OIM - SAP CUA Connector - Unlocking Accounts

Hello All
We are implementing the Oracle Identity Manager connector for SAP CUA, and have the following concern:
If a user is locked manually by the SAP Security Administrator in a target SAP System (Prod for example), what is to prevent the End User from logging into OIM Self Service and unlocking themselves?
The OIM Connector Doc seems to state that the target system is unlocked regardless of locked state (meaning it sends an unlock request regardless of whether the user is locked or not).
How does this take Maintenance/Downtimes into consideration (where no business/end users should be in the system)? What about fraudulent or suspicious accounts (where the Security team has frozen/locked someone's account to prevent further activity)?
My thinking is that if an SAP Security Admin has locked an account, OIM should not unlock the account. The only unlocks which should take place are for Incorrect Passwords?
Just wondering if anyone has experience with OIM connecting to SAP CUA.

Nigel Wyman wrote:
> My thinking is that if an SAP Security Admin has locked an account, OIM should not unlock the account. The only unlocks which should take place are for Incorrect Passwords?
>
> Just wondering if anyone has experience with OIM connecting to SAP CUA
I have not worked with OIM, but I have worked with SAP IDM/GRC.
But I was asking why you would use CUA once you have OIM working?
1. You should have only a single point of user administration, so why don't you lock the user from OIM instead of logging into CUA?
2. In our present project (DEV and QA) we are using Access Enforcer for all user administration purposes with approval workflows; it works very well. Security should not log in to the systems without approval.
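The concern raised above is that a self-service unlock sent by OIM clears whatever lock the target SAP system holds, including one set deliberately by SAP Security. The usual mitigation is a pre-unlock policy check: read the account's lock reasons from the target first and let self-service clear only a failed-logon lock on the requester's own account. The following is an added illustration, not code from the OIM connector or from anyone in the thread. It assumes the lock reasons come back in the shape of the ISLOCKED structure of BAPI_USER_GETDETAIL (fields WRNG_LOGON, LOCAL_LOCK and GLOB_LOCK with 'L' for locked and 'U' for unlocked); the user names and responses are constructed, and the maintenance-window flag is a hypothetical input you would feed from your own change calendar.

```python
from dataclasses import dataclass

# Field names follow the ISLOCKED structure returned by BAPI_USER_GETDETAIL
# (an assumption for this example; 'L' = locked, 'U' = unlocked).
@dataclass(frozen=True)
class LockState:
    wrng_logon: bool   # locked because of too many failed logons
    local_lock: bool   # locked by an administrator on this system
    glob_lock: bool    # locked by the CUA central administrator

    @classmethod
    def from_islocked(cls, islocked: dict) -> "LockState":
        def flag(key: str) -> bool:
            return islocked.get(key, "U") == "L"
        return cls(flag("WRNG_LOGON"), flag("LOCAL_LOCK"), flag("GLOB_LOCK"))

    @property
    def admin_locked(self) -> bool:
        # Any lock set by a person (locally or via CUA) is outside self-service scope.
        return self.local_lock or self.glob_lock


def self_service_unlock_decision(requester: str, target_user: str,
                                 state: LockState, in_maintenance: bool = False):
    """Return (allowed, reason) for a self-service unlock request.

    Self-service may clear only the failed-logon lock, only on the requester's
    own account, and never while a maintenance window is open.
    """
    if requester != target_user:
        return False, "self-service may only unlock the requester's own account"
    if in_maintenance:
        return False, "maintenance window open: end-user logons are suspended"
    if state.admin_locked:
        return False, "administrative lock set by SAP Security; manual review required"
    if state.wrng_logon:
        return True, "only the failed-logon lock is set; unlock may proceed"
    return False, "account is not locked; nothing to do"


# Constructed sample lock states, not data from any real system.
SAMPLE_ISLOCKED = {
    "jdoe":   {"WRNG_LOGON": "L", "LOCAL_LOCK": "U", "GLOB_LOCK": "U"},  # typo'd password
    "asmith": {"WRNG_LOGON": "L", "LOCAL_LOCK": "L", "GLOB_LOCK": "U"},  # frozen by Security
    "rlee":   {"WRNG_LOGON": "U", "LOCAL_LOCK": "U", "GLOB_LOCK": "L"},  # locked centrally via CUA
}


def evaluate_request(requester: str, target_user: str, in_maintenance: bool = False):
    """Look up the (sample) lock state for target_user and apply the policy."""
    state = LockState.from_islocked(SAMPLE_ISLOCKED[target_user])
    return self_service_unlock_decision(requester, target_user, state, in_maintenance)


if __name__ == "__main__":
    for req, tgt in [("jdoe", "jdoe"), ("asmith", "asmith"), ("rlee", "rlee"), ("jdoe", "asmith")]:
        allowed, reason = evaluate_request(req, tgt)
        print(f"{req} -> {tgt}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The point of the ordering is that the administrative lock wins even when the failed-logon flag is also set (the `asmith` case): a user who guesses wrong a few times after Security has frozen the account must not be able to turn that into a self-service unlock. Denials are the events worth logging and alerting on, since repeated attempts against an administratively locked account are exactly what the original post worries about.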

Similar Messages

  • SAP CUA connector changes password in master system AND child systems?

    Please confirm if OIM can change the password in both SAP CUA master and child systems through SAP CUA connector. The connector guide mentions the following parameter can be defined in SAP CUA IT Resource.
    Parameter: SAPChangePasswordSystem. Flag that accepts the value X or ' '. If the value is X, then the password is changed only in the master system. If the value is ' ', then the password is changed in both master and child systems. This parameter is used by the Reset Password function.
    Thanks!

    Hi,
    1) You can use report RSCCUSND to distribute users from CUA to child client. Check section "Sending User Master Data to a Child System" in [CUA cookbook|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true].
    2) If the user account has not been synced to CUA then you should be able to delete it in the child system. The button should be displayed for unsynced users. You can use transaction SCUG to sync users between a new child system and CUA. Check section "Transferring Users from New System" in [CUA cookbook|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true].
    Cheers

  • OIM SAP UM Connector gateway port configuration

    Hi All,
    On SAP Target System, port for gateway communication is not the default 3300, but 3301. How do I go about configuring OIM to establish connection on 3301 instead of 3300?
    Thanks in advance
    Edited by: user13015045 on Aug 31, 2011 3:24 PM

    Hello 790345,
    You said:
    There is a variable on SAP called "SYSTEM NUMBER". It takes a two-digit value, e.g. 01.
    The port number is derived from that system number, so from the above example the gateway port will be 33<system number>, i.e., 3301.
    If I understand correctly, this variable SYSTEM_NUMBER is on SAP system side (target).
    How about on OIM SAP connector side (source)? have you managed to make it connect to 3301 instead of 3000?
    If yes, how did you do it?
    Thanks,
    Adr.

  • OIM - SAP SRM Connector

    Hi,
    We are planning to integrate OIM 11g with SAP SRM as target system. We are not able to find a connector specific to SRM integration with OIM. Do we need to use SAP User Management Engine Connector (sapume-11.1.1.5.0) or SAP User Management connector (SAP_UM_91220) ?
    Regards

    Oh! My bad. For SAP SRM, you can use sapume-11.1.1.5.0. Refer to Certified Components -> Target System in the connector documentation. You just need to do some extra configuration for it, as the doc says:
    If you install an SAP application, such as SAP BW or SAP SRM, in ABAP stack, then you must configure SAP Enterprise Portal against SAP UME of the application. See the respective target system documentation for information about this configuration.
    regards,
    GP

  • IDM-SAP CUA Integration

    I have been under the impression that instead of creating accounts on each SAP child system (SAP ECC, SAP Portal, SAP BI etc.), we can create the accounts in SAP CUA using IdM and then provide information to SAP CUA such that it does further provisioning on the SAP child systems.
    Is this possible?
    So far I have not been able to create such an account. I am successful in creating accounts in SAP CUA; however, no matter which attribute I use (cuasystems, activityGroups etc.) to represent a list of SAP child systems to be passed to SAP CUA to create the account, it does not work.
    I am definitely out of ideas and looking for some help.
    Thanks,
    Rajesh

    I think there is a setting on the SAP CUA system and the child systems that needs to be set correctly.
    We have an environment where we provision a user to CUA and assign the user roles (direct activity groups) that map to BI and ECC.
    CUA then uses those roles and the systems they map to in order to provision to those child systems.
    Check your SAP configuration, because this worked fine for us. One thing to note, is that changing an existing user's password in CUA will NOT replicate to child systems. So you may have to manage those child systems directly to change passwords.

  • Verify SAP HR connector connection with SAP Target system - OIM 11.1.2

    Hi All,
    We are using the SAP ER 9.1.2 connector and configured it as follows:
    1) Installed the SAP ER connector from the Admin console (in the OIM DB, the Common.jar, SAPCommon.jar and SAPER.jar files are created)
    2) The connector guide says sapjco3.jar and sapidoc3.jar should be placed into the Oracle_home/Xellerate/ThirdParty folder. As we are using OIM 11.1.2, we placed them in the Oracle_IDM1/server/ThirdParty folder. Also uploaded the third-party files into the OIM DB using UploadJars.sh.
    3) Copied the libsapjco3.so file into the /usr/local/jco directory and added the same path to the LD_LIBRARY_PATH environment variable
    4) Restarted the OIM server
    5) To check if SAPJCo is correctly installed, ran the commands below:
    java -jar JCO_DIRECTORY/sapjco3.jar
    java -classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
    Doubt: In OIM 11.1.2 we upload files into the OIM DB. So how does running the files in the ThirdParty folder verify the SAPJCo installation?
    6) Configured SAP HR IT resource parameters as given by our SAP application team.
    7) Now Ran "SAP HRMS Employee Type Recon" scheduled job and facing below error,
         "oracle.iam.connectors.sap.common.util.SAPUtil : getJCOFunction() : Connect to message server host failed[[
         Connection parameters: TYPE=B DEST=10.60.1.83 MSHOST=FUSION-ECCQA.hdfcsldm.com GROUP=PUBLIC R3NAME=FPQ PCS=1
         ERROR service 'sapmsFPQ' unknown
         TIME Tue Apr 16 18:20:20 2013
         RELEASE 720
         COMPONENT NI (network interface)
         VERSION 40
         RC -3
         MODULE niuxi.c
         LINE 1814
         DETAIL NiPGetServByName: 'sapmsFPQ' not found
         SYSTEM CALL getaddrinfo
         COUNTER 1 "
    Please help me in configuring SAP connector
    Thanks in advance

    Hi.
    Have you solved this? I'm getting the same error and the documentation is not clear.
    It says to add an entry to /etc/service (in my case there's a service using the same TCP port) and then copy a .ini file to the "root" directory, which I understand is "/" on a Linux system.
    Thank you.
    Alex

  • [OIM 11g] SAP ER connector behavior

    Hi Experts,
    How does the SAP ER Connector work when the IDOC has historical data for the user? I need to know if OIM will look for the latest changes and use those to create the identity.
    Best regards.

    Hey,
    I see the same issue and need to make this change as well, where are these settings? I couldn't find them in the setDomainEnv or setSOADomainEnv.
    Thanks

  • Sap UM connector 9.1.2 trouble with "SAP User Management User Recon" task

    Hello All,
    i have a problem with Sap UM Connector version 9.1.2.
    OIM version 11.1.1.5
    Windows 2008 R2
    Problem is:
    When accounts in SAP are created through the direct provisioning feature of the connector, everything works OK (subsequent update or delete of an account).
    But if a user account is created in SAP using the SAP GUI, the connector's scheduled task "SAP User Management User Recon" doesn't create a reconciliation event to link the user.
    Sometimes it does, though, but for one user account created using the SAP GUI, two reconciliation events were created in OIM, so the corresponding user in OIM has two records for the resource SAP.
    Of these reconciliation events, one has the full set of attributes (Login, First Name, Last Name, E Mail, etc.), the other one just these 3 attributes: IT Resource, User ID, Lock.
    The "SAP User Management Delete Recon" scheduled task works OK when a user account has been deleted using the SAP GUI.
    How can one troubleshoot such behavior?
    Can anyone advise please?

    Resolved the issue by updating the SAP UM connector to version 9.1.2.5.

  • GRC Unlock Account - BUG ?

    Hi All,
    This is regarding an issue we found in our GRC system.
    A UserID has been locked in ECC system sometime back.
    For example: Valid From - 01-Jan-2014 and Valid To - 05-Jan-2014
    UserID is in locked state and validity dates are as mentioned above.
    Now User wants this account to be unlocked and raising a GRC Unlock Request.
    User is selecting the system during Unlock Account creation and system is added with validity dates as shown below.
    Valid From - Today's date
    Valid To - 05-Jan-2014 [Existing UserID Valid To date in ECC system]
    According to me validity dates for the system should be added as shown below
    Valid From - Today's date
    Valid To - 31.12.9999
    Is this a bug, or is this the standard behaviour? I imagine this would be an issue for most customers.
    Please provide your suggestions on this.
    Regards,
    Madhu.

    Hi Alessandro and Colleen,
    Thanks for your inputs.
    Actually the issue is, the same unlock process is working with VALID TO date as 31.12.9999 in GRC 5.3.
    Now after upgrading to GRC 10.0, this was changed. Hence users are raising it as a concern.
    I understand that the system cannot recognize the VALID TO date as it can be any date depending on customer requirements, but since it was working in 5.3 the client is expecting the same in 10.0.
    While raising termination requests they are updating valid To date to the same day and submitting the requests.
    For the terminated users, later if they need access again, Unlock account request is being raised and here they are not selecting any VALID TO date as it was updating with 31.12.9999 Valid To date in GRC 5.3 and now it is updating with VALID TO date based on SU01 record.
    We raised this to SAP and I assume that this could be desired behavior as mentioned by you. Once SAP also confirms we will include this in our training material to make users used to it.
    If there was any update from SAP will keep you posted.
    Regards,
    Madhu.

  • CUP 5.3: unlock account type request

    Hello,
    Has anyone implemented request type for unlock account type without psw verification for LDAP authentication..but it still limits the user to only be able to unlock themselves, not anyone else? 
    I think Password self service should have included automatic unlocking of the userid as well..since most PSS requests are when the userid is locked in a system due to incorrect logons..so the unlocking request shouldn't have been separate from PSS.. It's a two step process to do currently..the user has to first do an unlock id request and then do a PSS to reset their psw.
    But for those clients that are authenticating GRC system against a SAP system, there's no workaround to not require SAP id and psw ..but how can the user tell you the psw when they're locked out of that system to begin with..due to incorrect logon. SAP has no solution for it. They do need to come up with a solution for that and also automatically unlock the userid for PSS processes instead of having them go thru another request to unlock it.
    Would greatly appreciate other people's feedback who have implemented PSS and unlock requests with LDAP authentication without psw verification.. otherwise, I would think anyone can unlock anyone without psw verification. The unlock request option to automate unlocking only yourself, but still be able to process requests of change or new account for others, is not available. It's either all or nothing in configuration.
    Alley


  • SAP Enterprise Connector

    Hi Experts
    I tried generating proxy classes for the first time for FlightAppList using the SAP Enterprise Connector by selecting the Single Server option. I have installed the SAP Management Console on the system with host name 'sap-server'; the details I provided were as follows:
    HostName:'sap-server'
    System Number: 00
    SAP Router:
    User Account
    Client : 001
    LogonName: pradeep
    Password: password
    Language:ENG
    but I get the error:
    Connect to SAP failed
    Error: Partner not reached
    Do I need to do any settings in the SAP NetWeaver console?
    Kindly let me know.

    Configuring webasabap needs the SAP security library, which can be downloaded from the SAP Service Marketplace, but it needs a licensed username and password which I don't have.
    I have only downloaded the trial version "SAPNW2004sJavaSP9_Trial". Is there a way I can connect my Java program to the SAP database without having any license?

  • [SAP UM Connector] Multiple instances?

    Hi all,
    I deployed an instance of the SAP UM connector in OIM 9.1.0.2 BP 15 / WebLogic 10.3.3 / Oracle 10g. It is running. I would like to know if someone has deployed it against several SAP servers, i.e. made multiple connector instances, in order to know which OIM objects to take care of (IT Resource, Process Form, Process, etc.).
    Thanks!

    I can go with multiple IT Resources, but we are looking for the more complex way. I am thinking in having multiple resource objects, so they can be audited.
    I think the following objects have to be cloned:
    -IT Resource
    -Resource object
    -Provisioning process
    -Process Form
    -Matching Rule
    I am not sure about lookups, because (for example) the profiles form field uses the IT Resource ID to identify from which server it was loaded, so I think perhaps some objects could be shared between connectors.

  • OIM - SAP UM Module

    Hi,
    In my project we are using OIM to integrate with SAP-UM. I am able to provision a user successfully from OIM to SAP without any issue. After doing the reconciliation I was able to pull all the Roles and Groups defined in SAP into OIM successfully, and I was able to create the users in OIM without any issue. But the users which are there in SAP-UM are not getting into OIM. Can anybody tell me what I am missing?
    Thanks&Regards
    Debi

    Hi,
    We are using the SAP UM connector in our environment, and the best approach that we found to ensure some SoD using OIM was using access policies based on the Xellerate User profile attributes. So all the roles and profiles mapping was done outside OIM and we configured the access policies using these roles and profiles. Also, any other profile or role granted to users needs to be approved by their manager and the SAP module owner.
    As a detective control to audit whether the SoD is being respected we use tools to verify that directly in the SAP system. But I think that you can customize a report to do it on the OIM side.
    Best Regards.
    Nitto

  • SAP Business Connector on Windows XP

    I've been trying to get the SAP Business Connector 4.7 to work on Windows XP professional but haven't been very successful. The business connector seems to install okay, but when I try to start the business connector through the server.bat file it generates the following errors:
    (loglevel = 4) 
    Loading WmPartners package
    00000E  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.EmailTransport:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.EmailTransport
    00000F  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:saveMessage: [B2BSERV.0026.9106] No method saveMessage in class wm.PartnerMgr.xtn.admin
    000010  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:view: [B2BSERV.0026.9106] No method view in class wm.PartnerMgr.xtn.admin
    000011  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:saveRoutingRule: [B2BSERV.0026.9106] No method saveRoutingRule in class wm.PartnerMgr.gateway.admin
    000012  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:convertWildCards: [B2BSERV.0026.9106] No method convertWildCards in class wm.PartnerMgr.gateway.admin
    000013  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.B2B:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.B2B
    000014  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:editStore: [B2BSERV.0026.9106] No method editStore in class wm.PartnerMgr.xtn.admin
    000015  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.FTPTransport:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.FTPTransport
    000016  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:invokeViewService: [B2BSERV.0026.9106] No method invokeViewService in class wm.PartnerMgr.xtn.admin
    000017  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:viewMsgContent: [B2BSERV.0026.9106] No method viewMsgContent in class wm.PartnerMgr.xtn.admin
    000018  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:updateTransports: [B2BSERV.0026.9106] No method updateTransports in class wm.PartnerMgr.gateway.admin
    000019  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.admin:invokeService: [B2BSERV.0026.9106] No method invokeService in class wm.PartnerMgr.gateway.admin
    00001A  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.xtn.admin:log: [B2BSERV.0026.9106] No method log in class wm.PartnerMgr.xtn.admin
    00001B  [B2BSERV.0028.0005] Loading SAP package
    00001C  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.RFC:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.RFC
    00001D  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.BAPI:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.BAPI
    00001E  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.XML:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.XML
    00001F  [B2BSERV.0026.0002] Failure while loading service sap.bapi:encodeToFile: [B2BSERV.0026.9106] No method encodeToFile in class com.wm.pkg.sap.bapi.BusinessDocumentCoder
    000020  [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:bapi2rfc: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
    000021  [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:rfc2bapi: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
    000022  [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:bapi2ale: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
    000023  [B2BSERV.0026.0002] Failure while loading service sap.admin:listGatewayServices: [B2BSERV.0026.9106] No method listGatewayServices in class sap.admin
    000024  [B2BSERV.0026.0002] Failure while loading service sap.bapi.Mapper:ale2bapi: [B2BSERV.0026.9104] Missing class sap.bapi.Mapper
    000025  [B2BSERV.0026.0002] Failure while loading service wm.PartnerMgr.gateway.transport.ALE:startup: [B2BSERV.0026.9106] No method startup in class wm.PartnerMgr.gateway.transport.ALE
    000026  [B2BSERV.0028.0005] Loading WmSamples package
    000027  [B2BSERV.0028.0026] Warning: Deprecated service type (webtap) in service sample.webtap:logApp in package WmSamples
    000028  [B2BSERV.0028.0005] Loading WmDB package
    These errors don't stop the business connector from starting up, but the errors are not normal behaviour. When I try to start the business connector through a Windows service then I get the message "Could not start the SAP Business Connector Service on Local Computer. Error 126: The specified module could not be found".
    I have a working business connector installation on a Windows 2000 server, and when I checked the error log of that installation I noticed that it had logged the same errors about the 'WmPartners' package. It on the other hand didn't have any problems loading the 'SAP' package.
    I tried installing the business connector on two different systems with identical results. Has anybody been able to get the business connector to work on Windows XP?

    Hi,
    I have no clear idea about BC, but
    see the following links; they may be helpful:
    Business Connector
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a8609b90-0201-0010-c6bc-a41b611c6dac
    SAP Business Connector on Windows XP
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/92e5bd90-0201-0010-b799-dfdc27f3100a
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a8424011-0d01-0010-e19d-e5bd8ca52244
    If useful, points rewarded.
    Regards
    Chilla

  • NULL Value in SAP Business Connector  (BC47_CoreFix7 )

    Dear All,
    I am working with the SAP Business Connector and sometimes I get a NULL value in (PROXY SERVER) in Secure Proxy (HTTPS), so I usually need to remove it manually and save the changes.
    Would you please help me to solve this issue, either to delete it automatically or any idea to prevent getting this NULL value.
    Thanks in advance..
    Message was edited by: Hassan Hakeem

    Dear,
    I need the answer ASAP please.
    Thanks..
    Message was edited by: Hassan Hakeem
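Two of the threads above come down to the same host-level connectivity checks: the "gateway port configuration" thread derives the gateway port as 33<system number> (3301 for system number 01), and the "Verify SAP HR connector connection" thread fails on `ERROR service 'sapmsFPQ' unknown` / `NiPGetServByName: 'sapmsFPQ' not found`, i.e. the NI layer could not resolve the message-server service name `sapms<SID>` through `getaddrinfo`, which on Linux means the name is missing from /etc/services; the follow-up reply adds the complication of another service already using the same TCP port. The following is an added helper, not code from the OIM connector, SAP JCo or either poster: it parses an /etc/services-style text, derives the gateway port from the system number, reports whether `sapms<SID>` resolves and whether its port collides with another entry. The /etc/services excerpt is constructed, and the 3600 port number in it is a sample value only (the page gives no message-server port; use the one your SAP Basis team gives you).

```python
import re

# Constructed /etc/services excerpt for the demo, not copied from any real host.
SAMPLE_SERVICES = """\
# service-name   port/protocol   [aliases ...]   # comment
sapdp01          3201/tcp
sapgw01          3301/tcp
sapmsFPQ         3600/tcp   # message server entry added for the OIM connector
backup-agent     3600/tcp   # another service already bound to the same port
"""


def gateway_port(system_number: str) -> int:
    """Gateway port is '33' followed by the two-digit SAP system number (as the thread states)."""
    nn = system_number.strip()
    if not re.fullmatch(r"\d{2}", nn):
        raise ValueError(f"system number must be two digits, got {system_number!r}")
    return int("33" + nn)


def message_server_service(sid: str) -> str:
    """Service name NiPGetServByName looks up for the message server: sapms<SID>."""
    return "sapms" + sid.upper()


def parse_services(text: str):
    """Parse /etc/services-style lines into (name, port, protocol) tuples, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue                             # malformed line, skip it
        port, _, proto = parts[1].partition("/")
        if not port.isdigit():
            continue
        entries.append((parts[0], int(port), proto))
    return entries


def lookup_service(text: str, name: str, proto: str = "tcp"):
    """Return the port registered for name/proto, or None when the name is unknown."""
    for svc, port, p in parse_services(text):
        if svc == name and p == proto:
            return port
    return None


def port_conflicts(text: str, port: int, proto: str = "tcp"):
    """All service names registered on the given port/proto (sorted, de-duplicated)."""
    return sorted({svc for svc, p, pr in parse_services(text) if p == port and pr == proto})


def diagnose(text: str, sid: str, system_number: str) -> dict:
    """Summarise what the NI layer would find for sapms<SID>, plus the derived gateway port."""
    name = message_server_service(sid)
    port = lookup_service(text, name)
    result = {"service": name, "resolved_port": port, "gateway_port": gateway_port(system_number)}
    if port is None:
        result["problem"] = f"'{name}' not found: add it to /etc/services (the 'service unknown' error)"
    else:
        others = [s for s in port_conflicts(text, port) if s != name]
        result["problem"] = f"port {port}/tcp also used by {', '.join(others)}" if others else None
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_SERVICES, "FPQ", "01"))   # resolves, but shares its port
    print(diagnose(SAMPLE_SERVICES, "XYZ", "01"))   # reproduces the 'not found' situation
```

To run it against a real host, replace `SAMPLE_SERVICES` with `open("/etc/services").read()`. A port shared by two names does not itself break name resolution, but it does mean only one of the two processes can actually listen there, which is why the conflict is reported alongside the lookup result.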
