Channel: SCN : Discussion List - SAP Identity Management
Viewing all 1754 articles

Provisioning to Java system not working


Hi,

I have hooked up a java portal to our IdM system, and I can read in the data no problem.

I can also provision users to the system, and all is good.

 

The problem is, as soon as I try to provision any roles or groups, nothing happens. And I mean nothing! No entries in the job log, no errors.

If I change data on the user, such as name or email, it gets provisioned through as expected.

 

Provisioning to ABAP systems works as intended...

 

Does anyone have any idea what is wrong?

 

Cheers,

Henrik

 

On version 7.2 SP6


Recreate user in IDM


Hi experts,

 

My user (MSKEYVALUE= myUser, MSKEY=12345678) has some problem.

 

Under "Simple search" the user cannot be found. Under "Advanced search" the user can be found and the user is not INACTIF.

 

In the UI the user has 5 ABAP privileges in Pending status that I cannot remove from the UI.

 

 

select * from idmv_entry_simple where mcMSKEYVALUE='myUser'

 

--> NO RESULT

 

select * from idmv_link_ext where mcThisMskey= 12345678

 

--> Give more information and shows that this user has 5 privileges under the status mcExecState=1536

 

So I think that my user was deleted and only the links to pending privileges are still available in IDM.

 

I tried a job with MXREF_MX_PRIVILEGE = {D} / {E} <privilege> and also MXREF_MX_PRIVILEGE = {D} {LINKID = linkid} <privilege>

 

But still no success, so any help on how to get back my user?

 

Victoria

Mail box creation issue with LDAP Based access approach


Hi Experts,


We are creating the mail box for the user from IdM using LDAP based access approach. In this approach, we are using the template account. Currently, we are using one test account as template account.

There are around 60 exchange databases. We have created/ pushed this template account (test account) in all these databases.

System is randomly picking the database while creating the mail box account.

 

Now, the vendor to maintain the Servers has been changed. Now, we need to configure the Exchange server of different vendor.

 

Now, we have created a new template account in the Active Directory and changed the configurations in IdM by pointing to this newly created template account and the new vendor's Exchange server. This newly created template account doesn't exist in all these 60 databases.

 

When we try to create a mail box for the test user, the system is randomly picking the database and rolled back the changes that we made.

Can anyone help us with how to fix this issue? Do you want us to create/push this new template account in all these databases?


Thanks in Advance


Regards,

C Kumar

How to get/set extended properties for a role using extension framework code?


Hello experts,

 

I am trying to read ValidFrom/ValidTo field in onLoad/onSubmit method.

 

Using following code snippet. (IDM 7.2 SP7)


IdMValue[] loadedIdmValues = data.getValues();

// Walk the loaded values and log the validity data of each role reference
for (int i = 0; i < loadedIdmValues.length; i++) {
    IdMValue aIdmValueToCheck = loadedIdmValues[i];
    String aAttr = aIdmValueToCheck.getAttributeName();
    if (aAttr.equalsIgnoreCase("MXREF_MX_ROLE")) {
        loc.warningT("ValidFrom :" + aIdmValueToCheck.getModValidFrom());
        loc.warningT("ValidTo :" + aIdmValueToCheck.getModValidTo());
        loc.warningT("Reason:" + aIdmValueToCheck.getModReason());
    }
}

Also tried:

// Read the role references of the entry directly through the entry factory
IdMReference[] roles = IdMFactory.getInstance().getEntryFactory().getRoles(locale, objectMSKEY, 7);
loc.warningT("roleLength" + roles.length);
for (int j = 0; j < roles.length; j++) {
    IdMReference temp = roles[j];
    loc.warningT("ValidFrom" + temp.getValidFrom());
}
 

It's returning 0 or null only. But in the front-end UI the ValidFrom, ValidTo and Reason properties are already set for the role.

 

Are these functions meant for some other purpose? The API usage guide does not have detailed information.

 

 

Thanks,

Karthik

My first Rest API UI in SAP NW IDM 7.2


Hi,

 

I am exploring how to build a simple custom UI with the help of the Identity Management REST API interface. I am using SAP NW IDM 7.2 SP7.

 

I found a couple of REST API interface docs and code samples but am not sure where to start :-) Maybe steps to set up the environment or a simple client to connect from SAP NetWeaver Developer Studio would be helpful.

 

Also, I tried to access the URL below from a browser, but it gives a 403 Forbidden error:

 

http://<hostname>:<port>/idmrest/

 

Any authentication settings need to be changed for this from NWA ?

 

 

Thanks,

Karthik

Issue on initial load write to Identity Store pass


Hallo All,

 

I encounter an issue on my IDM development system which I have been trying to solve for a couple of days.

It seems that the passes part of the initial load job are not able to write or read on my identity store anymore.

 

This is the error message I receive.

[Attached image: Issue on initial load write to pass to Identity Store 1.jpg]

 

There is probably a parameter somewhere that I missed and need to change.

 

Can someone please advise on this issue?

 

Thanks in advance,

 

Laurent

Delete Role Assignments directly from an ABAP System


Hi folks!

 

I'm working on a synchronization job and I have a particular challenge, delete Roles assigned to a user in the ABAP System.

 

Our use case is this: IDM is regarded as the authoritative source and as such if the user has a privilege in IDM, it should be in the backend.  Easy enough!

 

However if the privilege is not in IDM but is in the back-end, it needs to be removed.  Is there a way to do this in IDM? From what I saw in the Framework, we are assuming that the role already exists in IDM.

 

I suppose the work around would be to assign and then remove the matching privilege in IDM, but I really don't like that at all, for a number of reasons.

 

I looked in the business suite and plain ABAP portions of the framework.  I'll take a more detailed look and also check the RDS, but I get the feeling this will be a toughie.

 

Thanks for your help!

 

Matt

Cleaning up privilege assignments


Hi there

 

The scenario is as follows: during initial load the privilege assignments were loaded into IDM directly from the target systems as direct assignments. Now, some Business Roles (MX_ROLE) were created and some of the privileges were assigned to those roles. The business roles were assigned to the identities in IDM. As expected, the identities end up having the privilege directly assigned due to initial load and indirectly assigned via business roles.

 

Now we would like to clean up the identity store so that privileges coming from a business role are only inherited but not directly assigned. My first thought on how to solve this was to query the MXI_LINK table: mcAssignedDirect > 0 && mcAssignedInheritCount > 0. With this result I'd have a toIdentityStore pass with MXREF_MX_PRIVILEGE = {D}{LINKID=%link%}%mskey%

 

Is this a good idea? I hope that deprovisioning won't start here? Is there any other concept to clean this up?

 

Best regards

Matthias


SAP IDM Help down?

Update ABAP user deletes SU01 parameters


Hi experts,

 

I created some ABAP users in 3 ABAP systems and set some SU01 parameters for them. My attributes are param_DEV, param_UAT, param_PRD.

 

Each time my ABAP create job runs my users are created successfully with the right parameters (set as constants in each system). After this the ABAPUpdate job deleted all the parameters because the 3 attributes (param_DEV, param_UAT, param_PRD) are empty.

 

For example:

In the CreateABAP job I set: parameter1= AB I CD I EF ...

In the UpdateABAP job I set: parameter1 = %param_%$rep.$NAME%%

 

After creating ABAP users, the end user can add, remove some parameters in the ABAP system so ABAPUpdate sets parameters as empty.

 

So how to keep the created parameters and the updated one ?

What should I put in my Attributes values to handle the updated parameters.

 

[Attached image: screen.JPG]

 

Many thanks for the help,

 

Mia

IDM db installation issue


Hi,

 

I am installing the Identity Center database on Oracle using the sps09 patch files; this is a fresh installation.

 

While installing, it asks for the inputs below.

In the installation guide, we cannot find any help for these values.

 

Enter value for dbtypename:

Enter value for dbtypenum:

Enter value for longclob:

 

 

Enter value for modcol:

Enter value for defval:

 

 

Enter value for clobclob:

 

 

Enter value for dropnotnull:

Enter value for setdayatype:

 

Has anyone faced this issue while installing the DB using the sps09 patch? I am able to install the DB if I use the sps04 patch files.

 

I am not sure why it is asking for the above inputs if I use sps09 (IC_DESIGNTIME_72_9).

How to change column configuration in tabs: manage, self service


Hello,

 

I've made notes on this and should remember, but can someone please remind me how the arrangement of columns and the layout of data in the 'manage' and 'self service' tabs is made?

 

Thanks, Paul

Calling REST api with POST method - ERROR: 403 Forbidden


  Hi experts,

 

I’m trying to call a REST with POST method and I’m getting the following error: 403 Forbidden . I have followed the IdM documentation about: SAP NetWeaver Identity Management REST API Interface Description.

Here is an example:

URL:

  • host/idmrest/v72alpha/entries/{MSKEY}/tasks/{TASKID}

HTTP Method:

  • POST

Parameters:

  • Content-type:application/x-www-form-urlencoded
  • Content-type:JSONHttpRequest

Authentication:

  • BASIC (with user and password)

 

Note: I'm calling the REST with GET method with no such error.

BR,

Simona

Incorrect column data loaded after initial load


Hello,

 

I recently completed a move to SP9 and came across something I can't seem to figure out.

 

I was validating user data loaded from an ECC6 repository after an initial load. In the browser I didn't see a value for MX_ADMIN_UNIT I was expecting. So I checked the database and found the MX_ADMIN_UNIT values loaded into the column called COMPANY_ID. This didn't make any sense so I checked the following:

 

*Notes

- this is a newly created identity store.

- I did run a Read Help Values job first.

Then

- I checked the attributes in this Identity Store and don't see MX_COMPANY_ID

- I checked the attribute MX_ADMIN_UNIT and it's properly setup to load values from the mxi_AttrValueHelp

- I checked the initial load pass ReadABAPUsers does have a source and target of Company_ID

- I checked the initial load pass WriteABAPUsers and it does use the MX_ADMIN_UNIT attribute with a value of $usergroups%

 

I don't understand how the user group values, through attribute MX_ADMIN_UNIT were populated into the CompanyID column. Are the columns dynamically created per repository? Does anyone know how I can remove/replace them? Can I just rename the column?

 

Thanks, Paul

Password change issue when updating user data in SAP ABAP system


Hi Gurus,

 

One of my reconciliation tasks part of the reconciliation job I've created is doing some strange password updates.

As you can see below the task selects all users part of my identity store that are part of the account attribute of the particular ABAP system.

Once these users are selected the task updates different data like username, validto, ... but the task is updating a lot of other things that are not part of the destination tab. What is causing the biggest issue is the password fields that are updated in the ABAP system like, password, productive password, ...

 

[Attached image: password issue in reconcile job 1.jpg]

 

[Attached image: password issue in reconcile job 2.jpg]

 

Can you please advise if I missed something and how to solve?

 

Thanks a lot,

 

Laurent


Errors detected, but not showing up in the Log


Hi Experts!

 

I've made a copy of "Set JavaRoleForUser&Group" pass from the SAP IDM Provisioning Framework for use in a Sync task. I'm working with IDM 7.2 SP8, back end is DB2. Repository is set and the background configuration is correct.

 

However when the pass is executed, I get 253 errors but NONE of them show up in the log.  I've checked all varieties of log and I've also checked in the "\usr\sap\IdM\Identity Center\Jobs folder"

 

<mx:NENTRIES noops="0" mods="0" markdels="0" dels="0" adds="0">0</mx:NENTRIES>

<mx:NERRORS>253</mx:NERRORS>

<mx:NWARNINGS>0</mx:NWARNINGS>

 

[Attached image: No log exists.Capture.PNG]

 

Is anyone aware of a way to get this information.  Clearly IDM and the SPML connector are seeing the error, but it's not piping back to the IDM log.

 

Thanks,

Matt

Looking up ABAP lock values


Hello Experts!

 

Working on a synchronization task for ABAP/IDM.  There is a requirement that we do not synchronize users who:

 

Have a ValidTo date in the past.

If their "Lock Value" is other than 128 or 0 as seen in the USR02 table via SE16.

 

[Attached image: Image 2.png]

 

So based on the above example only A008421 (no lock) and A009018 (128 lock) would be synced.

 

So the question is, can I get this lock value when reading from an ABAP system? I'm currently using a To Custom pass to read from the ABAP system.

 

 

Thanks,

Matt

Pivot Identity Data?


I'm wondering if anyone knows a SQL-based method of pivoting the information in the Identity Store (as held in, say, idmv_value_ext_active) to a more usable format.

 

I've looked at the SQL Server pivot command but it does not seem to apply.

 

The only other way I can think of to do this is to virtualize the Identity Store via VDS and then read the data in a From LDAP pass, but I'd prefer to do this without the extra moving parts...

 

Thanks for your help!

Matt

401 Unauthorized Error when accessing a task from REST API which contains Role or Privilege in Access Control definition


Hi Team,

 

As of IDM 7.2 SP8 patch2, when we use an Enterprise role or Privilege in the access control definition of a task, accessing this task from UI5, i.e. the REST API, gives an unauthorized error even though the user already has the required role or privilege.

 

But the task is working fine if we use fixed user ID or keeping blank value in allowed users field.

 

Attached the current access control definition of the task we configured & the error message info for reference

 

 

Regards,

Venkata Bavirisetty

Find task or Job in IDM console is only showing first occurrence of the task


Hi team,

 

If a task is used in multiple task groups in the IDM console, the find functionality shows only the first occurrence of the task even though we clicked on the find next option.

 

Has anyone faced this issue?

 

 

Regards,

Venkata Bavirisetty
