SAP IDM or CUA

Similar Messages

• SAP IDM with MS Active Directory (OU names in Arabic)

  Dear Gurus,
  With SAP IDM , we need to integrate with MS Active directory such a way that SAP IDM only fetches users who have “SAP” in one of the AD field. That means do not read entire AD but only fetches users in SAP who have “SAP” tagged in one of the AD field.
  Is it possible ? We tried that in SAP LDAP connector but its not possible in LDAP connector in SAP as LDAP connector is reading through all the users in our CUA system.
  Question is it possible through SAP IDM that we use some thing (maybe  BAPI) to restrict users and do not read all users but only users having “SAP” in one of the AD field.
  Also note that our AD has some OU's name in Arabic.
  Regards,

  If you want to filter this in the ADS Initial Load job then you can modify the repository LDAP Filter:
  (&(objectclass=person)(orgUnit=SAP))
  Replace orgUnit=SAP with your your attribute and tag.
  Br,
  Chris

• SAP IDM - SPML integation

  Hi,
  I was trying to integrate SAP IDM with SPML using VDS.
  While configuring VDS for SPML request I am getting an error as follows.
  "Exception: Could not load external 'attrClass' or one of its referenced classes"
  I am getting this error while starting the identity service in VDS.
  The configuration guide does not talk about adding any other jar/class files.
  Any help in this regard is highly appreciated.
  Thanks in advance.
  Regards
  Sunil

  I know that this thread is old, but when deploying the IdM Identity Service, in conjunction with GRC 10 WebServices (for the CallBack Service functionality), you can't just disable the attribute and continue; you must fix it or else you will not be able to deploy the .ear file needed to further deploy to java (i'll go into detail on this in another post).
  The way, I got past this error was to go Tools - > Options (in VDS) and update the java settings to use the java version I have installed (or as close as I could), I set VDS to use a specified complier (the same compiler for my version of Java - in the same BIN folder) then ensured the classpath was updated with all the classpath's listed in the error (I added them to the Windows CLASSPATH environment variable also):
  The service Compiled and started without issue and I was able to deploy the .ear file out of VDS for Java.
  -ALJ

• SAP IDM 7.0 connecting to SAP GRC 10.1

  Hi Gurus,
  I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
  Could any of you provide some guidance on how to make this connections.
  Thanks and Regards,
  Juan

  If i remember correctly the 7.0 version had only mx_provision, mx_deprovision and mx_modify -tasks so the integration would have be built on these tasks. As there is no validate add task to hang the GRC call GRC would have to do provisioning.
  7.0 datamodel is different than 7.2, I haven't studied in detail but would guess there is enough difference also in the tables that store tasks/jobs etc that the 7.2 GRC provisioning framework would not   even import to 7.0. You would need to set-up a 7.2 on the side to study the framework to see how to duplicate the tasks..
  VDS in the middle is another thing as it would need to be able to communicate with your custom connector in 7.0.
  If you must stick with 7.0 maybe the GRC connector of 7.1 is worth a try.. But you would probably need also older VDS.
  Depending on the level of your existing customisations and what data from 7.0 is worth keeping the upgrade to 7.2 is not necessarily big thing compared to the effort of building the interim custom interface.. The real question is how big and complex is your 7.0 implementation?
  regards, Tero

• SAP IDM  7.0 integration with third party system

  Hi Experts,
  I know SAP IDM  7.0 can integrate with third party systems and create user ids on most of the third party systems.
  But I need to know regarding If it is possible to integrate with following systems
  1) Microsoft Exchange 2007 (  I know till exchange 2003 SAP  IDM support )
  2)  Microsoft  Active directory 2008 ( I know till Actice directory 2003)
  3) EMC  Documentum 6.5
  4)  ARIS 7.1.0
  5)  BlackBoard, Release 9.0
  6) Oracle 10g  ( Is it possible to create users at oracle level ? or at what level ? )
  7)  Sun Solaris Sparc  ( Is it possible to create users at  OS level )
  If you have information how on this please share. I know that  provisioning framework will have templates for most of the target systems. I want to know if they are available for above systems on SAP IDM 7.0 or if not have we can connect to them?

  Hi Matthew
  Your expertise in SAP IDM is indeed a great help!!
  >Can't see why not, it's all done via SQL commands. I've done similar things with MSSQL
  You mean that there will be oracle 10g drivers/oledb connectors in SAP IDM and in through SQL commands like "create user alfredo identified by alfredos_secret; " we can create user  in oracle database ?. As you said this should be possible.  What about creating user( user management ) in oracle 10g application  like dba or scot  and assigning the privileges in oracle application?
  >might need to do via UNIX scripts, but it can be done
  You mean that Unix scripts will be defined in SAP IDM and SAP IDM will execute these scripts in the Sun Solaris Sparc ?. It should be possible as you said. By the way how we will be able connect to Sun Solaris sparc ?  Is it via  the option "file " under the "Repositories" with repositories wizard  and later executing the file from SAP IDM ?
  Thank you once again for your expert answers on third party systems.

• Reconciliation reports in SAP IDM

  Hello
  I am working on IDM 7.2 SP8 configuration and so far its going good and was able to configured scenerios.
  I wanted some reports (Reconcillation report) and saw some blog where its advised to install SAP IDM RDS solution, I am just wondering how can I adopt that solution since I am already on 7.2 SP8 and configure my tool with client required customization.
  I checked that RDS solution is avaialble for IDM 7.2 SP4.
  Is there any way I can find reconcillation report MCC File so I can upload and use ?
  Thanks & Regards
  Deepak Gupta

  Thanks Matt / Peter
  Do you mean that I can download the RDS Soultion from market place and then only upload the Reconicillation report to my current SP8 version and that would work fine ?
  Does the downloads will have *.MCC files for reconcillation report which can be directly uploaded ?
  Thanks & Regards
  Deepak Gupta

• New to SAP &  IDM

  Greetings,
  Is there a forum for beginners that provides information on getting started in SAP, IDM that anyone can share.  I have seen several clips and whitepaper, but is the a recommended path with prerequisite that a beginner might follow.
  Goodday.

  Hi Josh,
  PLease go thru these links. They might be helpful.
  [Training in IDM|http://www.sap.com/services/education/catalog/netweaver/curriculum.epx?context=FFC760B8923D16BB5150DAE63E7C1A6B331AF0B9E3A8F73CE3A9B7046E051044825A85DAE5E2A4D7B15301EA7956E5C79735C38D2C06CDDE87FF61D1338F01776B564F89C6581143490893016429EB4E2872B1079D5197E3057469DEFEF131000F9DD39519A541195551D1D48B83049AA0849D72456D2D0E434C98D67993D262804AC7EA853328063209ACA74B34280D13990A11FED7C64F|74A5F30734C748B61D39607247B0CDC3]
  [SAP NW Virtual Directory Service|http://help.sap.com/saphelp_nwidmvds70/en/mvd.htm]
  [SAP NW Identity Management|http://help.sap.com/saphelp_nwidmic70/en/dse.htm]
  These links will provide u the course structure of IDM and also the basic know how for IDM.
  I hope it helps.
  Regards,
  Sumit

• SAP IDM - GRC Integration Scenario Query

  Hello Experts
  I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
  Current Situation:
  SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
  SAP GRC Access Control 10.1
  Both systems installed, configured and connected (web service connection works well)
  Desired scenario:
  Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
  If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
  If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
  Problem:
  In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
  …and the “AC Validation” task:
  Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
  That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for eacht privilege assignment and if a risk is detected in GRC, a mitigation request shall be started in GRC.
  Question:
  How can this problem be solved? Is the desired scenario feasible?
  Thanks a lot in advance.
  Regards,
  Krishna.

  Hi Krishna,
  I suppose AC Validation – Risk Analysis only" should suffice your requirement from IDM side.
  IDM prepares risk analysis request, submits the request to GRC and process the output of risk analysis.
  Rest to be config'd in SAP GRC side. GRC should receive the request from IDM, performs risk analysis and creates request for remediation and send out of request to IDM. Did you check with your SAP GRC Consultant if workflows and WS are correctly configured in GRC side?
  Kind regards,
  Jai

• SAP IDM 7.1 Role assignment issue

  Hello IDM Experts,
  I am facing one critical issue here. We have connected SAP GRC with SAP IDM for risk analysis and CUP approvals and then once the approvers have approved the requests, IDM assigns these approved roles to users in backend SAP Systems.
  We are now facing issue here past 1-month. Before we never faced this issue.
  The issue is when the Roles are approved from GRC-CUP AC 5.3, post the approvals, the IDM is pulling the data and some of the roles are not getting assigned in SAP Backend systems. In the 1st and 2nd attempt it is not getting assigned however sometimes in the 3rd attempt it is getting assigned. This kind of weird behavior we have come across first time.  Has anyone come across such issues before?
  What could be the possible reason for the roles not getting assigned in SAP Backend system from IDM?
  We checked everything right from dispatchers, connectors, workflow, SQL Logs, Job logs but we are unable to figure out the reason for this issue.
  Do we need to restart the dispatcher or is there any issue with cache memory? 
  Can anyone help here to resolve this High Priority issue?
  Thanks in advance!

  IDM Experts,
  Can I get response on this topic from the experts?
  Will restarting the dispatchers help in this situation? Is this related to housekeeping issue of dispatcher.
  Why are some roles from IDM are not getting assigned in SAP Backend system? Also it is getting rejected 1st and 2nd time and during 3rd time it is getting approved. Please advise
  Regards
  Malini Rao

• SAP IDM and GRC 5.3

  Hi all,
  I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
  When I  test web task from the GRC Provisioning Framework "Sample WF Create GRC User" the process launched works but I'm facing the following problem:
  If I put on the previous request 2 SAP Roles (with no conflict one first time), I see 2 requests created as "NEW" with 1 role each time. If I add 3 SAP Roles, I got 3 requests, ....
  You understand so I never got conflict detected by Compliance Calibrator.
  How should I proceed to get only 1 request with all SAP Role requested from SAP Identity Management?
  I tried as well to change Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but sounds like SAP Identity Management does not send the correct value to SAP GRC 5.3
  Thanks for your help,
  Benjamin

  Hi all,
  Due to following notes
  https://service.sap.com/sap/support/notes/1318053
  https://service.sap.com/sap/support/notes/1168508
  I upgrade SAP GRC 5.3 to SP7 Patch 1.
  But now, when the SUMIT REQUEST is send to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6 :
  Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
  I looked at VDS log files and VDS sounds to send a correct request :
  FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
  Some of you have already facing this problem ?
  Benjamin

• Webservice URI of SAP IdM 7.0 SP2

  Hi,
  I am trying to connect GRC AC CUP to SAP IdM 7.0 SP2, for that i was trying to get the webservice URI for IdM. Where do we get the web service URI of IdM ?
  Cheers !!
  Zaheer

  Hi Zaheer/Sunil
  >Once you have done that, you need to create an .ear file
  Can you explain how we can create tis ear file?. Is there any guide or documentation which tells these steps?
  >I deployed the EAR file generated by VDS (IdentityService.xml) configuration on a SAP WAS server
  How we can get this Identity service.xml and how we can generate teh EAR file from VDS?  Can you share any guides or documentation
  Regards
  Sahad

• ActiveDirectory - SAP IDM integration in Identity Life cycle Management

  Hi Experts
  In our landscape SAP HCM is supposed to be  the  leading data source and SAP IDM takes identity information from SAP HCM.  From SAP IDM it will provision into Active directory and other third party systems, Sap systems.
  Here are the questions
  1) How  can we leverage on the investment on Active directory after  SAP IDM -Active directory investment ?  I mean after SAP IDM comes to a landscape,  Active directory will only be used to login to domain and for authentication if for java system Active directory have been set as user data source.  What are the other advantages of Active directory- SAP IDM integration as Active directory will not be leading data source and identity information will be in identity store.?
  2) After the user details are taken from SAP HCM system, will  the user record will be created in SAP IDM on Identity store ?  Is it where we actually assign the SAP IDM business role and the related technical role  to the  user? 
  3) Suppose if we assign a business role " employee " , will IDM actually create user id in all target system and assign all the technical roles? . Or we have to manually select each repository for target system in Identity center and  select the privileges and provision it ?  Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
  Thank you in advance for your help.

  Hi Matt,
  Thank you very much.
  Only change we have is before approval it should go to GRC AC check all the compliance   and only after that it is approved and it should come back to SAP IDM  .
  I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained.  I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM . Any  specific clues?
  Also  I am describing the exact steps that will follow . Correct me if I am wrong.
  1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
  2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
  3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
  4) Create same user in third party systems  and with the privileges on their target systems as per the business role definition.
  With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
  So some other information i wanted is
  1) When you assign business role at work flow,  how exactly SAP IDM  know about the target systems that user should be created and  assigned roles and made their authentication source.
  for eg:- for  a  business role "employee"  should get  access to ERP with role X,  AD with group Y, Portal with role Z.  So in work flow when business role employee is assigned  how SAP IDM will know that user should be created on to ERP with role X,  AD with group Y, Portal with role Z. Can you explain technically along with  detail steps? Or how exactly we configure a business role which knows the target systems and their techical roles.
  Thank you once again for the fabulous help . You/Matthew is a tremendous  help in understanding SAP IDM better.

• Reg: SAP IDM License

  Hello Experts,
  As I came to know SAP IDM is free with Netweaver license , Can somebody let me know the licensing term for SAP IDM ?
  If I use IDM for only provisioning to SAP system then would it be free or will be there be any license cost ?
  And how licensing differs when we connect IDM with Non-SAP systems i.e AD ?
  Regards
  Deepak Gupta

  Hello Deepak,
                       IdM is covered under the main license for the netweaver based product you are installing. There are no additional fees for connecting to non SAP (or other SAP) systems.
  I Hope this helps. If you have further license questions then please open a support incident under the component XX-SER-LAS.
  Best regards,
  Chris
  SAP Active Global Support

• SAP GRC AC with SAP IdM and without SAP Idm

  Hello,
  Could anyone provide me what are the advantages implementing SAP IdM with SAP AC suite?
  Can I use SAP GRC User Provisioning tool with SAP HCM position based concept?
  Thanks in advance.
  -Harry

  Hi ,
  In GRC 10 there is no concept of web services . GRC 10 uses native SQL query for calling risk analysis which mean no need to configure web service in GRC 10
  Thanks & Regards
  Asheesh

• SAP IDM 8.0 courses

  Hi all,
  I noticed there is a SAP training for upgrading from 72 to 80
  Anyone knows if there is an upcoming course for installing 80 from scratch?
  Thanks.
  Regards,
  Kenny

  Kenny,
  Take a look here:
  https://training.sap.com/shop/course/wdeid8-sap-idm-delta-training-72---80-classroom-001-de-en/
  Regards,
  Matt