SAP Identity Management Job/Position to Roles mapping

Hi All,
I am working on SAP Identity Management 7.1, and the use case is the one where HCM is the source of all employee data.
When I extract employee data from HCM, I need to find the roles the employee has based on their position.
I have an Excel sheet that describes this mapping in two columns (position/role).
My question is this:
I have two choices:
1- Create MX_ROLE in IDM with an attribute position and load the Excel sheet. Then, when I receive data from HCM, I will do a select on the roles having the position, which will give me the MXREF_ROLE for the user.
2- I would create positions as MX_ROLEs and load the Excel sheet with the actual roles as children of the position roles. This way, once I put MXREF_ROLE=position in MX_PERSON, the user will get through inheritance the roles and the privileges inherited from the position.
Any idea if anyone tested any of these cases?
Any other suggestions are welcome.
Thanks a lot

Hi Jack,
From what I understood, you have MX_ROLE with an attribute position (POSITION_ID). If that is the case, the select will look like:
  -- 'POSITION_ID_VALUE' stands for the position value to look up
  select * from idmv_vallink_basic
  where mskey in (
      -- entries whose POSITION_ID attribute matches the value
      select mskey from idmv_vallink_basic
      where mcattrname like 'POSITION_ID'
        and mcsearchvalue like 'POSITION_ID_VALUE'
        and mskey in (
            -- restricted to entries of type MX_ROLE
            select mskey from idmv_vallink_basic
            where mcattrname = 'MX_ENTRYTYPE'
              and mcsearchvalue like 'MX_ROLE'));
If the case is not like that, just explain it with more details and I'll try to make another select.
Kind Regards,
Simona Lincheva
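
The two options from the question, modelled outside IdM as an added example (not code from this thread or from SAP), showing that both resolve a position to the same role set and what option 1 has to add and remove when HCM reports a position change. The sheet contents, the `POS:` prefix for position roles and the case-insensitive handling of role names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the two-column position/role sheet (not real data).
SHEET = """position,role
50001234,ROLE_HR_CLERK
50001234,ROLE_ESS_BASIC
50005678,ROLE_FI_ACCOUNTANT
50005678,ROLE_ESS_BASIC
50005678,role_ess_basic
,ROLE_WITHOUT_POSITION
"""


def load_sheet(text):
    """Parse the sheet into {position: {roles}}; return incomplete rows separately."""
    mapping, rejected = defaultdict(set), []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        position = (row["position"] or "").strip()
        role = (row["role"] or "").strip().upper()   # assumption: names are case-insensitive
        if position and role:
            mapping[position].add(role)              # the set drops duplicate rows
        else:
            rejected.append(line_no)                 # never guess a missing value
    return dict(mapping), rejected


def roles_by_attribute(mapping, position):
    """Option 1: roles carry a position attribute; select the roles that match."""
    role_positions = defaultdict(set)                # role -> values of its position attribute
    for pos, roles in mapping.items():
        for role in roles:
            role_positions[role].add(pos)
    return {r for r, positions in role_positions.items() if position in positions}


def roles_by_inheritance(mapping, position):
    """Option 2: the position is itself a role; walk down to its child roles."""
    children = {"POS:" + pos: set(roles) for pos, roles in mapping.items()}
    seen, stack = set(), ["POS:" + position]
    while stack:
        node = stack.pop()
        if node in seen:                             # guards against a cyclic hierarchy
            continue
        seen.add(node)
        stack.extend(children.get(node, ()))
    return {r for r in seen if not r.startswith("POS:")}


def plan_position_change(mapping, old_position, new_position):
    """Option 1 on a move: direct role references to add and to remove."""
    old = roles_by_attribute(mapping, old_position)
    new = roles_by_attribute(mapping, new_position)
    return {"add": sorted(new - old), "remove": sorted(old - new)}


if __name__ == "__main__":
    mapping, rejected = load_sheet(SHEET)
    print("rejected sheet lines:", rejected)
    print("option 1:", sorted(roles_by_attribute(mapping, "50005678")))
    print("option 2:", sorted(roles_by_inheritance(mapping, "50005678")))
    print("move:", plan_position_change(mapping, "50001234", "50005678"))
    print("unmapped position:", roles_by_attribute(mapping, "59999999"))
```

With option 1 the removal list has to be computed and applied on every move, otherwise roles from the previous position stay on the person; with option 2 the move is a swap of the single position reference.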

Similar Messages

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember, not all employees will be assigned to a position; in this case you have to assign the SAP role directly to the user in SU01/SU01.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create the user in SU01/SU10 first, before creating infotype 105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    When a user's assignment in the org structure changes, you must run RHRPROFL0 to update the user assignment to the new position.
    Also, the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS (tx OOAC). SAP currently defaults this to 15 days, and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Integration of MS Active directory with SAP Identity management

    Hello
    I am implementing SAP Identity Management 7.1 with external tools: MS Active Directory with single sign-on using SAP IDM. Is there any documentation on how to connect SAP IDM with MS AD, with the roles and their user provisioning process?
    Also, does anyone have an architectural workflow template for this process?

    Hi
    I guess, using VDS you can achieve this. Refer to the LDAP connection part.
    https://websmp203.sap-ag.de/~sapidb/011000358700001449652008E
    https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    Regards
    Shridhar Gowda

  • How to use Virsa with SAP  Identity Management?

    I have been assigned to handle my company's  SAP Identity Management and
    I am asked to use Virsa control.
    I am not quite clear about the relationship between the 2 SAP products.
    Would you please help? Thanks!

    Jennifer,
    There is no product called Virsa control by SAP. Virsa was a small company which made different solutions for SOX compliance. It was acquired by SAP. If you are talking about SAP BusinessObjects Access Control 5.3, then see the links below to understand the integration between SAP IdM and SAP AC 5.3.
    https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/b0aafd33-e662-2a10-a197-dd3137f7f7e0
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e9355
    Regards,
    Alpesh

  • Basics of SAP Identity Management

    Hi All
    Currently I need to explore SAP Identity Management, what it is and how to implement it. If anyone has docs, guides or links, it would be a great help to me.
    How exactly the Identity Management works??
    Thanks,
    Sapuser1342
    Edited by: TRanSAP on Jun 2, 2011 3:35 AM

    This is the overview document:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10c33889-cc14-2a10-a7a8-a8eef7483dee?quicklink=index&overridelayout=true

  • SAP works manager 6.2 with ESRI maps

    Dear Experts
    We are using SAP Work Manager 6.2 with SMP 3.0 (SP05) Agentry and attempting to implement the ESRI location tab in the iOS Agentry app, but are coming up against the following issue.
    We have followed the exact steps in the SAP® EAM and service mobile app SDK Installation Guide, with the exception that we are using Xcode 6.1 instead of Xcode 5. We have also had to include the System.Configuration framework, but apart from this it has gone together without a problem.
    We can run the existing SAP Work Manager app on the iPad, so we are able to successfully connect to the SMP Agentry server, but when we try to run the custom Agentry app it halts at the following screen. We have tried different Agentry users but with no success.
    Could you please suggest if there is any other information available to get this working.
    Following are the other SCN links we tried following
    Quick Guide - Checklist to set ESRI in SAP Work Manager 6.1.X (WPF client)
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b3f3d8-9d8f-3210-4cbc-f3e42e6df649?QuickLink=index&…

    Hi Sid,
    Check the SDK version that was used to build your custom Agentry Client. Not the Server version.
    From the initial screen click on the Info/About icon to see which version you're using to build your client e.g.
    Looking at your image you can see the input field where you're meant to enter the Work Manager URL is behind the header field. I had the same issue when I was using an old version of the SMP SDK / Agentry Client.
    I suggest you download the latest SDK version from the SAP Service Marketplace and rebuild a new client using that.
    SK

  • Workflow Jobs in SAP Identity Management

    Hello Experts,
    We have SAP Idm 7.1, Novell eDirectory and GRC AC 5.3 Installed successfully.
    Now, I have to create 2 workflow jobs in SAP IdM 7.1 for Novell eDirectory.
    1- One job to query the Novell IDM Vault for any new identities and populate NW IDM.
    2- The second job to query Novell IDM to determine if any identities have been changed from 'Active' to 'Terminated'. If the ID has been changed to 'Terminated' then lock the SAP ID and remove the roles, and set the User Group to 'Expired', and set the expiration date to the day prior to termination.
    Can anyone let me know, how can I create those 2 workflow jobs?
    Thanks,
    Haleem

    The implementation guide contains an error:
    in the class MyOnSubmit{...
    the head of the function should be:
    public IdMValueChange[] onSubmit(Locale aLocale, int aSubjectMSKEY, int aObjectMSKEY, Task aTask, IdMSubmitData aValidate) throws IdMExtensionException {
    The guide defines the task as int.
    br
    Andreas

  • Identity Management 8.0  - SAP Provisioning Forms UI display

    Hi guys!
    I'm trying to setup a new environment with SAP Identity Management 8.0, using the standard SAP Provisioning Framework.
    I've already followed all the install guide and configuration steps, but the Web forms for the default provisioning tasks are not appearing on the Self Service tab or Manage tab. I've already tried to modify the forms to let anonymous and everyone execute the form, but no luck.
    The tabs appear OK, but no tasks are available to choose.
    We are using the latest patches available as of today.
    Any help would be appreciated.

    Hi Eduardo,
    Please go to the forms and right click over the Identity folder.
    The option "Show Folder in User Interface" should be selected.
    If this doesn't help please try restarting the JMX and check your Datasource.
    Regards,
    Todor

  • Using SPML for Identity Management in EJB WebService

    Dear All,
    I have a requirement of using SPML (Service Provisioning Markup Language) for identity management. Identity management is used to manage the users of an application: deleting a user, modifying a user, adding a user, etc. The requests for all these functions need to be made using SPML. The idea is that the data used to make any request will first come from SAP R/3, using an EJB which will retrieve that data by calling a BAPI via JCo, and then it needs to be passed to the entitlement system using SPML. Thus I have to publish a web service which will get data by calling a BAPI and give it to the entitlement system using SPML. How can I achieve this? I have little knowledge of SPML; your guidance will help.
    Thanks & Regards,
    Samir

    There is a document on the SAP Service Marketplace that covers SPML in the UME APIs. This quote is from the UME documentation (http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm):
    SPML Support
    The UME APIs support access using the Service Provisioning Markup Language (SPML). For more information, see service.sap.com/security > Security in Detail > Secure User Access > Identity Management > SAP Identity Management APIs.
    -Michael
    Edited by: Michael Shea on Jan 17, 2008 9:01 AM

  • Integrate external identity management solution in SAP GRC Access Control

    We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
    thanks
    Detlef

    Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
    What do the published web services do? Is there any documentation about them?
    In a part of our process, we must manually pick the current roles (1), the pending roles (2) (roles that were approved but not given due to training prerequisites) and the requested new roles (3) and make the simulation in the VCC.
    The information (1), (2) and (3) we have in our internal system; the information (1) we have inside VCC, and (2) and (3) must be manually input by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will bring a great gain in efficiency.
    Another thing that we want to do is to create a job that would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
    IMHO, as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of Ctrl+C, Ctrl+V by the operators (inefficient and error prone).
    Does VCC have any documentation that would help me find out how to do these integrations?
    Thanks in advance

  • SAP Technical roles and IDM Business roles mapping

    Hi Guys
    Just wondering if there is an easy way to export SAP positions and create them automatically as Business Roles in IDM, with the SAP technical roles that are related to the corresponding position turned into privileges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your SAP technical roles from the SAP system and assigning them to business roles in IDM? Any help on this is much appreciated.
    Cheers
    Leo

    Thanks Matt,
    I think I get the picture now.
    One thing that I am still not sure about is how the SAP ABAP technical roles or profiles are provisioned through workflow.
    Here is what I've done so far:
    1. HCM data loaded into productive identity store via vds
    2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
    3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
    4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
    But it should be obvious now that there is a flaw with this kind of setup, because all non-ABAP privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway, because the privileges use the same attribute, i.e. MXREF_MX_PRIVILEGE. So it brings me to the question: how do you provision ABAP technical roles or profiles through workflow without setting a provisioning task for each ABAP-related privilege?
    Thanks again for all your help!
    Leo

  • Configuration Guide Job Scheduling Management with SAP Solution Manager

    Dear Gurus
    Could you please help me with the configuration guide of the Job Scheduling Management with SAP Solution Manager
    Best Regards

    Hello Luis,
    the configuration activities can be accessed via the "Implementation Guide" by calling transaction SPRO in your SAP Solution Manager system.
    In SPRO navigate to -> SAP Solution Manager -> Scenario-Specific Settings -> Job Scheduling Management -> Standard Configuration and execute the following two activities.
    1. Activate Solution Manager Services
    2. Set Up Work Center for Job Scheduling Management
    Make sure that your user has role SAP_SM_SCHEDULER_EXE (or _ADMIN) assigned.
    Afterwards you should be able to access the Job Management Work Center and to create Job Documentation or to import Jobs from a Managed System into new Job Documentations.
    The following SAP notes might be useful as well:
    1054005  - FAQ on Job Scheduling Management
    1117355  - Work Center roles
    Kind regards,
    Martin
    http://service.sap.com/jsm

  • Execute PowerShell Scripts via SAP NetWeaver Identity Management

    Hello,
    Has anyone implemented the execution of a PowerShell script from SAP NetWeaver Identity Management (7.1, 7.2, 8.0?).  Currently implementing 8.0, and our client is looking to kick off PowerShell scripts that would generate Active Directory accounts, Exchange accounts etc.
    Thanks!

    Hey Brendan,
    We've done this out of a 7.2 implementation for exchange 2010 admin processes.  We started with running powershell via a command line pass.  It worked pretty well but it wasn't plain sailing.  We used positional parameters to pass data to the scripts in question, we also had to come up with a return process that deals with any errors that might come of the powershell session.  We had some issues with the shell sessions closing after the script completed.
    We've since redesigned and now drop flat files to a constantly running powershell script that acts a bit like an IDM dispatcher (but obviously not integrated with IDM).  It kicks off other powershell sessions and monitors their progress allowing it to process time outs, stack work up, etc.
    We also found timing the processes to be an issue.  If you create an AD account in IDM and then try to immediately move onto mailbox enable (for example) the account we created wasn't yet replicated to exchange so we had to build wait time into various parts of the process.
    Thanks,
    Pete.

  • Integrated google Map on SAP Work Manager 6.0

    Hi
    I am new to Agentry and have worked on the SAP Work Manager app. I want to put a customized map in Agentry and show some work orders on that map.
    Can anyone give me any suggestions regarding this?
    Thanks
    Mohit Tyagi

    Hi
    Can anyone help me with putting a map on SAPWM 6.0? I am working on SMP 2.3, so please give me suggestions on how I can achieve this. Is it possible to put a map on SAPWM 6.0 without integrating any API?
    Thanks
    Mohit Tyagi

  • Unified Job Monitoring -Share your experiences with SAP Solution Manager 7.1

    Dear Forum members,
    I would like to introduce myself as Raghav, S. I am in the development team responsible for building the unified job monitoring work center starting with 7.1 SP10 (onwards).
    Please post your feedback, current status with respect to setup, and common issues in this area.
    I will be more than glad to help you here.
    Regards, Raghav
    Development Manager
    CLM - Solution manager team, Labs India.

    Hello Raghav,
    we implemented unified job monitoring on a larger scale by now, starting out with the monitoring of SAP Standard & Reorg Jobs.
    Everything seemed quite OK at the beginning, but over time the display performance of the Monitoring UI decreased drastically (exceeding 5 min. "per click" in the UI).
    I pinned this down to the following (Oracle) SQL access:
    SELECT
      "CLIENT", "CONTEXT_ID", "TYPE_ID", "HASH_METRIC_PATH", "START_TIMESTAMP", "IS_CURRENT", "END_TIMESTAMP",
      "METRIC_PATH", "RATING_AGGREGATE", "VALUE_MIN", "VALUE_MAX", "VALUE_SUM", "VALUE_COUNT", "VALUE_LAST",
      "VALUE_DATA_TYPE", "VALUE_MAX_TIME", "LAST_TEXT"
    FROM
      "MES_DB_AGGREGATE"
    WHERE
         "CLIENT"=:A0  AND "CONTEXT_ID"=:A1  AND "TYPE_ID"=:A2  AND "IS_CURRENT"=:A3
      OR "CLIENT"=:A4  AND "CONTEXT_ID"=:A5  AND "TYPE_ID"=:A6  AND "IS_CURRENT"=:A7
      OR "CLIENT"=:A8  AND "CONTEXT_ID"=:A9  AND "TYPE_ID"=:A10 AND "IS_CURRENT"=:A11
      OR "CLIENT"=:A12 AND "CONTEXT_ID"=:A13 AND "TYPE_ID"=:A14 AND "IS_CURRENT"=:A15
      OR "CLIENT"=:A16 AND "CONTEXT_ID"=:A17 AND "TYPE_ID"=:A18 AND "IS_CURRENT"=:A19
    The execution plan used for this SQL is:
    Id  Operation
    0   SELECT STATEMENT
    1     INLIST ITERATOR
    2       TABLE ACCESS BY INDEX ROWID  MES_DB_AGGREGATE
    3         INDEX RANGE SCAN           MES_DB_AGGREGATECU
    MES_DB_AGGREGATE in our case has over 5 million entries.
    The parameterization of the DB incl. Memory and all should be OK.
    The index range scan simply takes that long.
    This might be, because the MES_DB_AGGREGATECU index has the lowest cardinality column (CLIENT) first.
    COLUMN_NAME   NUM_DISTINCT
    CLIENT        1
    CONTEXT_ID    433
    TYPE_ID       2192
    IS_CURRENT    2
    Could you have your team check on this? With the situation as is, the Job Monitoring application seemingly becomes non-usable as soon as you start to scale up.
    Best Regards,
    Thorsten
