3100a
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a8424011-0d01-0010-e19d-e5bd8ca52244
If useful, points rewarded.
Regards
Chilla.. -
NULL Value in SAP Business Connector (BC47_CoreFix7 )
Dear All,
I am working with SAP Business Connector and sometimes I get a NULL value in (PROXY SERVER) in Secure Proxy (HTTPS), so I usually need to remove it manually and save the changes.
Would you please help me to solve this issue, either to delete it automatically or any idea to prevent getting this NULL value.
Thanks in advance..
Message was edited by: Hassan Hakeem
Dear,
I need the answer ASAP please.
Thanks..
Message was edited by: Hassan Hakeem