SAP User Provisioning

Hi Guys,
What are the different options available for SAP User provisioning?
Thanks
Harry

Hi Harry,
In SAP GRC Access Enforcer 5.2, two types of provisioning are available: Direct and Indirect.
1-You should only select InDirect if your SAP environment includes the SAP HR module, and you want to use SAP HR to perform provisioning. Otherwise, you should select Direct.
If you select InDirect, you must then select the type of HR object Virsa Access Enforcer needs to transmit to the HR module. There are three possible object types: Position, Orgtype, and Job.
2-You can perform provisioning in two ways:
   i) Automatically: for this, set the provisioning type to "Auto provision at the end of request" or "Auto provision at the end of each path".
   ii) Manually: for this, set the provisioning type to "No autoprovision".
For the provisioning configuration settings, go to Configuration tab > Workflow > Auto provisioning.
3-You can also configure your user provisioning BY SYSTEM as well.
For reference, you can download the configuration guide for Access Enforcer 5.2 from SAP Market place:
https://websmp101.sap-ag.de/~form/sapnet?SHORTKEY=01100035870000691285_
Regards,
Jagat

Similar Messages

  • Problem connection in OIM 9.1 with SAP user managment

    Hi!
    When I want to provision a SAP User Management resource to a user, this problem appears.
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] Create User Request
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] userId :PRUEBA4803, userGroup:AUDITOR_ARG,lastName:prueba4803,firstName:prueba4803,userTitle:0003,langComm:S,department:,langLogIn:,timeZone:,telephone:,extension:,Fax:,email:,dateFormat:1,decimalNotation:Y,function:,roomNo:,floor:,building:,code:,commType:,alias:,startMenu:000,userType:A,sapUserId:,empId:PRUEBA4803,fromHRMS:
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] SAP Create Connection Request
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] Inside XLSAPUTILITIES
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] SAP Create Connection Requesting****
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] START SAP Connection creation.
    It is strange because it has been working all right since 3 months ago, and in these last 2 weeks this problem occurs frequently. Sometimes it works, sometimes it does not.
    Of course, I tried the connection between OIM and SAP, with the SAP login, and the connection is all OK.
    My OIM version is 9.1 and the SAP User Management connector is 9.0.4.1.
    Did anybody have this problem before?
    Bye!

    Oh, I forgot: when I restart the application server, in my case JBoss, the problem is fixed. Strange...

  • Sap UM connector 9.1.2 trouble with "SAP User Management User Recon" task

    Hello All,
    I have a problem with SAP UM Connector version 9.1.2.
    OIM version 11.1.1.5
    Windows 2008 R2
    Problem is:
    When accounts in SAP are created through the direct provisioning feature of the connector, everything works OK (subsequent update or delete of an account).
    But if a user account is created in SAP using SAP GUI, the connector's scheduled task "SAP User Management User Recon" doesn't create a reconciliation event to link the user.
    Sometimes it does though, but for one user account created using SAP GUI, two reconciliation events are created in OIM, so the corresponding user in OIM has two records for resource SAP.
    Of these reconciliation events, one has the full set of attributes (Login, First Name, Last Name, E Mail, etc.), the other just these 3 attributes: IT Resource, User ID, Lock.
    The "SAP User Management Delete Recon" scheduled task works OK when a user account has been deleted using SAP GUI.
    How one can troubleshoot such behavior?
    Can anyone advise please?

    Resolved the issue by updating the SAP UM connector to version 9.1.2.5.

  • SAP user assigned with roles from HR-ORG incorrectly

    Hi All
    I have an issue where a SAP user appears to be receiving role assignments from some HR-ORG object erroneously.
    I have checked the user's HR positions and organisational assignments and they do not have any roles assigned.
    I also checked the job and no roles are assigned there as well.
    Where could these roles be coming from if they are not coming from the position or org unit?
    User currently has direct role assignments in SU01 except for 3 roles which appear as indirect assignments (HR assignments) in SU01.
    Is this a bug and is there a note to fix it?
    Please could someone let me know why this is happening.
    Thanks
    Ran

    Hi Colleen.... Thanks for your email.
    Please see below screenshot, it is an Org assignment but single roles also belong to composite roles.
    PBS is not meant to be active and PFUD is scheduled as a daily job. CUA is not active here.
    User is assigned to a position and org unit but roles are not provisioned via the Org/position. So there is a 0105 mapping, I have checked those positions and org units but no roles are assigned there.
    Basis release 731 and level 0005, SP - SAPKB73105.

  • Compliant user provisioning configuration done but can't create new request

    Hi All,
    We have upgraded our system from GRC 5.2 to GRC 5.3.
    Then we did all the configuration for Risk Analysis (CC), and then we completed the configuration for Compliant User Provisioning (Access Enforcer), but now when we go to create the request it says the request cannot be created.
    The request passes through all the steps; it is successful at the Risk Analysis step also.
    But at the last step, when we go to submit the request, this error comes.
    I have looked at the logs present in Monitoring --> System log. I could not find anything.
    Am I looking at the wrong place for logs?
    Is there any issue with the configuration? Because the requests were successfully created in GRC 5.2.
    Can anybody help me?

    Rajesh-
    Since 5.3 is in the ramp-up phase, you can contact SAP directly and they will resolve your problem very quickly, since they will be releasing it to all clients in October.
    And I am assuming you are working with SAP directly right now, since you have upgraded to 5.3, right?...
    Ankur
    GRC Consultant

  • OIM11gR2 - How can I list users with an SAP User Application Instance?

    Hello,
    This is a feature I was used to in OIM9.
    Except that in OIM9 the model was a bit different, we had no application instance. We referred to it as a Resource.
    Anyway, as an Identity Manager administrator, I wanted to quickly find a user with a specific Resource, e.g. SAP User.
    I went to Resources, chose the resource whose users I was interested in finding, then from there I could filter them by Resource Status: Provisioned, Provisioning, Revoked, Disabled, etc.
    Now in OIM11gR2 I can't find an equivalent for this.
    From /sysadmin I can't list users from the Application Instances.
    From /identity I can't search users with a given Application Instance.
    Did I miss something? Or can this not be done in OIM11gR2?
    (Alternatively, I am opening SQL Developer and listing the UD_SAP table, but this is obviously not acceptable.)
    Thanks for an insight.
    Adr

    This is a problem of realm definition. Check the config.xml, you've got an invalid realm declared.

  • Posixaccount and posixgroup user provisioning in sun LDAP through sunIDM 7

    Hi folks,
    I am trying to do user provisioning in LDAP for posixaccount and posixgroup.
    From the authoritative data source I am getting role, rolestatus, uidNumber, cn etc.
    Based on the role, the user will be placed in a posixgroup.
    Role to group mapping is
    one-to-many
    Can anybody tell me how I can do it?
    User provisioning is automatic, so I have to make some changes in the workflow and write a rule for role to group mapping, and I need to call that rule in the workflow.
    But how will I make changes in the workflow, and what changes are required for posixaccount and posixgroup provisioning?
    Please help if anybody has done this, or give me some idea how I can do it.
    Thanks

    Hello All,
    Thank you for your time and valuable replies.
    I got rid of the "Missing" error and now I am one step away from the solution.
    Now I am at a stage where: (for a user with initial password on LDAP)
    1. In AD if "User needs to change password on next logon" flag is NOT set - user can successfully logon to portal. (without being prompted for password change)
    2. In AD if "User needs to change password on next logon" flag is set - then user cannot logon to portal - I get User authentication failed error.
    I have gone through a lot of discussions around this topic on SDN and different SAP Notes. I have tried to maintain the UME security policy as close as possible to LDAP (I cannot make it exactly the same due to some differences in LDAP and UME).
    However, when an administrator can change passwords from UME successfully without any problem - it means that:
    - Security policy is being met
    - Service user used to communicate to LDAP has all the required access
    The only missing piece of the puzzle is how to enable the users to be able to change their passwords (with initial or expired passwords).
    According to Note 865399 - the default value for The property ume.ldap.access.set_pwd is TRUE.
    Also the property ume.ldap.access.pwd.via.usercontext can only be TRUE when ume.ldap.access.set_pwd is set to FALSE.
    So, I have tried setting the following without any success:
    <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
    <ume.ldap.access.set_pwd>false</ume.ldap.access.set_pwd>
    Thanks,
    Shanti

  • Future direction of User Provisioning Tools ( GRC CUP or IDM)

    Hi Security Colleagues,
    We all know that SAP has GRC CUP (Access Enforcer) and NW IDM for provisioning.
    We can use either tool for user provisioning.
    Based on your experience, what is the best tool? Of course, it changes from one company to another depending on requirements.
    I have noticed that a lot of SAP development activity is going on around IDM.
    Based on SAP's future direction, what is the best tool?
    It's a common problem for most SAP customers, as SAP is giving IDM freely as part of the NW license.
    Please share your thoughts.
    Thank You.

    For Futuristic product availability, I always prefer to check the following two places. Can you please also check there?
    http://service.sap.com/pam
    http://service.sap.com/scl
    Check the following Two points under the 2nd Link:
    Scenario & Process Component
    SAP's Release Strategy
    Now based on your query I will also stick to the suggestions given in the other two posts. To add a few more points which you may find helpful, I would like to emphasize the discussion below:
    • SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.
    • The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.
    • In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.
    Out of all other points, let's discuss Provisioning:
    • The term provisioning is often used to denote user provisioning or account provisioning.
    • The functionality includes:
      o creation of accounts
      o setting initial passwords
      o setting and modifying access rights
      o disabling (revoking) an account
      o deleting an account
    • The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.
    • User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset).
    (All these details I picked up and pasted here from different sections of a solutioning material I prepared for my company to introduce IDM solutions to my customer... I couldn't present them here properly due to space constraints.) You can understand the importance SAP is placing on this product for all aspects of automating security and identity of living and non-living staff as well. By using this you can get more benefits besides provisioning, which is available in separate solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided you the link) to understand and go for a realization assessment.
    regards,
    Dipanjan
    Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

  • How to let SAP user use SSO to access Application in DMZ?

    Hi All,
    Our J2EE application is running on a system in DMZ which can not be connected with LDAP. So I am wondering if it's possible to let SAP user use SSO to access our application.
    After talking with my colleague I think the only way is to import SSO public key to our WebAS and create user in UME and then assign user to the corresponding public key, but anybody know where to download SSP verification file or is it allowed to download and import into another system at all?
    Regards,
    Bin

    Hi,
    Take a look at this example, it uses property nodes to select the
    active plot and then changes the color of that plot.
    If you want to make the number of plots dynamic you could use a for
    loop and an array of color boxes.
    I hope this helps.
    Regards,
    Juan Carlos
    N.I.
    Attachments:
    Changing_plot_color.vi ‏38 KB

  • Error while scheduling report for SAP users

    Hi All,
    We have SAP authentication enabled in our BO environment. (BO XI 3.1 sp2 FP 2.6 on windows 2003 server).
    There are some webi reports based on BW Bex queries that we are trying to run on behalf of certain SAP end users. This we are doing using "schedule for" option.
    Now what is happening here is: if the end user has logged in once to the BO system, it runs fine. But in case the user has not logged in to BO (using InfoView etc.), it throws an error saying "incomplete logon data". Also, if the user changes or resets his password in BW and doesn't log in to InfoView after that, the system throws another error: "Name or password incorrect (repeat logon)".
    Based on these observations, we suspect that the BO system uses stored SAP user credentials while scheduling reports for them, based on their last login.
    Would like to mention here that we have checked the option "automatically import users".
    Please advise if this behavior is normal or if we are missing some setting.
    Thanks in advance,
    Chandra

    Hi All,
    Any pointers or suggestions for this issue?
    Is there a setting/option available in CMC which could resolve these errors?
    Or does the user have to log in once to InfoView in all circumstances to avoid these errors?
    Thanks,
    Chandra

  • Backup message error -SAP system is running or SAP user is connected to dat

    Hello ..
    When the backup started I got this error message. Before starting the backup, the shell shut down the SAP system, but the message below was shown:
    BR0262I Enter database user name[/password]:
    BR0055I Start of database backup: bedvugxg.aff 2010-08-08 05.31.48
    BR0484I BRBACKUP log file: /oracle/AAA/sapbackup/bedvugxg.aff
    BR0477I Oracle pfile /oracle/AAA/102_64/dbs/initAAA.ora created from spfile /oracle/AAA/102_64/dbs/spfileAAA.ora
    BR0068E SAP system is running or SAP user is connected to database AAA - database cannot be shut down
    BR1025I Please shut down SAP system first or use the 'offline_force' option
    BR0056I End of database backup: bedvugxg.aff 2010-08-08 05.31.48
    BR0280I BRBACKUP time stamp: 2010-08-08 05.31.49
    BR0054I BRBACKUP terminated with errors
    [Major] From:  "OMNISAP" Time: 08/08/10 05:31:49
    BRBACKUP /usr/sap/AAA/SYS/exe/run/brbackup -t offline -d util_file -c -m all -u hpbkup/******* returned 3
    I am new to this; what should I review in the DB?
    Regards and thanks in advance
    Dma.

    Hello Daniela,
    you try to perform an offline backup (which is a very uncommon way nowadays) and your SAP system is not down.
    This is also described in the official documentation:
    http://help.sap.com/saphelp_sm32/helpdata/en/0d/d309664a0c11d182b80000e829fbfe/content.htm
    offline: Database backup in offline mode, in other words, the database is shut down during backup. When you select this parameter, BRBACKUP checks that no SAP system users are connected to the database. If an SAP System is active, the database is not shut down and BRBACKUP terminates the process with an error message (message number BR0068E).
    Regards
    Stefan
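
Added example (not part of the original thread): a small Python parser for BRBACKUP output like the log quoted above, which reports whether the run failed because of BR0068E. The function names and status labels are assumptions made for this illustration; only message codes that appear in the quoted log are interpreted.

```python
import re
from collections import namedtuple

# BR*Tools messages: "BR" + 4 digits + severity letter, then the text.
# The quoted log shows I (information) and E (error); W (warning) is
# accepted as well.
BR_LINE = re.compile(r"^\s*(BR\d{4})([IWE])\s+(.*\S)\s*$")
Message = namedtuple("Message", "code severity text")

# A subset of the BR lines from the post above. The backup-tool wrapper
# line is left in to show that non-BR lines are skipped.
SAMPLE_LOG = """\
BR0055I Start of database backup: bedvugxg.aff 2010-08-08 05.31.48
BR0484I BRBACKUP log file: /oracle/AAA/sapbackup/bedvugxg.aff
BR0068E SAP system is running or SAP user is connected to database AAA - database cannot be shut down
BR1025I Please shut down SAP system first or use the 'offline_force' option
BR0056I End of database backup: bedvugxg.aff 2010-08-08 05.31.48
BR0280I BRBACKUP time stamp: 2010-08-08 05.31.49
BR0054I BRBACKUP terminated with errors
[Major] From:  "OMNISAP" Time: 08/08/10 05:31:49
"""


def parse_br_messages(log_text):
    """Return every BR message found in the log, in order."""
    matches = map(BR_LINE.match, log_text.splitlines())
    return [Message(*m.groups()) for m in matches if m]


def diagnose(log_text):
    """Summarise one BRBACKUP run (status labels are this example's own)."""
    msgs = parse_br_messages(log_text)
    codes = {m.code for m in msgs}
    errors = [m for m in msgs if m.severity == "E"]

    if "BR0055" not in codes:            # no "Start of database backup"
        status = "no_backup_started"
    elif "BR0056" not in codes:          # started, but log ends early
        status = "incomplete"
    elif errors or "BR0054" in codes:    # BR0054 is severity I, yet fatal
        status = "failed"
    else:
        status = "no_error_reported"

    if "BR0068" in codes:                # SAP system / user still connected
        cause = "sap_system_running"
    elif errors:
        cause = "other_error"
    else:
        cause = None

    return {
        "status": status,
        "cause": cause,
        "errors": [m.code for m in errors],
        "advice": [m.text for m in msgs if m.code == "BR1025"],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
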

  • How to Send SAP User to Spool Job instead of SAPService SID

    Dear Gurus,
    I have to print data using access method C (or L) via print server that runs on win 2008.
    SAP AS runs on win 2003.
    It works fine, but the user which appears in the print job is SAPService<SID>. We need here the SAP user who actually initiated printing. It can be obtained easily by changing the access method to G. However, this solution is not acceptable.
    Thank you in advance,
    Nenad

    Problem solved on OS level by introducing anonymous log on.
    Cheers.

  • User provisioning problem from OIM 10g to Siebel CRM

    Hi Team,
    I am facing a user provisioning problem from OIM 10g to Siebel CRM. Please find the log details.
    Running Get Attribute Mapping
    Running Siebel Create User
    <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException>
            at com.siebel.om.conmgr.Connection.readPacket(Connection.java:550)
            at com.siebel.om.conmgr.Connection.run(Connection.java:286)
            at java.lang.Thread.run(Thread.java:619)
    [CMGR FATAL] Error: <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException> connection:1
    <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException>
            at com.siebel.om.conmgr.Connection.readPacket(Connection.java:550)
            at com.siebel.om.conmgr.Connection.run(Connection.java:286)
            at java.lang.Thread.run(Thread.java:619)
    [CMGR FATAL] Error: <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException> connection:1
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.utils.SiebelConnection : createSiebelConnection() :  Siebel Connection Exception:Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.proxy.SiebelProxyEmployeeProvisionManager : createSiebelConnection() : BaseException: Siebel Connection JDB Exception: Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.provision.SiebelUtilEmployeeProvisionManager : createEmployee() : BaseException: Siebel Connection JDB Exception: Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    Regards,
    Ravi.

    Hi
    I am facing the same error message as yours, using OIM 11g R2.
    Are you able to solve it?
    Please share.
    Many Thanks !!!

  • User Provisioning in OIM 11g to Oracle DB 11g R2

    Hi All,
    We have installed OIM 11.1.1.5. We have created a user in OIM and want to provision it to database 11g R2. For this we have created a table in the DB.
    We are not sure about the next steps or which connectors to use...
    Experts, can you please guide me through the steps, or a link or snapshots, to achieve the above scenario?
    Regards,
    Newbie

    Hi Kevin,
    Thanks, that was a complete document.
    However, I achieved user provisioning by creating a GTC. I found this in the document below:
    http://tooweaktogivein.com/2010/02/16/oim-provisioning-db/
    Now my query is: how do I fetch the values entered in the UDF by the admin (User Form) into the form which comes up when we select the Resource Object (probably the process form, as I don't see any option such as Object form in 11.1.1.5)?
    Currently- 1. Admin creates user
    2. Admin selects Resource Object (Created via GTC)
    3. Admin has to re-enter the values which we created in our table (To be stored in DB).
    Summary- how to populate the values entered in step 1 to step 3
    Thanks & Regards,
    Newbie

  • OIM - SAP Employee Recon and SAP User Management Connectors vs. OC4J

    In reading through the SAP connector documentation I've found that we cannot use OC4J to run OIM if the 9.0.3 SAP User Management Connector or SAP Employee Recon Connector is used. This is all related to a conflict in JDK versions supported between the SAP JCo (Java Connector) library and OC4J. A thought we've had is to use a Remote Manager for these connectors. Can anyone validate this approach? Is it possible to use a different JDK version with your remote manager? Is there another workaround that anyone is aware of?
    Thanks

    Hi,
    The remote manager should work with different JDKs. We are going to be doing the same thing for one of our adapters.
    As for SAP, I cannot think of another workaround -- we actually abandoned the SAP JCo approach and are doing web services with XI.
    Thanks,
    Deborah
    http://www.linkedin.com/in/dvolk
