SAP IDM Help down?

Similar Messages

• SAP IDM help

  Dear experts,
  As beginner, I am trying to understand from which tables/iViews the data in the IDM UI comes from.
  I trying to display the user assignments content but I am quite confused:
  Question1: which sql request can provide this content for my user (screen A)? My question is focused on the "Assignments" not on the Assigned Privilges or automatic privilges.
  When I click on the status "OK" I can read Direct/Inherited assignment.
  Question2: How can I read this Assignment correctly? where is this data being stored (screen B)?
  Thanks,
  Mia

  Try searching from view idmv_link_ext.
  column mcThisMSKEYVALUE would be the unique id of an user
  column mcOtherMSKEYVALUE would be the unique id of the assigned access right
  columns mcLinkType and mcAssignedDirect would tell whether it's directly linked or inherited (privilege that's inherited via assigned role)
  regards, Tero

• SAP IDM - SPML integation

  Hi,
  I was trying to integrate SAP IDM with SPML using VDS.
  While configuring VDS for SPML request I am getting an error as follows.
  "Exception: Could not load external 'attrClass' or one of its referenced classes"
  I am getting this error while starting the identity service in VDS.
  The configuration guide does not talk about adding any other jar/class files.
  Any help in this regard is highly appreciated.
  Thanks in advance.
  Regards
  Sunil

  I know that this thread is old, but when deploying the IdM Identity Service, in conjunction with GRC 10 WebServices (for the CallBack Service functionality), you can't just disable the attribute and continue; you must fix it or else you will not be able to deploy the .ear file needed to further deploy to java (i'll go into detail on this in another post).
  The way, I got past this error was to go Tools - > Options (in VDS) and update the java settings to use the java version I have installed (or as close as I could), I set VDS to use a specified complier (the same compiler for my version of Java - in the same BIN folder) then ensured the classpath was updated with all the classpath's listed in the error (I added them to the Windows CLASSPATH environment variable also):
  The service Compiled and started without issue and I was able to deploy the .ear file out of VDS for Java.
  -ALJ

• SAP IDM  7.0 integration with third party system

  Hi Experts,
  I know SAP IDM  7.0 can integrate with third party systems and create user ids on most of the third party systems.
  But I need to know regarding If it is possible to integrate with following systems
  1) Microsoft Exchange 2007 (  I know till exchange 2003 SAP  IDM support )
  2)  Microsoft  Active directory 2008 ( I know till Actice directory 2003)
  3) EMC  Documentum 6.5
  4)  ARIS 7.1.0
  5)  BlackBoard, Release 9.0
  6) Oracle 10g  ( Is it possible to create users at oracle level ? or at what level ? )
  7)  Sun Solaris Sparc  ( Is it possible to create users at  OS level )
  If you have information how on this please share. I know that  provisioning framework will have templates for most of the target systems. I want to know if they are available for above systems on SAP IDM 7.0 or if not have we can connect to them?

  Hi Matthew
  Your expertise in SAP IDM is indeed a great help!!
  >Can't see why not, it's all done via SQL commands. I've done similar things with MSSQL
  You mean that there will be oracle 10g drivers/oledb connectors in SAP IDM and in through SQL commands like "create user alfredo identified by alfredos_secret; " we can create user  in oracle database ?. As you said this should be possible.  What about creating user( user management ) in oracle 10g application  like dba or scot  and assigning the privileges in oracle application?
  >might need to do via UNIX scripts, but it can be done
  You mean that Unix scripts will be defined in SAP IDM and SAP IDM will execute these scripts in the Sun Solaris Sparc ?. It should be possible as you said. By the way how we will be able connect to Sun Solaris sparc ?  Is it via  the option "file " under the "Repositories" with repositories wizard  and later executing the file from SAP IDM ?
  Thank you once again for your expert answers on third party systems.

• New to SAP &  IDM

  Greetings,
  Is there a forum for beginners that provides information on getting started in SAP, IDM that anyone can share.  I have seen several clips and whitepaper, but is the a recommended path with prerequisite that a beginner might follow.
  Goodday.

  Hi Josh,
  PLease go thru these links. They might be helpful.
  [Training in IDM|http://www.sap.com/services/education/catalog/netweaver/curriculum.epx?context=FFC760B8923D16BB5150DAE63E7C1A6B331AF0B9E3A8F73CE3A9B7046E051044825A85DAE5E2A4D7B15301EA7956E5C79735C38D2C06CDDE87FF61D1338F01776B564F89C6581143490893016429EB4E2872B1079D5197E3057469DEFEF131000F9DD39519A541195551D1D48B83049AA0849D72456D2D0E434C98D67993D262804AC7EA853328063209ACA74B34280D13990A11FED7C64F|74A5F30734C748B61D39607247B0CDC3]
  [SAP NW Virtual Directory Service|http://help.sap.com/saphelp_nwidmvds70/en/mvd.htm]
  [SAP NW Identity Management|http://help.sap.com/saphelp_nwidmic70/en/dse.htm]
  These links will provide u the course structure of IDM and also the basic know how for IDM.
  I hope it helps.
  Regards,
  Sumit

• SAP IDM 7.1 Role assignment issue

  Hello IDM Experts,
  I am facing one critical issue here. We have connected SAP GRC with SAP IDM for risk analysis and CUP approvals and then once the approvers have approved the requests, IDM assigns these approved roles to users in backend SAP Systems.
  We are now facing issue here past 1-month. Before we never faced this issue.
  The issue is when the Roles are approved from GRC-CUP AC 5.3, post the approvals, the IDM is pulling the data and some of the roles are not getting assigned in SAP Backend systems. In the 1st and 2nd attempt it is not getting assigned however sometimes in the 3rd attempt it is getting assigned. This kind of weird behavior we have come across first time.  Has anyone come across such issues before?
  What could be the possible reason for the roles not getting assigned in SAP Backend system from IDM?
  We checked everything right from dispatchers, connectors, workflow, SQL Logs, Job logs but we are unable to figure out the reason for this issue.
  Do we need to restart the dispatcher or is there any issue with cache memory? 
  Can anyone help here to resolve this High Priority issue?
  Thanks in advance!

  IDM Experts,
  Can I get response on this topic from the experts?
  Will restarting the dispatchers help in this situation? Is this related to housekeeping issue of dispatcher.
  Why are some roles from IDM are not getting assigned in SAP Backend system? Also it is getting rejected 1st and 2nd time and during 3rd time it is getting approved. Please advise
  Regards
  Malini Rao

• SAP IDM and GRC 5.3

  Hi all,
  I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
  When I  test web task from the GRC Provisioning Framework "Sample WF Create GRC User" the process launched works but I'm facing the following problem:
  If I put on the previous request 2 SAP Roles (with no conflict one first time), I see 2 requests created as "NEW" with 1 role each time. If I add 3 SAP Roles, I got 3 requests, ....
  You understand so I never got conflict detected by Compliance Calibrator.
  How should I proceed to get only 1 request with all SAP Role requested from SAP Identity Management?
  I tried as well to change Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but sounds like SAP Identity Management does not send the correct value to SAP GRC 5.3
  Thanks for your help,
  Benjamin

  Hi all,
  Due to following notes
  https://service.sap.com/sap/support/notes/1318053
  https://service.sap.com/sap/support/notes/1168508
  I upgrade SAP GRC 5.3 to SP7 Patch 1.
  But now, when the SUMIT REQUEST is send to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6 :
  Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
  I looked at VDS log files and VDS sounds to send a correct request :
  FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
  Some of you have already facing this problem ?
  Benjamin

• ActiveDirectory - SAP IDM integration in Identity Life cycle Management

  Hi Experts
  In our landscape SAP HCM is supposed to be  the  leading data source and SAP IDM takes identity information from SAP HCM.  From SAP IDM it will provision into Active directory and other third party systems, Sap systems.
  Here are the questions
  1) How  can we leverage on the investment on Active directory after  SAP IDM -Active directory investment ?  I mean after SAP IDM comes to a landscape,  Active directory will only be used to login to domain and for authentication if for java system Active directory have been set as user data source.  What are the other advantages of Active directory- SAP IDM integration as Active directory will not be leading data source and identity information will be in identity store.?
  2) After the user details are taken from SAP HCM system, will  the user record will be created in SAP IDM on Identity store ?  Is it where we actually assign the SAP IDM business role and the related technical role  to the  user? 
  3) Suppose if we assign a business role " employee " , will IDM actually create user id in all target system and assign all the technical roles? . Or we have to manually select each repository for target system in Identity center and  select the privileges and provision it ?  Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
  Thank you in advance for your help.

  Hi Matt,
  Thank you very much.
  Only change we have is before approval it should go to GRC AC check all the compliance   and only after that it is approved and it should come back to SAP IDM  .
  I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained.  I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM . Any  specific clues?
  Also  I am describing the exact steps that will follow . Correct me if I am wrong.
  1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
  2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
  3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
  4) Create same user in third party systems  and with the privileges on their target systems as per the business role definition.
  With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
  So some other information i wanted is
  1) When you assign business role at work flow,  how exactly SAP IDM  know about the target systems that user should be created and  assigned roles and made their authentication source.
  for eg:- for  a  business role "employee"  should get  access to ERP with role X,  AD with group Y, Portal with role Z.  So in work flow when business role employee is assigned  how SAP IDM will know that user should be created on to ERP with role X,  AD with group Y, Portal with role Z. Can you explain technically along with  detail steps? Or how exactly we configure a business role which knows the target systems and their techical roles.
  Thank you once again for the fabulous help . You/Matthew is a tremendous  help in understanding SAP IDM better.

• Reg: SAP IDM License

  Hello Experts,
  As I came to know SAP IDM is free with Netweaver license , Can somebody let me know the licensing term for SAP IDM ?
  If I use IDM for only provisioning to SAP system then would it be free or will be there be any license cost ?
  And how licensing differs when we connect IDM with Non-SAP systems i.e AD ?
  Regards
  Deepak Gupta

  Hello Deepak,
                       IdM is covered under the main license for the netweaver based product you are installing. There are no additional fees for connecting to non SAP (or other SAP) systems.
  I Hope this helps. If you have further license questions then please open a support incident under the component XX-SER-LAS.
  Best regards,
  Chris
  SAP Active Global Support

• SAP IDM vs Microsoft Forefront Client(FIM)

  Hi experts,
  Actually my companyBig Company) is planning to implement tool for Identity Management but there are couple of options which we are thinking of considering particularly the last  2 options are SAP IDM and Microsoft Forefront(FIM) ... But I am not able to enough information or comparision points that will help me in convincing to my sr management to finally say to one of these tool.
  I would really appreciate a quick response, if some one can explain the comparisions points among these 2 tools.
  Thanks
  SAP_Enthu

  Hi All ,
  Just to add to my previous question as currently we have MS Active Directory already and as per plan implementing SAP in almost all areas entreprise wide with GRC. So with this background , I will appreciate the advantages and disadvantages of SAP IDM 7.1(might use 7.2 if it comes within next 3 months as planned) with MS Forefront IDM(FIM 2010) in terms of Technical , functionally , architecture ,economic point of view.
  This will help in selecting the best tool among them.
  Thanks
  SAP_Enthu

• SAP IDM 7.2 Questions

  Hi,
  I just recently started with SAP IDM and have a few Questions, maybe someone has the time to explain, thanks in advance!
  - What for is VDS (Virtual Directory Server)? I can write directly into AD? why another target system?
  - If I create a Role in Identity Center for testing its available on the idm portal http://localhost:50000/idm but not in /useradmin or Umeadmin?
  - Repository, does it matter in which repository I upload (CSV Import) users? I have multiple repositories and didn't understand the exact purpose of a repository?
  - Org Units? how can I create Org Units and assign roles for inheritance? is this only available on a Netweaver AS ABAP installation? (I installed AS JAVA) According this link: Indirect Role Assignment Using Organizational Management (OM) - Identity Management - SAP Library
  Thanks, Patrick

  Hi Patrick,
  here is some answers:
  Main purpose of VDS is to be an interface INTO IdM. It is an LDAP interface into the data stored in IdM database. It allows you for example to search, read, write and authenticate to IdM data via LDAP interface.
  IdM has its own UI (http:host:port/idm). You are not supposed to see business roles in useradmin of the J2EE. It is objects known to IdM, not to the J2EE.
  Repositories are objects representing mostly a source or target system. For example AD could be a source system where you get users from. An ABAP client can be a target system where you provision users to. Uploading users is just a way of creating users that you cannot get from some other source system like HCM, AD or ABAP. It depends on your scenarios and user life cycle where you get your user information from (source system) and where you provision to (target system).
  The link you shared regarding the org units is not really related to IdM as a product. If you do some automatic assignments in ABAP directly, you might need to reconcile with IdM. IdM is supposed to be a central user administration tool. If you have information about org units in IdM and want to use it to automatically assign authorizations you can do that for example by using dynamic groups.
  IdM is a very powerful tool opening a lot of possibilities as you can basically implement every requirement if you only have the required information available somewhere. It might be helpful for you to have someone to answer all your questions and help you solving your requirements in best way in the beginning, enabling you to use it in the most efficient way.
  Regards
  Norman

• SAP IDM : Master privilege and Grouping

  Hi Guys,
  I am using SAP IDM 7.1 SP5 Patch2. I am tyrying to user master privilege and grouping but it does not seem to work or i did not get the concepts.
  Anyone who is familiar with these two concepts.
  Example : Master privilege:
  i define one in Active Directory repository and i suppose that when i provision, all other privileges will wait until this one is provisioned. This is not what happens.
  As soon as i assign a role with five privileges to a user, the five privileges start executing.
  So create user executes five times.
  Any help is appreciated

  Hi Anup,
  Please have a look at the schema document, if you do not have it i can send you a copy.
  Here is the paragraphe for the MX_PRIVILEGE ENTRY TYPE
  In the schema document, i cannot see MXMEMEBER_MX_PRIVILEGE as allowed for the MX_PRIVILEGE ENTRY TYPE:
  Entry type MX_PRIVILEGE
  Description
  This entry type is to hold privileges.
  Attributes
  The entry type contains the following attributes:
  Attribute Mandatory (Yes/No) Available as of version
  DESCRIPTION No 7.1 SP1
  DISPLAYNAME Yes 7.1 SP1
  MSKEYVALUE Yes 7.1 SP1
  MX_ACCESS_CONTROL No 7.1 SP1
  MX_ADD_MEMBER_TASK No 7.1 SP1
  MX_ADDMEM_DISABLE_POLICY No 7.1 SP2
  MX_APPLICATION_ID No 7.1 SP4
  MX_APPROVAL_TASK No 7.1 SP1
  MX_APPROVERS No 7.1 SP1
  MX_AUDIT_FLAGS No 7.1 SP1
  MX_DEL_MEMBER_TASK No 7.1 SP1
  MX_DELMEM_DISABLE_POLICY No 7.1 SP2
  MX_DEPROVISIONTASK No 7.1 SP1
  MX_EDIT_ATTRIBUTES No 7.1 SP1
  MX_EDIT_MEMBERSHIP No 7.1 SP1
  MX_ENTRYTYPE Yes 7.1 SP1
  MX_GROUPING_DISABLED No 7.1 SP3 Patch 1
  MX_INACTIVE No 7.1 SP1
  MX_INHERIT No 7.1 SP1
  MX_MANAGER No 7.1 SP1
  MX_MODIFYTASK No 7.1 SP1
  MX_MODIFYTASK_ATTR No 7.1 SP1
  MX_OWNER No 7.1 SP1
  MX_PRIVILEGE_TYPE No 7.1 SP1
  MX_PROVISIONTASK No 7.1 SP1
  MX_RBAC_DIRECT_PRIVILEGE No 7.1 SP1
  MX_RBAC_REVERSE_PRIVILEGE No 7.1 SP1
  MX_REPOSITORYNAME No 7.1 SP1
  MX_REQ_PRIV No 7.1 SP2
  MX_REQ_PRIV_INTERVAL No 7.1 SP2
  MX_REQ_PRIV_NOMASTER_TASK No 7.1 SP2
  MX_REQ_PRIV_PCYADD_MISSING No 7.1 SP2
  MX_REQ_PRIV_PCYADD_PENDING No 7.1 SP2
  MX_REQ_PRIV_PCYADD_REMOVING No 7.1 SP2
  MX_REQ_PRIV_TIMEOUT No 7.1 SP2
  MX_SEMAPHORE No 7.1 SP1
  MX_TARGET_ALL No 7.1 SP1
  MX_TARGET_DYNAMIC_GROUP No 7.1 SP1
  MX_TARGET_SELF No 7.1 SP1
  MX_VALID_MEMBERS No 7.1 SP1
  MX_VIEW_ATTRIBUTES No 7.1 SP1
  MXAC_ENTRY No 7.1 SP1
  MXAC_MEMBERS No 7.1 SP1
  MXMEMBER_MX_GROUP No 7.1 SP1
  MXMEMBER_MX_PERSON No 7.1 SP1
  MXMEMBER_MX_ROLE No 7.1 SP1
  MXREF_MX_APPLICATION No 7.1 SP1
  MXREF_MX_ROLE No 7.1 SP1
  Relations
  One MX_PRIVILEGE object can reference multiple MX_GROUP, MX_PERSON and
  MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_ROLE object can reference more
  than one MX_PRIVILEGE object.
  MX_PRIVILEGE object can be referenced to from MX_APPLICATION object.

• SAP IDM 7.2 SP 8 - Escalate an Approval through Approval Mgmt is not working

  Experts ,
  We are running SAP IDM SP8 Patch 3 Version . Prior to this version Escalate or Decline Option through Approval Management Tab was working as intended . But , when we moved to this Patch Version we are getting issues on Escalation process or Decline Process .
  System is not automatically adjusting MX_ESCALATION_APPROVER_1 -> MX_APPROVER Process . In our Scenario when we click on Escalate Button , System will Auto reject the Request ( Delete Pending Value) .
  On Further Analysis we found that , System is routing to TIMEOUT Scenario for the Approval Task . Have any one seen this issue with this Patch level ?
  Thanks ,
  Jerry George

  Hi Christina,
  this is a very interesting issue. The Execution Log Error seems to me like the RT is not able to write the APPROVAL_OPERATION_RESULT to the pending value object. Does this attribute already exist in your store? If not, do you have the automatic creation of attribute enabled on your your identity store configuration?
  I somehow remember that you have to enable this - either during the GRC initial load or during the first time you run the whole validation process.
  I think this might help. Looking forward to receive your feedback.
  Steffen

• SAP IDM - Can it be powered by SAP HANA

  Can SAP IDM powered by SAP HANA ? I have seen few Demo's on how SAP HANA can improve Performance drastically . Can IDM be integrated with HANA??

  Jerry,
  Great question.  The answer is not yet.  From what I understand this is planed for a later release of IDM.  Right now about all IDM does with HANA is provision to it.
  Hope this helps!
  Matt

• Search help for Web Dynpro using the SAP-search help

  Hi,
  I’m trying to create a generic search help for Web Dynpro using the SAP-search help. It should working so, that I construct a Web Dynpro-component, that gets the data of the search help from the SAP-system, interpreted it and creates the ui-elements and the needed context generic.
  The mapping between the Input field of the customerview and the right search help is to be made with an xml-file, which contains the information: name of the view, the input field, the search-help-name and the name of the field that will be returned.
  The xml-file is reading from a helper-class. That helper-class contains any information, witch need the search help-component as well as the customer-component.
  The initialization takes place in the method wdDoModify of the customer. The call of the search help from the customer should be implement with an Action, witch is bound to a Button(create dynamic in the helper-class behind the input field).
  In a second foot should be create a plugin for eclipse, witch insert the used files (search help component, helper class, …) in the project. In addition it should create the call in the customer generic.
  It would be great if someone can give me a feedback!

  Hi Mike,
  The BlanketAgreement.exe is a reference to the executable that will be created when you compile the solution you created in Part II - Part III. I think there is a mistake in the tutorial because it asks you to name the project 'Blanket' which means that by default the executable will be called Blanket.exe and not BlanketAgreement.exe. The tutorial also misses the step asking you to compile the Blanket project before you go on to create an installer. You should compile your Blanket project in Release mode before creating an installer. By compiling the project you'll get a Blanket.exe file in the bin folder of your Blanket project which you then need to add to the installer per the instructions.
  SAP do offer development courses in some areas and there is training material here on the SDN and on the SAP partner portal (and maybe the customer portal as well). Try searching this forum for 'training' or 'tutorial' and you should get a few links. There's also a development certification.
  Personally I'd recommend you give yourself a little project to work on and just get stuck in
  Kind Regards,
  Owen