Password Replication to LDAP from SUS (ABAP system)

Hi,
We have integrated the ABAP (SUS) system with LDAP. We want to replicate all the user accounts created in SUS to LDAP (both user ID and password). We need this password in LDAP because LDAP is used for authentication when the user is logging in from outside the company by the ISA server (reverse proxy server), and when the users are logging in internally from the network they will be authenticated against the SUS system directly. So we need the user account created in both places with password.
Any help around this topic is much appreciated.
Thanks & Regards,
Seshu

Hi Yaramala Reddy,
I have done Synchronization of users created on ABAP with LDAP directory.
You can use LDAP tcode or LDAPMAP tcode to do the required settings for mapping the SAP User Data fields to the LDAP directory attributes.
Once the mapping is defined, run the report RSLDAPSYNC_USER, which will replicate all the users created on the ABAP side or vice versa.
You can also schedule the report daily as a background job for delta synchronization.
Hope this helps.
Regards,
Kiran Kandepalli.

Similar Messages

  • Delete Role Assignments directly from an ABAP System

    Hi folks!
    I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.
    Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!
    However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.
    I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.
    I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.
    Thanks for your help!
    Matt

    Hello Matt,
    so you want to remove local administrated role?
    If the object really is to undo the local administration, I would do this:
    Create a batch job, the passes would be a FromSAP, a ToGeneric and one/two ToSAP
    At first a cleaning pass (the ToGeneric one) which fixes all incorrectly assigned privs (re-add directly or remove, depends on what you want/need). The source tab query and destination tab script have to be written though (I guess that is the most time-consuming part of the job during implementation)
    The pending privs have to be considered in the provisioning script (I would prefer our own written script over the SAP delivered anytime)
    Copy the Read ABAP pass for users. Remove everything but the logonuid and the role assignments (profile assignments only if needed, too). Maybe use a different table name like sap<repName>userAssignRecon. If the system is very large, this pass has to be optimized filters
    Copy the role provisioning pass from the in-use plugin (SAP or adjusted one) and adjust it like this:
    Source tab query: A query which selects all mskeys of users that have more assigned in the sap table than in the link view. Using the Identity Store so everything of the identity is selected
    Destination tab: Remove the profiles as you haven't mentioned them. If needed I would do the same for profiles as for the roles in a second pass with the profileAssign table.
    Best regards
    Dominik
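The comparison Dominik describes for the source tab (assignments present in the backend table but not in IDM), as an added example that is not part of the original thread or of the SAP framework. It goes one step further and also lists roles to re-add and accounts IDM does not know; the table and column names (`sap_recon`, `idm_identity`, `idm_link`, `state`) and the removal-fraction guard are hypothetical, and the data is constructed.

```python
import sqlite3

# Constructed sample data. All table/column names are hypothetical stand-ins:
#   sap_recon    ~ the recon table filled by the copied "Read ABAP" pass
#   idm_identity ~ identities in the Identity Store (mskey, logon id)
#   idm_link     ~ privilege assignments held in IDM; state 'ok' or 'pending'
SAP_RECON = [
    ("ALICE", "Z_FI_CLERK"), ("ALICE", "Z_LOCAL_ADMIN"),
    ("BOB", "Z_MM_BUYER"), ("CAROL", "Z_HR_VIEW"),
    ("ERIN", "Z_OLD_ROLE"),      # identity exists in IDM but holds no roles
    ("SVC_BATCH", "Z_BATCH"),    # account unknown to IDM
]
IDM_IDENTITY = [(101, "ALICE"), (102, "BOB"), (103, "CAROL"), (104, "ERIN")]
IDM_LINK = [
    (101, "Z_FI_CLERK", "ok"),
    (102, "Z_MM_BUYER", "ok"),
    (102, "Z_MM_APPROVER", "ok"),     # missing in the backend
    (103, "Z_HR_VIEW", "ok"),
    (103, "Z_HR_ADMIN", "pending"),   # provisioning still in flight
]

SCHEMA = """
CREATE TABLE sap_recon(logonuid TEXT, role TEXT);
CREATE TABLE idm_identity(mskey INTEGER PRIMARY KEY, logonuid TEXT UNIQUE);
CREATE TABLE idm_link(mskey INTEGER, role TEXT, state TEXT);
"""

# Backend has the role, IDM does not (a link in any state counts as "IDM has it").
REMOVE_SQL = """
SELECT i.mskey, s.logonuid, s.role
FROM sap_recon s
JOIN idm_identity i ON i.logonuid = s.logonuid
LEFT JOIN idm_link l ON l.mskey = i.mskey AND l.role = s.role
WHERE l.role IS NULL
ORDER BY s.logonuid, s.role
"""

# IDM holds the role as settled ('ok') but the backend lacks it.
# Pending links are skipped so an in-flight provisioning task is not duplicated.
READD_SQL = """
SELECT i.mskey, i.logonuid, l.role
FROM idm_link l
JOIN idm_identity i ON i.mskey = l.mskey
LEFT JOIN sap_recon s ON s.logonuid = i.logonuid AND s.role = l.role
WHERE s.role IS NULL AND l.state = 'ok'
ORDER BY i.logonuid, l.role
"""

# Backend accounts with no identity in IDM: reported, never modified.
UNMANAGED_SQL = """
SELECT DISTINCT s.logonuid
FROM sap_recon s
LEFT JOIN idm_identity i ON i.logonuid = s.logonuid
WHERE i.mskey IS NULL
ORDER BY s.logonuid
"""


def reconcile(sap_rows, identities, links, max_remove_fraction=0.5):
    """Return the removals, re-adds and unmanaged accounts for one repository."""
    db = sqlite3.connect(":memory:")
    try:
        db.executescript(SCHEMA)
        db.executemany("INSERT INTO sap_recon VALUES (?, ?)", sap_rows)
        db.executemany("INSERT INTO idm_identity VALUES (?, ?)", identities)
        db.executemany("INSERT INTO idm_link VALUES (?, ?, ?)", links)
        remove = db.execute(REMOVE_SQL).fetchall()
        readd = db.execute(READD_SQL).fetchall()
        unmanaged = [row[0] for row in db.execute(UNMANAGED_SQL)]
    finally:
        db.close()
    # Guard: an incomplete read of the IDM side makes every backend role look extra.
    if len(remove) > max_remove_fraction * len(sap_rows):
        raise RuntimeError(
            f"refusing to remove {len(remove)} of {len(sap_rows)} assignments")
    return {"remove": remove, "readd": readd, "unmanaged": unmanaged}


if __name__ == "__main__":
    for action, rows in reconcile(SAP_RECON, IDM_IDENTITY, IDM_LINK).items():
        print(action, rows)
```
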

  • Problem in replication of locations from R/3 system (4.7E) to SRM 5.0

    Hi All,
    I am getting "error accessing system T90CLNT090" as an error (Message no. BBP_LOCATION001) while replicating locations through BBP_LOCATIONS_GET_ALL, from R/3 to EBP System.
    I have checked the RFC connections working perfect.
    R/3 system is 4.7E version and EBP system is SRM5.0.
    Thanks in Advance,
    nanaji

    Hi,
    The problem is due to the RFC connection only. So please check both the RFC connections and check whether the same RFC user is maintained for the RFC user in both the systems.
    Also check whether the RFC user is a dialog user. Sometimes the problem happens because of this too. If required, try to create a separate RFC destination with a dialog user and test again.
    BR,
    Disha.
    DO reward points for useful answers.

  • Importing Data from an ABAP system - JOB Initial Load - IDM 8.0

    Hello all,
    I got the error during the execution  initial load job:
    Value not legal for this attribute:Attribute: MX_USERTYPE" when storing attribute 'MX_USERTYPE=A'
    Value not legal for this attribute:Attribute: MX_DATEFORMAT" when storing attribute 'MX_DATEFORMAT=1'
    I have executed the job read value help content before start initial load job.
    Could anyone explain if this attribute should be created manually in mxi_AttrValueHelp table before run the initial job?
    Thanks

    Hello Rafael,
    There is a possibility that you have encountered a problem that we had with the language translations for the attribute values.
    I would like to ask you to check one file content:  could you try to open the language translations file: this should be located under ICCORE -> Database Schema -> SQL-Server -> 9-language-data.sql
    There is a chance that this file is "broken".  If so - we have fixed this specific problem in the Designtime Component patch 2 (now 3 is also available) - so you would need to update to this one.
    You could also take a look at the table for the attribute values help - via executing "select * from mxi_attrvaluehelp".
    Kind Regards,
    Rali
    SAP Identity Management Development

  • Pushing data from abap system to SLD

    Hello,
    I am pushing data from my abap system to SLD.
    Job SAP_SLD_DATA_COLLECT is successfully finished but the job SAP_LMDB_LDB_0000000001. is not visible in sm37 in solman.
    Hence technical system is not visible in LMDB.
    Please guide me
    Thanks and Regards,
    Akshay

    HI Akshay
    I hope you have made sure that in SM61 you have assigned batch servers for the jobs.
    Can you try to sync your LMDB with SLD once? There is an option in LMDB to sync the data. Just see if you are getting the technical system details.
    Also, please check the RFC destination with ICM port if it is stable.
    RFC LMDB_SyncDest<X> is using ICM Port 80<NR>
    You can proceed as below
    Please De-Activate the Sync Job in Solman_Setup -> System Preparation -> Prepare Landscape -> Set Up LMDB.
    Execute transaction 'SM59'.
    Locate the HTTP Destination -> 'LMDB_SyncDest<X>'.
    Switch to Edit mode.
    Change the Service No to 5<XX>00 where XX is the instance number.
    Then make sure the Authorization and Connection tests are working.
    Then Re-Activate the synch job, via Solman_Setup -> System Preparation -> Prepare Landscape -> Set Up LMDB
    Apart from that, can you check below note if it is applicable for you
    1615263 - LMDB: Incremental Content Sync Job remains "Scheduled"
    Regards
    Rishav

  • User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

    I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
    I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
    Situation:
    We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
    and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
    Now if you want to integrate a JAVA (J2EE) System and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
    1.) It is possible to manually assign the user public key to every user --> But too much effort
    2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
    3.) In the distinguished name of the user certificate there is no information about the SAP username itself
        --> you are not able to use any information of the DN to bind a user in the Login Module configuration.
    Now my question:
    Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
    As I know, it is possible to write an own Login Module. Does anybody have a customized Login module for this issue?
    At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

    We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to log on to the ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to look up the entry in the USRACL table on the ABAP stack, and from this it will know which SAP user to use, and can update shared state with this info so that CreateTicketLoginModule will create an SSO2 ticket for the mapped SAP user id.
    This means that mapping of a user's externally authenticated identity onto SAP user/client can be managed in one place, e.g. in the ABAP stack using USRACL table entries and su01 t-code etc.
    I know it is not exactly what you wanted, since you are looking to use x.509 certificates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemented many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
    Thanks,
    Tim

  • Problem while connecting to external ABAP system (on 4.6C rel)

    Hi All,
    I've created WebDynpro application that is supposed to fetch info about users from several ABAP systems. J2EE engine that runs this WebDynpro is directly connected to one of the ABAP systems. I've successfully created identical Adaptive RFC models, maintained SLD entries for my ABAP systems and configured JCO connections for my WebDynpro through WebDynpro Content Manager (http://<host>:port/webdynpro/welcome). I was able to reach all ABAP systems testing my JCO connections from WebDynpro Content Manager.
    The problem I am experiencing is the following:
    the application is working fine for the ABAP system that J2EE (where it's executed) is connected to, but failed to reach the remote ABAP system issuing the following message:
    "Accessing System <Remote ABAP system> is not possible because RFC Metadata was retrieved using System <ABAP system that J2EE is connected>. Please assure you have configured the RFC Connections properly. A Server restart may be necessary!"
    Where else should I have define JCO settings ?
    This remote ABAP system is running on 4.6C so I have no options to install J2EE on it or fully configure SLD for that system.
    It may seem like a dummy question since I am new to WebDynpro programming.
    Thanks in advance,
    Mike

    Hi Rich,
    Thank you for a quick reply,
    Here is what I've done to connect to the remote ABAP system:
    1. Configured this remote system in the SLD as a Technical System (SLD=> Technical Landscape).
    2. Opened WebDynpro Content Administrator and created two JCO's for my application pointed to that remote ABAP system (defined in SLD). I was able to test them successfully reaching that remote system.
    But when I run my application the same error occurred.
    What did I miss ?
    Thanks & Regards,
    Mike
    Message was edited by: Mykhaylo Puzankev

  • UME change from ABAP to other ABAP system

    Hi,
    I have a java-only system named QAJ which is mapped to our Solution Manager system for UME (please don't ask why!).
    I want to change UME to ABAP system QAS.
    So, I go to NWA -> Administration -> Identity Management.
    Under the ABAP system tab, I change necessary info such as servername, user SAPJSF, password and client to my QAS system. I then click on TEST connection which works well. I am asked to restart cluster to activate changes.
    So, I restart QAJ... and it fails to start. In file std_server.out:
    Service com.sap.security.core.ume.service started. (32515 ms).
    Sep 1, 2009 9:21:55 AM   ...xt.<init>(UserContextSpi, Properties) [SAPEngine_System_Thread[impl:5]_23] Fatal: Can not instantiate UserContext with given properties.
      service security ================= ERROR =================
    Core service security failed. J2EE Engine cannot be started.
    com.sap.engine.services.security.exceptions.SecurityServiceException: Unexpected exception:
         at com.sap.engine.services.security.SecurityServerFrame.start(SecurityServerFrame.java:194)
         at com.sap.engine.core.service630.container.ServiceRunner.startApplicationServiceFrame(ServiceRunner.java:214)
         at com.sap.engine.core.service630.container.ServiceRunner.run(ServiceRunner.java:144)
         at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
         at com.sap.engine.core.thread.impl5.SingleThread.execute(SingleThread.java:83)
         at com.sap.engine.core.thread.impl5.SingleThread.run(SingleThread.java:156)
    Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: No active userstore is set.
         at com.sap.engine.services.security.server.UserStoreFactoryImpl.getActiveUserStore(UserStoreFactoryImpl.java:80)
         at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.update(LoginModuleHelperImpl.java:405)
         at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.<init>(LoginModuleHelperImpl.java:84)
         at com.sap.engine.services.security.server.SecurityContextImpl.<init>(SecurityContextImpl.java:58)
         at com.sap.engine.services.security.SecurityServerFrame.start(SecurityServerFrame.java:147)
         ... 5 more
    com.sap.engine.services.security.exceptions.SecurityServiceException: Unexpected exception:
         at com.sap.engine.services.security.SecurityServerFrame.start(SecurityServerFrame.java:194)
         at com.sap.engine.core.service630.container.ServiceRunner.startApplicationServiceFrame(ServiceRunner.java:214)
         at com.sap.engine.core.service630.container.ServiceRunner.run(ServiceRunner.java:144)
         at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
         at com.sap.engine.core.thread.impl5.SingleThread.execute(SingleThread.java:83)
         at com.sap.engine.core.thread.impl5.SingleThread.run(SingleThread.java:156)
    Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: No active userstore is set.
         at com.sap.engine.services.security.server.UserStoreFactoryImpl.getActiveUserStore(UserStoreFactoryImpl.java:80)
         at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.update(LoginModuleHelperImpl.java:405)
         at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.<init>(LoginModuleHelperImpl.java:84)
         at com.sap.engine.services.security.server.SecurityContextImpl.<init>(SecurityContextImpl.java:58)
         at com.sap.engine.services.security.SecurityServerFrame.start(SecurityServerFrame.java:147)
         ... 5 more
    [Framework -> criticalShutdown] Core service security failed. J2EE Engine cannot be started.
    Sep 1, 2009 9:21:55 AM              com.sap.engine.core.Framework [SAPEngine_System_Thread[impl:5]_23] Fatal: Critical shutdown was invoked. Reason is: Core service security failed. J2EE Engine cannot be started.
    Ok, so something is wrong in my entries even if test connection works fine.
    Because JAVA stack does not start anymore, I need to go to configtool. Everything that I changed is active, I can see everything. Still, I do not know which parameter is causing all this.
    Anybody know where to go from here?
    Thanks!

    I found the problem.
    In configtool, in parameter ume.login.guest_user.uniqueids, the value was set to J2EE_GST_QAJ.
    User J2EE_GST_QAJ did not exist in ABAP system QAS. I created it as a service user and gave it role SAP_J2EE_GUEST.
    I also increased values for ume.r3.connection..master.poolmaxsize and ume.r3.connection..master.poolmaxwait.
    After Java stack restart, system works fine again.
    Thanks to everyone that took time to read my question. Hopefully, someone with the same problem will find a possible solution.

  • Password change issue when updating user data in SAP ABAP system

    Hi Guru's,
    One of my reconciliation tasks part of the reconciliation job I've created is doing some strange password updates.
    As you can see below the task selects all users part of my identity store that are part of the account attribute of the particular ABAP system.
    Once these users are selected the task updates different data like username, validto, ... but the task is updating a lot of other things that are not part of the destination tab. What is causing the biggest issue is the password fields that are updated in the ABAP system like, password, productive password, ...
    Can you please advise if I missed something and how to solve?
    Thanks a lot,
    Laurent

    Hello Steffi,
    Yes in the ABAP systems they have the same timestamp. No other jobs are running at the same time.
    It is only happening to a few users depending on the ABAP system. On some ABAP systems there are only a few users for which the PW is reset and other systems 300.
    Example below of a system where I updated all user. In my pass only the following attributes should have been pushed thru to the ABAP system.
    However the valid from, accounting number and password have been updated as well.
    Thx,
    Laurent

  • LDAP UME for ABAP + JAVA SYSTEM

    Hi,
    I am using NW 7  SP 15 with both ABAP + JAVA stack. The UME is set to ABAP by default during installation.
    Can we change that to LDAP datasource?
    Under System Configuration -> UME Configuration -> Data Sources (TAB) -> in Data Source dropdown box -> there is only ONE option available "ABAP SYSTEM" and no other option is present.
    Any suggestion?
    Regards
    Deb

    Ups! Obviously a later change from ABAP to some other UME indeed is not supported by SAP. But this does not mean that you cannot use LDAP or JAVA from the very beginning.
    Did you not have the option to choose another UME data source for the Java Add-In during the installation process? (this may make sense, because the installation sequence for double stacks is always 1. ABAP stack 2. Java stack).
    If not, then indeed LDAP as the primary UME data source is not supported for double stack installations.
    If yes, you only have the chance to re-install your system.
    In every case you can install 2 separate instances and connect them later. 1 ABAP instance with UME of course ABAP and 1 Java instance with UME LDAP or Java DB.
    But before doing that and if I were you I would open a CSN at SMP and ask the software vendor ...
    Regards,
    Volker

  • Inserting a conversion routine in SLT replication from SAP EWM system to HANA

    We are a new SAP HANA customer trying to get the 1st report out… having few issues with data replications from SAP EWM system. EWM material conversion use a Kernel level FM to convert material GUID code to human readable material code, HANA does not use this routine so we are exploring whether we can insert ABAP routine to update the SLT replication or conversion logic, for example we can call  EWM: CONVERSION_EXIT_MDLPD_OUTPUT routine and update human readable material code into correct data field in HANA. With this HANA can see the reportable material code directly. We came across few SLT specific FM’s in EWM, but need to find an enhancement spot to insert a code. I really appreciate If any of you SLT experts can let us know what would be the best way to do this.

    Hi,
    well, some correction notes for SP08 were missing. Mea culpa :-) Unfortunately implementation of the notes did not solve all Problems. Now the field length is correct but the field order and "not null"-Status of the fields is still wrong.
    Best regards
      Harry

  • Can I delete an icloud account from apple's system with out password

    My mom is 88. Apple help desk got her set up for an iCloud account she did not need because they misunderstood the nature of help she needed. It is a second unnecessary account and is wreaking havoc with her iPad. My mom cannot remember her password. How can I permanently remove the account from Apple's system?

    Apple IDs (which are used to establish various types of accounts like icloud and itunes store) cannot be permanently deleted, nor can the accounts.  Just don't use the account in question if you don't want it.
    If this is about icloud, then on her ipad, Go to Settings>icloud, scroll to bottom of screen and tap Delete Account.  In the future she can always log back in.  If she needs to do this, then to deal with a forgotten password...
    Try the following link to reset your password.
    https://iforgot.apple.com

  • How to call a RFC of a remote system from an ABAP webdynpro component

    Dear Experts,
    I am a newbie in ABAP Webdynpro.
    I am working on a requirement where I have a webdynpro component on ECC system.I need to call a RFC located on CRM system from my webdynpro component on the ECC system.
    How do I do that ?? Please help.
    Regards,
    Mamai.

    Calling an RFC from some other system is the same as calling a local one, except that you have to give the destination name while calling.
    Regarding the method of calling, it depends on your FM.
    If it is a big RFC with a complex structure, you can create the service call for it with the destination given as the RFC destination.
    If it is a simple, straightforward RFC, you can call it directly.
    For creating an RFC service call, use this method:
    1. Starting the Wizard
    To start the wizard, position the cursor on the Web Dynpro component to be edited in the object list at the left margin of the workbench window. Open its context menu and choose the entry Create->Service Call. The wizard is started and leads you through the creation process.
    Press Continue.
    2. Choice of Controller
    On the second dialog window of the wizard, you can choose whether the service call is to be embedded in an existing controller or whether a new controller is to be created for this purpose. Service calls can only always be embedded in global controllers, that is, in the component controller or in additionally created custom controllers. It is not possible to embed service calls in view controllers.
    a. Select radio button Use Existent Controller
    b. Do not change the default entry for component: <CC name>
    c. Enter for controller COMPONENTCONTROLLER
    d. Press Continue.
    3. Service Type and Service Selection
    a. You now select which service type should be used for this service call. Select radio button Function Module. Fill the destination here. Press Continue.
    b. Select the service: for Function Module enter <RFC name>. Press Continue.
    4. The Required Methods and Context Elements
    On the two subsequent dialog windows, default values are listed for giving names to the context nodes and attributes required by the service call as well as to the required methods. The proposed names are based on the names of the embedded service, but you can change them as required. However, heed the respective notes in the corresponding dialog box.
    a. Adapt Context: Select from Nodes/Attributes . Press Continue.
    b. Specify Method Name: leave all entries as provided: Component:  Controller: COMPONENTCONTROLLER Method: EXCUTE_ Press Continue.
    5. Completing the Choice
    When you have confirmed the last dialog box, the generation is triggered. Afterwards you have the required methods and contexts at your disposal for using them within your Web Dynpro component.
    Or, if you want to call it directly, use the call statement with the destination.

  • MM-SUS Scenario---Error while posting the PO in SUS System from R/3 system.

    Hi All,
    An error occurred within an XI interface: Exception occurred:BBP_PD:004 -Partner 0000003000 not found E:BBP_PD:147 -Enter a country for partner 0000003000 with type 'Sold-to Party' Programm: CX_BBP_BD_ERROR===============CP; Include: CX_BBP_BD_ERROR===============CM002; Line: 57
    The above is problem occurred in SUS system. I have checked the message SXMb_MONI Tcode for XML message.
    Can any one suggest what could be the problem and the solution for the same.
    we are working on MM-SUS scenario (Plan Driven Procurement).
    Thanks
    Jagan

    Hi
    Please go through the links below ->
    purchase order doesn't create in srm sus
    purchase order not create in sus
    Enter a country for partner with type 'Sold-to Party'
    BBP_BUPA_SUPPLIER:101
    Unable to determine logical system of sender
    Help MM-SUS!
    SUS-MM:PO not transferred to SUS--message:'sold to party'
    Error in SUS PO creation
    Re: PO error in SUS-MM Scenario
    Cancellation from SUS hangs in XI interface
    Regards
    - Atul

  • RFC destination from XI ABAP engine to 4.5 B system

    I tried to create an RFC destination from XI ABAP engine to 4.5 B system.
    It does not work and gives an error.
    Error Details     DETAIL: NiIGetSockName
    -Naveen.

    Hi Naveen,
    First of all try to ping the 4.5B system from the XI system (through TELNET)... This is to ensure the connectivity and the access. The error is not a common error, I suppose, so better first we check the physical connectivity...
    Plz. confirm...
    Regards,
    Audy
