SAP IDM : Master privilege and Grouping

Hi Guys,
I am using SAP IDM 7.1 SP5 Patch2. I am trying to use master privilege and grouping, but it does not seem to work, or I did not get the concepts.
Is anyone familiar with these two concepts?
Example: Master privilege:
I define one in the Active Directory repository and I suppose that when I provision, all other privileges will wait until this one is provisioned. This is not what happens.
As soon as I assign a role with five privileges to a user, the five privileges start executing.
So create user executes five times.
Any help is appreciated.

Hi Anup,
Please have a look at the schema document; if you do not have it I can send you a copy.
Here is the paragraph for the MX_PRIVILEGE entry type.
In the schema document, I cannot see MXMEMBER_MX_PRIVILEGE as allowed for the MX_PRIVILEGE entry type:
Entry type MX_PRIVILEGE
Description
This entry type is to hold privileges.
Attributes
The entry type contains the following attributes:
Attribute                    Mandatory (Yes/No)  Available as of version
DESCRIPTION                  No                  7.1 SP1
DISPLAYNAME                  Yes                 7.1 SP1
MSKEYVALUE                   Yes                 7.1 SP1
MX_ACCESS_CONTROL            No                  7.1 SP1
MX_ADD_MEMBER_TASK           No                  7.1 SP1
MX_ADDMEM_DISABLE_POLICY     No                  7.1 SP2
MX_APPLICATION_ID            No                  7.1 SP4
MX_APPROVAL_TASK             No                  7.1 SP1
MX_APPROVERS                 No                  7.1 SP1
MX_AUDIT_FLAGS               No                  7.1 SP1
MX_DEL_MEMBER_TASK           No                  7.1 SP1
MX_DELMEM_DISABLE_POLICY     No                  7.1 SP2
MX_DEPROVISIONTASK           No                  7.1 SP1
MX_EDIT_ATTRIBUTES           No                  7.1 SP1
MX_EDIT_MEMBERSHIP           No                  7.1 SP1
MX_ENTRYTYPE                 Yes                 7.1 SP1
MX_GROUPING_DISABLED         No                  7.1 SP3 Patch 1
MX_INACTIVE                  No                  7.1 SP1
MX_INHERIT                   No                  7.1 SP1
MX_MANAGER                   No                  7.1 SP1
MX_MODIFYTASK                No                  7.1 SP1
MX_MODIFYTASK_ATTR           No                  7.1 SP1
MX_OWNER                     No                  7.1 SP1
MX_PRIVILEGE_TYPE            No                  7.1 SP1
MX_PROVISIONTASK             No                  7.1 SP1
MX_RBAC_DIRECT_PRIVILEGE     No                  7.1 SP1
MX_RBAC_REVERSE_PRIVILEGE    No                  7.1 SP1
MX_REPOSITORYNAME            No                  7.1 SP1
MX_REQ_PRIV                  No                  7.1 SP2
MX_REQ_PRIV_INTERVAL         No                  7.1 SP2
MX_REQ_PRIV_NOMASTER_TASK    No                  7.1 SP2
MX_REQ_PRIV_PCYADD_MISSING   No                  7.1 SP2
MX_REQ_PRIV_PCYADD_PENDING   No                  7.1 SP2
MX_REQ_PRIV_PCYADD_REMOVING  No                  7.1 SP2
MX_REQ_PRIV_TIMEOUT          No                  7.1 SP2
MX_SEMAPHORE                 No                  7.1 SP1
MX_TARGET_ALL                No                  7.1 SP1
MX_TARGET_DYNAMIC_GROUP      No                  7.1 SP1
MX_TARGET_SELF               No                  7.1 SP1
MX_VALID_MEMBERS             No                  7.1 SP1
MX_VIEW_ATTRIBUTES           No                  7.1 SP1
MXAC_ENTRY                   No                  7.1 SP1
MXAC_MEMBERS                 No                  7.1 SP1
MXMEMBER_MX_GROUP            No                  7.1 SP1
MXMEMBER_MX_PERSON           No                  7.1 SP1
MXMEMBER_MX_ROLE             No                  7.1 SP1
MXREF_MX_APPLICATION         No                  7.1 SP1
MXREF_MX_ROLE                No                  7.1 SP1
Relations
One MX_PRIVILEGE object can reference multiple MX_GROUP, MX_PERSON and MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_ROLE object can reference more than one MX_PRIVILEGE object.
An MX_PRIVILEGE object can be referenced from an MX_APPLICATION object.
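As an added check (not SAP code and not from this thread), the schema table above can be turned into a small validator: it reports attributes that the MX_PRIVILEGE schema does not define (the situation in the reply, which could not find MXMEMBER_MX_PRIVILEGE in the table), mandatory attributes that are empty, and attributes that only exist in a newer 7.1 release than the one installed. The sample entry and the version strings are constructed for the example.

```python
"""Validate an SAP IDM MX_PRIVILEGE entry against the schema table quoted above.
Added example, not SAP code: the attribute list is copied from the quoted schema
excerpt; SAMPLE_ENTRY and the version strings are constructed."""
import re

# All 48 MX_PRIVILEGE attributes from the quoted table.
ATTRIBUTES = set("""
DESCRIPTION DISPLAYNAME MSKEYVALUE MX_ACCESS_CONTROL MX_ADD_MEMBER_TASK
MX_ADDMEM_DISABLE_POLICY MX_APPLICATION_ID MX_APPROVAL_TASK MX_APPROVERS
MX_AUDIT_FLAGS MX_DEL_MEMBER_TASK MX_DELMEM_DISABLE_POLICY MX_DEPROVISIONTASK
MX_EDIT_ATTRIBUTES MX_EDIT_MEMBERSHIP MX_ENTRYTYPE MX_GROUPING_DISABLED
MX_INACTIVE MX_INHERIT MX_MANAGER MX_MODIFYTASK MX_MODIFYTASK_ATTR MX_OWNER
MX_PRIVILEGE_TYPE MX_PROVISIONTASK MX_RBAC_DIRECT_PRIVILEGE
MX_RBAC_REVERSE_PRIVILEGE MX_REPOSITORYNAME MX_REQ_PRIV MX_REQ_PRIV_INTERVAL
MX_REQ_PRIV_NOMASTER_TASK MX_REQ_PRIV_PCYADD_MISSING MX_REQ_PRIV_PCYADD_PENDING
MX_REQ_PRIV_PCYADD_REMOVING MX_REQ_PRIV_TIMEOUT MX_SEMAPHORE MX_TARGET_ALL
MX_TARGET_DYNAMIC_GROUP MX_TARGET_SELF MX_VALID_MEMBERS MX_VIEW_ATTRIBUTES
MXAC_ENTRY MXAC_MEMBERS MXMEMBER_MX_GROUP MXMEMBER_MX_PERSON MXMEMBER_MX_ROLE
MXREF_MX_APPLICATION MXREF_MX_ROLE
""".split())
MANDATORY = {"DISPLAYNAME", "MSKEYVALUE", "MX_ENTRYTYPE"}  # the "Yes" rows
# "Available as of version" for every row that is not 7.1 SP1.
AVAILABLE_SINCE = {"MX_APPLICATION_ID": "7.1 SP4",
                   "MX_GROUPING_DISABLED": "7.1 SP3 Patch 1"}
for _a in ("MX_ADDMEM_DISABLE_POLICY", "MX_DELMEM_DISABLE_POLICY", "MX_REQ_PRIV",
           "MX_REQ_PRIV_INTERVAL", "MX_REQ_PRIV_NOMASTER_TASK",
           "MX_REQ_PRIV_PCYADD_MISSING", "MX_REQ_PRIV_PCYADD_PENDING",
           "MX_REQ_PRIV_PCYADD_REMOVING", "MX_REQ_PRIV_TIMEOUT"):
    AVAILABLE_SINCE[_a] = "7.1 SP2"


def parse_version(text):
    """'7.1 SP3 Patch 1' -> (7, 1, 3, 1); an absent SP or Patch counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\s*SP\s*(\d+))?(?:\s*Patch\s*(\d+))?",
                     text.strip())
    if not m:
        raise ValueError(f"unrecognised IDM version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def check_privilege_entry(entry, installed_version):
    """Check one entry (attribute -> value) and return sorted findings:
    empty mandatory attributes, attributes the MX_PRIVILEGE schema does not
    define, and attributes newer than the installed 7.1 release."""
    installed = parse_version(installed_version)
    return {
        "entrytype_ok": entry.get("MX_ENTRYTYPE") == "MX_PRIVILEGE",
        "missing_mandatory": sorted(a for a in MANDATORY if not entry.get(a)),
        "unknown": sorted(a for a in entry if a not in ATTRIBUTES),
        "not_yet_available": sorted(
            a for a in entry if a in ATTRIBUTES
            and parse_version(AVAILABLE_SINCE.get(a, "7.1 SP1")) > installed),
    }


# Constructed sample: carries the attribute the reply above could not find in
# the schema (MXMEMBER_MX_PRIVILEGE) plus the SP3-era grouping flag.
SAMPLE_ENTRY = {
    "MSKEYVALUE": "PRIV:AD:SAMPLE", "DISPLAYNAME": "AD sample privilege",
    "MX_ENTRYTYPE": "MX_PRIVILEGE", "MX_REPOSITORYNAME": "AD",
    "MX_GROUPING_DISABLED": "0", "MXMEMBER_MX_PRIVILEGE": "12345",
}

if __name__ == "__main__":
    # The asker runs 7.1 SP5 Patch2: only the undefined attribute is reported.
    print(check_privilege_entry(SAMPLE_ENTRY, "7.1 SP5 Patch2"))
    # On 7.1 SP2, MX_GROUPING_DISABLED (7.1 SP3 Patch 1) would not exist yet.
    print(check_privilege_entry(SAMPLE_ENTRY, "7.1 SP2"))
```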

Similar Messages

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory and other third-party systems and SAP systems.
    Here are the questions:
    1) How can we leverage the investment in Active Directory after the SAP IDM - Active Directory investment? I mean, after SAP IDM comes to a landscape, Active Directory will only be used to log in to the domain and for authentication if, for Java systems, Active Directory has been set as the user data source. What are the other advantages of Active Directory - SAP IDM integration, as Active Directory will not be the leading data source and identity information will be in the identity store?
    2) After the user details are taken from the SAP HCM system, will the user record be created in SAP IDM in the identity store? Is that where we actually assign the SAP IDM business role and the related technical role to the user?
    3) Suppose we assign a business role "employee"; will IDM actually create the user ID in all target systems and assign all the technical roles? Or do we have to manually select each repository for the target system in Identity Center, select the privileges and provision it? Will there be any automated feature so that after assigning the business role to an identity in the identity store, users and roles get automatically provisioned to all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    The only change we have is that before approval it should go to GRC AC to check all the compliance, and only after that is it approved and should come back to SAP IDM.
    I am actually looking for a tutorial which shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial, and I want to know how we can configure this in SAP IDM. Any specific clues?
    Also, I am describing the exact steps that will follow. Correct me if I am wrong.
    1) The user ID will be created in AD with the same user name and password as in the identity store, and will be assigned AD groups.
    2) Create the same user in Portal, make the user data source AD, and assign the Portal technical role as per the business role definition.
    3) Create the same user in all ABAP systems, set the ABAP database as the user data source, and assign the technical roles needed as per the business role definition.
    4) Create the same user in third-party systems with the privileges on their target systems as per the business role definition.
    With this, provisioning stops. I suppose all the above steps will be done automatically by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    Some other information I wanted is:
    1) When you assign a business role in the workflow, how exactly does SAP IDM know the target systems in which the user should be created, assigned roles and given their authentication source?
    For example, a business role "employee" should get access to ERP with role X, AD with group Y, and Portal with role Z. So in the workflow, when the business role employee is assigned, how will SAP IDM know that the user should be created in ERP with role X, AD with group Y and Portal with role Z? Can you explain technically, along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew are a tremendous help in understanding SAP IDM better.

  • SAP IDM Connector list

    Hi there!
    So I was looking at the most recent version of the SAP IDM Connector List, and I don't see BI or BOBJ. Can anyone provide best-practices information on connecting to / working with these systems? We are considering leveraging AD for authentication and authorization.
    Please advise.
    Thanks,
    Matt

    AFAIK there is no direct provisioning from IdM 7.2 to BO. In my current project the BO access rights are delivered via AD groups. BI is just an ABAP system.
    It was possible to map the BO access rights against BI privileges, but AD was chosen as that enabled SSO login to BO.
    Your BO/BI/authorization-folks should know how the mapping of access rights works.
    regards, Tero

  • SAP IDM 8.0 Provisioning of group privilege assignments

    Hi,
    I set up Active Directory as a target system. I imported the new packages for Eclipse and did the initial load for AD (System privileges were created).
    When I assign the PRIV:AD:ONLY privilege to an identity, the identity gets provisioned to AD.
    When I assign the PRIV:AD:ONLY privilege to a group, the group gets provisioned to AD.
    So far so good.
    But when I assign the group to the identity I get the error in the execution log:
    Cannot obtain mskey for group privilege PRIV:GROUP:AD:CN\=MY AD GROUP\,CN\=GROUPS\, DC\=DUMMY\, DC\=COM
    The CN represents my CN in Active Directory, but I have no PRIV:GROUP:AD privilege?
    So I cannot provision group assignments to AD, and I used only the default packages with no modifications.
    And an additional question: when does the RDS for 8.0 come out?
    Are there some predefined approval processes like in 7.2?
    Thanks, Patrick

    Hi Jai,
    Ahhhh
    Thank you! You pointed me in the right direction; I disabled a few actions in the initial load job, including "WriteGroupPrivileges".
    I had to disable the following Attributes: MX_INHERIT, MX_GROUP_INHERITANCE
    I got the following error:
    Value not legal for this attribute:Attribute: MX_GROUP_INHERITANCE" when storing attribute 'MX_GROUP_INHERITANCE=ONE'
    Thanks for the fast help!
    Patrick
    Edit: Do I need a privilege for the target system for every group in IDM?

  • SAP IDM and GRC 5.3

    Hi all,
    I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
    When I test the web task from the GRC Provisioning Framework "Sample WF Create GRC User", the process launched works, but I'm facing the following problem:
    If I put 2 SAP roles on the previous request (with no conflict the first time), I see 2 requests created as "NEW" with 1 role each time. If I add 3 SAP roles, I get 3 requests, ....
    So, as you understand, I never get a conflict detected by Compliance Calibrator.
    How should I proceed to get only 1 request with all the SAP roles requested from SAP Identity Management?
    I tried as well to change the Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but it sounds like SAP Identity Management does not send the correct value to SAP GRC 5.3.
    Thanks for your help,
    Benjamin

    Hi all,
    Due to the following notes
    https://service.sap.com/sap/support/notes/1318053
    https://service.sap.com/sap/support/notes/1168508
    I upgraded SAP GRC 5.3 to SP7 Patch 1.
    But now, when the SUBMIT REQUEST is sent to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6:
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
    I looked at the VDS log files and VDS seems to send a correct request:
    FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
    Have some of you already faced this problem?
    Benjamin

  • SAP IDM 7.1 SP4 and Windows 2008r2 domain controller

    Hello,
    In the PAM and in the SAP NetWeaver Identity Management IDM Connector Overview I can't find any information about whether it is possible and supported to provision users and groups to a 2008r2 domain controller?!
    Is it supported?
    Best regards
    thomas berger

    AllowSSBToAnyVolume isn't a key but a value under the key SystemStateBackup. So make sure you have the following:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup
    Name: AllowSSBToAnyVolume
    Data type: DWORD
    Value data: 1
    Is that the case?

  • Downloading the SAP master data and transaction data to a flat file

    Hello All,
    Is there any SAP standard method or transaction to download SAP master data and transaction data to a flat file?
    Without using ABAP development, has SAP provided any tool or method to download the SAP system master and transaction data to a flat file?
    Thanks,
    Feroz.

    Hi,
    as of now, to my knowledge, no.

  • SAP BPC 7.5: Master Data and Hierarchy Load from InfoObject

    Hello Forum Participants,
    I am going to load Master Data from a "Clarity" Reporting Tool in BW to SAP BPC 7.5 via Process Chains (/CPMB/IMPORT_IOBJ_MASTER, /CPMB/IMPORT_IOBJ_HIER) delivered from SAP.
    These Process Chains load the Master Data and Hierarchies from an InfoObject. To find out more about the ticking of BPC I performed the following test. So, in the BPC Admin Interface I duplicated the Dimension "A" and called it Dimension "B" (on the BW side, InfoObjects "A" and "B"). In the Member Sheet of Dimension "B" I implemented several changes and tried to load Master Data from BW, namely from InfoObject "B", into BPC Dimension "A". Therefore I created a transformation file and mapped the IDs one for one. The Data Manager started these chains, but nothing resulted (Status: red X).
    What are the features of BPC InfoObjects in comparison with regular InfoObjects?
    How can I load Hierarchies into an InfoObject?
    What else must I take into account?
    Why does this simple test not work?
    Regards.
    Alisher
    Edited by: Alisher Babaev on Jan 6, 2012 1:59 PM

    Hello pkrishna,
    So it succeeded with the master data load, but without hierarchies.
    My Master Data Properties on Dimension Sheet are:
    -ID
    -EVDESCRIPTION
    -PARENTH1
    -CURRENCY
    I have mapped as below:
    ID=ID
    CURRENCY=/CPMB/CURR
    /CPMB/CURR is my technical ID in BW.
    In the note you advised, the transformation file has been mapped like below:
    -NODENAME=NODENAME
    -HIER_NAME=HIER_NAME
    -PARENT=PARENT
    -ORDER=ORDER
    After executing the package I get either a rejected list or a log file. No data can be retrieved from the InfoObject.
    Have you any idea?
    Regards

  • Best practice in SAP BW master data management and transport

    Hi SAP BW gurus,
    I would like to know what the best practice is in SAP BW master data transport. For example, if I updated my attributes in development, what are the 'required only' BW objects I should transport?
    Appreciate advice.
    Thank you,
    Eric

    Hi Vishnu,
    Thanks for the reply, but that answer may be suitable if I'm implementing a new BW system. What I'm looking for is more on daily operational maintenance and transport (for a BW system that has gone live a while ago).
    Regards,
    Eric

  • AUDIT actions (create, delete, privilege escalation, set and change password for user accounts and groups) for users and admins in Solaris 10

    Hello.
    In Solaris 10 I need to audit the creation and deletion of user accounts and groups, privilege escalation, setting and changing passwords, etc.
    I set the following settings:
    in file syslog.conf:
    *.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
    in file /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,ex,cc,am,no,fc,fd
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
    in file /etc/security/audit_user:
    root:lo,ad:no
    Now I see in the logs only the fact of a connection via SSH and processes run on behalf of users. Creation and deletion of users and password changes for some reason are not logged.
    There are many users. Writing permissions for each individual in the file /etc/security/audit_user is not possible; it is likely that some new user would be forgotten (or is there a possibility to describe the audits for all accounts with one line in this file?).
    Where is the mistake?

    You are most likely hitting Bug 15779000 "user/role/groupadd/mod/del don't audit their use".
    And the fix is only available in S11.2.
    -- Renaud

  • SAP Corporate Master Program eligibility criteria and cost of the course

    Hello Everyone,
    I would like to know the eligibility criteria for the SAP Corporate Master program offered in Germany at all three universities (SCMT, TUM, Heidelberg) and the total cost the course would demand. As I am planning to support my master's by getting a part-time job or something related, is that possible? Are any scholarships awarded during the master's? I am from India, so do I need to clear any entrance exams like TOEFL or GRE?
    My profile is like:
    1. Graduate in Computer Science and Engineering with 62% aggregate.
    2. Working in an IT company, having 1+ year of experience.
    3. SAP is totally new for me.
    4. I am from a data warehousing background.
    If the course needs anything else from the student then please specify it too.
    I got to know that there are four types of master's SAP is offering from those three universities: MBA, MBE, MS, MCompSc. I am interested in MS and MCompSc. Please give me info on these courses.

    Hi..
    Check this link; it will answer all your queries: Steinbeis Center of Management and Technology (SCMT) - SAP MBE

  • SAP IDM and SAP Ariba Integration

    Is there any connector available for the integration with SAP Ariba? Or has anyone any experience with the SAP Ariba integration?!
    We want to create, change and archive the Ariba users with SAP IDM 7.2.

    Hi Fedya,
    The case is very simple: we must create / change and deactivate Enterprise users on the Ariba Portal!
    I attached the Ariba screenshot:
    bg Thomas

  • SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?

    Hello IDM-experts,
    where can my customer find information about
    SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?
    Customer situation description:
    The situation is that we are using SAP IDM 7.2. We are using a functionality to allow our users to access a web page from where they can gain SSO access to the ABAP systems via the SAP GUI. See the screenshot as an example.
    Now what we want is to access the CRM and GRC WebUI also with the same SSO possibility. We cannot find any guide/best practice on how to do this or whether it is possible via SAP IDM 7.2.
    You can see a web link in the first screenshot, but it does not work. It will ask you for a username and password, see the second screenshot.
    Kind regards,
    Daniela

    Do you know how the SAP GUI SSO is set up? Is it using SNC/Kerberos?
    If it is (I suspect it is), then you will need to use a similar method of authentication for the ICF services. These cannot use SNC since they are accessed via a browser, but what you want is possible.
    Thanks
    Tim

  • To grant privileges to user or/and group

    Hi,
    I need information about granting privileges on content areas and folders.
    For example, if I grant the privilege to view content on a content area and I grant the privilege of Manage Items on a folder, can the users or group add items to the folder? Or can they view the content?
    Thank you for information,
    Noel

    I changed the file (sudo vi $ORACLE_HOME/rdbms/admin/externaljob.ora) to read run_user = oracle and run_group = dba. The error remains the same, also after a restart of dbconsole. Anyway, the file has a note: "The user and group specified here should be a lowly privileged user and group for your platform. For Linux this is nobody and nobody." Which it was, and I changed it back to that.
    Btw:
    SQL> SELECT owner, credential_name, username FROM dba_scheduler_credentials;
    no rows selected
    SQL> execute DBMS_SCHEDULER.CREATE_CREDENTIAL('oracle','oracle','password');
    After the above I was able to select "sys.oracle" as the credential name pull-down menu of the scheduler job edit mode.
    And the job succeeded: EXTERNAL_LOG_ID="job_73826_863", USERNAME="oracle"
    How does one set credentials if not in the "preferred credential setup" in dbconsole EM?
    Edited by: Dude on Jan 14, 2011 2:11 PM

  • SAP CUA connector changes password in master system AND child systems?

    Please confirm if OIM can change the password in both SAP CUA master and child systems through SAP CUA connector. The connector guide mentions the following parameter can be defined in SAP CUA IT Resource.
    Parameter: SAPChangePasswordSystem. Flag that accepts the value X or ' '.
    If the value is X, then the password is changed only in the master system. If the value is ' ', then the password is changed in both master and child systems.
    This parameter is used by the Reset Password function.
    Thanks!

    Hi,
    1) You can use report RSCCUSND to distribute users from CUA to a child client. Check section "Sending User Master Data to a Child System" in the [CUA cookbook|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true].
    2) If the user account has not been synced to CUA then you should be able to delete it in the child system. The button should be displayed for unsynced users. You can use transaction SCUG to sync users between a new child system and CUA. Check section "Transferring Users from New System" in the [CUA cookbook|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/fe4f76cc-0601-0010-55a3-c4a1ab8397b1?quicklink=index&overridelayout=true].
    Cheers
